[Senate Hearing 112-242]
[From the U.S. Government Publishing Office]
S. Hrg. 112-242
CYBERSECURITY AND DATA PROTECTION IN THE FINANCIAL SECTOR
=======================================================================
HEARING
before the
COMMITTEE ON
BANKING,HOUSING,AND URBAN AFFAIRS
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
ON
EXAMINING CYBERSECURITY AND DATA PROTECTION IN THE FINANCIAL SECTOR
__________
JUNE 21, 2011
__________
Printed for the use of the Committee on Banking, Housing, and Urban
Affairs
Available at: http: //www.fdsys.gov /
U.S. GOVERNMENT PRINTING OFFICE
72-701 WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202�09512�091800, or 866�09512�091800 (toll-free). E-mail, [email protected].
COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS
TIM JOHNSON, South Dakota, Chairman
JACK REED, Rhode Island RICHARD C. SHELBY, Alabama
CHARLES E. SCHUMER, New York MIKE CRAPO, Idaho
ROBERT MENENDEZ, New Jersey BOB CORKER, Tennessee
DANIEL K. AKAKA, Hawaii JIM DeMINT, South Carolina
SHERROD BROWN, Ohio DAVID VITTER, Louisiana
JON TESTER, Montana MIKE JOHANNS, Nebraska
HERB KOHL, Wisconsin PATRICK J. TOOMEY, Pennsylvania
MARK R. WARNER, Virginia MARK KIRK, Illinois
JEFF MERKLEY, Oregon JERRY MORAN, Kansas
MICHAEL F. BENNET, Colorado ROGER F. WICKER, Mississippi
KAY HAGAN, North Carolina
Dwight Fettig, Staff Director
William D. Duhnke, Republican Staff Director
Charles Yi, Chief Counsel
Dean Shahinian, Senior Counsel
Laura Swanson, Policy Director
Pat Grant, Counsel
Levon Bagramian, Legislative Assistant
Dawn Ratliff, Chief Clerk
Brett Hewitt, Hearing Clerk
Shelvin Simmons, IT Director
Jim Crowell, Editor
(ii)
?
C O N T E N T S
----------
TUESDAY, JUNE 21, 2011
Page
Opening statement of Chairman Johnson............................ 1
Prepared statement........................................... 24
Opening statements, comments, or prepared statements of:
Senator Reed................................................. 2
Senator Menendez............................................. 2
WITNESSES
Kevin F. Streff, Associate Professor of Information Assurance,
Dakota State University Information Assurance Center........... 3
Prepared statement........................................... 24
Stuart K. Pratt, President and Chief Executive Officer, Consumer
Data Industry Association...................................... 5
Prepared statement........................................... 35
Leigh Williams, BITS President, on behalf of the Financial
Services
Roundtable..................................................... 6
Prepared statement........................................... 38
Marc Rotenberg, Executive Director, Electronic Privacy
Information Center............................................. 8
Prepared statement........................................... 45
Pablo Martinez, Deputy Special Agent in Charge, Criminal
Investigative Division, Secret Service......................... 9
Prepared statement........................................... 57
Additional Material Supplied for the Record
Statement submitted by the Securities Industry and Financial
Markets Association............................................ 63
(iii)
CYBERSECURITY AND DATA PROTECTION IN THE FINANCIAL SECTOR
----------
TUESDAY, JUNE 21, 2011
U.S. Senate,
Committee on Banking, Housing, and Urban Affairs,
Washington, DC.
The Committee met at 10:01 a.m., in room SD-538, Dirksen
Senate Office Building, Hon. Tim Johnson, Chairman of the
Committee, presiding.
OPENING STATEMENT OF CHAIRMAN TIM JOHNSON
Chairman Johnson. The Banking Committee will come to order.
The Banking Committee meets today to hear testimony about data
protection and cybersecurity issues in the financial sector.
Over the past 12 years, the Committee has enacted several
pieces of legislation to protect consumer data held by
financial institutions. Federal financial regulators under the
Committee's jurisdiction have issued extensive rules and
guidance on data practices that require the institutions they
regulate to keep data secure, notify customers and regulators
when breaches occur, authenticate customers, and notify
customers about how their sensitive information may be used.
Recent high-profile data breaches at major institutions
within the financial sector and elsewhere underscore the
importance of cybersecurity for the American economy. Breaches
are disruptive and raise the potential for financial fraud,
identity theft, and, potentially, severe threats to our
national economic security. This is an important issue that
deserves the Committee's careful attention and continued
oversight.
Today I invite the witnesses to share their views in three
areas: the current regulation of data practices affecting
financial institutions and their customers; the current state
of data privacy protection, data breaches, and cybersecurity in
the financial sector; and how legislative proposals, such as
the Administration's cybersecurity bill, would affect financial
institutions and would interact with existing regulation.
I look forward to the testimony of our witnesses and to the
question-and-answer period.
Are there any other members who would like to give opening
remarks?
Senator Reed. Mr. Chairman?
Chairman Johnson. Senator Reed.
STATEMENT OF SENATOR JACK REED
Senator Reed. Mr. Chairman, just very briefly, I want to
commend you for holding this very timely hearing. The cyber
dimension is something that is evolving so quickly, huge
consequences not just in the realm of financial information but
in national security policy. It is almost as if we are sort of
in the same position our predecessors were in 1920 trying to
figure out how to use the airplane, where it was a novelty or a
fundamentally game-changing--obvious it was fundamentally game
changing. So thank you, Mr. Chairman, for your thoughtful
hearing.
Chairman Johnson. Senator Menendez.
STATEMENT OF SENATOR ROBERT MENENDEZ
Senator Menendez. Thank you, Mr. Chairman. Briefly, I want
to joint Senator Reed in thanking you for holding this hearing,
something I have been very interested in pursuing in my
legislation on the Cybersecurity Enhancement Act.
I am concerned--and certainly the Committee's jurisdiction
is very appropriate here when financial institutions face major
breaches, and I am concerned about what are the financial
institutions doing, number one, to enhance their position
against cybersecurity attacks; and, number two, when there is a
breach, what are they doing in their fiduciary responsibility
to notify their customers of those breaches.
It just happens that my chief of staff was one of those
individuals whose information was breached under the City cyber
attack. Now, unfortunately, he was not notified, and it was not
until he attempted to use his card and found out that it was
impossible for him to use it and eventually called Citi that he
found out that, in fact, his information had been breached.
Now, it seems to me that there is a fiduciary
responsibility by the entity to proactively tell their customer
that, in fact, that has happened. And it strengthens, I
believe, the institution at the end of the day to be honest and
forthcoming as well as it gives the customer, the consumer, the
wherewithal to protect themselves as well.
So I look forward to hearing some of the expertise of these
witnesses, Mr. Chairman, and working with you to move to a more
secure process for all of our customers, all of our consumers,
all of our constituents.
Chairman Johnson. Now I would like to welcome the witnesses
for our panel today.
Dr. Kevin Streff is a good friend from South Dakota. He is
an associate professor and director of the Center for
Information Assurance at Dakota State University.
Mr. Stuart Pratt is the president and CEO of the Consumer
Data Industry Association.
Mr. Leigh Williams is the president of BITS, a division of
the Financial Services Roundtable.
Mr. Marc Rotenberg is the president of the Electronic
Privacy Information Center.
And Mr. Pablo Martinez is deputy special agent in charge in
cyber operations at the Criminal Investigative Division of the
U.S. Secret Service.
I thank all of you again for being here today, and I look
forward to your testimony. I will ask the witnesses to limit
your remarks to 5 minutes. Your written statements will be
submitted for the record.
Dr. Streff, would you like to begin?
STATEMENT OF KEVIN F. STREFF, ASSOCIATE PROFESSOR OF
INFORMATION ASSURANCE, DAKOTA STATE UNIVERSITY INFORMATION
ASSURANCE CENTER
Mr. Streff. Chairman Johnson, Ranking Member Shelby, and
Members of the Senate Committee on Banking, Housing, and Urban
Affairs, thank you for the opportunity to testify to the need
for comprehensive cybersecurity legislation and in support of
the Administration's cybersecurity proposal. I am pleased to
appear before you today on behalf of the National Center for
the Protection of the Financial Infrastructure at Dakota State
University to share our views on security in small- and medium-
sized financial institutions. My name is Dr. Kevin Streff, and
I am director of the NCPFI, whose mission is to advance the
security and safety of the Nation's electronic financial
infrastructure.
Eighty-five percent of the U.S. electronic infrastructure
is owned and operated by the private sector. PDD 63 identified
financial services as a critical infrastructure, advising a
public-private partnership model whereby the public sector
partners would partner with the private sector infrastructure
owners to secure it. While there has been much effort, the
results are insufficient to safeguard this infrastructure.
Cybersecurity laws for financial services have been
enacted, including Gramm-Leach-Bliley, Bank Secrecy Act, USA
PATRIOT Act, identity theft red flags rule, and Sarbanes-Oxley.
PCI has also been established at a data security standard for
card information.
SMFIs, small- and medium-sized financial institutions,
operate in a complex regulatory environment with community
banks regulated aggressively and credit unions less. We
encourage care in setting the new CNCI regulation to fit with
the good work of the banking regulators.
Over 300 million data records impacting financial services
have been breached since 2005. When terrorists target these
SMFIs and small- and medium-sized businesses, SMEs, they will
find a soft underbelly of underprotected targets. I recently
completed a study and found that 70 percent of small- and
medium-sized businesses lack basic security controls.
Information Week states SMFIs and SMEs have a wealth of data
that cybersecurity thieves are targeting with increased
regularity. White House Cybersecurity Coordinator Howard
Schmidt recently stated that 85 percent of cyber attacks are
now targeting small businesses.
Technology is advancing faster than SMFIs can secure. For
example, a picture of a check from a cell phone camera can be
deposited in a consumer's account. Consumers are demanding
mobile and social media technologies. The risk profile 10 years
ago included a teenager breaking into computers for fun, while
the risk profile today is a professional breaking into
networks, cell phones, laptops, mobile devices, social media
sites, merchants who deposit checks via imaging systems,
service providers who host critical banking applications, and
Web sites that validate flood plains and credit bureau
information. With the mounting risks of offshoring, requiring
data centers to be located in the U.S. seems good policy in
increase our cybersecurity posture.
SMFIs and SMEs lack security experts, unable to access and
afford qualified security specialists who command six-figure
salaries. Therefore, a SMFI will typically name a loan officer
or a VP of Operations or their IT staff their information
security officer. Understanding emergent security threats and
threat actors and vulnerabilities takes expertise and simply
cannot be assigned to existing staff. Universities, community
colleges, and trade schools can do more to produce security
experts that can work in these environments.
We applaud the President for including CNCI Initiative
Number 8, Expanding Cyber Education. We commend the Government
for anticipating the cybersecurity issue and resource shortage
back in 2001 when the NSA began designating Centers of Academic
Excellence. Today 106 universities are designated Centers of
Academic Excellence, and we encourage the President to consider
expanding this program with funding so that more educational
research and outreach opportunities are created to serve the
needs of Government and industry, including small- and medium-
sized companies.
The Financial Services Sector Coordinating Council has led
the development of a formal research agenda necessary to
improve the security of the electronic infrastructure. However,
funding is, again, lacking to make significant progress. Other
research funds, such as NSF, SBIR, and the like, could be
augmented to carry out the Treasury's agenda.
To the degree that major changes are needed at SMFIs and
SMEs, we urge the Administration to consider this
infrastructure and defense and fund it. If this infrastructure
is a matter of national security, then the Government may have
a funding responsibility, and just as roads are infrastructure,
networks are cyber infrastructure. Just as tanks and weapons
are funded to protect our defense interests, we urge the
Administration to consider its financial responsibility as it
relates to cyber defense.
President Obama said it best: ``We count on computer
networks to deliver our oil, our gas, our power, and our water.
But we have failed in the past to invest in our physical
infrastructure, and we are failing now to invest in our digital
infrastructure. The status quo is no longer acceptable.''
Electronic banking is the future. NCPFI and Dakota State
University look forward to working with all stakeholders to
operationalize the President's vision of a safe electronic
infrastructure for all businesses. We applaud the President in
making cybersecurity an Administration priority and concur with
the President's comments that the ``cyber threat is one of the
most serious economic and national security challenges we face
as a Nation.''
Thank you
Chairman Johnson. Thank you, Dr. Streff.
You may proceed, Mr. Pratt.
STATEMENT OF STUART K. PRATT, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, CONSUMER DATA INDUSTRY ASSOCIATION
Mr. Pratt. Chairman Johnson and members of the Committee,
my name is Stuart Pratt, and I am president and CEO of the
Consumer Data Industry Association. Thank you for this
opportunity to testify.
Let me start with an overview of some of the most relevant
laws and regulations which impose data security duties on the
financial institutions today.
One of the most pressing actions of the Committee was the
1999 passage of Title V of the Gramm-Leach-Bliley Act, signed
into law by President Clinton. Title V directed bank regulatory
agencies and the Federal Trade Commission to develop
regulations regarding the security of nonpublic personal
information. These rules are flexible but do require financial
institutions of all sizes to implement a written information
security program, conduct risk assessments, and to do so
periodically in order to update these programs.
In 2003, the Committee amended the Fair Credit Reporting
Act to require proper disposal of consumer information or any
compilation of consumer information derived from consumer
reports. This straightforward duty ensured that sensitive
personal data about consumers was not simply left in a dumpster
or on a hard drive of a laptop or a hand-held device which was
sold without concern for the contents.
As a result of this Committee's actions to enact both FCRA
and GLB, our members have a number of duties to ensure that
they also know their customers, which is yet another important
part of ensuring that a full and complete data security program
is in place. This is an area in which our members invest
heavily.
With this baseline of law in mind, you also asked us to
comment on how proposals such as the Administration's
cybersecurity bill would affect financial institutions that
come under the Committee's jurisdiction. The key to successful
cybersecurity initiatives is to ensure alignment between
existing statutory and regulatory regimes and those that are
new.
CDIA believes that while it is absolutely and unequivocally
appropriate for the Administration and Congress to focus on the
ever changing mix of risks posed by cybersecurity threats, it
is also important for new laws not to impinge on frameworks of
law that are already established and create the necessary focus
on data security. We urge Congress to consider the data
security standards in GLB as the model for data security
requirements for other sectors of the U.S. economy.
Forty-eight States have enacted data breach notification
laws, and some financial regulatory agencies have established
guidance on this topic for those within their jurisdiction.
While CDIA is on record as supporting a national standard for
data breach notification, any new requirements resulting from
efforts to address cybersecurity risks should not interfere
with the direction of this investment, which requires multiyear
planning.
