[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]


                 SUBCOMMITTEE HEARING ON DATA SECURITY:
                      SMALL BUSINESS PERSPECTIVES

=======================================================================

                    SUBCOMMITTEE ON FINANCE AND TAX
                      COMMITTEE ON SMALL BUSINESS
                 UNITED STATES HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                              JUNE 6, 2007

                               __________

                          Serial Number 110-27

                               __________

         Printed for the use of the Committee on Small Business


 Available via the World Wide Web: http://www.access.gpo.gov/congress/house


                     U.S. GOVERNMENT PRINTING OFFICE

36-102 PDF                 WASHINGTON DC:  2007
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office  Internet: bookstore.gpo.gov Phone: toll free (866)512-1800
DC area (202)512-1800  Fax: (202) 512-2250 Mail Stop SSOP, 
Washington, DC 20402-0001


                   HOUSE COMMITTEE ON SMALL BUSINESS

                NYDIA M. VELAZQUEZ, New York, Chairwoman


WILLIAM JEFFERSON, Louisiana         STEVE CHABOT, Ohio, Ranking Member
HEATH SHULER, North Carolina         ROSCOE BARTLETT, Maryland
CHARLIE GONZALEZ, Texas              SAM GRAVES, Missouri
RICK LARSEN, Washington              TODD AKIN, Missouri
RAUL GRIJALVA, Arizona               BILL SHUSTER, Pennsylvania
MICHAEL MICHAUD, Maine               MARILYN MUSGRAVE, Colorado
MELISSA BEAN, Illinois               STEVE KING, Iowa
HENRY CUELLAR, Texas                 JEFF FORTENBERRY, Nebraska
DAN LIPINSKI, Illinois               LYNN WESTMORELAND, Georgia
GWEN MOORE, Wisconsin                LOUIE GOHMERT, Texas
JASON ALTMIRE, Pennsylvania          DEAN HELLER, Nevada
BRUCE BRALEY, Iowa                   DAVID DAVIS, Tennessee
YVETTE CLARKE, New York              MARY FALLIN, Oklahoma
BRAD ELLSWORTH, Indiana              VERN BUCHANAN, Florida
HANK JOHNSON, Georgia                JIM JORDAN, Ohio
JOE SESTAK, Pennsylvania

                  Michael Day, Majority Staff Director
                 Adam Minehardt, Deputy Staff Director
                      Tim Slattery, Chief Counsel
               Kevin Fitzpatrick, Minority Staff Director


                    SUBCOMMITTEE ON FINANCE AND TAX



                   MELISSA BEAN, Illinois, Chairwoman


RAUL GRIJALVA, Arizona               DEAN HELLER, Nevada, Ranking
MICHAEL MICHAUD, Maine               BILL SHUSTER, Pennsylvania
BRAD ELLSWORTH, Indiana              STEVE KING, Iowa
HANK JOHNSON, Georgia                VERN BUCHANAN, Florida
JOE SESTAK, Pennsylvania             JIM JORDAN, Ohio

                                 ______


                                  (ii)


                            C O N T E N T S

                              ----------                              

                           OPENING STATEMENTS

                                                                   Page

Bean, Hon. Melissa...............................................     1
Heller, Hon. Dean................................................     3

                               WITNESSES

Milazzo, John, National Association of Federal Credit Unions.....     4
MacCarthy, Mark, Visa U.S.A., Inc................................     6
Duncan, Mallory, National Retail Federation......................     8
Cochetti, Roger, CompTIA.........................................    10
DelBianco, Steve, Association for Competitive Technology.........    12

                                APPENDIX


Prepared Statements:
Bean, Hon. Melissa...............................................    28
Heller, Hon. Dean................................................    30
Milazzo, John, National Association of Federal Credit Unions.....    32
MacCarthy, Mark, Visa U.S.A., Inc................................    44
Duncan, Mallory, National Retail Federation......................    51
Cochetti, Roger, CompTIA.........................................    66
DelBianco, Steve, Association for Competitive Technology.........    76

                                 (iii)

                      SUBCOMMITTEE HEARING ON DATA
                 SECURITY: SMALL BUSINESS PERSPECTIVES

                              ----------                              


                        WEDNESDAY, JUNE 6, 2007

                     U.S. House of Representatives,
                               Committee on Small Business,
                            Subcommittee on Finance and Tax
                                                    Washington, DC.
    The Committee met, pursuant to call, at 10:00 a.m., in Room 
2360 Rayburn House Office Building, Hon. Melissa Bean 
[Chairwoman of the Subcommittee] presiding.
    Present: Representatives Bean, Ellsworth, Heller and 
Jordan.

              OPENING STATEMENT OF CHAIRWOMAN BEAN

    Chairwoman Bean. Good morning. I call this hearing to order 
to address Data Security: Small Business Perspectives. With 
breaches of personal data being reported with increasing 
regularity, the issue of data security has become one of great 
concern to consumers and the small businesses they do business 
with.
    Over the past few years, tens of millions of records of 
data containing Social Security, bank account, credit card, and 
driver's license numbers have been compromised. A few weeks 
ago, The New York Times published a troubling cover story on 
identity theft in the elderly. The story discussed the data 
broker InfoUSA, one of the largest compilers of consumer 
information which sold contact lists of elderly consumers to 
known law breakers. The thieves posed as government officials 
and acquired bank account information which was used to empty 
out those accounts. According to the article, InfoUSA 
advertised lists of suffering seniors, 4.7 million people with 
cancer or Alzheimer's. Data brokers fall outside the scope of 
most current federal privacy regulations.
    A major reason for the increased awareness of breaches is 
due to a California law implemented in 2003 that requires 
notice of security breaches to be sent to affected consumers. 
The law was the first of its kind in the nation. Subsequently, 
35 states have enacted legislation requiring companies or state 
agencies to disclose security breaches involving personal 
financial information. Complying with a patchwork of state laws 
is challenging for all businesses and financial institutions, 
but particularly difficult for small firms. There have been 
many calls for federal legislation to address the issue of data 
security. In the last Congress, I introduced two data security 
bills and worked closely with my colleagues on the Financial 
Services Committee to craft a federal solution to this 
important issue.
    As a former small business owner, I understand the value of 
time. Small businesses are often dependent on the efforts of 
few, if not one person, to run their business. Onerous 
regulations can take a business owner's time away from focusing 
on their core business and their customers. Small businesses 
lack in-house counsel and expertise in information security. 
Burdensome data security laws or regulations require small 
businesses to retain outside consultants in highly specialized 
legal and regulatory areas. Small businesses typically lack 
experience in managing those outside vendors and when a 
complicated law requires systemic changes to their IT systems, 
this may make them more vulnerable to expensive service 
agreements.
    When examining this issue at the federal level, there are 
several considerations to keep in mind for small businesses and 
small financial institutions. First, a clear standard for 
triggering notification is critical. A vague standard could 
lead to a large volume of unnecessary notifications, 
desensitizing consumers and causing them to ignore more serious 
warnings. It's also important to consider that notification is 
costly, particularly so for small businesses to absorb.
    Second, financial institutions are already subject to 
federal regulations on data security. Subjecting them, and 
small banks in particular, to a duplicate layer of federal 
regulations could burden them unnecessarily.
    Third, while Congress should encourage adoption of best 
practices for securing private financial data, we should avoid 
mandating particular technologies in law or regulation. 
Security threats change rapidly and businesses must be given 
the flexibility to respond quickly. Firms must be able to 
deploy the latest security measures; mandating a particular 
product or technology could slow development of improved 
countermeasures and leave businesses one step behind the 
criminals.
    Finally, legislation should contemplate the protection 
level of compromised data such as encrypted information and how 
much of a risk a breach realistically poses to consumers. As 
Congress contemplates legislation, there are steps businesses 
can take on their own to reduce security risks. Government may 
be able to play a beneficial role in educating small businesses 
about the basics of data security.
    Properly training employees can reduce the incidents of 
data breaches, while larger businesses with sophisticated 
compliance departments can create training programs, risk 
assessments, and written compliance plans. It's important to 
consider that small businesses may lack this ability and thus 
require assistance from regulators.
    Small businesses are increasingly being confronted with the 
issue of data security as breaches occur with more frequency. 
Small firms are taking steps to better secure customer 
information through internal procedures and upgrading 
information technology. As we move forward with federal 
legislation on data security, unique needs of small businesses 
should be integral to our efforts, because compromising the 
profitability of small businesses would ultimately pass on 
costs to the very consumers we're trying to protect.
    I look forward to today's testimony and thank the witnesses 
for their participation.
    I now want to recognize Ranking Member Mr. Heller for his 
opening statement.