In focusing on cybersecurity risks, Congress should not be
distracted by privacy issues that are not relevant to data
security. Several congressional committees have delved into
this privacy arena in an effort to address the data collection
and use practices of so-called information brokers. Under these
proposals, our members' products and services, which are
particularly essential to the financial services sector, could
be adversely affected. Consider the following:
Financial institutions offering credit need to detect and
prevent fraud and to verify the identities of individuals
seeking products and services.
Financial institutions must enforce contracts with
customers who have the ability to pay but do not choose to do
so.
Lenders, who must comply with Bankruptcy Code requirements
to cease dunning a consumer, use our members' tools in order to
comply. USA PATRIOT Act Section 326 duties and FACT Act red
flag guidelines demand that financial institutions properly
identify their customers.
Even President Obama's National Strategy for Trusted
Identities in Cyberspace will likely rely on our members'
current and emerging identity verification tools. It is our
members' products and services that empower the financial
services sector to protect consumers and comply with current
laws.
In closing, we applaud both the Congress and the
Administration's focus on cybersecurity risks. We believe that
this work must, however, be careful not to impair or impinge on
effective laws that already address risks in the financial
services sector. Alignment is key.
I am happy to answer any questions. Thank you.
Chairman Johnson. Thank you, Mr. Pratt.
Mr. Williams.
STATEMENT OF LEIGH WILLIAMS, BITS PRESIDENT, ON BEHALF OF THE
FINANCIAL SERVICES ROUNDTABLE
Mr. Williams. Thank you, Chairman Johnson and Members of
the Committee. My name is Leigh Williams, and I am president of
BITS, the technology policy division of The Financial Services
Roundtable. BITS addresses technology policy on behalf of its
100 member institutions, our millions of customers, and all of
the stakeholders in the U.S. financial system.
In my remarks today, I will briefly describe cybersecurity
protections in financial services and explain why the
Roundtable supports the Obama administration's cybersecurity
proposal.
In my view, most cybersecurity protection arises from
individual institutions investing tens of billions of dollars
and tens of millions of hours in voluntary measures for
business reasons. Up at the industry level, BITS and several
other coalitions promote best practices for protecting customer
information. For example, BITS is currently addressing security
in mobile, cloud, and social networking, protection from
malicious software, security training and awareness, and the
prevention of retail and commercial account takeover.
Beyond these voluntary efforts, our members are also
subject to a range of oversight mechanisms to ensure
consistency throughout the industry. Just to take the security
and privacy provisions of Gramm-Leach-Bliley as an example,
this Committee and the Congress enacted GLB. The regulators
detailed it in Regulation P. Regulation P was translated into
guidance. Institutions used that guidance to manage their
programs. Examiners audit the programs. Treasury monitors for
consistency. And just to take this whole process full circle,
this Committee oversees Treasury and the agencies.
Beyond this sector-specific work, we collaborate more and
more in public-private and in financial-nonfinancial
partnerships, often with regulators, DHS, with law enforcement,
with the intelligence community, and others.
People are not just consumers or just customers or
citizens. They are all of these. So business and Government are
working together to protect e-commerce and national economic
security.
As the Committee considers action on cybersecurity, I urge
members to appreciate these existing protections and these
current collaborations and to leverage them for maximum
benefit.
Even given this head start, we believe that comprehensive
cybersecurity legislation is warranted. It can improve security
throughout the cyber ecosystem, including in the telecom
networks on which our financial institutions depend, and it can
strengthen the security of Federal systems and mobilize law
enforcement resources.
More specifically, the Roundtable supports the
Administration's legislative proposal. We support many of the
provisions on their own merits, and we see the overall proposal
as an important step toward building a much more integrated
approach.
The Administration's proposal has this comprehensive
approach. It addresses cybersecurity both at the level of the
entire ecosystem and also within specific sectors like
financial services. For example, the law enforcement title
refers to damage to critical infrastructure computers, but also
to wire fraud and mail fraud. The breach notification title
refers to sensitive personally identifiable information and FTC
enforcement, but also to financial account numbers and credit
card security codes.
We believe that harmonizing this comprehensive approach and
the sector-specific mechanisms will be an important challenge
as the Congress considers this proposal. There are at least a
couple of ways of bridging this ecosystem/sector divide.
First, the Congress could establish uniform standards but
allow for exceptions where substantially similar requirements
are already in place, as in the FFIEC agencies' breach
notification requirements. Or the Congress could reserve more
autonomy for the sectors. For example, it could be the sector-
specific agencies and not DHS that determine what entities are
critical, much as in our sector the sector authorities
designate the systemically important financial institutions.
In conclusion, may I just say that at the Roundtable we
will continue to strengthen security protection around our
customers' information. We will help to answer this question of
ecosystem/sector balance, and we will support and work to
implement the Administration's cybersecurity proposal.
Thank you very much for your time.
Chairman Johnson. Thank you, Mr. Williams.
Mr. Rotenberg.
STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC
PRIVACY INFORMATION CENTER
Mr. Rotenberg. Thank you, Mr. Chairman and members of the
Committee. My name is Marc Rotenberg. I am president of the
Electronic Privacy Information Center. I also teach privacy law
at Georgetown Law Center. I am grateful for the opportunity to
testify today and also for your interest and the Committee's
interest in this particular issue.
No doubt you have been reading the news stories and the
growing accounts of data breaches affecting bank customers
across the country. Just recently, Citigroup had to admit that
more than 360,000 of their customers had their personal
information improperly accessed. Bank of America was reported
to have lost customer information, resulting in the loss of
millions of dollars to their customers, though it took them
more than a year to acknowledge this.
The Identity Theft Resource Center reports that in 2010
there were 662 security breaches; 58 of those occurred at
financial institutions. And we believe this problem is going to
get worse. More of our personal information is moving into
cloud-based services, being stored on remote computing systems.
Bank customers know less and less about the information about
them that is being collected or how it is being used, which is
why data breach notification becomes so very important so that
customers understand the risks that they have been exposed to.
This is not just the problem of identity theft, though to
be sure that is a serious problem. According to the Federal
Trade Commission, identity theft has been the number one
concern of American consumers for the past decade. But as we
learned in the recent Citigroup breach, there is also the
problem of phishing, which is the use of bits of personal
information to obtain other bits of personal information. So
even without the bank account number, to have access to the
bank account name can be sufficient to then begin the process
that leads to other types of crimes against individuals.
Now, in my testimony, I have gone into some detail about
the current Federal legislation as well as the State laws and
the White House cybersecurity proposal, and if I may, I would
like to highlight just a few of the key points now.
The first thing to be said is that the privacy provisions
in Gramm-Leach-Bliley do not adequately address these new
challenges. They do not give customers the type of notification
that they need to respond when these problems arise. Many of
the States, we believe, have actually done a good job in trying
to promote data breach notification so that customers are aware
of these risks. And, of course, in consideration of Federal
legislation, we would be concerned about bills that might
preempt these strong State measures.
The experience in California, which I describe in my
testimony, is particularly significant because it was that
State breach notification law that made is possible for the
Government to act upon information that the personal
information on American consumers had actually been sold to a
criminal ring engaged in identity theft. I think without that
State law that problem would have never come to light, and the
authorities would not have been able to pursue the
investigations.
Now, turning to the White House cybersecurity proposal, we
are broadly in favor of many of the recommendations from the
White House. They have clearly treated this issue as a
priority, and they have tried to develop a comprehensive
approach that deals with the many different dimensions of
cybersecurity. We do not object to the role of the Department
of Homeland Security in promoting the strengthening of security
safeguards for American business, but we would caution against
overreaching because there is always concern that if the
Government sets technical standards in such areas as intrusion
detection or intrusion prevention, there is some risk that
there will be increasing surveillance and monitoring of the
private communications of American citizens. But as I said at
the outset, their approach to cybersecurity we think is a good
one, and it is in a cooperative relationship between the public
sector and the private sector can help address some of the
risks that American customers are today experiencing.
We would also note that there are other bills that have
been introduced in both the Senate and the House that try to
establish new safeguards for customers. We think, for example,
the private right of action is an important right to ensure
that in the absence of effective oversight by the regulatory
agencies, individuals who do suffer harm as a result of these
breaches are given the opportunity to pursue their rights as
well.
Finally, in our statement we draw attention to some of the
new security techniques that we had previously recommended in
the communications field, and we think they would be helpful in
the financial sector as well. In particular, the goal of
minimizing the collection of personal data not only reduces the
attractiveness of a target to hackers and to others, but when a
breach does occur, the subsequent damage is limited as well. So
we continue to promote efforts within the legislative process
that favor the minimization of data collection.
Thank you again for the opportunity to testify. I would be
pleased to answer your questions.
Chairman Johnson. Thank you, Mr. Rotenberg.
Mr. Martinez.
STATEMENT OF PABLO MARTINEZ, DEPUTY SPECIAL AGENT IN CHARGE,
CRIMINAL INVESTIGATIVE DIVISION, SECRET SERVICE
Mr. Martinez. Good morning, Chairman Johnson and
distinguished Members of the Committee. Thank you for the
opportunity to participate in this morning's hearing.
The Secret Service was established as an investigative
bureau of the Department of Treasury in 1865 in response to the
proliferation of counterfeit U.S. currency. While most people
today associate the Secret Service with the protection of the
President, it was not until 1901 that our agency was charged
with that mission. Our dual mission of investigations and
protection has evolved over the course of the last century, not
because we seek new responsibilities, but because the criminal
methods used by our adversaries are constantly evolving.
Over the past decade, Secret Service investigations have
revealed a significant increase in the quantity and complexity
of cyber crime cases. Broader access to advanced computer
technologies and the widespread use of the Internet has
fostered the proliferation of computer-related crimes targeting
our Nation's financial infrastructure. Current trends show an
increase in network intrusions, hacking attacks, malicious
software, and account takeovers resulting in data breaches
affecting every sector of the American economy.
In recent years, the Secret Service has been responsible
for the arrest of numerous transnational cyber criminals who
are responsible for the largest network intrusion cases ever
prosecuted in the United States. These intrusions resulted in
the theft of hundreds of millions of account numbers and a
financial loss of approximately $600 million to financial and
retail institutions, directly impacting the lives of millions
of American citizens.
The 31 Electronic Crime Task Forces that the Secret Service
has established domestically and abroad exemplify the Secret
Service's commitment to sharing information and best practices.
Membership in these ECTFs includes more than 4,000 private
sector partners, nearly 2,500 international, Federal, State,
and local law enforcement officials and more than 350 academic
partners. The Secret Service continually develops the technical
expertise to track down and successfully infiltrate,
investigate, and prosecute with our partners cyber criminals
who pride themselves on their knowledge and technical prowess.
We use this knowledge of criminal networks to adapt our
response to the challenges posed by financial crimes in the
21st century.
A central component of our approach is the training
provided through our Electronic Crimes Special Agent Program,
which gives our special agents the tools they need to conduct
cyber-crime-related investigations. The training we provide,
however, extends past our own agents to others in the public
sector. We continue to train State and local law enforcement
through the National Computer Forensics Institute. The goal of
this facility is to provide our partners with the necessary
training not only to understand cyber crime, but to respond to
any type of cyber-related investigation. Since 2008, we have
provided training to 932 State and local law enforcement
officials, prosecutors, and judges.
Investigations continue to highlight the need for further
collaboration between the financial services industry and law
enforcement. In recent years, the Secret Service, in
collaboration with the Department of Treasury, has briefed
organizations such as the Federal Reserve Board, the Securities
and Exchange Commission, the Federal Deposit Insurance
Corporation, as well as private sector organizations such as
the Financial Services Information Sharing and Analysis Center,
Securities Industry and Financial Markets Association, payment
card processing industry, and the payment card industry on the
latest trends and threats to their networks and operations.
These briefings have occurred within the Beltway, but also
across the country through our nationwide network of Electronic
and Financial Crimes Task Forces.
The legislative package proposed by the Administration will
better equip law enforcement agencies, such as the Secret
Service, with the additional tools to combat transnational
cyber crime by enhancing penalties against criminals that
attack critical infrastructure and adding computer fraud as a
predicate offense under the Racketeer Influenced and Corrupt
Organizations Act. With regard to data breaches, it will
replace the patchwork of State laws governing reporting of
breaches of personally identifiable information with a uniform
standard requiring businesses to notify affected individuals
and the Government if the business suffers a breach.
Chairman Johnson and distinguished Members of the
Committee, the Secret Service is committed to our mission of
safeguarding the Nation's financial infrastructure and will
continue to aggressively investigate cyber and computer-related
crimes to protect American consumers and institutions from
harm.
This concludes my prepared statement. Thank you for the
opportunity to testify at this Committee.
Chairman Johnson. Thank you, Mr. Martinez.
Professor Streff, you have testified that smaller banks
know their customers better than large banks, but do not have
the same resources to spend on protecting customer information.
How do small banks work to ensure that their customers are
protected, and what can the Federal Government do to aid these
small businesses?
Mr. Streff. Thank you for the question. What small- and
medium-sized financial institutions do is, really, they comply
with the IT Examination Handbook, which is ten booklets of
about 1,000 pages that--it is out there on FFIEC.gov, and they
put a comprehensive information security program in place that
starts with risk assessment, identifies business continuity
issues, pandemic preparedness issues. They hire somebody to
break into their networks. They scan their networks from the
inside, a whole host of different programs. Then an independent
organization comes in and audits and verifies that their
information security program is, indeed, in and working
effectively.
So there is already a lot done in place now. So that is
where, when we see more and more of these requirements coming
down, we want to make sure that what the Federal Government can
do is make sure that what comes out fits nicely with what is
already there. The FDIC, the OCC, and others work very hard
with fills and regulatory insights and other pieces of guidance
to interpret the law and to get it out there in a way that
these small- and medium-sized financial institutions can
operationalize effectively.
Chairman Johnson. For all the panelists, community banks
and rural banks currently meet stringent data security
standards. How would the Administration proposal affect
community and rural banks and their regulatory burden?
Mr. Pratt. Mr. Chairman, I think, and this really applies
to anyone who falls under the various laws that I think a
number of us have talked about here at the table today, what is
most important is to ensure that if you are a community bank or
a smaller financial institution, and candidly, even if you are
one of the largest in the country, that you have some
continuity in terms of those who are going to examine you. They
have expertise. They understand how the financial services
marketplace works.
So I think it is critically important that you preserve
that base of knowledge that you have with bank agencies, with
examination processes, in our case, with the Federal Trade
Commission, who continues to retain data security
responsibilities for enforcement of various provisions of the
Fair Credit Reporting Act, but also Gramm-Leach-Bliley. These
agencies have that expertise.
What you would not want is some sort of regulatory overlap
between what you have today and a DHS designation of a critical
infrastructure element where a bank or--small or large--has to
struggle with yet another set of requirements which may not
necessarily advance the ball in terms of security, but just
will necessarily require them to comply with, potentially, two
different competing approaches to security. So I think that
alignment issue we talked about before is very important.
Chairman Johnson. Anybody else?
Mr. Williams. Mr. Chairman, I certainly believe in
everything that Professor Streff and Mr. Pratt have said about
alignment. That is absolutely critical.
We see the proposal as doing two new things. One is it
better aligns what already happens in financial services, which
admittedly is imperfect, is evolving, and which continues to be
improved at both the institution and at the industry level, but
now could be better connected with the rest of the ecosystem
with efforts at the Internet Service Providers, the software
manufacturers, with what happens out at our customers' PCs. We
believe that the overall ecosystem approach contemplated in
this new proposal begins to connect these existing safeguards
in our industry to what needs to happen throughout the
ecosystem.
The second major change is that it is not only across
industries, but it is across the public and private sectors. So
Federal systems are also covered. Information sharing with the
Government is also covered. We think there would be much better
collaboration between institutions and industry and Government
partners that can bring expertise and resources to the table.
Chairman Johnson. What are the witnesses' views on the
effectiveness of the Federal financial regulators under this
Committee's jurisdiction in administering laws affecting data
protection and data security? Anybody?
Mr. Rotenberg. My view, Mr. Chairman, is that the laws
currently in place do not provide adequate protection to bank
customers, particularly in light of some of the recent security
breaches that have been so widely reported. We make several
recommendations for how those laws might be strengthened, but
we also point out that as the law was written, it operated as a
Federal baseline and that allowed the States to regulate upward
where they saw the need to do so. We think that is a good
approach. We think it allows the States to put in place
stronger safeguards and to continue to innovate as some of
these new challenges emerge.
Mr. Williams. Mr. Chairman, if I might, I absolutely agree
with Mr. Rotenberg's comment that GLB and some of the other
regulations are largely established as a baseline. But rather
than think about State intervention to move higher, we tend to
think of self-regulatory and business practices as pushing
practices well beyond that baseline. So if, as part of this
initiative, or if, as evolving regulation raises the bar, we
also very much will focus on institutions and industries
stepping in and voluntarily raising the bar in what we think is
the most dynamic approach.
Mr. Streff. If I could comment, as well, I think the
comprehensive approach will promote consistency. If the breach
happens at the bank, then the notification will happen a
certain way. If it happens at a credit union, it will happen a
certain way. If it happens at a trusted vendor, it will happen
a certain way. If it happens at a merchant or a small business
as part of a corporate account fraud that we are seeing, it
happens a certain way. I would think that the consumers today
are confused with when they are notified, how they are
notified, due to the inconsistencies and the lack of a
comprehensive approach.
Mr. Martinez. Chairman Johnson, I would agree with the
comments made here today. Working data breach cases for over 5
or 6 years now, we have seen all the different levels of
financial institutions that have been victims of data breaches,
and I believe a uniform standard across the Nation would be a
more effective way of moving forward.
I also believe that it is incumbent on businesses to notify
victims that have been--or individuals that have been
victimized from a data breach and also to notify law
enforcement. I think it is important that we try to do a
coordinated effort when moving forward on some of these data
breach investigations.
Mr. Pratt. Mr. Chairman, I would just like to add, this
uniformity is critically important and I would agree with Mr.
Williams' statement that industry itself is deeply motivated to
protect the information that it has and they design multiyear
budgets to build out, not just simply to sustain or to meet the
minimal baseline, but to develop the best systems that industry
can buy. But it is critically important that we are able to
build these on the nationwide basis.
That is just not important for the largest companies, but
it is also important, actually, for the smaller companies that
want to compete on a regional or super-regional basis. The more
complicated the statutory structure is, the more difficult it
is for them to have the resources to even approach compliance
on a State-by-State basis. So CDI has been on record as very
supportive of a national standard for data breach notification,
for example.
Chairman Johnson. Senator Reed.
Senator Reed. Well, thank you very much, Mr. Chairman.
Thank you, gentlemen, for your excellent testimony. Let me just
raise a few issues.
Professor Streff, you pointed out or suggested in your
comments that the location of data centers here versus overseas
tend to build a level of protection because of our laws, but it
raises a larger question of the international application of
any of the standards we develop and a related question of we
could have a very sophisticated national regime of protection,
but if it is an international economy, the back doors could be
elsewhere. So I wonder if you could comment and then ask your
colleagues on the panel to comment on that.
Mr. Streff. Sure. Thank you. I like the Administration's
proposal of identifying and prioritizing critical
infrastructure protection, critical infrastructure that we
depend upon, and then, based on that, making decisions
regarding protection. Certainly, offshoring data centers and
not controlling physical security, the differences in the
different laws, privacy and security laws of different nations,
you know, weave the fabric and make it even more difficult. So
I know that the proposal addresses the data centers here in the
U.S. and being careful about offshoring that kind of activity,
and the National Center for the Protection of the Financial
Infrastructure certainly agrees.
Senator Reed. Let me just add another sort of level. Is it
feasible, practical, to insist that we have jurisdiction--if it
is an American entity that has set up the center overseas, that
we have jurisdiction and that we can at least inspect,
investigate, and correct? You might want to comment, and then I
will turn it over to the rest of the panel.
Mr. Streff. You know, I guess from a legal perspective, I
will leave that to our Georgetown colleague, but certainly from
our perspective, what we are seeing is there are certainly ways
that you can audit those kinds of organizations, just like they
do here in the U.S. in terms of, like, service providers and
data aggregators and things like that. In terms of the legal
aspects, I guess I would leave it to my colleague.
Senator Reed. Mr. Pratt, and then we will go right down and
we will definitely get the Georgetown connection.
Mr. Pratt. Today, if we look at Title 5 of GLB today as an
example of a data security regime, it applies to the practices
of that financial institution, our members included, wherever
we may locate that data center. I know even the CDIA has stood
up several different data centers, and even here in the U.S.,
we look at different power grids. We try to separate the back-
up system from the primary with power grid differences. We look
at plate tectonics to see if we have them on the same
earthquake fault line or not, these sorts of things.
And candidly, whether it is overseas or whether it is here
in the U.S., the U.S. law applies to the U.S. business. And, in
fact, all of those requirements that the Professor just
outlined, you know, the physical security, the employee
training, the technology that has to be deployed, all the
requirements of the Title 5 apply and the examination powers
and the bank agency powers and the Federal Trade Commission
powers apply.
So I am not sure whether it is in the West Coast or the
East Coast or just off of one of those two coasts makes a
difference in terms of data centers. The key is to make sure
the data centers are managed properly and those risks are
assessed and accounted for.
Senator Reed. Mr. Williams, shortcomings?
Mr. Williams. I wish Mr. Pratt would say something I could
disagree with, but I cannot disagree with that. Our financial
institutions are already accountable for what happens at their
direction, whether it is at a service provider or in their own
subsidiaries, whether it is within the U.S. borders or outside
the U.S. borders. They are held accountable by their
regulators, and on the jurisdiction question, they should be
held accountable by this Committee.
We believe that the same logic should apply outside of
financial services. So if this proposal or some proposals like
it begin to address cybersecurity in the ecosystem, all players
should be accountable for what happens at their direction
inside or outside the U.S. borders, inside or outside of their
legal ownership.
One of the stipulations in the cybersecurity proposal
offered by the Administration takes State data centers and says
that there may be no restrictions in the borders among the U.S.
States. We believe that because we need this ecosystem-level
protection, that should be extended even beyond the U.S.
outside to international operations.
Senator Reed. Professor, but I just want to throw in
another issue here, too, not to go into really complicated
things, but you refer in your testimony to the effectiveness of
State laws, and there was a colloquy back and forth with the
Chairman about the need for a national standard. I have seen
sort of this debate in many different contexts, and a national
standard is terrific if it is tough and strong and reaches all
the players. It is less effective--and we saw this particularly
in the case of predatory lending--when the national standard is
rather low and State standards, much more effective, are
legally sort of avoided under Federal regulatory preemption. So
you might want to comment on that in this context, too.
Mr. Rotenberg. Senator, these are the two critical issues.
With respect to preemption, I certainly appreciate the position
of the business groups. I am sure that a national standard
would be easier to administer, but I think it is very important
to look at the practical effect when a low national standard
removes higher State safeguards. And even the States themselves
have learned that they do not always get it right the first
time. That very good California breach notification law covered
only financial institutions. They had to come back and update
the law to deal with medical record information when they
realized they would have a problem there. So that is another
reason I would urge caution on a Federal standard that ties the
hands of the States.
Now, the other question you raise, Senator, is also key in
this area. We are in a global economy with global businesses.
Particularly with the Internet, people are purchasing products
all around the world and a lot of customer data moves around
the world, particularly now that we have cloud computing
services that are offered in many different jurisdictions.
We have actually worked with the Administration to urge the
development of a comprehensive framework for privacy
protection, and there is interest. In fact, part of the White
House cybersecurity strategy talks about the need to strengthen
privacy safeguards for commercial data flows, particularly
between the United States and Europe. We hope they will go
further for many of the reasons that you have outlined. The
Europeans are also concerned about what happens to their
financial data. There is a need to establish there a common
framework with clear legal protections. And I think what you
are reading now about the data breaches, of course, it is not
just customers in the U.S., it is people all around the world.
Senator Reed. Agent Martinez.
Mr. Martinez. Senator Reed, from a law enforcement
perspective, storing data overseas does pose a challenge. For
example, look at it from the point of view of a crime scene.
Now we have a crime scene, and instead of just being located
within the United States, it is located in different parts of
the world, posing challenges to the type of legal process that
we could utilize to obtain that information. Is there legal
process in that country where I seek that information that is
pertinent to my case? How long will it take me to obtain that
information? I now might have to do what is referred to as a
Mutual Legal Assistance Treaty Request to that specific
country.
The violation that I am investigating the criminal for, is
that a covered violation within that country's legislative
process? We have been encouraging our international partners to
join in the Budapest Crime Convention because it talks about
establishing cyber crime legislation like this throughout
different countries around the world. But it does pose
challenges to us and it makes it much more difficult and it
takes more time for us to obtain that information.
There are extraterritorial violations, for example, even in
the area of identity thefts. Credit card fraud has an
extraterritorial section to it where we can use that part of
the statute to prosecute people who commit credit card fraud
using U.S. accounts domestically. But I think it is a challenge
that will be tested here sooner rather than later.
Senator Reed. Thank you, gentlemen. Thank you, Mr.
Chairman.
Chairman Johnson. Senator Menendez.
Senator Menendez. Thank you, Mr. Chairman. Just to show you
how timely these issues are, Mr. Chairman, as we are speaking,
a widespread phishing campaign is being targeted on Senate
staff with a false IRS statement that if you open up downloads
a malicious link. So this is a constant challenge, and
including the United States is not immune from it.
Mr. Williams, let me ask you, I look at the number of
attacks that have taken place, particularly in the last 6
years. There have been 288 publicly disclosed breaches at
financial service companies that exposed at least 83 million
customer records. And I am wondering, what is your view from
the industry perspective as to what is the fiduciary duty here
by these institutions to notify their customers in a timely and
efficient fashion?
Mr. Williams. There is no doubt in my mind that
institutions have a fiduciary responsibility, they have a
commercial responsibility, they have compliance
responsibilities, and that they take all of those very, very
seriously. We do an enormous amount of work with member
institutions on preventing breaches and ensuring that when they
do occur, they are absolutely responded to as quickly and as
completely as possible.
Senator Menendez. Do you think a month to notify customers
is an appropriate time frame?
Mr. Williams. I think that as soon as an institution
understands what has occurred, they have an obligation to
notify their regulators under regulatory rules and they have a
fiduciary and a business responsibility to notify customers if
there is any way that those customers can begin to take action
to protect themselves.
Senator Menendez. All right. I appreciate that answer,
because from what I can perceive of Citi's response, that was
not the case, as is evident by just the personal story I
related before. It took a lot more time, and that does not
allow people to protect themselves.
Agent Martinez, is not information and notification one of
the essential elements for someone to try to limit the scope of
the damage done to them once they know they can act?
Mr. Martinez. Yes, sir. I believe the Administration
proposal calls for a certain time frame by when victims have to
be notified. I think it is also important to realize that, when
it comes to law enforcement's investigations, a more clear,
concise, and exact set of events for the financial institution
to know what exactly has happened and to be able to relay that
to the law enforcement organizations in an efficient and
effective way helps us significantly, instead of getting dribs
and drabs of information.
So although I do not think--I agree with you that
notification needs to be made as soon as possible, we would
like a clear and concise picture of what they have, and I think
the Administration's proposals on data breach lay out specific
time lines that we think is enough time for institutions to
have that information.
Senator Menendez. Well, I look at NASDAQ, World Bank, Citi,
just to mention some, and I wonder whether there is anyone on
the panel who wants to give an opinion as to whether or not
financial institutions are seriously taking the challenge
before them and making the appropriate investments in trying to
protect against cybersecurity attacks.
Mr. Williams. I can assure you, they absolutely are taking
it seriously. They are investing tens of billions of dollars at
an institutional level and at an industry level. I cannot
promise you that there will never be another breach in
financial services, but I can tell you that we constantly
improve our ability to repel these attacks and we constantly
improve our ability to protect against inconvenience and any
financial loss on the part of customers or institutions. We are
getting better and better at this every single day.
Senator Menendez. Mr. Rotenberg.
Mr. Rotenberg. Senator, I wish I could agree with my
colleague, but I think the experience of consumers today is
actually very different. It may be the case that financial
institutions are spending a lot of money to safeguard this
data, but what consumers are seeing are more and more breach
notifications, more and more warnings that their credit card
information is in the hands of others, more and more
recommendations that they may need to change their bank account
numbers.
We have a problem, and this problem is getting worse. I do
not mean to suggest that passing legislation is going to solve
it. I think it will help make clearer the scope of the problem
and make possible some other approaches. But I do not think we
can overstate quite how serious today the problem of data
breach is in the United States.
Senator Menendez. Mr. Pratt, did I see you wanting to
comment?
Mr. Pratt. I would just--I would add, first of all, I think
some of the examples you have given are very helpful for all of
us because different breaches have occurred in different ways.
Where there is a phishing attack or where you are fooled into
clicking on an executable file that then scans your hard drive,
this is different than a cyber attack against a Web site.
Our own members, for example, have had to develop Web sites
for expatriates to access certain data here in the U.S. and
that entire data network is separate from the U.S.-based
system, which is a significant investment to create entire
duplicate systems, and that is all for that very reason of
trying to protect data and to ensure that the higher risk that
we have from foreign access is balanced against the domestic
risk.