                OPENING STATEMENT OF MR. HELLER

    Mr. Heller. Well, good morning, and thank you very much, 
Madam Chair. I know this issue is important to you and you have 
spent a tremendous amount of time looking into this and I 
appreciate your efforts. I want to also thank the witnesses 
that are here today, taking time out of their schedules to be 
in front of us today.
    Nevada is one of the fastest growing states in small 
businesses. As Secretary of State, I was responsible for 
registering tens of thousands of businesses a year and I fought 
to keep Nevada friendly to small businesses.
    I look forward to continuing to keep small business vibrant 
and healthy in America and in the State of Nevada. To this end, 
electronic commerce or e-commerce has enabled small businesses 
to become participants in both the national economy and the 
international economy. E-commerce requires data to be 
collected, processed, and stored electronically and transmitted 
across networks. Therefore, data security is a very important 
business requirement that requires the on-going process of 
exercising due care and due diligence by all participants in e-
commerce. A robust national and international economy requires 
protecting data from unauthorized access and use. If consumers 
lose confidence in e-commerce based on the lack of data 
security, this loss of confidence will inhibit the growth of e-
commerce and small businesses, not to mention the effect a 
data breach can have on individual victims.
    The impact on small businesses will be disproportionately 
greater because right or wrong, consumers will perceive large 
businesses offering their customers more recourse in the event 
of a problem. Also, all participants in e-commerce will be 
looking for assurances that their business partners, both large 
and small, are operating under proper data security policies 
and procedures. Any business' lack of information security 
readiness will spread the risk throughout all levels of the 
economy. What we must do is devise a way to ensure that all the 
parties involved are effectively protecting the information 
they collect without putting small businesses to a disadvantage 
when we do so. All too often small firms are at a distinct 
disadvantage when these proposals are being debated and 
implemented. Imposing a large one-size-fits-all data security 
bill or regulation on the nation at large could be more 
expensive for small firms because fixed costs 
disproportionately impact small businesses.
    Additionally, because the owner of a local hardware store 
knows hardware, not high-end encryption and data security 
services, it may require the hiring of outside vendors and 
consultants to implement data security and regulatory 
requirements because of that lack of expertise and anybody who 
runs a small business already knows that the time and attention 
of top management is already stretched too thin to be directly 
involved with issues such as these. Simply put, imposition of 
any additional costs will place small companies at a 
competitive disadvantage because their per-unit costs of 
compliance will be greater than those of large businesses.
    Today, we live in a digital economy where both beneficial 
and potentially harmful uses of personal information are 
multiplying. Information about individuals is used by 
businesses to provide consumers with an unprecedented array of 
goods and services, increased productivity and protect 
individual businesses and society from fraud and other 
misdeeds.
    However, that same information can also be misused to harm 
individuals with results such as identity theft, deception, 
unwarranted intrusion, embarrassment, and the loss of consumer 
confidence. This is a very complicated and important matter, 
and I applaud the Chairwoman for her leadership on this timely 
issue. Just yesterday, I read in the USA Today a story of how 
David Joe Hernandez, who returned from service overseas in the 
Air Force, only to find that his identity was stolen and the 
collection agents were hunting him down to make good on some 
delinquent accounts. This recent case demonstrates that all 
businesses must ensure consumer protection and I look forward 
to hearing the testimony today and working with each of you to 
ensure that we devise a workable plan that achieves greater 
security and confidence in e-commerce without harming small 
businesses.
    Thank you, again, Madam Chairwoman. I appreciate your 
looking forward on this particular issue, and I yield back the 
balance of my time.
    Chairwoman Bean. Are there any other Members who have 
opening statements? Okay.
    We'll now move to testimony from the witnesses. Witnesses 
will have five minutes to deliver their prepared statements. 
The timer begins when the green light is illuminated. When one 
minute of time remains, the light will turn yellow. The red 
light will come on when time is out.
     Our first witness is Mr. John Milazzo. Mr. John Milazzo is 
president and CEO of Campus Federal Credit Union in Baton 
Rouge, Louisiana. He has served in that role since 1985. Campus 
Federal is a $320 million multi-branch statewide credit union 
serving 39,000 members. He's testifying on behalf of the 
National Association of Federal Credit Unions. The membership 
of the National Association of Federal Credit Unions consists 
of the nation's innovative and dynamic federal credit unions 
having various and diverse membership bases and operations.
    You may proceed with your testimony.

 STATEMENT OF JOHN MILAZZO, CHAIRMAN, NATIONAL ASSOCIATION OF 
                     FEDERAL CREDIT UNIONS

    Mr. Milazzo. Thank you. Good morning, Chairwoman Bean, 
Ranking Member Heller, and Members of the Subcommittee. My name 
as stated is John Milazzo and I'm the present Chief Executive 
Officer of Campus Federal Credit Union headquartered in Baton 
Rouge, Louisiana. I'm testifying today on behalf of the 
National Association of Federal Credit Unions where I serve as 
the chairman of its board. NAFCU appreciates this opportunity 
to participate in this hearing regarding data security.
    Looking to a few high profile examples, the TJX data breach 
has already cost Campus Federal Credit Union over $11,000. When 
Credit Card Systems Solution suffered a breach, Campus Federal 
spent over $20,000 to issue new cards and to respond to 
members' concerns and this does not include the detrimental 
effects to our institution's reputation and credibility.
    In 2006, Campus Federal charged off nearly $50,000 in fraud 
losses on our debit cards. Additionally, Campus Federal charged 
off $130,000 on other fraud. The cost of insurance for credit 
and debit cards is increasing dramatically. In the last six 
years, Campus Federal's premiums have increased by more than 64 
percent. At the same time, our deductible for payment card 
losses has also increased significantly. From 2001 to 2004, our 
deductible for payment card fraud and forgeries averaged $100. 
Today, our deductible is $1500, an increase of 1400 percent in 
six years.
    Campus Federal's situation is not unique among credit 
unions. Information from those that provide bonds to credit 
unions indicates that credit unions incurred over $100 million 
in payment card fraud in each of the last few years. The costs 
associated with issuing a payment card can run as high as $10 
or more, a cost that the 89 million Americans who are credit 
union members ultimately pay. Because of economies of scale, 
this cost is often higher for smaller credit unions.
    When Campus Federal is notified of a data breach impacting 
credit cards, we follow a 16-step flow chart that includes at 
least two methods of notification to our members. We also keep 
enough credit card stock in-house to cover at least 15 percent 
of our card base, allowing us to reissue cards in a very timely 
manner. NAFCU supports the effort to enact a comprehensive 
proposal to protect consumers' personal data. Credit unions and 
other financial institutions already protect data consistent 
with the provisions of the Gramm-Leach-Bliley Act. The act, and 
its implementing regulations have successfully limited data 
breaches among financial institutions. There's no similar 
comprehensive regulatory structure for retailers. There should 
be a comprehensive regulatory scheme for industries that are 
not already subject to oversight.
    Any new legislation should create a safe harbor for 
financial institutions already in compliance with Gramm-Leach-
Bliley. Failing to do so would place undue burden on financial 
institutions. NAFCU believes that any data security bill should 
place the burden of addressing a data breach on an entity 
responsible for the breach. Under the current law, some 
industries do not have a strong enough incentive for protecting 
the sensitivity of their information. The first notification 
that people receive that their information may have been 
compromised is often from their credit union. Thus, the 
companies responsible for the data breach oftentimes do not 
suffer any loss of consumer goodwill while consumer confidence 
in financial institutions suffers.
    Unfortunately, no matter how quickly government and 
industry reacts, criminals will always find a way around 
security measures. Therefore, it is important that there be 
stiff penalties to prohibit and punish the actual crooks who 
commit these breaches. Current data security standards with 
payment card companies such as Visa and Master Card prohibit 
storing sensitive data, yet these contracts often aren't 
enforced and the data ends up being compromised. Some states 
such as Minnesota recently have enacted tougher standards to 
hold those responsible accountable. We believe any federal data 
security bill needs to do the same.
    In conclusion, NAFCU believes that the most effective way 
to address the growing number of data breaches is to create 
a comprehensive regulatory scheme for those entities that 
currently have none. NAFCU believes that a safe harbor for 
financial institutions already in compliance with Gramm-Leach-
Bliley should be included in any data security bill.
    Finally, financial institutions, merchants, retailers, data 
brokers, and any other party that holds customer information 
should be held financially accountable if it is responsible for 
a data breach. I thank you for this opportunity to appear and I 
would welcome your questions.
     [The prepared statement of John Milazzo may be found in 
the Appendix on page 32.]

    Chairwoman Bean. Thank you for your testimony.
    We're going to hold questions until we've heard all who are 
testifying today.
    Next up is Mr. Mark MacCarthy who is Senior Vice President 
for Public Policy of Visa U.S.A. The Visa payment system is the 
largest consumer payment system in the world. Prior to joining 
Visa, Mr. MacCarthy was a principal and senior director with 
the Wexler Group. From 1981 to 1988 he was a professional staff 
member of the House Committee on Energy and Commerce.
    Please proceed and thank you for being here.

  STATEMENT OF MARK MACCARTHY, SENIOR VICE PRESIDENT, PUBLIC 
                   POLICY, VISA U.S.A., INC.