So I would agree with Mr. Williams. There are enormous
investments. It is a constant moving target, as you know. You
are very experienced with this. You have the bills in place to
look at this. We are constantly sharing with information
sharing and analysis centers to try to understand what other
financial institutions have experienced in order to learn from
that, in order to better our own systems, in order to take the
next step to anticipate what the risk is. So it is a moving
target challenge. It is a challenge for small retailers who may
lose credit card account numbers, not because the bank has
failed but because the retailer may have failed in that case to
protect the information at the retail level. There are some
older breach examples where some retailer systems were storing
data that they should not have been storing based on guidance
that was out there.
We have to unpack all of these fact patterns. We have to
learn from these fact patterns. We have to make better
decisions going forward. We believe that we are.
Senator Menendez. Well, I thank you, and let me, Mr.
Chairman, let me just close by saying, I hope some of you will
look at the Cybersecurity Enhancement Act that we are offering.
We think it is an opportunity to do research and development,
bring the three entities, the National Science Foundation,
Department of Homeland Security, and Department of Defense
leading in the Federal perspective, and then seek to
commercialize that so that we can have institutions look at it.
But the one thing that I am still alarmed at--I know this
is a moving target, but the one thing I am still alarmed at is
timely notice to customers. I think it is essential for a good
business relationship, certainly it is essential for the
consumer, and I would like to see an industry response to that.
But in the absence of it, there will be some of us who will
consider legislative responses.
Thank you, Mr. Chairman.
Chairman Johnson. Senator Merkley.
Senator Merkley. Thank you, Mr. Chair.
I think I am going to follow up on this consumer
notification. More and more citizens have had the experience of
receiving a letter saying that there was a breach of data at
our institution and your records may have been among the
records lost. This certainly happened with my wife through her
place of employment, and some of these breaches have been
through Web sites being hacked, but others are as simple as
information left on laptops that were stolen out of cars and
things of this nature, and it is not always clear in whose
hands this information is going to end up in.
Oregon has adopted some provisions related to this, but I
just wondered, and maybe, Mr. Rotenberg, you would like to kick
this off, are there States that have a particularly successful
model that should recommend itself to our examination here?
Mr. Rotenberg. Well, Senator, California tends to be on the
front lines of these issues, and I think their efforts not only
in establishing early on a breach notification requirement and
then updating it has been successful, other States, as well.
But as I spoke with some of the consumer experts prior to this
hearing, they made additional recommendations. It would be
helpful, example, I think, when a person receives one of these
notifications to actually be told by the institution what the
institution has done to correct the problem. If we think about
it for a moment, when someone has had a problem that affects
us, we want to be assured that it will not be repeated in the
future. So I think actually saying explicitly what the
institution is doing to ensure that the problem will not be
repeated would be a good step.
Also, with respect to credit card information, you know,
the current system in the U.S. allows people to get access to
the credit card information of others unless they have
explicitly chosen to freeze the access. You might think of this
as the difference between opting out versus opting in. A number
of States are moving toward these freezes on credit card
information which gives individuals the ability to say if, for
example, they are shopping for a car, OK, now you can look at
my credit record information, but otherwise, I do not want
other people to be looking at our credit record information,
and I think this is another innovative approach that would be
worth looking at.
Senator Merkley. So some of the things that were discussed
in Oregon, and I would have to go back and see what all was
adopted, but it was also kind of a protocol for responding to
customers whose data has been breached, kind of providing them
with the tools that they need, the access that they need in
order to be able to monitor. OK, credit card information was
stolen, but what help can they get in fast detection of someone
misusing that information? Is that part of the California
model?
Mr. Rotenberg. Yes, and I should mention, also, the Federal
Trade Commission has put together very good resources that are
available on the FTC Web site to help consumers who have been
the victims of identity theft. But I have to say, I think,
also, people are just becoming very frustrated. It takes time
to walk through these steps. There is no necessary assurance
that if you have done everything you are supposed to do, you
might still not find an improper charge somewhere down the
line.
And so I think we actually need to be thinking more long-
term about how to minimize the risk when the breach occurs,
which is the reason why in my testimony I talked in some detail
about this concept of data minimization. For example, Social
Security numbers. I mean, for a long time, it has been
understood that Social Security numbers should not be widely
available because they are too frequently used as passwords.
Yet you have the case today that health club members are
required to provide Social Security numbers to join the health
club, which seems to create an unnecessary risk.
Mr. Streff. Senator, if I could comment, as well, you know,
I think if you--most of the State laws exempt financial
institutions. And if you really take a look at when this
happens, there is a tremendous cost, like, to the small- and
medium-sized financial institution. The Ponemon Institute
publishes that it is about $202 a data record that is breached.
So if you are a small financial institution, you have got a
thousand customers, you can do the math. That is fairly
significant. And I am not minimizing this.
I would encourage the Administration, as they are looking
at this, it seems to me that this gets minimized all the time,
so I am glad to hear you folks talking about this. The Epsilon
attack, to me, is a good example of how this gets minimalized.
If you read the press clippings on that one, thankfully, all
that was stolen were email addresses and names. Now, does that
require data breach notification, because it is not Social
Security numbers, it is not financial account numbers. That is
a serious issue when email addresses with names are disclosed,
because that sets up phishing attacks and that sets up all
other kinds of attacks. So I would encourage the Administration
to think that through as they are drafting policy.
Senator Merkley. So, Professor, to go back to your point,
you said the cost to a small business of addressing the loss of
data, the average is $200 a customer?
Mr. Streff. Two-hundred-and-two dollars, sir. If you really
take a look at do you cut up the cards, do you issue new
account numbers, do you provide fraud detection services, you
know, all those kinds of things, the Ponemon Institute has
``mathed'' [phonetic] that out to $202 a data record.
Senator Merkley. I am over my time, but I will ask more
questions if we continue this.
Chairman Johnson. Please proceed with your questions.
Senator Merkley. Thank you very much, Mr. Chair.
I want to shift a little bit to the issue of liability.
Recent courts have come down on both sides of the issue of bank
liability for data theft, some saying banks are not liable if
they meet the minimum regulatory standard, others finding
higher duties to customers. So I would just open this up to any
of you who would like to comment. How should liability be
configured to maximize cybersecurity protections while
minimizing litigation uncertainty?
Mr. Williams. Many of our member institutions see their
responsibilities to customers not in terms of legal liability
but in terms of the relationship that they have built with
these people. I think whether, for example, they are required
to or not, they do everything in their power to minimize, often
to zero, generally to zero, the risk of customers, especially
at the retail level, in breaches or in other cybersecurity
incidents. There has been some talk about whether that
protection that retail customers enjoy, sometimes voluntarily,
sometimes under regulation, should be extended to commercial
customers, some of whom look and act a little bit like retail
because they are smaller or because of the way that they
operate.
We would be reluctant, I think, to see that put into rule
or statute. There is this bright line between individuals and
institutional clients, and there are already under the banking
regulations ways that those two entities or classifications of
entities are treated differently. We do what we can to ensure
that individuals are protected and to ensure that their
financial losses are managed to zero, and we do what we can on
the institutional side, but the protections are a little
different and the liability scheme may also be appropriately
different.
Senator Merkley. Mr. Williams, how do you, in general, how
do people who have small home businesses, if you will, the
small businessman who is a Chapter S Corporation, they are
simply--their money comes through their personal taxes--are
they viewed as an institution in that framework or as an
individual?
Mr. Williams. We tend in most institutions to think of it
based on the type of account that they have. So if they have a
personal account, they are treated as individuals. If they have
a business account, then we treat them under the law as
business customers.
Senator Merkley. OK. Thank you.
Anyone else on this liability, kind of the need to have
some certainty over litigation exposure versus working to make
sure that it is made right when there is a breach?
Mr. Rotenberg. Well, Senator, I think the economists would
say that the liability should be assigned to the least cost
avoider, which is to say the institution that is in the best
position to minimize the risk. And this is an important
principle, because when you think about the customer who gives
over the information to the financial institution, they
actually at that moment have lost the ability to control the
subsequent use of the data they have provided. This is, as Mr.
Menendez says, this creates the fiduciary obligation that the
financial institution now has, and that is one of the reasons
that I think it is so important that that risk be shifted from
the individual, because they are simply not in a position to
reduce subsequent risk of misuse.
Mr. Pratt. Senator, I would only suggest that--in fact, we
have this in our written testimony--that one of the successes
of the data safeguards rules is that they are administratively
enforced. That does not mean that they are passively
administratively enforced. That is an aggressive program, as we
discussed before, examination processes and the Federal Trade
Commission uses CID processes and so on to do that. In the case
of Fair Credit Reporting Act, State Attorneys General also have
the ability to enforce the law.
What we would like to avoid, however, is almost a division
of the country circuit by circuit. There are other places in
our membership where we have companies that actually have to
comply with certain requirements because circuit by circuit
decisions have actually divided the country and it makes data
security less effectively administered, or some other kind of
compliance program less effectively administered.
So our argument is not for ineffective administrative
powers, but just simply to ensure that if there is an
administrative power, that it is uniform and applied across the
country, and you just simply cannot accomplish that if you are
going to have, for example, a private right of action that
would begin to divide the country into circuits. So we need
that uniformity in order to be successful. We want to be
successful. We want that data protected. And we also want to
notify consumers where data has been lost or stolen and we know
that we have a responsibility to make sure that consumer is
made whole.
Mr. Streff. You know, I think it is fairly risky business
to be Reg E-ing corporate accounts. This is my perspective. You
know, in my research, as I mentioned, seven out of ten small
businesses lack the basic security controls of access control
or a firewall or antivirus, basic stuff that we all should have
on our home environments and certainly in our business
environments. Because of those deficiencies, corporate account
fraud is occurring. The keys are laying there on the small
business desk and the crooks are picking them up and simply
logging into the bank and doing nefarious activity. So I think
we want the accountability at the corporate account at the
small business, and shifting that to the bank, I am not sure if
that is where the real issue lies.
Senator Merkley. So do you see a difference between fraud
that stems from people leaving the keys on the home desk versus
fraud that occurs because of a central data base in an
institution is hacked or records are copied onto a personal
computer and stolen or something of that nature?
Mr. Streff. I certainly do, and I think the courts are
trying to sort of figure out where those lines are. The EMI
America case that just was announced, the decision last week,
where it is trying to draw some of those lines about the
definition of what is commercially reasonable security, you
know, I think that that is what the courts are trying to figure
out, and without further policy on that, I think the courts
will struggle to interpret that.
Senator Merkley. I want to shift gears. I have one more
question if there is time for it.
Chairman Johnson. Yes.
Senator Merkley. This is related, although it is a bit
afield from the immediate conversation, but this is related to
issues that derive from changes in technology and mobile
banking. One of the things we have started to see more about,
or at least I have started to see more about, is the issue of
remotely created checks, or RCCs. The States Attorneys General
and the Federal Reserve have identified a high incidence of
fraud, and it is kind of interesting that these remotely
created checks only require verbal authorization, which is
undocumented in the process. So that immediately looks like a
weak link in the system. My understanding is payday loan
companies tend to be a major user of this, but also fraudsters
are seeing this as a weak link.
And so there has not been a lot of response from OCC or the
Federal Reserve, and I just wanted to get, if any of you have
any insights on this issue and think it is fine the way it is
or do we need to modify the system of remotely created checks.
Mr. Williams. I can tell you that many institutions are
looking at which of their clients they are comfortable with and
finding ways to monitor the behavior of those clients. So if
there are some that are processing remotely deposited checks or
remotely created checks and they see a pattern of many of those
checks being returned, our institutions typically will shut
those customers down and will file suspicious activity reports
so that they cannot open accounts elsewhere.
Senator Merkley. Do they still serve an important enough
role in the system that they should still be allowed, or do we
have--we have other options and strategies now to do those sort
of electronic transactions. Are they kind of an anachronism
that we could just as well do without?
Mr. Williams. They are an interesting bridge between old
mechanisms, like paper checks, and new ones, like ACH entries.
Senator Merkley. Yes.
Mr. Williams. ----and it may well be that we can evolve
past them and at some point they will no longer serve a
purpose.
Senator Merkley. Anyone else? Any other thoughts on this?
[No response.]
Senator Merkley. OK. Well, thank you all very much for your
testimony. This is an area, certainly, of importance to our
businesses, our financial institutions, and our citizens.
Thank you, Mr. Chair.
Chairman Johnson. I want to thank the witnesses for the
testimony on this important issue. I think that today's hearing
yielded some good information for us to review as we consider
this issue going forward. Thanks again to my colleagues and our
panelists who have been here today.
This hearing is adjourned.
[Whereupon, at 11:14 a.m., the hearing was adjourned.]
[Prepared statements and additional material supplied for
the record follow:]
PREPARED STATEMENT OF CHAIRMAN TIM JOHNSON
The Banking Committee meets today to hear testimony about data
protection and cybersecurity issues in the financial sector.
Over the past 12 years, the Committee has enacted several pieces of
legislation to protect consumer data held by financial institutions.
Federal financial regulators under the Committee's jurisdiction have
issued extensive rules and guidance on data practices that require the
institutions they regulate to keep data secure, notify customers and
regulators when breaches occur, authenticate customers, and notify
customers about how their sensitive information may be used.
Recent high-profile data breaches at major institutions within the
financial sector and elsewhere underscore the importance of
cybersecurity for the American economy. Breaches are disruptive and
raise the potential for financial fraud, identity theft and,
potentially, severe threats to our national economic security. This is
an important issue that deserves the Committee's careful attention and
continued oversight. Today, I invite the witnesses to share their views
in three areas:
The current regulation of data practices affecting
financial institutions and their customers;
The current state of data privacy protection, data breaches
and cybersecurity in the financial sector; and
How legislative proposals, such as the Administration's
cybersecurity bill, would affect financial institutions and
would interact with existing regulation
I look forward to the testimony of our witnesses, and to the
question and answer period.
______
PREPARED STATEMENT OF KEVIN F. STREFF
Associate Professor of Information Assurance, Dakota State University
Information Assurance Center
June 21, 2011
Introduction
Chairman Johnson, Ranking Member Shelby, and Members of the Senate
Committee on Banking, Housing, and Urban Affairs, I am pleased to
appear before you today on behalf of the National Center for the
Protection of the Financial Infrastructure (NCPFI) at Dakota State
University to share our views on the current state of data/
cybersecurity as relating to small- and medium-sized financial
institutions and what they do well/or not so well. These comments will
be made within the context of the President's recent proposal regarding
The Comprehensive National Cybersecurity Initiative (CNCI) which is
vital to increase America's detection, planning, and response
capabilities as it relates to attacks on our Nation's critical
electronic infrastructure.
My name is Dr. Kevin Streff and I am Director of NCPFI from
Madison, South Dakota. The NCPFI's mission is to ``advance the security
and safety of the Nation's financial infrastructure through research,
education and outreach.'' Started in 2009, the NCPFI has worked with
academia, the private sector and Government to bring attention to the
homeland security, critical infrastructure and cyber risks associated
with the electronic infrastructure which runs the financial industry.
The work of NCPFI is funded by the State of South Dakota, NSF, DoD,
DHS, Cheneega Logistics, and other Federal and private entities. We
appreciate the invitation to appear before the Committee on this
important issue, and thank the Committee for their leadership and
foresight in dealing with these issues before a crisis state.
Background
Every day cyber criminals are scanning Government, academic, and
industry networks for nonpublic information they can steal. Large
corporations have in-house IT departments to protect their systems and
customer data. Small- and medium-size financial institutions (SMFIs)
and small- and medium-sized businesses (SMEs) businesses do not.
Furthermore, Presidential Decision Directive 63 deemed the
financial services sector a critical cyber infrastructure which America
depends upon every day; however, small- and medium-sized financial
institutions are under heavy cyber attack and lack the requisite skills
and resources to combat these cyber threats. Without an understanding
of the risks each institution incurs and a capability to deploy
solutions to mitigates these risks, it is unlikely decision makers in
these SMFIs will win the battle against cyber thieves.
In this testimony, we will review the current legal and regulatory
environment in which small- and medium-sized financial institutions
must operate (SECTION I), discuss security and privacy experiences in
the financial services sector that have impacted small- and medium-
sized financial institutions (SECTION II), and discuss how the
Administration's cybersecurity bill will interact with existing
regulation and affect SMFIs. Some additional ideas and concerns are
noted for the President to consider as it relates to the Comprehensive
National Cybersecurity Initiative (SECTION III).
SECTION I. Overview of Current Data Protection Laws, Regulation, and
Policy Statements in Financial Services
A. Financial Industries Modernization Act of 1999 (Gramm-
Leach-Bliley)
The Gramm-Leach-Bliley Act (GLBA) 15 U.S.C. ��6801-6810 (disclosure
of personal financial information), 15 U.S.C. ��6821-6827 (fraudulent
access) repealed the Glass-Steagall Act of 1932, and is part of broader
legislation which removes barriers to banks engaging in a wider scope
of financial services. GLBA applies to financial institutions' use and
disclosure of nonpublic financial information about consumers. Section
501(b) requires administrative, technical, and physical safeguards to
protect covered nonpublic personal information. Federal banking
agencies have published Interagency Guidelines Establishing Standards
for Information Security for financial institutions subject to their
jurisdiction. 66 Fed. Reg. 8616 (February 1, 2001) and 69 Fed. Reg.
77610 (December 28, 2004). The Guidelines are published by each agency
in the Code of Federal Regulations, including:
Federal Deposit Insurance Corporation, 12 C.F.R., Part 364,
App. B;
Office of the Comptroller of the Currency, 12 C.F.R., Part
30, App. B;
Board of Governors of the Federal Reserve System, 12
C.F.R., Part 208, App. D-2 and Part 225, App. F;
Office of Thrift Supervision, 12 C.F.R., Part 570, App. B;
and
National Credit Union Administration, 12 C.F.R., Part 748
The Federal Trade Commission has issued a final rule, Standards for
Safeguarding Customer Information, 16 C.F.R. Part 314, and the
Securities and Exchange Commission promulgated Regulation S-P: Privacy
of Consumer Financial Information, 17 C.F.R. Part 248 for financial
institutions within their respective jurisdictions.
GLBA requires financial institutions to disclose privacy notices to
all customers, and provide a means for customers to opt out of the
sharing of information with third parties. However, it is �6801,
``Protection of Non-Public Personal Information'' that contains the
most sweeping provisions, by requiring each regulatory agency to:
Establish appropriate standards for the financial institutions
subject to their jurisdiction relating to administrative,
technical, and physical safeguards to:
1. Insure the security and confidentiality of customer records and
information;
2. Protect against any anticipated threats or hazards to the
security or integrity of such records; and
3. Protect against unauthorized access to or use of such records or
information which could result in substantial harm or
inconvenience to any customer.
These requirements mean that all financial institutions must
develop, document and operationalize a comprehensive information
security program. The administrative, technical, and physical
safeguards are sweeping and expansively interpreted by Federal and
State regulators to include everything from the physical security of
buildings, data security at service providers, to the types of
authentication used during online banking sessions. Each bank must
report annually to the Board of Directors on the status of the
information security program.
The Guidelines require a risk assessment designed to: ``identify
reasonably foreseeable internal and external threats'' to customer
information, assess the likelihood and potential damage of these
threats, and to assess the effectiveness of a wide variety of
information security controls. GLBA is significant because of the
extensive requirements and regulatory oversight imposed upon the
financial industry and carried out by Federal and State regulators.
The Interagency Guidelines Establishing Information Security
Standards includes a provision to implement a notification program to
notify customers, regulators and law enforcement officials of data
breaches. The regulations promulgated to implement the response program
have been codified as Supplement A to Appendix B of 12 C.F.R. Pt. 30.
``[E]very financial institution should . . . develop and implement a
risk-based response program to address incidents of unauthorized access
to customer information in customer information systems'' regardless of
whether the breach occurs in the financial institution's own computer
systems or those hosted by third party service providers.
B. Bank Secrecy Act
In 1970, Congress passed the Bank Secrecy Act (BSA). BSA requires
U.S. financial institutions to assist U.S. Government agencies to
detect and prevent money laundering. The act specifically requires
financial institutions to keep records of cash purchases of negotiable
instruments, file reports of cash transactions exceeding daily
aggregate amounts of $10,000, and to report suspicious activity that
might signify money laundering, tax evasion, or other criminal
activities. Several anti- money laundering acts, including provisions
in title III of the USA PATRIOT Act, have been enacted up to the
present to amend the BSA. (See, 31 USC 5311-5330 and 31 CFR Chapter X
(formerly 31 CFR Part 103)). The documents filed by financial
institutions under BSA are used by law enforcement agencies, both
domestic and international to identify, detect and deter money
laundering whether it is in furtherance of a criminal enterprise,
terrorism, tax evasion, or other unlawful activity.
C. USA PATRIOT Act
The USA PATRIOT Act (Patriot Act), enacted by President George W.
Bush in 2001, reduced restrictions on law enforcement agencies' ability
to search telephone, email communications, medical, financial, and
other records; eased restrictions on foreign intelligence gathering
within the United States; expanded the Secretary of the Treasury's
authority to regulate financial transactions. Section 314(b) of the USA
PATRIOT Act permits financial institutions, upon providing notice to
the U.S. Department of the Treasury, to share information with one
another in order to identify and report to the Federal Government
activities that may involve money laundering or terrorist activity.
More specifically, the BSA authorizes the Treasury to require financial
institutions to maintain records of personal financial transactions
that ``have a high degree of usefulness in criminal, tax and regulatory
investigations and proceedings'' and to report ``suspicious transaction
relevant to a possible violation of law or regulation.'' Again, because
The Patriot Act deals with governmental, rather than private, intrusion
into customer privacy, it is outside the scope of this discussion.
D. Identify Theft Red Flags Rule
The Identify Theft Red Flags Rule (Red Flags Rule) requires
financial institutions to implement a written Identity Theft Prevention
Program that is designed to detect the warning signs of identity theft
in their daily operations. By identifying red flags in advance,
financial institutions will be better able to identify suspicious
patterns that may arise, and take steps to prevent a red flag from
escalating into identity theft.
A financial institutions' Identify Theft Red Flags Program should
enable the organization to:
1. Identify relevant patterns, practices, and specific forms of
activity--the ``red flags''--that signal possible identity
theft;
2. Incorporate business practices to detect red flags;
3. Detail appropriate response to any red flags you detect to
prevent and mitigate identity theft; and
4. Be updated periodically to reflect changes in risks from identity
theft.
Shortly thereafter, regulatory agencies began issuing examination
procedures to assist financial institutions in implementing the
Identity Theft Red Flags, Address Discrepancies, and Change of Address
Regulations, reflecting the requirements of Sections 114 and 315 of the
Fair and Accurate Credit Transactions Act of 2003.
E. Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act of 2002 (SOX) was enacted to restore
confidence in the integrity of the financial reporting process at
publicly traded companies, influenced by high profile accounting
scandals at firms such as Enron and WorldCom. However, each publically
traded financial institution that is affected by the Sarbanes-Oxley Act
has some level of reliance on automated information systems to process,
store and transact the data that is the basis of financial reports, and
SOX requires financial institutions to consider the IT security
controls that are in place to promote the confidentiality, integrity,
and accuracy of this data. SOX states that specific attention should be
given to the controls that act to secure the corporate network, prevent
unauthorized access to systems and data, and ensure data integrity and
availability in the case of a disaster or other disruption of service.
Also, each system that interfaces with critical financial reporting
data should have validation controls such as edit and limit checks
built-in to further minimize the likelihood of data inaccuracy.
F. Payment Card Industry Standard
The Payment Card Industry Security Standards Council is an industry
group formed to manage and maintain the Data Security Standard (DSS),
which was created by the Council to ensure the security of payment card
information. Sensitive data is involved in card transactions, including
account number, cardholder name, expiration date, and PIN. The intent
of the PCI DSS is to ensure that card transactions occurring across
multiple private and public networks are subject to end-to-end
transaction security. The payment card industry consists of Card
Issuers, Card Holders, Merchants, Acquirers, and Card Associations.
From the collection of card information at a point of sale,
transmission through the merchant's systems to the acquiring bank's
systems, then on to the card issuer, the PCI DSS requirements attempt
to ensure sufficient security safeguards are in place on the card data
from beginning to the end of a card transaction. Enforcement of the
security requirements is done by the card associations and through a
certification process of each association member. The certification
process is carried out by Qualified Security Assessors (QSA), who audit
systems and networks to ensure the mandatory controls are in place.
Certification does not guarantee that an organization will not suffer a
data breach, as several PCI-certified organizations have suffered data
breach incidents.
G. Regulatory Guidance
The Federal Financial Institutions Examination Council (FFIEC) is a
formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the Federal examination of financial
institutions by the Federal financial regulatory agencies. As such, the
FFIEC publishes the ``Information Technology Examination Handbook'',
which is used by banking regulators in executing examinations of
information technology and systems of financial institutions. The
Handbook includes ten (10) booklets, one of which is the ``Information
Security Booklet'', which provides a baseline against which a financial
institution subject to GLBA can be evaluated. The ``Information
Security Booklet'' attempts to provide a high level, comprehensive
overview of the major types of information security controls one would
necessarily expect to be operating effectively within a financial
institution. The types of controls are not limited in applicability to
just financial institutions, and are derived from the same principles
underpinning all major information security frameworks.
Further, each regulatory agency produces further guidance for their
financial institutions. For example, FDIC FIL-103-2005 Authentication
in an Internet Banking Environment established single factor
authentication (such as a User ID and password) as necessary but
insufficient in logging users onto electronic banking systems,
requiring the use of an additional factor to establish identity. This
FIL involved industry investing in multifactor authentication
solutions, vendors leveraging these solutions in their systems, and
financial institutions operationalizing them. A second example is
Corporate Credit Union Guidance Letter 2010-01 dated July 8, 2010,
entitled ``Confidentiality and Protection of Sensitive Data''. The OCC
occasionally issues security bulletins, while FRB issues Supervision
and Regulation Letters (an example includes the April 4, 2011, release
of SR11-7 entitled ``Guidance on Model Risk Management''). The FDIC
also authored the Information Technology Officer's Questionnaire,
whereby an officer of the financial institution must document, attest,
and sign to 71 questions in five information security categories: risk
assessment, operations security and risk management, audit/independent
review program, disaster recovery and business continuity management,
and vendor management and service provider oversight. This
questionnaire is periodically updated and released as the security/
technology landscape changes.
H. Third-Party Self Regulation
Small- and medium-sized financial institutions depend heavily on
hardware and software vendors for nearly all banking products. In
addition, many of these vendors become service providers offering to
host and manage their products for the SMFI. The service provider
industry has experienced several significant data breaches affecting
the financial services industry in the past several years, including
ChoicePoint (163,000 data records), TJX (100 million data records),
Heartland Payment Systems (130 million data records), etc. When
companies choose to outsource data processing to a third party, they
typically perform information security due diligence on the third party
to understand how the data will be protected. A very common standard
for third party assurance has been the SAS 70; however, the SSAE16
standard is replacing the SAS70 and moving more to an attestation model
(similar to independent financial audits). BITS, a nonprofit
organization, has also attempted to standardize the assessment of
third-party service providers by developing the ``BITS Framework for
Managing Technology Risk for Service Provider Relationships'', which
includes two tools to help service providers in control selection and
implementation. The first tool is called Standardized Information
Gathering Questionnaire (SIG), which is a template based on the ISO
27002 standard, and specifies the expected information security
controls that should be in place at the service provider organization.
The second tool is the Agreed Upon Procedures (AUP), which serve as
testing procedures meant to validate the effectiveness of the controls
specified in the SIG.
In summary, SMFIs operate in an increasingly complex regulatory
environment, with community banks regulated aggressively and credit
unions a little less. This regulation is necessary, but causes
significant financial, resource, and other issues in SMFIs who must
leverage technology to compete. Increasing regulation is likely as
additional technologies are deployed and the cybersecurity stakes grow,
but all increased regulation must be tempered with a SMFI's ability to
stay in business and meet the needs of their customers. The majority of
SMFIs are in rural locations and may be the only local funding source
for a community.
SECTION II. Data Security and Privacy Issues in the Financial Sector
Over 500 million data records have been breached since the
ChoicePoint breach of 2005: 534,232,379 RECORDS BREACHED from
2,539 DATA BREACHES made public since 2005 (Source:
PrivacyRights.Org).
How many of these data records and breaches involved the
financial sector? 247,808,947 RECORDS BREACHED from 386 DATA
BREACHES made public since 2005 (Source: PrivacyRights.Org).
U.S. SMFIs and SMEs are important as millions of consumers depend
upon community banks, credit unions, accounting firms, tax-preparation
firms, investment offices, insurance agencies, and the like. When
issues in the financial system exist, confidence erodes and consumers
are left paralyzed wondering what to do. Similarly, as Deborah Platt
Majoras Chairman of the Federal Trade Commission stated at High-Tech
World, 2005, ``when data breaches or an infrastructure attack occurs,
customer confidence is eroded and spending is held close to the vest.''