    Mr. MacCarthy. Thank you, Chairwoman Bean, and Ranking 
Member Heller and Members of the Subcommittee. I'm Senior Vice 
President for Public Policy as the Chairwoman Bean noted. Visa 
commends the Subcommittee for holding this hearing. It's an 
important topic, especially focusing on small businesses and 
I'm pleased to be able to talk about it today.
    Madam Chairwoman, for Visa, cardholder security is about 
trust. Our goal is to protect the consumers, the merchants, the 
banks, the credit unions and other financial institutions that 
are part of the Visa system by preventing fraud from taking 
place in the first place.
    Our card security system starts with our zero liability 
policy which ensures that card holders are not liable for 
unauthorized use of their cards. And because we have that 
liability allocation, that creates a financial incentive for us 
to practice good security and to encourage our members and 
people associated with the Visa system to practice good 
security.
    Because the card holders don't pay the costs of a data 
breach, the member financial institutions within the Visa 
system have to pay these costs. And as John has noted, these 
costs are substantial. They include the fraud losses 
themselves. They include the monitoring costs, the reissuance 
costs, the reputational risks which are intangible, but are 
nevertheless real. Visa aggressively protects card holder data 
in order to protect our members from these financial costs.
    We employ a multi-faceted approach to combat fraud. Visa 
has implemented a comprehensive and aggressive information 
security program. We call it the Cardholder Information and 
Security Program or CISP. This program was pioneered by Visa. 
It applies to all entities that store, process, or transmit 
Visa cardholder data including merchants, retailers and 
processors. And this program includes three elements. It's got 
the data security standards themselves. It's got compliance 
verification. As you're aware, companies have to demonstrate to 
us that they're in compliance. And there are sanctions for 
failure to comply with the standards.
    In 2005, we issued penalties associated with failure to 
comply with this. It was $3.4 million in fines. In 2006, our 
fines went up to $4.6 million. So we're taking aggressive 
efforts to enforce the standards that we've got in place. This 
was the gold standard for data security. It's been widely 
imitated and thought of as a model for other industries. And it's 
the basis for the common set of industry-wide data security 
requirements which is now known as the Payment Card Industry 
Data Security Standard.
    Visa has also led the industry in providing sophisticated 
neural networks that flag unusual spending patterns. These 
neural networks enable our member banks to block a suspected 
transaction even before the fraud has taken place. We've also 
put in place a cost recovery program that enables our members 
to resolve disputes related to account compromises. Visa 
pioneered a number of other security measures designed to 
detect and prevent fraud. We have an Address Verification 
Service that matches address and other information to confirm 
that a transaction is valid. All of the transactions processed 
through the Visa system are checked against an exception file. 
This is the file of world-wide accounts of lost or stolen 
cards.
    Other security measures have to do with special security 
codes on our cards. The Cardholder Verification Value, it's 
called CVV, is a three-digit code. It's included in the 
magnetic stripe on the card. You can't see this code on the 
card itself, but it's checked electronically at the time of a 
transaction to ensure that a valid card is present. The CVV2 
code is also a special three-digit security code. It's printed 
on the signature stripe on the back of the Visa card. On-line 
or telephone merchants can verify that their customers have the 
actual card by requesting this security code.
    For on-line transactions, we have Verified by Visa which 
allows on-line merchants to verify that their cardholders are 
the people that they say they are at the time of an on-line 
transaction. And last, we have an Advanced Authorization 
Service that provides an instantaneous analysis for the 
potential for fraud at the very time of the transaction. As a 
result of these strong security measures, fraud within the Visa 
system is extremely low. It's about 5 to 6 cents for every $100 
of transactions.
    We also have a security program that's designed to address 
the special needs of small businesses. Small businesses account 
for the vast majority of the six million merchants that accept 
Visa cards in the United States. To promote sound security 
practices for small businesses, we've done a variety of things. 
We've conducted numerous webinars, conference calls, and other 
training programs that are targeted at small merchants. We have 
published a number of security alerts and articles to notify 
banks and merchants of the latest security vulnerabilities.
    In addition, Visa and the U.S. Chamber of Commerce recently 
conducted a 12-city nationwide data security education campaign 
to involve both the payments industry and merchants, including 
small merchants, in the fight to protect cardholder information.
    Madam Chairwoman, on legislation, Visa favors reasonable 
risk-based security and notification requirements that apply to 
all entities that have sensitive information. These standards 
should be flexible to permit an entity to consider its size and 
complexity as well as the nature and scope of its activities. 
We also believe that standards should be consistent nationwide 
to avoid a clash of conflicting state laws. We favor stronger 
penalties for identity theft and additional resources for law 
enforcement to combat identity theft, and we agree with John of 
NAFCU that the Gramm-Leach-Bliley security rules should 
continue to be applicable to financial institutions, but should 
continue to be enforced by the federal financial regulators.
    Thank you for this opportunity to testify. I would be happy 
to answer any questions.
    [The prepared statement of Mr. MacCarthy may be found in 
the Appendix on page 44.]

    Chairwoman Bean. Thank you for your testimony. We will come 
back to you with questions.
    Our next testimony comes from Mr. Mallory Duncan, Senior 
Vice President, General Counsel for the National Retail 
Federation. He is responsible for coordinating strategic 
legislative and regulatory initiatives. NRF is the world's 
largest retail trade association with membership that comprises 
all retail formats and channels of distribution. Prior to 
joining NRF, Duncan served as corporate counsel in the 
Washington office of J.C. Penney's and was attorney advisor in 
the Office of Policy Planning at the Federal Trade Commission. 
Welcome and please proceed.

STATEMENT OF MALLORY DUNCAN, SENIOR VICE PRESIDENT AND GENERAL 
              COUNSEL, NATIONAL RETAIL FEDERATION

    Mr. Duncan. Thank you, Madam Chair, Ranking Member Heller, 
and Members of the Committee. NRF membership includes retailers 
of all sizes, as you've mentioned. My focus today, however, is 
on our smaller members. All of us are concerned by the growth 
of high-tech scams that use data about individuals to commit 
financial fraud. Breaches have ranged from the mistaken sale of 
thousands of files full of sensitive personal information by 
brokers to criminals posing as legitimate businesses, the loss 
of encrypted bank account data-tapes from the cargo hold of an 
airplane, to criminals attacking and hacking into retailers' 
computer systems in order to steal card numbers.
    While each of these high-profile events was disclosed to 
the public as a data breach, they involve a broad spectrum of 
nonpublic information, from the most sensitive to the least. 
Each poses a different level of risk to consumers and to 
businesses. The most sensitive information, such as Social 
Security Numbers, driver's license numbers, and dates of birth 
are elements that if combined with names, addresses, and other 
identifying information, can lead to real cases of identity 
theft, that is, the opening of new accounts of which a consumer 
is completely unaware.
    These types of crimes, such as the Ranking Member just 
referenced, are difficult for consumers to clear up and in some 
cases can bring significant financial distress. They also tend 
to result in the greatest loss for businesses that are duped by 
these thieves.
    The breach of other types of information, such as the 
misuse of card numbers, typically results in account fraud. This 
is the misuse of an existing account. In that case, the 
consumer is likely to learn of any fraudulent charges quickly, 
either by being alerted by their financial institutions, as Mr. 
MacCarthy just mentioned, or through their own monthly account 
review. Further, Congress has generally ensured that consumers can 
erase bad charges or withdrawals by calling their bank or card 
company.
    This distinction between true identity theft and card fraud 
is very important. Not only are the intrusions different, but 
the remedies that apply to one can make little sense when 
applied to the other. So my point number one is that data 
breach laws need to be carefully targeted. To date, most 
legislators have recognized that the public concern is not with 
one off thefts that result in the loss of a few files. Rather, 
it is the massive intentional hacks by criminals seeking tens 
of thousands of data files at a time that has driven this 
issue.
    For the data thieves, this literally is a numbers game. 
They go where it's efficient to gather the greatest amount of 
useful electronic information. Fortunately, most small 
businesses do not store the large caches of sensitive 
information that can cause the most harm. Any law should be 
sensitive to this distinction.
    Second, the proposal by some to extend data-breach 
notification to paper is an area of particular sensitivity for 
small businesses, and should be for all businesses, because of 
the variety of paper records required to be kept for day-to-day 
operations. Indeed, some are required by federal mandate.
    But small businesses in particular tend to keep forms on 
paper. While it is conceivable that someone might steal 
hundreds of thousands of paper identity records, experience and 
common sense indicate that is not nearly as likely as a 
computer breach, where such a massive loss can happen at the 
click of a mouse. Paper breaches are more likely to be a one-
off crime, and while not diminishing their impact on any single 
identity theft victim, they certainly do not require the same 
federal mandate to act as do cases involving thousands or even 
millions of consumers.
    Fortunately, businesses and consumers have had a longer 
history of dealing with paper records than they have with 
electronic data files. Imposing a new regulatory scheme on top 
of existing practices would add potentially great cost for very 
little real benefit. Tellingly, of the 35 states that have 
considered and adopted data breach statutes, only two have 
included paper. Congress would be wise not to turn a focused 
bill into an unchecked regulatory burden by expanding its reach 
far beyond the electronic data breaches that have prompted it.
    Even given that, 35 differing state laws is a lot. Frankly, 
a uniform national breach standard with a strong preemption is 
the best way to ensure that all consumers are treated fairly and 
equally when it comes to notification. Preemption would also 
lessen the compliance burden for all businesses and allow for 
one clear notice to be given to all affected customers.
    Finally, and here I must disagree with my fellow panelist, 
Mr. Milazzo, and would be happy to go into this in the 
question and answer period. Congress should proceed with 
caution. It is asked to allocate costs and blame in a credit 
card breach situation. The card associations' current system, 
while far from perfect for merchants and banks alike, attempts 
to balance the equities between all of the parties involved in 
a complex credit card transaction. Any interference by Congress 
could easily skew the cost of security for the card system 
disproportionately to some participants and leave issuing banks 
little responsibility for the ultimate security of their 
customers' cards.
    Thank you for this opportunity to speak today and I will be 
happy to answer questions.
    [The prepared statement of Mallory Duncan may be found in 
the Appendix on page 51.]