The margin for error in SMEs is relatively small, and one such data
breach can shut the doors on viable businesses.
Further, if terrorists would target these vulnerable SMFIs or SMEs,
they would find a soft underbelly of relatively under-protected
targets. A plethora of nefarious activities are then possible,
including stealing and selling customer data, extorting ransoms,
``owning'' the computer, making these systems unavailable, etc. Stated
directly, these activities could be enough to put a SME or SMFI out of
business. The reality is that while it is nearly impossible to
challenge the importance of SMEs and SMFIs in the U.S., it is equally
difficult to convince security experts that either are prepared to
protect their critical systems, important customer information and do
their part to battle against the war on terror.
The Federal Government identified banking and finance as a critical
infrastructure that requires protection, yet most of the attention is
paid to the large financial institutions. SMFIs and SMEs store and
transmit much nonpublic data, with limited resources to fend off a
well-equipped, well-funded enemy. A recent survey of bank executives
called out this very fact. When asked what their top technology concern
was over the next 2 years, risk management and compliance topped the
list. A black market drives insiders and hackers to steal information
because of its value. An article in Information Week highlighted the
problem: ``More electronic records were exposed in 2009 than in the
previous 4 years combined and most of those breaches--nine out of ten--
could be easily avoided with basic preventative controls consistently
applied.'' SMFIs and SMEs have a wealth of nonpublic, sensitive data
that cyber thieves are targeting with increasing regularity.
Cybersecurity is a broad and pervasive issue leading to at least
two national issues: critical information protection and identify
theft. Critical information protection is guarding our electronic
infrastructures as an issue of national security. Incidents are
classified, but it is well established that China and others are
interested in technology disruptions that affect the United States'
ability to conduct commerce. President Obama is on record stating that
the United States is not prepared for CIP and despite national budget
pressures is creating a division within the national Government (Cyber
Command) to begin focusing on this new national issue.
Identity theft is the fastest growing crime in America and the
risks of not protecting such information can be catastrophic to SMEs in
communities. When identities of good U.S. citizens are stolen by cyber
criminals, the good citizen can be humiliated, lack good credit, and
spend significant time and money in an attempt to partially restore
their good name. Information risk management is the first step in
resolving the broad and pervasive issues of CIP and Identity Theft.
Public Law 111-24 was signed by the President establishing a Small
Business Information Security Task Force to look into the issue. The
Ponemon Institute, an independent research firm which conducts research
on privacy, data protection, and information security policy,
calculates in 2010 businesses paid an average of $202 per compromised
record (Ponemon Institute). This equates to $101,000 for a SME with 500
customer records. SMEs who cannot securely manage customer data from
identity theft face either closure or acquisition by larger
metropolitan-based organizations that have in-house IT security.
``Cyber crime is having enormous real consequences, which holds the
potential to cripple businesses and services,'' says Steven Chabinsky,
deputy assistant director of the FBI's Cyber Division. He continues,
``Cybersecurity is not a nice thing to have for American businesses, it
is critical to their survival.'' Cyber criminals began by hacking phone
systems and Government networks, and expanded their operations to
penetrate large organizations over the past 10 years. Today, cyber
criminals are expanding again, this time to target and thieve small-
and medium-sized businesses. This issue is magnified in America where
there is very limited information security expertise, offering
unprotected businesses as easy targets for organized cyber criminals
with financial motivation.
Electronic Crimes in Commercial Banking With Small- and Medium-Sized
Financial Institutions
Organized cyber gangs are increasingly preying on small- and
medium-sized companies in the U.S., setting off a multimillion-dollar
online crime wave and grave concerns that critical infrastructure
Government and business depends upon each day may become compromised.
It appears there are three contributing reasons they are growing so
fast: (1) Low threat of arrest in these ``safe havens'', (2) High
payout for the crime, and (3) Victim sharing data on these attacks has
been minimal. The attacks are amazingly simple and the amount of money
taken, information stolen, or infrastructure compromised is concerning.
SMEs do not know how to protect themselves. In some cases where credit
card theft has occurred, they have had to shut down because they lost
the ability to process credit cards. Small businesses are being
affected greatly by poor security practices. It is not a risk issue,
but rather an issue of survival.
Cyber criminals view SMEs as easy targets without the resources or
knowledge to fend them off or prosecute them if caught. Consequently,
cyber criminals are turning their attention to perceived easy targets
in America. Identity thieves can cost SMFIs and SMEs their basic
ability to stay in business (i.e., financial losses, bad publicity of a
data breach, significant costs of recovering from a data breach,
inability to process credit cards, etc.). Even if there were no
measurable damages to customers, the notification costs alone can put
the SME out of business. One-third of companies said that a significant
security breach could put their company out of business. Information
Week reports data breaches cost an average of $202 per record breached,
with $139 of this cost attributable to lost businesses as a result of
the breach. Many SMEs are having a difficult time in this recession,
and even the smallest of distractions can be devastating. SMFIs, too,
are struggling with increased assessment fees, limited deposits,
limited fee-based products, and overwhelming compliance expenses, which
is spurring closures and consolidation in the industry.
While SMFIs have struggled to keep pace with hackers, the SMEs have
clearly fallen short. In a study I completed of SMEs, 7 out of 10 SMEs
lack at least one basic security control, such as a firewall, antivirus
software, strong passwords, or basic security awareness for staff. Many
SMEs simply lack the basic security most of us expect on our home PCs.
As evidence, I provide a statistic. I am founder of Secure Banking
Solutions, LLC, a security/privacy firm focused on information security
and compliance for SMFIs. As such, SBS is regularly hired to conduct
penetration tests on SMFIs where SBS security personnel run (after
authorization) hacking tools to see if they can break into the bank's
network and systems. SBS is effective in 27 percent of SMFIs (meaning
that SBS personnel were able to gain access to information and systems
they were not authorized for). To contrast, SBS is effective in 98
percent of SME penetration tests. The question is ``why?'' and the
answer is simple: SMFIs are regulated to a certain level of security
that is far superior to a SME. Most anyone can download hacking tools
from the Internet, point them at a SME, and gain unauthorized access,
zombie the machine, steal data, or disrupt the environment.
Traditionally, most SMEs have viewed security as a problem faced
solely by large organizations, Government agencies, or online intensive
operations as large organizations possess large, prolific information
targets and are generally more regulated than SMEs. However, cyber
criminals are finding easy targets in SMEs that have limited security.
The financial gain for cyber thieves targeting SMEs is obviously less
than that of large organizations, but they can be hacked in
significantly less time with little to no effort. Tools to conduct
these attacks on SMEs are freely downloadable from the Internet.
Howard Schmidt, the White House Cybersecurity Coordinator, recently
stated: ``Around 85 percent of cyber attacks are now targeting small
businesses.'' (Source: Howard Schmidt, White House.)
SMEs are targeted as they are easy prey and do not have the
expertise to ward off attacks. Generally, SMEs with less than $10
million in revenue will be a big market over the last 18 months. Most
small businesses (86 percent) do not have staff dedicated to IT
security and only 28 percent have an Internet security policy, on which
only 35 percent train employees.
The FBI recently issued an alert to all SMFIs and SMEs of this
issue. These attacks are working because of a lack of security controls
at the SME whereby fraudulent transactions are directly taken out of
commercial customer's bank accounts.
The Ponemon Institute reported in 2010 that 58 percent of small
businesses had a security loss due to online banking fraud, and
nearly one third of these small businesses experienced a loss
of more than $5,000.
At a basic level, the attacker compromises the SME network due to a
lack of basic security controls, and proceeds to install malware to
steal login credentials. After receiving the login credentials (User ID
and password), the hacker simply logs onto the SMFI network, escalates
privileges as necessary, and steals data or money. Figure 1 outlines a
typical corporate account take-over attack.
SMFIs today lack an ability to understand which businesses
represent risk to these new-wave attacks. SMEs are the target of these
attacks and must understand how to prevent them from occurring.
The current generation of banking products work because of
technology, including remote deposit capture, Internet banking, mobile
banking, item imaging, and online account origination. However, USA
Today quoted Amrit Williams, a chief technology officer, ``Any
organization that cannot survive a sudden five- or six-figure loss
should consider shunning Internet banking altogether.'' Banking
security analyst at Gartner, Avivah Litan, tells acquaintances that run
small businesses to switch from commercial online accounts to an
individual consumer account to take advantage of consumer-protection
laws under Regulation E, because 57 percent of the time SMEs are stuck
paying some or 100 percent of the bill. Regulation E protection does
not exist for corporate accounts; consequently, SMEs have no legal
protection if commercial account fraud occurs. Unlike individual
accounts that protect individual consumers to a maximum exposure of $50
if fraud occurs, corporate accounts have no such protection. The SME
can sue or go to the media, but these approaches likely do not get the
money back and drains even more resources from SME which are typically
resource challenged.
New fees levied by financial institutions on paper-based banking
products are likely to push more small businesses into banking online,
whether or not they are aware of and prepared for the types of
sophisticated cyber attacks that have cost organizations tens of
millions of dollars in recent months. Gartner analysts say banks should
not be pushing more businesses into online banking without adequately
informing them of the risks. The reality is that the perfect small-
business storm is occurring: heaving attacks are already beginning and
significantly more technology will be deployed by SMFIs over the next 5
years, creating a fertile cyber ground for terrorists to create
problems.
The 2011 Business Banking Trust Study provides insights from the
SME perspective on the pervasiveness of fraud, the state of security at
banks and businesses, and the impact fraud has on businesses'
relationships with their banks. The 2011 study found:
1. Fifty-six percent of businesses reported experiencing payments
fraud or attempted payments fraud in the last 12 months;
2. In 78 percent of fraud cases, banks failed to catch fraud
involving the illegal transfer of funds or other nefarious
practices such as information identity theft; and
3. Thirty-eight percent of respondents said they access their
company's banking accounts from mobile devices including smart
phones and tablet PCs like the iPad, compared to only 23
percent in 2010.
The survey data reveals that despite a year of increased public
attention to the impact that corporate account takeover has had on
businesses and banks, the industry has barely moved the needle in
addressing the problem.
The National Cyber Security Alliance has conducted a new 2011
National Small Business Security Study with Visa Inc. to analyze small
business' cybersecurity practices and attitudes. Results include:
Only 43 percent of small- and medium-sized businesses have
a plan in place to respond to the loss of customer data, such
as credit or debit card information or personal identifying
data.
Forty-seven percent of employees at SMEs report receiving
no security training.
Fifty-three percent of all small business owners believe
the high cost in time and money to fully secure their business
is not justified by the threat.
Fifty-seven percent are NOT confident that their business
is protected against cyber thieves.
In summary, there is little doubt that the financial services
sector is under attack for identity theft and infrastructure corruption
motives. There is also little double that the small- and medium-sized
businesses and financial institutions are coming in the cross-hairs of
cyber criminals. The number and significance of data breaches and
attacks is significant, and only a comprehensive approach that looks at
all infrastructure holistically (from Government, academia, and
industry) can ward off these terrorists.
SECTION III. Analysis of Administration's Cybersecurity Bill on the
Financial Industry, With Particular Attention to Small- and
Medium-Sized Financial Institutions
This section will summarize the state of cybersecurity protection
and compliance in both SMFIs and SMEs and discuss the Administration's
Cybersecurity Bill and its impact on SMFIs.
1. Technology, Cybersecurity, and Compliance Challenges Are Outpacing
the Capabilities of SMFIs and SMEs.
Technology is advancing faster than SMFIs' ability to respond with
appropriate mitigating security controls. For example, the use of cell
phone cameras to take a picture of a check as the basis for making an
electronic deposit into an account, or P2P, B2B, or B2P transactions by
cell phone create security exposures for which there are inadequate
controls to prevent fraud. Fortunately, most SMFIs are not first
adopters of new technology, but rather prefer to wait until the systems
become more seasoned before embracing newer technologies. Moreover, the
timeline between introduction, implementation and adoption of new
technology by consumers continues to shrink. Just 10 years ago, data
processing was the buzz where computers were essentially back-off
equipment designed to promote efficiency in the financial institution.
Today, technology is front-line differentiators for banks, with
customers demanding to use mobile technologies and social media to
conduct banking commerce. The risk profile 10 years ago included
someone breaking into the bank's computer to get customer records,
while the risk profile today is someone breaking into cell phones,
laptops, mobile devices, social media sites, merchants who deposit
checks via imaging systems, service providers who host critical banking
applications, Web sites which validate flood plains or credit bureau
information, etc. This list goes on and on regarding the technologies
typical in a SMFI. The next generation of technologies will
exponentially increase the risk profile because information and
infrastructure will be further distributed, and not partitioned off by
the walls of the bank. With the increase in outsourcing and the
mounting risks of offshoring, requiring data centers to be located in
the U.S. seems consistent with the goal of increasing our cybersecurity
posture. Banks leverage Brinks trucks to secure the delivery of cash to
their bank. The financial industry needs to devise ``cyber Brinks
trucks'' to perform the same role in cyberspace.
The attack target at SMFIs is typically individual accounts and
small- and medium-sized business accounts (i.e., corporate accounts).
For the most part, cyber crooks have used malicious software to infect
those computers because the controls at small- and medium-sized
businesses (SMEs) are nonexistent or rudimentary at best--certainly not
nearly as in-depth as even the smallest financial institutions. The PCI
standards are clearly inadequate, and for the most part based on
voluntary compliance and self-audit. Today, the best mitigation
strategy seems to be to educate individuals and SMEs to the risks and
controls that are essential to minimize the potential for major cyber
loss or disruption. Moreover, we do not think it is appropriate or
reasonable to shift the burden of loss from the person or organization
that had inadequate controls in place to detect and deter cyber hacking
attacks, to the financial institutions that process the withdrawals by
the crooks, generally through ACH debits. The recent Experimental Metal
Incorporated (EMI) vs. Comerica Bank decision is concerning to the
small- and medium-sized financial sector as it appears to increase SMFI
responsibilities to information risk management of corporate accounts
(even if the security attack occurred at the SME). Automated systems
are necessary that help individuals and SMEs identify risks, controls,
and mitigation strategies. It would appear that SMFIs, which already
conduct a bank IT risk assessment and a third party vendor assessment,
will need to put in place a corporate account risk management program
very shortly.
The mounting compliance drivers are beginning to take their toll on
SMFIs around the country.
The compliance burden continues to rise. We cannot discount the
impact of using limited resources to combat cybersecurity risks
when so much time, energy, and money are being spent today on
operational compliance issues, training, and staff time.
(Source: Daryll Lund, President and CEO, Community Bankers of
Wisconsin.)
2. SMFIs and SMEs Lack Sufficient Cybersecurity Resources.
As we have discussed, cyber crime is now big business. There is
every reason to believe that cyber crooks will continue to find ways to
defeat controls and attempt to hack small- and medium-sized businesses
and high net worth individuals. To date, one of the most effective
deterrents has been in educating customers, ``know your customer'' and
placing per transaction and aggregate daily limits on ACH and wire
transfers. Smaller financial institutions are generally in a better
position than large institutions to know their customers, enforcing
lower transaction and aggregate limits, and placing more restrictive
controls involving ACH and wire transfer controls. However, smaller
financial institutions cannot afford to put in place the highly
sophisticated equipment that the large financial institutions use to
monitor data/cybersecurity exposures. Smaller financial institutions
generally do not have the resources to continually put in place the
most advanced security controls. However, the solution for the smaller
financial institutions is to form strategic partnerships with
organizations that have expertise and infrastructure to combat the
latest cyber threats. This of course requires a system for procedural
controls and continuous monitoring of vendors, more effective risk
management tools honed to the unique needs of small- and medium-sized
financial institutions, and normative data to help decision makers
understand trends, anomalies and the like to support cost-effective
information security spending.
In addition, SMFIs and SMEs typically lack information security
staff. At a SMFI, a loan officer, head teller, VP of Operations, or IT
staff are the usual candidates named Information Security Officer. We
have yet to meet a SMFI Information Security Officer with a formal
education in information protection. Bachelor, Masters, and Doctoral
programs are available in Computer and Network Security, Information
Security, Information Assurance, Homeland Security, and other
derivatives of cybersecurity; yet, because demand simply outpaces
supply, the SMFIs are left without qualified resources. Further, the
Information Security Officer that is named typically wears four or five
``hats'' at the SMFI. Understanding emerging security threats, threat
actors, vulnerabilities, and the like takes time and expertise, and
cannot simply be assigned likely to existing staff.
Further, we applaud the President for inclusion of CNCI Initiative
#8: Expand Cyber Education in his comprehensive strategy. While
technology is vital to preventing, detecting, and responding to
security attacks, equally important are the people who determine
security strategy, devise and operationalize security programs, and
skillfully deploy the technologies that wall-off our critical
infrastructures and information. We commend the Federal Government for
starting the NSA/DHS Center of Academic Excellence in Information
Assurance Education and Research Programs. The NSA/DHS partnership was
formed in 2004 in response to the President's National Strategy To
Secure Cyberspace of 2003. The CAE-R program was added in 2007 to
encourage universities and students to pursue research, development and
innovation in Information Assurance (cybersecurity). The program
originally created by this partnership has continued to grow and become
even more relevant and critical to U.S. national security today. One-
hundred-and-six universities across the United States, located in 37
States, the District of Columbia, and the Commonwealth of Puerto Rico,
are now designated by NSA/DHS as National Centers of Academic
Excellence in Information Education and/or Research. Qualified IA
professionals from the National Security Agency, the Department of
Homeland Security, and the Committee on National Security Systems
review and assess applications. Universities designated as National
Centers of Academic Excellence in Information Assurance are eligible to
apply for scholarships and grants through both the Federal and
Department of Defense Information Assurance Scholarship Programs.
Graduates from Information Assurance programs at CAE institutions
become the professional cybersecurity experts protecting national
security information systems, commercial networks, and critical
information infrastructure. These professionals are helping to meet the
increasingly urgent needs of the U.S. Government, industry, academia,
and research. Designation as a CAE/IAE or CAE-R is awarded for 5
academic years, after which the college or university must successfully
reapply in order to retain the designation.
CAE2Y--National Centers of Academic Excellence in
Information Assurance 2-Year Education
CAE/IAE--National Centers of Academic Excellence in
Information Assurance Education
CAE-R--National Centers of Academic Excellence in
Information Assurance Research
The CAE program is a huge success and the credit goes to the
thought leaders in the Federal Government that anticipated the
cybersecurity issue and the resource shortage it would create. We
advise the President to consider expanding this program with funding so
that more educational, research, and outreach capacity is created to
serve the needs of Government and industry (companies small and large).
We advise the expansion of the scholarship for service program (SFS) at
NSA, DoD, and NSF, including expanding the number of scholarships and
the places scholarship students can pay back their scholarship. For
example, can we make it possible for a SFS student to complete his/her
service at a critical infrastructure owned and operated by the private
sector? NSA and DHS alike deserve a lot of credit for operationalizing
this successful program, and we suggest Administration considers
leveraging this investment as a starting point for CNCI Initiative #8:
Expand Cyber Education, rather than creating a new mousetrap and
starting over.
More effective training and educational programs must be made
available to SMFI and SME industry personnel. One such example is the
program in Bank Technology Management that Kirby Davidson at the
Graduate School of Banking at the University of Wisconsin has
developed. This program launched in April 2011, and was capped at 50
students (which filled in 2 weeks). The program is a blend of
technology and security honed specifically to the community banking
audience. The program includes 12 hours of ``ethical hacking,'' where
students download and execute common hacking tools so they understand
what tools the adversary has in the arsenal.
As the technologies used to support banking become more
important, and as banking products demand more sophisticated
technology solutions, it's vital that IT professionals and
information security officers understand how to effectively
choose, deploy and lead the use of current and emerging
technologies to meet business goals and regulatory
requirements. It's also critical that IT professionals
understand key steps that they can initiate at their bank to
proactively protect vital customer information from cyber and
network attacks. All of this, and more, is included in the new
Bank Technology Management School offered through the Graduate
School of Banking at the University of Wisconsin-Madison. The
school uses a mix of lectures, small group discussions and
interactive computer simulation labs that allow students to
work with learned concepts in real-world situations. (Kirby
Davidson, President and CEO, Graduate School of Banking,
Madison, WI.)
Small- and medium-sized financial institutions lack qualified
security experts to protect their interests. SMFIs simply cannot afford
or do not have access to security specialists. Many certified and
qualified security officers command six-figure salaries, inconsistent
with the resources available at SMFIs. Most of these certified,
qualified individuals live in urban areas, again inconsistent with the
demands of SMFIs. Universities, community colleges and trade schools
can do even more to create programs that produce security experts who
can work into the SMFI environment. As the Federal Government continues
hiring of cyber experts, this will likely put even more pressure on the
supply of such experts needed in SMFIs.
3. Digital Infrastructure Is Infrastructure.
When an ice storm occurs in North Dakota, icing up power lines and
taking out power, the region is paralyzed until power is restored. It
can sometimes take weeks and months to complete this task, depending
upon the tenacity of Mother Nature. What would happen to these
financial institutions, our economy, and our consumer confidence level
if malicious nation-states disrupted our power instead of an ice storm?
How long would it take for power to be restored on infrastructure
dating back centuries?
Power, water, transportation, and the Internet (just to name a few)
are all required to conduct banking commerce. While SMFIs are required
to devise business continuity, incident response, and pandemic
preparedness plans, no SMFI could operate if essential infrastructure
we all depend up (such as the power grid) was compromised. The job is
much larger than any one SMFI. The CNCI's major goals to establish a
front line of defense against today's immediate threats and to defend
again a full spectrum of (future) threats is so massive that only the
Federal Government could take this on. However, to the degree major and
minor changes are needed at SMFIs or SMEs, we urge the Administration
to consider this infrastructure and fund it. There needs to be a mind-
set shift away from industry paying for everything in this
infrastructure (because they created it and are the users of it) to
some shared cost model. If this infrastructure is truly a matter of
national security then the Federal Government has a funding
responsibility. Just as tanks, planes, and weapons are funded to
protect our interests, we urge the Administration to consider their
financial responsibilities as it relates to this vital electronic
infrastructure. President Obama said it best:
We count on computer networks to deliver our oil and gas, our
power and our water. We rely on them for public transportation
and air traffic control . . . But just as we failed in the past
to invest in our physical infrastructure--our roads, our
bridges and rails--we've failed to invest in the security of
our digital infrastructure . . . This status quo is no longer
acceptable--not when there's so much at stake. We can and we
must do better. (Source: President Obama, May 29, 2009.)
Conclusion
Electronic banking is the future, and if SMFIs cannot understand
and resource their technology and security requirements then they will
likely be left behind. We agree with the White House's conclusion in
their recent cybersecurity legislative proposal that, at least with
respect to cyber terrorists, the vulnerability of the electricity grid
poses one of the most severe exposures to our country's critical
infrastructure. The fact that a computer programmer in another country
could cause the partial or complete disruption of this Nation's grid
is, to say the least, extremely disturbing, but is beyond the scope and
expertise of SMFIs to respond. However, small- and medium-sized
financial institutions need representation at the table, and we
encourage the President to consider including this voice as small- and
medium-sized financial institutions and businesses are the majority,
not the minority, of American businesses.
Thank you for the opportunity to participate in this important and
timely hearing. The National Center for the Protection of the Financial
Infrastructure and Dakota State University look forward to working with
all stakeholders to operationalize the President's vision of a safe
electronic infrastructure for all businesses to use. We applaud the
President in making cybersecurity an Administration priority, and
concur with the President's comments that the ``cyber threat is one of
the most serious economic and national security challenges we face as a
Nation.'' To make an impact, policy must change, resource allocation
must change, and a more comprehensive approach must be deployed.
We want to thank you again for this opportunity to appear before
you.
______
PREPARED STATEMENT OF STUART K. PRATT
President and Chief Executive Officer, Consumer Data Industry
Association
June 21, 2011
Chairman Johnson, Ranking Member Shelby, and Members of the
Committee, my name is Stuart Pratt, and I am president and CEO of the
Consumer Data Industry Association (CDIA). Thank you for this
opportunity to testify on cybersecurity and data protection in the
financial sector.
CDIA is an international trade association with more than 190
member companies, providing our Nation's businesses with the data tools
necessary to manage risk in a wide range of consumer transactions.
These products include credit and mortgage reports, identity
verification tools, law enforcement investigative products, fraudulent
check transaction identification systems, employment screening, tenant
screening, depository account opening tools, decision sciences
technologies, locator services, and collections. Our members' data and
the products and services based on it ensure that consumers benefit
from fair and safe transactions, broader competition and access to a
market which is innovative and focused on their needs. We estimate that
the industry's products are used in more than nine billion transactions
per year.
You have asked us to address a number of topics in our testimony.
Let me start with an overview of some of the most relevant laws and
regulations which apply to our members' products and services.
Data Security
The Senate Banking Committee has a clear record across many
Congresses of oversight of the financial services sector's efforts to
secure sensitive personal information. Let me describe just a few of
these efforts.
One of the most notable and prescient actions of the Committee was
the 1999 passage of Title V of the Gramm-Leach-Bliley Act, signed into
law by President Clinton. While Title V established a number of new
duties relative to how data transfers occur in the financial services
sector, most notable for today's hearing was the direction given to
bank regulatory agencies and the Federal Trade Commission in section
501 to develop regulations regarding the security of nonpublic personal
information.
The FTC's explanation of the Safeguards Rule, which implements the
security requirements of the GLB Act, speaks to the breadth of the
rule's application and what is required of any person who must comply:
[It] requires financial institutions to have reasonable
policies and procedures to ensure the security and
confidentiality of customer information. The ``financial
institutions'' covered by the Rule include not only lenders and
other traditional financial institutions, but also companies
providing many other types of financial products and services
to consumers. These institutions include, for example, payday
lenders, check-cashing businesses, professional tax preparers,
auto dealers engaged in financing or leasing, electronic funds
transfer networks, mortgage brokers, credit counselors, real
estate settlement companies, and retailers that issue credit
cards to consumers.
The Rule is intended to be flexible to accommodate the wide
range of entities covered by GLB, as well as the wide range of
circumstances companies face in securing customer information.
Accordingly, the Rule requires financial institutions to
implement a written information security program that is
appropriate to the company's size and complexity, the nature
and scope of its activities, and the sensitivity of the
customer information it handles. As part of its program, each
financial institution must also: (1) assign one or more
employees to oversee the program; (2) conduct a risk
assessment; (3) put safeguards in place to control the risks
identified in the assessment and regularly test and monitor
them; (4) require service providers, by written contract, to
protect customers' personal information; and (5) periodically
update its security program.
It is hard to overstate the effects that this action has had on the
security of the flows of sensitive personal information in the United
States. CDIA's members operate as financial institutions under GLB and
thus comply with the Safeguards Rule. The model that this Committee
established more than a decade ago has withstood the test of time. It
should operate as a framework for other committees as they consider
establishing a similar data security duty.
Of particular importance to the CDIA is that the Senate Banking
Committee had the foresight to ensure that data security was not a
hard-coded statutory prescription. Risks change over time and so too
must the strategies used to mitigate these risks. The Committee also
recognized that those who have a duty to comply will vary in terms of
size, complexity, and even the types of data retained. Because of this,
the Committee built into the statute direction for regulators to take
into consideration these factors when designing the rule and measuring
how each person implements its requirements. This ``regulatory
flexibility act like'' approach has been critical to ensuring strong
security, by not dictating a single solution or approach to security
threats, thus leaving our members' security experts the creative room
to secure data assets against threats. At the same time, its
flexibility is not a statutory and regulatory regime which drives
small- and medium-sized businesses out of the marketplace.
The GLB Safeguards Rules are also designed to be administratively
enforced, which we believe has ensured that national uniformity has not
been impaired by private actions that could create a circuit-by-circuit
compliance nightmare for U.S. businesses operating on a super-regional
or nationwide basis. This is not to say, however, that such laws are
not enforceable. For financial institutions subject to regulatory
examination by bank agencies, compliance with the GLB Safeguards Rule
is an annual event measured with prudence and care. For persons not
subject to bank agency examinations, the Federal Trade Commission has
proven itself to be an able agency in many ways. First, it has sought
to encourage successful compliance through education. CDIA applauds
this education-first approach which compliments the Association's own
training programs on this subject. FTC enforcement actions have focused
on both smaller and larger institutions, and consent orders have
informed the broader community regarding approaches to compliance and
FTC expectations. Overall, the GLB Safeguards Rules have operated just
as expected, and have ensured that literally trillions of data
transmissions and transactions are secure in the context of a healthy
and competitive private-sector marketplace.
Disposal of Records
The Senate Banking Committee's accomplishments are not limited to
the enactment of Title V of GLB. In 2003, as part of its extensive
oversight of the Fair Credit Reporting Act, the Committee recognized
that disposing of sensitive data, whether stored electronically or
otherwise, should be addressed. As part of the Fair and Accurate Credit
Transactions Act of 2003, Congress amended the Fair Credit Reporting
Act by adding Section 628 [15 USC 1681w] entitled ``Disposal of
Records.'' This enactment required the Federal Trade Commission (as
well as the Federal banking agencies, NCUA and SEC) to promulgate rules
regarding the proper disposal of ``consumer information, or any
compilation of consumer information, derived from consumer reports.''