    Chairwoman Bean. Thank you, Mr. Duncan.
    Our next testimony comes from Roger Cochetti, who is the 
group director of U.S. Public Policy for the Computing 
Technology Industry Association. Before coming to CompTIA, 
Roger was senior vice president for policy at VeriSign and a 
program director for policy with IBM. We welcome Mr. Cochetti's 
11-year-old son, Emmet, in the audience today, who I understand 
is attending his first congressional hearing and will be 
reporting back to his teacher on what he thought of it.
    CompTIA has more than 22,000 member companies in over 100 
countries around the world, serves as the voice of the world's 
1 trillion plus IT industries, specifically all the VARs around 
the country and is based in Chicago, in my State of Illinois. 
Welcome.

  STATEMENT OF ROGER COCHETTI, GROUP DIRECTOR OF U.S. PUBLIC 
                        POLICY, CompTIA

    Mr. Cochetti. Thank you very much, Madam Chair, and Ranking 
Member Heller, Members of the Subcommittee. My name is Roger 
Cochetti and I am group director of U.S. Public Policy for the 
Computing Technology Industry Association, CompTIA. I am here 
today on behalf of our 20,000 member companies. Madam Chair, I 
want to thank you and the Members of your Subcommittee for 
holding this important hearing on the state of small business 
data security, and I ask that my full written testimony be 
submitted for the hearing record.
    We believe that your efforts to focus public attention on 
the factors that affect data security and small business will 
help American small business more ably address data and related 
IT security issues. Madam Chair, the Computer Technology 
Industry Association is the nation's oldest and largest trade 
association representing the information technology, or IT 
industry. While we represent every major segment of the IT 
industry, nearly 75 percent of our members are small IT 
businesses who provide integrated computer systems to American 
small business.
    The IT needs of American small business are mainly 
addressed by an important segment of the computer industry 
called value-added resellers, or VARs. VARs create and 
maintain, for example, the computer system in your dentist's 
office, the on-line store in which you shop on the Internet, 
and for your local plumber. VARs are on the front line of 
America's defense against IT security threats. An estimated 
32,000 American VARs buy and resell about one-third of all 
computer hardware and software in the United States today, 
mostly to small businesses.
    Also Madam Chair, for most people who work in the computer 
technology industry, CompTIA is well-known for its non-policy 
related services to the entire IT industry. Non-technical 
standards, industry education, and particularly relevant to 
this hearing, professional IT certifications. Some of the 
services that we offer that are relevant to this hearing 
include we have developed and managed the industry's standard 
basic professional certification for cyber security, which we 
call Security+. While almost one million American technology 
workers today hold some type of professional certification from 
CompTIA, around 35,000 hold this Security+ certification.
    Over the past year, we have launched educational programs 
for thousands of our members on the technical implications of 
Gramm-Leach-Bliley and HIPAA regulations for small businesses. 
And in doing so have introduced the technical issues of data 
security to much of the small business segment. In 2005, we 
began a series of conferences for VARs, and through them, the 
small businesses that they serve on cyber security. These 
programs uniquely deal with small business technical issues 
addressing issues of IT security, cyber security, and data 
security.
    Beginning in 2002, CompTIA has commissioned a major annual 
survey on IT security. While this annual survey collects 
information about all sectors of the economy, about half of the 
participants are from small businesses, making it the 
country's best barometer of small business IT security 
developments. The principal findings of the most recent CompTIA 
IT security survey are that the IT security issues of small 
businesses are serious and that the principal cause of IT 
security breaches is human error.
    Among the key findings of this year's CompTIA IT security 
survey are nearly 34 percent of all businesses experienced an 
IT security breach within the last year. While that number has 
declined from 2005, the survey found a higher level of severity 
in the breaches that have occurred. Over 32 percent of all 
businesses reported either successful or attempted data thefts, 
almost double the number from 2004. And 61 percent of small 
businesses do not have written IT security policy in place, 
although a written policy without IT awareness and training 
doesn't amount to much.
    Eighty-one percent of all participants in the survey 
believe that major IT security breaches can be reduced as a 
result of IT security training and certification. Seventy-four 
percent of all IT security breaches were the result of human 
error, either alone or in combination with a technical 
malfunction. Among human errors, employee failure to follow 
security procedures was a factor that was most often cited.
    In conclusion, Madam Chair, encouraging proper IT security 
training and certification of all relevant employees of small 
businesses is the single most important step that this 
Subcommittee could take to promote data security among small 
businesses. An example of an important way to accomplish this 
goal is the Technology Retraining and Investment Now Act for 
the 21st Century, H.R. 244, which embodies principles that we 
have supported for some time. TRAIN would provide a federal tax 
credit to organizations and individuals for increasing their IT 
training.
    More importantly, Madam Chair, it is clear to anyone 
familiar with American small businesses that VARs must play a 
central role in any effort to reach out to small business in 
the areas of data security and cyber security. We believe that 
what is most needed is a government industry partnership to 
address small business IT security issues that takes advantage 
of the unique perspective of thousands of VARs in small 
businesses themselves. In this regard, Madam Chair, last year 
we called on this Committee and the Small Business 
Administration to create a public/private task force that would 
work to identify and address the IT security issues of small 
business.
    Such a task force could include VARs, small businesses, 
representatives from SBA, DHS, Department of Justice, experts 
and providers of IT security tools. It would identify specific 
small business IT security issues and make recommendations. 
Similarly, Madam Chair, we've called on the Committee and the 
Department of Homeland Security and the Small Business 
Administration to undertake a comprehensive outreach effort on 
data security and cyber security specifically for small 
business. Using the nation's VARs as a key link in cyber 
security business education, we as an association and our 
members stand ready to cooperate with such an outreach effort. 
We renew both of these recommendations today.
    Madam Chair, thank you again for conducting these important 
hearings. I'll be happy to answer any questions.
    [The prepared statement of Roger Cochetti may be found in 
the Appendix on page 66.]

    Chairwoman Bean. Thank you for your testimony.
    Final testimony is from Steve DelBianco, serving as vice 
president for public policy of the Association for Competitive 
Technology. ACT is an international grass-roots advocacy 
and education organization representing more than 3,000 small 
and mid-sized information technology firms from around the 
world. Before joining ACT, Steve was president of Financial 
Dynamics, an IT consulting firm. Thank you for being here.

STATEMENT OF STEVE DelBIANCO, VICE PRESIDENT FOR PUBLIC POLICY, 
             ASSOCIATION FOR COMPETITIVE TECHNOLOGY

    Mr. DelBianco. Good morning, Chairman Bean, Ranking Member 
Heller, Members of the Committee. I'd like to thank the chair 
for being a real friend to the IT and tech community and for 
holding a hearing on the impact of data security threats and the 
threats of data security regulation on small businesses.
    As you indicated, ACT represents thousands of tech and e-
commerce businesses, many of whom handle sensitive data for 
customer billing and for payroll records. And as you indicated, 
I'm here after making my own small business odyssey out there in 
the real world. I started that IT consulting firm back in '84. 
Grew it to $20 million and 200 employees. And then sold it 
before moving to help found ACT. So I'm a small business 
survivor in front of you today.
    Last night, I took my boys, my two boys to the Nationals 
game at RFK and the Nationals attempted a valiant comeback from 
being five runs down, only to come up one run short because the 
umpire completely blew a call at home plate.
    And my boys were very upset. They were whining about the 
umpire. And I stopped and reminded them, wait a minute. There's 
no crying in baseball. And the same is true with running a 
small business, I can tell you. You take what the world gives 
you every day. Make the best of it. You try to survive to fight 
the next day.
    There's no crying in small business either. So I'm not here 
to whine. But since you asked. For the small business 
perspective on data security let me just share three insights 
and three suggestions.
    Insight number one, it takes a thief to commit identity 
theft and card fraud. We seem to have lost sight of this 
sometimes. It's not a crime if a laptop is left at the airport or 
an employee walks off with my customer file. Crime happens when 
someone uses your card to run up charges or uses a new account 
in your name. So law enforcement will be a key element of any 
data security effort we undertake.
    So insight number two, that ID theft has multiple victims. 
We know about the consumers, retailers, and lenders, credit 
unions, but there's also the business and institution who has 
been hacked or lost the data. Together, those victims have 
spent $55 billion on ID theft and card fraud in 2005, according 
to the Rubin & Lenard study.
    And what I would like you to remember is that ten times as 
much of those costs were incurred by businesses, as by the 
consumers themselves. In other words, 50 of the 55 billion. So 
let's be careful not to create more victims by piling 
unworkable regulatory burdens on small business.
    Insight number three, new costs as the chair indicated, are 
for security disproportionately impact small budgets. You've 
all heard that before, but there are those more subtle ways 
that small businesses are more vulnerable. An owner's attention 
is stretched incredibly thin and I was always too busy fighting 
fires to spend any time trying to prevent them. It's just the 
way of life of the small business. And as you indicated, it's 
very rare for small business to have the expertise in-house to 
solicit, manage, and understand what consultants are telling us 
when it came to complex IT issues.
    This makes compliance incredibly expensive for small 
business. That's a lesson we've all learned with the Sarbanes-
Oxley implementation which affected notably businesses that are 
still much larger than the small businesses affected here.
    I'm not quite as convinced as my fellow panelists that we 
absolutely need new data protection regulation to make small 
business care about data security or that new regulation would 
actually put a big dent in identity theft. But I'm a realist 
and regulation is coming. You can feel the momentum building 
and there's good reasons for it. Consumers, for instance, will 
be better able to protect themselves when they receive a notice 
of a data breach, provided that the notice is based on a real 
risk that ID theft may occur.
    And second, as you heard, 35 states have now created a 
patchwork of notice laws and we need to replace that with the 
single national standard.
    So if you do create a national standard data security law, 
I have just three suggestions from the small business 
perspective. Suggestion number one, we need broad and deep 
preemption of state laws. Gramm-Leach-Bliley preemption gives 
the states a floor, but no ceiling, therefore allowing the 
states to preserve a patchwork of state laws and even add 
particularly onerous state laws such as the strict liability 
standard that Mr. Milazzo spoke of. I believe the strict 
liability standard to reimburse costs incurred by banks and 
credit unions, even where the company that lost the data was 
not negligent at all in the way in which the data was lost.
    The industry, the credit card industry and retailers have 
worked together for 20 years to build a phenomenally commerce 
industry through contracts in cooperation, in sharing of costs 
and the sharing of burdens. Legislation is not the way to 
interfere with an ecosystem that has worked so well for e-
commerce and credit card transactions.
    Suggestion number two, it's a great idea to add incentives 
to the business will make that maybe lost or stolen data can't 
be used when the bad guys get their hands on it. That is to say 
encryption standards. So encryption software is what most of us 
use today, but legislation should not lock in today's 
technology only. So please, make any incentives for encryption 
broad enough to include tomorrow's data protection 
technologies.
    Third and final suggestion, if you're going to extend the 
data safeguard rules, as distinct from notice, data safeguard 
rules to millions of small businesses that are not currently 
regulated. Please don't assume that a small business will ever 
be able to meet the current GLB data safeguards standards. 
Prior data security bills in Congress, would have covered, 
``anyone handling personal information for interstate 
commerce.'' That is literally anyone who accepts anything other 
than cash for a sale. So it's true that flexibility is way 
better than prescriptive standards, but flexible can still be 
very hard and expensive for a small business. A small business 
really doesn't know where they are in terms of risk and they 
always have a tough time figuring out where they need to end 
up.
    The PCI standards that Mark spoke of, for instance, are 
about 176 individual items of security compliance. That's a 
dizzying array for a small business to understand how to 
implement. Small businesses need road maps, road maps to get 
from where we are, to where we need to be to adhere to a 
standard. Regulators, I would encourage, should evaluate the 
best practices industries are using, including PCI, a great start, 
and figure out where it meets the standard, and then let the 
eco-system of IT companies, Roger's members in mind.
    So in closing, just please remember that there are 
criminals behind ID theft and the small business is one of the 
victims, not the villain along with the consumers and others at 
the table. And please don't force small business to implement 
brand new data safeguard standards until there are approved 
roadmaps to help small business get there.
    Thank you.
    [The prepared statement of Steve DelBianco may be found in 
the Appendix on page 76.]

    Chairwoman Bean. Thank you for your testimony.
    Thank you all for your expertise and your perspective from 
your varying industries and from your members.
    My first question is for Mr. MacCarthy. You talked about 
the Visa payment system and the Cardholder Information Security 
Program which aims to secure cardholder data, wherever that 
resides. I'd like to know a little bit more about how you 
implement that and what resources you provide to assist small 
businesses with complying with those standards and I want to 
give you an example of a couple of things I ran into just this 
weekend and see if they would sort of be covered in what you 
seek to set as your standards.
    This weekend, my eighth-grader graduated and so I had a 
party in the back yard and called a rental company I've worked 
with in the past to set up a tent in the backyard and some 
tables and chairs and they're great to work with and they said 
we're all set up. I said let me give you my Visa number. They 
said ``that's okay, I've got it right here in the system from 
when you did your party two years ago for your other 
daughter.'' I'm wondering if that kind of thing would be 
covered.
    Then I took my oldest daughter, who is going to be a junior 
and we were going through some college brochures from College 
Night at the school recently. We went out to dinner to one of 
our favorite restaurants and when I signed my credit card, it 
wasn't just the four numbers on the credit card on the 
signature, it was the entire credit card number.
    These are two local businesses that get a good amount of 
business. Do a great job for our community, but I'm just 
wondering as I saw both of those things as flags this weekend, 
how prevalent that is and to what degree you're seeing some of 
your standards curb those activities.
    Mr. MacCarthy. Let me address the two specifics first, so 
that we can then go on to more general enforcement for small 
businesses and large businesses in general. On the example of 
the guy getting the card and he had your information from a 
year before, that's a perfectly legitimate business practice. 
Small businesses, large businesses often have a reason to 
retain cardholder information. Retaining the card number for 
purposes of customer service, for purposes of charge backs or 
problems associated with the transaction later on, that's a 
perfectly legitimate use of the cardholder information and Visa 
rules do not prohibit that.
    Nevertheless, if they do save that information, they are 
required to keep it safe and secure, but it is not a piece of 
information that they should be prohibited from retaining.
    On the other hand, those security codes that I mentioned in 
my testimony, the CVV 1 and 2, those are the kinds of codes 
which if they're retained in a computer system and that 
computer system is then hacked, the person who gets that 
information can then go on the Internet and resell the 
information. That can create the possibility that a counterfeit 
card can be made. Without those security codes, the counterfeit 
card cannot be made. And so the risks of a card being 
manufactured and used for fraudulent transactions at a large 
number of other merchants is significantly lower.
    So we have a rule that says do not save the security codes. 
There's no business reason to do that. There's no customer 
service involved in retaining that code. There's no 
verification or authorization that you need in order to save 
that code. Don't save the code.
    So what your vendor did in that kind of circumstance as far 
as I can tell was perfectly legitimate in saving the number. 
May or may not, if he saved also the security code, that could 
have created a problem. We have no way of knowing that just by 
the description that you gave.
    The truncation problem, there's a federal law, Visa was 
heavily involved in working with Congress with Senator 
Feinstein, with Members of the Financial Services Committee in 
putting in place a requirement in federal law that says that on 
the customer receipt the only thing that should appear is the 
last four digits of the card account number. And that's 
designed to create difficulty for the dumpster divers who might 
go in and find a receipt later on.
    That's been in effect for a couple of years. There was a 
transition period of time to allow small businesses and others 
to upgrade the systems to come into compliance. That transition 
period has passed. And those--they should be in place already. 
It's the kind of thing where the FTC is beginning to look more 
carefully at enforcement mechanisms. There have been a number 
of lawsuits filed in the area to try to create more incentive 
for the small businesses and others to come into compliance 
with that. But it is a matter of federal law that you come into 
compliance with that truncation requirement.
    More generally, we have found that the major problem in the 
payment card world with respect to data security comes not from 
small businesses, not from the six million or so small 
businesses that we think of as Level 4 merchants, of a small 
number of transactions. The major problem comes from the larger 
merchants. Almost the vast majority of the card accounts that 
are compromised come from large merchants and we have an 
incentive program to move them forward into compliance.
    I'm happy to report that in the last several years, 
following the ChoicePoint incidents and the CSSI incidents, DSW 
and BJ's, the perception has grown among the merchant and 
retailer community and the processor community that it's 
important to practice good security.
    Our compliance rates have gone up dramatically. And that 
key area of saving the security code, we now have among the 
larger merchants, 93 percent compliance and the remaining 7 
percent are subject to monthly fines so we expect them to be 
coming into compliance with that requirement very soon.
    For the more general of security rules, the whole PCI 
standard is such between 85 and 90 percent of our larger 
merchants have either given us a report that indicates that 
they're in compliance or have given us a report that indicates 
how they will come into compliance, a remediation plan for 
moving forward in that area. So the news is good. We still have 
to aggressively enforce our requirements and intend to do 
so, going into the future.
    Chairwoman Bean. Thank you. I have some other questions, but 
I'd first like to yield to Ranking Member Heller for some 
questions.
    Mr. Heller. Thank you, Madam Chairwoman. I want to go to Mr. 
MacCarthy also. I have a Visa debit card.
    Mr. MacCarthy. Thank you. Use it well.
    (Laughter.)
    Mr. Heller. It was put on hold last week during the 
recess. It was put on hold and I actually thank the gentleman on 
the other end of the line because a transaction was made in 
Washington, D.C., San Francisco, and Reno, Nevada in one day. 
And for that reason, when I went to fill up a tank of gasoline 
the card was rejected and we worked it out, but tell me more 
about that process. And what you guys do to protect the 
consumer under similar circumstances.
    Mr. MacCarthy. I can't speak to the exact facts of the case, 
but it sounds to me since you have the card, it sounds to me 
what happened is likely there was a data breach somewhere and 
the card information was improperly stored and a counterfeit 
card, maybe more than one counterfeit card was created based 
upon that stolen information. And then the fraudsters went 
through a number of locations and committed--
    Mr. Heller. By the way, I made all those transactions.
    Mr. MacCarthy. Pardon?
    Mr. Heller. I made all of those transactions. The transaction 
in Washington, San Francisco and Reno were made by me.
    Mr. MacCarthy. Okay.
    Mr. Heller. Just so you know, there wasn't misuse of the 
card.
    Mr. MacCarthy. I misunderstood. So the--what looked as 
though happened is that the neural network that I described in 
my testimony, looked at that pattern of transactions and said 
to you, that doesn't look like something you would normally do. 
That's out of character. It looks to us like exactly what I 
just described, a series of transactions that were committed by 
a fraudster. So to protect you and to protect themselves from 
the fraud losses, they put a stop on the card until they could 
talk to you directly and say are these transactions that you 
were involved in? And if you said oh yeah, I did that, then 
they know the problem is not a real problem. If, on the other 
hand you said no, no. I didn't do any of that stuff, then they 
know they've got a counterfeit fraud problem on their hands and 
they would have to re-issue the card.
    Mr. Heller. Explain again your Zero Liability policy.
    Mr. MacCarthy. That's a policy that we put in place to 
supplement the federal rules that exist in this area for credit 
cards and for debit cards. There's limitations on liability for 
credit cards. No more than $50 of fraudulent transactions can 
be charged to the cardholder. Visa and the other card companies 
in the last five, to six years, decided to move that policy to 
zero. And what it means is that if there is fraudulent 
transactions on your account, if your card has been lost or 
stolen or it's been the subject of a counterfeit and the 
transactions were made, but not by you, you are not responsible 
for any of the losses associated with that. So in that context 
that I just described, if you said I didn't do that, these are 
not my transactions, they would immediately expunge those debts 
from your record and you would not be responsible for paying.
    Mr. Heller. Who is responsible for those?
    Mr. MacCarthy. As I said in my testimony, in the first 
instance, the entity that's responsible for those fraud losses 
are the financial institutions that issue you the card. So 
John's members would be in the first instance responsible for 
those fraud losses.
    And that gives us a full reason to move ahead with 
providing good information security programs because our member 
banks bear the fraud loss. For example, if the card had been 
used at Circuit City to buy some electronic equipment, it's a 
fraudulent transaction. The merchant though didn't do anything 
wrong. So they typically get paid in that context, right? So 
they get their money. The cardholder is protected. He doesn't 
have to pay anything because it wasn't his transaction. So the 
entity that gets stuck paying the bill is the financial 
institution that issued the card, John's members.
    That's why we really have to step up to do something to fix 
this kind of problem.
    Mr. Heller. I was wondering if the burden was more on the 
merchant as it was the financial institution. It is the 
financial institution.
    Mr. MacCarthy. Yes.
    Mr. Heller. Mr. Duncan?
    Mr. Duncan. May I say a little bit to that? Mark is correct. 
The initial burden is on the financial institution. But I 
included in your package a chart that shows the system works. 
It's this. And these are the rules and regulations, Visa, 
Mastercard at the top of it, the issuing banks like the credit 
union and there are other merchant banks who actually have a 
contract with the individual merchants.
    If it turns out in this case, now within this system, there 
will be reimbursement paid for cost of issuing the cards, 
whatever else. It was a fraud. To the credit union. But if it 
turns out there was a breach say in--to use the example, TJX. 
TJX also had a merchant bank. Ultimately what happens is that 
the merchant bank goes back after reimbursing the credit unions 
and others. It goes back to TJX, outside the system and says 
TJX, you have to pay us. So the initial payment is made within 
the system so that ultimately if there's a fraud, it goes back 
to the retailer outside. And that's actually one of the reasons 
why if--this is such a complicated system. You want to be very 
careful before you start reallocating what's going on. We 
frankly think the folks in Minnesota have made a mistake 
because they didn't understand how this system worked when they 
went ahead and reallocated.
    Mr. Heller. Thank you very much. Madam Chairwoman, so you 
know I have a markup in a Resource Committee. I appreciate your 
time and energy. I want to thank all the witnesses. Congressman 
Jordan will take my place as we move forward.
    Chairwoman Bean. I recognize Mr. Jordan for five minutes. He 
has some questions.
    Mr. Jordan. Thank you, Madam Chair. What percentage of sales 
today are credit card versus cash or check? Any idea of the 
percentage?
    Mr. Duncan. It varies with the type of merchant. Obviously, 
if you're talking on-line merchants, it's virtually 100 
percent.
    Mr. Jordan. Right.
    Mr. Duncan. If you're talking in a grocery store, I think 
the last numbers I saw were approaching 55 percent of 
transactions are on plastic. More traditional department 
stores, it might even be higher than that.
    So it's the majority of purchases. Now there are other 
areas, for example, in fast food industry which has 
traditionally been a cash business where the number might be 
closer to 15 percent.
    Mr. Jordan. According to the Federal Reserve over half of 
all retail transactions are electronic in form. In the Visa 
system, over 60 percent of our transactions are with debit 
cards and over 50 percent of the dollar volume is with debit 
cards, not with credit cards.
    Mr. Jordan. Let me go to, and I apologize I didn't catch 
everyone's testimony earlier, but Mr. DelBianco, you had 
mentioned in your testimony, I think this is a quote, 
``roadmaps not regulation'' is what you would advocate. Seems 
to make sense to me. As much as we possibly can let the 
marketplace drive what has to happen on data security.
    Because if a company or anybody is having some problems 
that's not good for business. They get an incentive to do it 
right. Walk me through what you mean exactly by the roadmaps 
versus some of the regulation that may be proposed?
    Mr. DelBianco. Thank you, Congressman. I'll draw a 
distinction. The way the GLB, Gramm-Leach-Bliley data 
safeguards rule was implemented has turned out to create a very 
flexible way of addressing through an audit risk assessments 
and then handling. It's in the final appendix of my testimony 
and then various industries will then take that on. For 
instance, Mark's industry, the payment card industry took that 
on and they had currently said here's how we think banks should 
implement or merchants should implement GLB compliant data 
safeguards. And again, this has nothing to do with notification 
of breach. It's just the data safeguards rules that are put 
into place.
    So what Mark considers to be a roadmap is a 12 page, 176 
individual items that is very daunting as Mark will acknowledge 
for small businesses to implement, for small merchants to 
implement. So the small merchant looks at that and says there 
are a myriad, an infinite number of ways to actually satisfy 
that standard. What we need are more implementable ways to say 
here's a plan to implement it, if you've got a website that 
does e-commerce. You can very strictly say, website is doing e-
commerce, capturing credit cards for single time billing. 
Here's the roadmap to be compliant with whatever data safeguard 
you issue.
    So it's not just the vendor telling our small business 
here's what I think you ought to do and it may be compliant. 
The vendor would say look, here's the roadmap. This has been 
approved by the regulatory authority, so you can follow it. 
There might be a different roadmap though. Some of my employees 
use laptop computers and travel with them. And there's customer 
data on the laptop. A different set of roadmaps for that on how 
I secure and encrypt that information.
    And finally, let's suppose I've got some work at home moms 
doing tech support for me on my small tech firm and we did. 
Well, they're working at home on the Internet on their own 
computers. Well, there may be a separate set of roadmap rules 
for how do I secure information that shows up on their 
machines. These are simple implementable steps that we would 
welcome and actually there would be central for small 
businesses to be able to afford implementation.
    Mr. Jordan. Good. Thank you. Thank you, Madam Chair.
    Chairwoman Bean. Thank you. I wanted to follow up with Mr. 
Duncan. You talked about how the merchants are required to 
comply with the various standards. Can you tell me how that's 
working for the merchants' perspective. Are they finding it 
easy to comply? Is it very challenging for them? Can you give 
me some examples?
    Mr. Duncan. Are you referring to the current notification 
standards within the states?
    Chairwoman Bean. Also from the payment card industry as 
well.
    Mr. Duncan. That has been and I think Mark and I wanted to 
raise this, it's been challenging. This was a relatively new 
proposal that's come up in response to a real need, the fact 
that there are bad guys out there who are trying to break into 
systems. The difficulty for many of the larger merchants is 
that there is no one single way to comply. I think, in fact, 
there are about 221 individual requirements. And many 
merchants, there's some ambiguity as to some of those 
requirements and some of those have actually changed over time. 
Some of them because the payment card industry has gone back 
and looked at them and realized maybe we didn't say this quite 
right, but other times because of the face of new threats. This 
is not bad. It's an evolving entity, but it has been extremely 
challenging. And of course, if your--our primary business is 
trying to bring product into our stores, sell merchandise, make 
customers happy. And if you've got all of these requirements 
you have to look at, as a separate part of your business just 
in order to be able to take payment, and if those are changing, 
and it's costing you millions of dollars each time you're 
making those changes, it can be very challenging. But we are 
trying very hard, as Mark said, to our largest members to get 
into compliance.
    I think you have a very different story when you're talking 
about 
smaller businesses and you have--and the payment card industry 
has recognized that they have to have some variation in their 
standards for the smaller businesses. But even there we have to 
be careful that we don't put on requirements that it's simply 
beyond the capability of a sole proprietorship to handle.
    Chairwoman Bean. Do you have perspective from the state regs 
as well?
    Mr. Duncan. From the state regs, there is a fair amount of 
conflict out there. For example, some states may give you a 
great deal of flexibility to work with law enforcement before 
you make any notice of disclosure. Others don't give that 
flexibility. Well, if you've got customers coming from 
different states which approach do you take and you don't want 
to inadvertently cross over the line. So there are real 
challenges which is why a uniform standard with preemption 
would be desirable.
    Mr. MacCarthy. Madam Chairman, can I jump in on the PCI 
standard issue?
    Chairwoman Bean. Yes, please.
    Mr. MacCarthy. On the question of the large merchants and 
their ability to comply, I think Mallory is right, this was a 
challenge at the beginning and there were some intense 
discussions before we moved ahead. The standard that Visa 
developed was designed for enforceability and testability. It 
was based upon private standard instead of being developed by 
ISO that were sort of general recommendations to do good things 
in this area.
    We took that and made it specific enough so that it could 
actually be tested against so that an outside vendor could come 
in, look at a system that was designed to handle payments and 
say are you in compliance with these rules or not?
    So it's flexible in the sense that it has many different 
ways of complying, but one of those ways of compliance is 
something that could be detected by an outside vendor and as I 
say in my comments before, the large merchants have moved ahead 
very, very effectively in this area.
    The small merchants tend to be less of the problem because 
they have, as Mallory said, less of a honey pot for the thieves 
to go after. So the enforcement there has to be less stringent 
and our validation requirements are tiered to make sure that we 
don't put an unnecessary burden on the companies. Many of the 
small businesses, they have computer systems. And then they 
have the point of sale terminal that connects up to the payment 
system, but they don't link the two. The two are separate 
systems and so there's no storage of information in the 
computer system. When they get to be more sophisticated and 
they want to do more customer service, like your vendor, they 
might link the two systems and store cardholder information in 
their computer systems in a way that could create a security 
problem.
    We have decided to move ahead with recommendations for our 
small businesses and for our large businesses. There are 
payment system applications that do not improperly store data 
in that context. We've listed those on our website. They're 
publicly available. All you have to do is go to the Visa site 
and find it. There's also a list of point of sale applications 
which we do not recommend, which have the flaw in them and we 
know that there is a problem associated with that. And so the 
small businesses and others can go there and say don't use 
those point of sale applications. They will create a problem.
    So we're taking seriously our obligation to provide 
information, guidance and training for small businesses to 
allow them to move ahead. When they move to try to link their 
two systems, they can turn to Visa or to the acquiring bank 
that they work with for guidance on how best to do that.
    Mr. Cochetti. Madam Chair, may I offer one very quick 
comment and that is much of the conversation has been about the 
importance of procedures and this trickle down of procedures. I 
think it is important to keep in mind that the vast majority of 
instances in which data breach occurs, particularly in small 
business, when it does occur, it is not a result of a failure 
of procedures, but it's a result of human error that occurs. 
You can have a merchant or small business owner or larger 
business owner or sort of sign up to procedures and you can 
have the technology tools that the vendors will provide, but if 
you don't have employees who are trained, and comply with them, 
that's where breaches very often occur. So I think the 
Subcommittee would be wise to keep in mind the importance of 
the human element in all of this. Thank you.
    Chairwoman Bean. I'd like to get back to you, Mr. Cochetti, 
and I also want to ask Mr. Milazzo as well, given--I know that 
you have entities across the country that you train with, I 
think you called it your Security+ Program, also have 35 state 
regs to try to comply with makes it difficult to have a 
consistent training program or to adhere to a certain best 
practices model, so I would think that it would serve your 
membership and their customers as well.
    Mr. Cochetti. Yes, I think, Madam Chair, the issue for us is 
probably less sensitive to the compliance questions that the 
retail firms and the credit card issuers have to deal with, 
because they're in the compliance chain. What we do in our 
Security+ certification is basic security tools so that one 
understands how they work.
    For the most part, these have been able to be accommodated 
in the existing patchwork of state standards. However, as the 
patchwork itself grows and varies, it puts enormous stretches 
on the ability to have a standard professional certification. 
So you're absolutely right.
    Thank you.
    Chairwoman Bean. I'd like to address that to Mr. Milazzo and 
for your membership, how challenging is that having 35 
different laws to--
    Mr. Milazzo. It's extremely challenging. Yes, ma'am. We in 
the credit union industry take great lengths to train our 
employees as well to be compliant. We do that internally. In my 
instance, we have an internal training facility that actually 
trains any employee that has contact or have any input in the 
plastic card or payment system on what policies, procedures, 
not only are impacted by our own credit union and its policies, 
but those of the credit card industry itself. We take that very 
seriously and it's a great cost, a great burden to our 
institution, as I'm sure the institutions in our industry.
    I might mention also that there has been a great deal of 
talk about small companies, or small entities and the cost of 
compliance. I might remind you then that in the credit union 
world, many credit unions are very small. Mine is a credit 
union of 300 and roughly $20 million in assets. In the world of 
financial institutions, I'm a small business. The cost, the 
burden to me to comply with GLB is great to me but we take it 
very seriously. We find a way to do that and those tools that 
we don't have internally, we'll find externally. We'll go to 
our associations or we will go to our vendors. We'll go to 
outside resources to make that happen.
    Chairwoman Bean. All right. I would like to open up to the 
panel a question that essentially addresses what we have all 
been talking about on some level, in that small businesses tend 
to lack the infrastructure. They don't have compliance 
departments, sometimes they don't have IT departments even to 
manage their data. What can be done to assist them, not only in 
the training--certainly you are doing some things, Mr. 
Cochetti, through your membership as far as training of 
employees, but in order to develop their security plans? Mr. 
DelBianco?
    Mr. DelBianco. Thank you. I already sort of addressed the 
road map, but in a general sense, Sarbanes-Oxley would be a 
road map on how not to do it, a road map to nowhere. Part of it 
depends on the ecosystem of vendors. Roger's members and mine, 
who actually implement solutions for businesses that you've 
described, that ecosystem typically comes out of the box, 
handling the biggest customers first. Same with Sarbanes-Oxley. 
The big consulting firms took care of the largest businesses 
first for compliance. Those are very expensive contracts, 
because they're large and complex systems, but both the vendors 
and the customers are sort of learning the ropes as to what is 
going to satisfy the congressional mandate.
    So it takes time--years, for those vendors to actually 
figure it out, come up with a cook book, their own road maps of 
implementing systems. They will come up with a road map for an 
ERP system, a road map for an in-house database. And only after 
they have sort of skimmed the cream of the big customers do 
they start to move into the middle tier and the smaller firms. 
So the ecosystem of industry will do a great job implementing 
it, but it cannot do it overnight and it will start at the top 
and work its way down. Therefore you need a graduated series of 
deadlines for implementation that are sensitive to the small 
businesses that will be the last ones that will be looked at. 
If Mark is right, that the vast majority of ID theft and card 
fraud occurs at very, very large institutions, I think it would 
be appropriate to work our way from a top down in terms of risk 
assessments. Thank you.
    Chairwoman Bean. All right. Thank you. Others? Mr. Duncan?
    Mr. Duncan. Yes, as I've suggested in my testimony, we 
really need to focus on where the core of the problem is first 
and it is the thieves who for a minimal amount of work relative 
to the number of names they will get will tend to focus on 
certain sizes and caches of data. Fortunately, small businesses 
aren't the prime opportunity. If there is anything that the 
Committee can do, the Subcommittee can do it, it would be to 
keep an eye out to make certain that some in a zeal to say I'm 
going to fix this problem once and for all, don't end up 
putting burdens on small businesses that are totally 
unrealistic. It's very important.
    Chairwoman Bean. Thank you. I think, Mr. Milazzo, you 
wanted--
    Mr. Milazzo. I guess I would follow by saying that I think 
the real cause, obviously, are all the crooks that are out 
there, they are looking for ways that are taking great strides 
in trying to find the ways to break systems. If they use those 
talents to do something fruitful, there is no telling what they 
could accomplish. I think that the real key to all of this is 
to keep that in mind and to put teeth into the laws that 
prohibit that. Those people that are found and prosecuted ought 
to serve time and ought to do things to make restitution to 
make less attractive those activities to others.
    Chairwoman Bean. Absolutely. It wouldn't be bad if we could 
publicize those penalties as well.
    Mr. MacCarthy. I think just to finish up, we do have small 
business validation dates that are significantly farther into 
the future than for the larger companies for exactly the 
reasons that they described earlier. As we get better and 
better at fixing the problem at the large databases retained by 
large processors and merchants, the crooks are going to say 
where else can I go? They're going to start to go down the 
chain and ultimately they're going to get to the smaller 
businesses. So we're working with the middle-sized businesses 
now and, you know, we're going to be ultimately having to work 
with the small businesses. It's a matter of time before, you 
know, the problem shifts down to that level. I do think we have 
to begin the process now so that we're ahead of the crooks. We 
don't wait for them to discover the new honey pots. I'm saying 
now we've got a rich trove here to create problems for members, 
for other merchants, for customers, and so on. So I think the 
process has to be slow. It has to be gradual, but it has to be 
ongoing.
    Chairwoman Bean. Absolutely. Mr. Cochetti?
    Mr. Cochetti. Just a couple. I did want to emphasize the 
importance that Mr. DelBianco's point earlier of 
differentiating among the different segments. Most of the 
conversation that we've had today has focused on retail 
merchants. Indeed, among small businesses retail merchants are 
important and for data security issues, perhaps the most 
important. But the first differentiation is the vast 
differentiation between large and small. But it is also 
important to keep in mind that among small business, almost 
half of the clients of our members are not retail merchants.
    Chairwoman Bean. They're B2B.
    Mr. Cochetti. Excuse me?
    Chairwoman Bean. They're B2B.
    Mr. Cochetti. Of course. Or, you know, they are attorneys, 
they're real estate agents, they're manicurists, they're the 
enormous variety. Only a quarter of the small businesses in the 
United States today are retail merchants. The other two thirds 
primarily think of themselves--they may use a credit card from 
time to time for billing purposes, but they don't think of 
themselves as retail merchants. So let's differentiate those 
and let's make sure that we understand that when we think about 
road maps, there are really very different road maps that fit 
very different types of small businesses. At the end of the 
day, the people who know this best are the merchants and the IT 
people who work with them because they know exactly what that 
business is. They know exactly what data they store and where 
it is stored. So I think our number one recommendation 
continues to be the importance of an education and outreach 
effort, so that the various segments can sort of among 
themselves begin to figure out, with help from DHS, SBA, and 
everyone else, can begin to figure out what makes sense for 
them. Thank you.
    Chairwoman Bean. I have a final question. Probably for Mr. 
Cochetti, but others may have some comments as well about the 
cost of data security insurance which has become an issue in 
more and more in looking at sort of cyber insurance. Some are 
finding it too costly. Do you have any comments on that?
    For Mr. Cochetti, specifically what IT investments can 
small businesses make maybe as an alternative to that to better 
protect themselves?
    Mr. Cochetti. Madam Chair, we have found over the past few 
years in particular as the issues have been more visible and 
these liability issues have become noteworthy, that there has 
been the development of an insurance service for data breaches. 
It has been difficult for that service to reach down to small 
business, and I think that's one of the issues that our members 
have been trying to work with their customers on as sort of 
what can they do to develop a compliance package that would 
satisfy and ensure that they should qualify for coverage?
    We haven't gotten there yet, but it is an on-going 
activity. I think on the second point, what can be done, I 
think the main tools that one looks to deal with this on the 
part of any small business are sort of at the abstract level 
fairly common. They're procedures. They are technology tools, 
both hardware and principally software and then there is 
training. You know, I think at all three levels we work with 
small business to help them understand what are the best 
practices or what are the tools, what are the procedures that 
fit them. But that varies very much from segment to segment. 
For technology tools, there is a vast array of them available 
in the marketplace. There is no shortage of tools. That's the 
one area where you can say there is no shortage of tools 
available out there and training is the one that usually gets 
the short end of it and the one that we feel needs additional 
support and encouragement from the federal government.
    Chairwoman Bean. Okay, before I get to Mr. DelBianco, I just 
want to comment. I also in my District, we do a lot on identity 
theft and also Internet safety for kids. Being a parent of 
teenage girls, it particularly hits home for me. One of the 
frustrations as a parent and even as we coach people on certain 
things they can do, it requires a level of technical aptitude. 
Even though I come out of high tech, I certainly haven't been 
keeping up in recent years to try to protect your kids from 
cyber criminals.
    I look to the VARs and the integrators that are out there 
and have said to them do any of you have a here's my, you know, 
kid's safe program, if I just buy that, that package, you come 
in, you lock everything up and now it is safe. There really 
isn't that. Partly because of the evolving technology, but 
partly because there hasn't been standards set that these are 
the core things you minimally have to do and different folks 
recommend different solutions.
    So I particularly like what you're talking about here, 
about having a road map, trying to set some at least core best 
practices to try to achieve in the industry.
    I know, Mr. DelBianco, you wanted to add some comments of 
your own?
    Mr. DelBianco. Thank you, Madam Chair. Appendix A to my 
testimony included a simple chart which I called the security 
stack. It's really just meant to imply that there is no silver 
bullet, no one point of vulnerability, but a whole stack. Of 
course, it starts with user habits and human error and goes all 
the way down to networking and support.
    Chairwoman Bean. Physical error, yes.
    Mr. DelBianco. Exactly. But the one place where because you 
asked the question of where would you start, and one place you 
would start is the second layer of the stack called the 
application software. That would take care of the problem that 
Mark MacCarthy brought up. First thing that business would do 
is to encrypt customer account numbers. If they have to store 
them at all, you encrypt them so that if a breach should occur 
through some other layer of the stack, the data itself is not 
subject to abuse. That allows the risk trigger to be pulled and 
the company doesn't have to do notice. The company doesn't have 
to go through the problems, because it's not going to create a 
risk of identity fraud.
    Chairwoman Bean. Thank you.
    Mr. Cochetti. Just if I could briefly say that many of the 
tools that have been developed for industry are applicable to 
consumers in home use. But there's a very substantial effort 
under way which I am happy to say CompTIA is a supporter and 
founder, to develop tools and services for consumers at the 
home level to provide on-line safety for children.
    Mr. MacCarthy. Madame Chairman, can I jump in on the--
    Chairwoman Bean. I'm going to let you, you know, each make a 
comment on this because we're going to wrap on this one. I 
think we've covered--no, I did ask Mr. Jordan. He didn't have a 
question. So go ahead, Mr. Duncan.
    Mr. Duncan. I think your question illuminates something. 
It's very important for small businesses. They are running a 
business, and while IT may be part of that business, they 
frankly don't know--
    Chairwoman Bean. They don't want to be in that business.
    Mr. Duncan. They don't know a lot about what is going on. We 
had a case of a retailer who had a cash register system within 
his store, and he frankly thought he was fully compliant, that 
he was not preserving the kinds of codes, and he knew enough to 
ask the vendor if information was being stored, and 
he was told not.
    Well, what happened of course was that the information was 
being stored, but it was wiped out at the close of each 
business day. So from the vendor's standpoint, the information 
was not being stored.
    Chairwoman Bean. Not being stored.
    Mr. Duncan. And from the retailer's standpoint, he thought 
he had done--he knows no more about what's in that system than 
I know what is going on in my Windows. And yet, he found 
himself subject of a data breach because someone, a former 
employee of that company realized that there was a back door 
and was pulling the data out at 4:30 in the evening before he 
shut down. So we have to be realistic about what is actually 
achievable, and not put knowledge burdens on merchants that 
they literally can't achieve.
    Chairwoman Bean. Well, it's your point many parents--talked 
about parents wanting to just buy safety for their children. 
Small businesses want to buy--just give me the Security+ 
package. I don't want to have to learn it or know it. I'm 
focused on revenue generation, I don't want to have to focus on 
that. So I think that to the degree that we can achieve a 
roadmap where there will be those in the business who can offer 
that as a commodified product in the market.
    Mr. Duncan. And just finally, because it's a very 
competitive business and profit margins are very thin, you 
can't buy that system here.
    Chairwoman Bean. Well, every business model is different to 
the degree to how much you're storing and how much customer or 
financial information you're keeping as well.
    Mr. Milazzo. Madame Chair, I think your original question 
had to do with insurance. I might want to share with you the 
fact that in the financial industry, and particularly in credit 
unions, we find that the cost as I had shared with you earlier 
is going up. It's increasing from year to year with the 
coverage for plastic card and payment card systems. It's gotten 
to the point too that many of the insurers have found that not 
to be a profitable business--
    Chairwoman Bean. Thank you, Emmet.
    (Laughter.)
    Chairwoman Bean. That is not a profitable business in spite 
of the rise in the premiums, to the point that some are 
actually considering, as I understand, dropping that coverage. 
If they do that, it gives financial institutions fewer choices 
to go to for that type of insurance which only drives that cost 
up from those that do provide it. It may cause some financial 
institutions to self-insure, which is I think somewhat 
dangerous. Or, in other cases, to sell their portfolios, which 
means basically they get out of the business. I think all those 
are detrimental.
    Chairwoman Bean. All right, Mark, did you have a final 
comment, too?
    Mr. MacCarthy. A comment on Duncan's example of the retailer 
doesn't know what--I mean, that's one reason why Visa took the 
step of putting the approved payment applications on the 
Internet and putting the disapproved one on there at all. Maybe 
the retailer shouldn't know that, but the vendor who is 
providing the service would be able to check the site and get 
one of the application programs that doesn't save it even for a 
brief period of time. So we're trying to do what we can to get 
the information out into the marketplace to resolve exactly 
those kinds of difficulties.
    On Steve's mention that, you know, the first thing to do is 
encrypt the data--maybe. One of our requirements is protect, 
store data. It is not encrypt, store data. There may be reasons 
why in a given kind of circumstance that encryption isn't the 
right solution. You might have to redact it or otherwise make 
it unusable. So the requirement is protect the stored data, 
which actually has an implication for legislation. We shouldn't 
have something that says encrypt and only encrypt. The standard 
in the legislation should be encrypt the information or 
otherwise make it unusable. It's the kind of standard that is 
already built into what the industry is doing.
    Chairwoman Bean. Well, thank you all for your insightful 
testimony. In conclusion, I'm going to ask unanimous consent 
that members will have five days to submit statements and 
supporting materials for the record. No one is here to object, 
so without objection, so ordered. This hearing is now adjourned.
    [Whereupon, at 11:31 a.m., the hearing was concluded.]