This duty expanded the concept of proper disposal of records beyond the
borders of users of consumer reports who were already subject to duties
under the GLB Safeguards rule. This simple, straight-forward duty, it
brought tens of thousands of users of data under the new law and
specific rules. In doing so, the Committee ensured that sensitive
personal data about consumers wasn't simply left in a dumpster, or on
the hard drive of a laptop or a hand-held device which was sold without
concern for its contents.
Credentialing Customers
As a result of this Committee's actions to enact the FCRA (1970)
and Title V of GLB (1999), our members have a number of duties to
ensure that they know their customers, which is yet another important
part of ensuring that a full and complete data security program is in
place. Section 607(a) of the FCRA requires our members when operating
as consumer reporting agencies to have each customer certify the uses
for which they will order consumer reports. Today, this certification
process often involves on-site inspections of the customer's offices,
reviewing and confirming other credentials such as business licenses,
and cross-referencing a prospective customer with the SDN list and
other lists administered by the U.S. Treasury's Office of Foreign
Assets Control. Further, the GLB Safe Guards Rules issued by bank
agencies and the FTC require that proper access controls be in place to
protect against unlawful access to nonpublic personal information.
Access control strategies may include details of how passwords are
administered, the frequency with which they are changed, how many
factors are used to authenticate a legitimate user or the use of
technologies to detect possible fraudulent access.
Aligning Current Law With Cybersecurity Proposals
You have asked us to comment on how proposals, such as the
Administration's cybersecurity bill, would affect financial
institutions that come under the Committee's jurisdiction.
Clearly because of the leadership of the Senate Banking Committee
in establishing data security requirements found in laws such as the
FCRA and Title V of GLB, as well as extensive regulations and guidance
issued by bank agencies which resulted from these enactments,
cybersecurity risks for financial institutions and their customers are
far less than would otherwise be the case. Our members already invest
heavily in defending against attacks by deploying external resources,
leading-edge technologies and internal data security teams with unique
core competencies. Some of our largest members also participate in
existing information sharing systems such as the Financial Services
Information Sharing and Analysis Center. \1\
---------------------------------------------------------------------------
\1\ ISACs were created as a result of Presidential Decision
Directive 63 (PDD-63) in 1998. The directive created a public/private-
sector partnership to share information about physical and cyber
threats.
---------------------------------------------------------------------------
With the existing legal and regulatory framework in mind, CDIA's
members recognize that risks remain, and we do believe it is
appropriate for the Administration and the Congress to focus on the
ever-changing mix of risks posed by cybersecurity threats. We believe,
however, that it is important for new laws not to impinge on frameworks
of law which already establish the necessary focus on data security.
Such conflicts are not inevitable and do not have to impede the passage
of new national cybersecurity protections.
As an example of how conflicts can be avoided, in place of 47
existing State laws the Administration's bill proposes to protect the
American people by creating a single, national standard for how and
when a notification should be sent to a consumer if there has been a
breach of sensitive personal information that could pose a risk. CDIA
is on record testifying as recently as this past week in support of
establishing an appropriate national standard for breach notification.
We look forward to contributing our experience and expertise to any
effort to structure a standard that is uniform and effective for
consumers. Part of ensuring that such a standard is effective is to
avoid arbitrarily overwriting existing national standards that are
effective today--such as data breach guidance already issued by bank
agencies.
The ``financial sector'' is considered part of the ``Nation's
critical infrastructure'' according to the Administration's May 12,
2011, release. As described above, the financial services industry
(including CDIA's members) is heavily regulated in general and
specifically with regard to securing sensitive personal information. It
is not clear, however, how a ``critical infrastructure'' designation as
determined by the Department of Homeland Security would operate in the
context of new agencies such as the Consumer Financial Protection
Bureau created by the Dodd Frank Act, and the existing bank agencies
that have a leading mission when it comes to data security or even the
Federal Trade Commission. Avoiding conflicts is necessary and will
require the Senate Banking Committee to proactively engage on the broad
topic of cybersecurity to ensure that current, effective laws,
regulations, and guidelines for the financial services industry
continue to operate coterminous with new data security or data breach
notification duties that may be established for other critical
infrastructure identified by DHS.
Data Security and Privacy Are not the Same Issue
The Senate Banking Committee can also play a vital role in ensuring
that the important work of reducing the risks of cybersecurity attacks
are not distracted by privacy issues, such as data collection and use
practices. Several Congressional committees have delved into this
privacy arena in an effort to address the data collection and use
practices of so-called ``information brokers.'' It is important to
understand that information brokers provide the data services and
products necessary for commercial entities.
Our members' products and services are particularly essential to
the financial services sector. Financial institutions offering credit
need to detect and prevent fraud, including identity theft, and to
verify the identities of individuals seeking products and services
through increasingly common remote transactions such as through the
Internet, over mobile services, through the telephone and even by
direct mail. CDIA members also help financial institutions enforce
contracts with customers who have the ability to pay, but don't choose
to do so. Lenders who must comply with bankruptcy code requirements to
cease dunning a consumer who has filed for protection use our members'
data tools to comply. USA Patriot Act Section 326 duties demand that
financial institutions properly identify their customers and again it
is our members' products and services which help them accomplish this
goal and reduce the downstream effects of stolen data and other
criminal efforts.
Conclusion
Let me conclude with just a few summative points:
1. As stated above, CDIA has been on record for more than a decade
in support of establishing uniform, national standards for data
security and data breach notification. Action on cybersecurity
law could advance this cause.
2. Eliminating possible conflicts between the laudable and important
goal of ensuring that the Nation is secure from cybersecurity
risks and the operation of effective current data security and
breach notification laws/regulations/guidance which govern the
financial services sector can be accomplished with the
involvement of this Committee.
3. Keeping the privacy and data security debates separate is vital
to ensuring the continuance of data products and services which
contribute to preventing the crimes which arise from data/
cybersecurity risks and ensuring that the important work of
mitigating cybersecurity risks is not encumbered by policy
issues that are not relevant.
Our members again thank you for the opportunity to testify. I am
happy to answer any questions.
______
PREPARED STATEMENT OF LEIGH WILLIAMS
BITS President, on behalf of the Financial Services Roundtable
June 21, 2011
Thank you Chairman Johnson, Ranking Member Shelby, and Members of
the Committee for the opportunity to testify before you today.
My name is Leigh Williams and I am president of BITS, the
technology policy division of The Financial Services Roundtable. BITS
addresses issues at the intersection of financial services, technology
and public policy, on behalf of its 100 member institutions, their
millions of customers, and all of the stakeholders in the U.S.
financial system.
From this perspective, I will briefly describe cybersecurity and
data protection in financial services, including private sector
efforts, sector-specific oversight and inter-sector interdependencies.
I understand that the Committee is considering the cybersecurity
legislative proposal delivered by the Obama administration to the
President of the Senate on May 12. I will explain why The Financial
Services Roundtable supports that proposal, and I will comment on how
the proposal can best leverage our current protections.
Financial Institutions' Voluntary Cybersecurity Efforts
In my view, within the financial services sector, the greatest
amount of cybersecurity protection arises from voluntary measures taken
by individual institutions for business reasons. To protect their
retail customers, commercial clients, and their own franchises,
industry professionals--from Chief Information Security Officers to
CIOs to CEOs--are increasingly focused on safeguards, investing tens of
billions of dollars in data protection. They recognize the criticality
of confidentiality, reliability, and confidence to their success in the
marketplace. This market-based discipline is enforced through an
increasingly informed consumer base, and by a very active commercial
clientele that often specifies security standards and negotiates for
audit and notification rights.
At the industry level, BITS and several other coalitions facilitate
a continuous process of sharing expertise, identifying and promoting
best practices, and making these best practices better, to keep pace in
a dynamic environment. For example, as BITS and our members implement
our 2011 business plan, we are addressing the following items
associated with protecting customer data:
Security standards in mobile financial services.
Protection from malicious or vulnerable software.
Security in social media.
Cloud computing risks and controls.
Email security and authentication.
Prevention of retail and commercial account takeovers.
Security training and awareness.
While all of this institution-level and industry-level effort is
voluntary--not driven primarily by regulation--it is not seen by
industry executives as discretionary or optional. The market, good
business practices and prudence all require it.
Oversight
To strengthen public confidence and to ensure consistency across a
wide variety of institutions, self-regulatory organizations and
Government agencies codify and enforce a comprehensive system of
requirements. Many of these represent the distillation of previously
voluntary best practices into legislation introduced in this Committee,
enacted into law, detailed in regulation, enforced in the field, with
feedback to the Committee.
For example, Members of this Committee are very familiar with the
provisions of Gramm-Leach-Bliley, the Financial Services Modernization
Act of 1999 (GLB). GLB fostered the promulgation of Regulation P by the
Federal Financial Institutions Examinations Council (FFIEC) and
Regulation S-P by the Securities and Exchange Commission (SEC). These
regulations were translated into examination guidance. That guidance is
consulted by institutions as they manage security and privacy programs,
comprised of risk assessments, strategic plans, control teams,
authentication technologies, customer notices, and many other elements.
These elements are then audited by on-site examiners, who enforce the
underlying requirements and promote safety and soundness in the
institutions and across the industry. The sector-wide impact is
assessed by our sector-specific agency, the U.S. Department of the
Treasury. Finally, bringing the process full circle, this Committee
oversees the agencies.
In addition to these Federal authorities, institutions are subject
to self-regulatory organizations like the Financial Industry Regulatory
Authority (FINRA), State regulators like the banking and insurance
commissioners, independent auditors, outside Directors, and others.
These various oversight bodies, in addition to applying GLB, also
apply the Fair and Accurate Credit Transactions Act (FACTA), Electronic
Funds Transfers (Regulation E), Suspicious Activity Reporting (SARs),
the International Organization for Standardization criteria (ISO), the
Payment Card Industry Data Security Standard (PCI), BITS' own Shared
Assessments and many, many more regulations, rules, guidelines, and
standards.
Inter-Sector Collaboration
Commensurate with the escalating cybersecurity challenges and
increasing interconnectedness among sectors, more and more of our work
entails public/private and financial/nonfinancial partnerships. Our
Financial Services Sector Coordinating Council (FSSCC) of 52
institutions, utilities and associations actively partners with the
seventeen agencies of the Finance and Banking Information
Infrastructure Committee (FBIIC). (For additional detail on the FSSCC's
perspective on cybersecurity, research and development, and
international issues, I refer the Committee to the April 15, 2011,
testimony of FSSCC Chair Jane Carlin before the Subcommittee on
Cybersecurity, Infrastructure Protection and Security Technologies of
the House Homeland Security Committee.) Our Financial Services
Information Sharing and Analysis Center (FS-ISAC) is in constant
communication with the Department of Homeland Security (DHS), law
enforcement, the intelligence community, and ISACs from the other
critical infrastructure sectors, to address individual incidents and to
coordinate broader efforts.
Other examples of collaboration with nonfinancial partners, drawn
just from BITS' 2011 agenda, include:
The Cyber Operational Resiliency Review (CORR) pilot, in
which institutions may voluntarily request Federal reviews of
their systems, in advance of any known compromise--with DHS and
the Treasury.
Multiple strategies for enhancing the security of financial
Internet domains--with the Internet Corporation for Assigned
Names and Numbers (ICANN) and Verisign, in partnership with the
American Bankers Association (ABA) and in consultation with
members of the FFIEC.
A credential verification pilot--with DHS and the
Department of Commerce--building on private sector work that
began in 2009, was formalized in a FSSCC memorandum of
understanding in 2010, and was featured in the April 15, 2011,
announcement of the National Strategy for Trusted Identities in
Cyberspace (NSTIC).
Through the processes and initiatives above and in many other
efforts, financial institutions, utilities, associations, service
providers, and regulators continue to demonstrate a serious, collective
commitment to strengthening the security and resiliency of the overall
financial infrastructure. As the Committee considers action on
cybersecurity, I urge Members to be conscious of the protections and
supervisory structures already in place and the collaborations
currently underway, and to leverage them for maximum benefit.
Need for Legislation
Even given this headstart and substantial momentum, we believe that
cybersecurity legislation is warranted. Strong legislation can catalyze
systemic progress in ways that are well beyond the capacity of
individual companies, coalitions or even entire industries. For
example, comprehensive legislation can:
Raise the quality and consistency of security throughout
the full cyber ecosystem, including the telecommunications
networks on which financial institutions depend.
Enhance confidence among U.S. citizens and throughout the
global community.
Strengthen the security of Federal systems.
Mobilize law enforcement and other Federal resources.
Enable and incent voluntary action through safe harbors and
outcome-based metrics, rather than relying primarily on static
prescriptions.
Attached to my testimony is a list of 13 policy approaches that the
FSSCC recently endorsed, along with three that it deemed problematic. I
urge the Committee to consider the FSSCC's input, particularly in light
of the FSSCC's leadership of the financial services industry on this
issue.
Obama Administration Proposal
On May 12, 2011, on behalf of the Administration, the Office of
Management and Budget transmitted to Congress a comprehensive
legislative proposal to improve cybersecurity. The Financial Services
Roundtable supports this legislation and looks forward to working for
its passage. We support many of the provisions of this proposal on
their individual merits, and we see the overall proposal as an
important step toward building a more integrated approach to
cybersecurity. Given that our member institutions operate nationally,
are highly interdependent with other industries, and are already
closely supervised by multiple regulators, we appreciate that this
proposal promotes uniform national standards, throughout the cyber
ecosystem, with the active engagement of sector-specific agencies and
sector regulators.
Consistent with its comprehensive approach, the proposal strives to
address cybersecurity both at the level of the entire ecosystem and
also within specific sectors. For example:
The Law Enforcement title refers to damage to critical
infrastructure computers, but also to mail fraud and wire
fraud.
The Data Breach Notification title refers to sensitive
personally identifiable information and Federal Trade
Commission (FTC) enforcement, but also more specifically to
financial account numbers, credit card security codes, the Fair
Credit Reporting Act (FCRA), and an exclusion for entities
covered under the Health Information Technology for Economic
and Clinical Health Act (HITECH).
The DHS Cybersecurity Authority title naturally stresses
DHS' role, but it also mentions ``other relevant agencies'' and
sector coordinating councils.
Finally, the Regulatory Framework title focuses largely on
DHS leadership and standardized evaluations, but it also
mentions ISACs and sector-specific regulatory agencies, and
provides for sector-level exemptions.
We believe that harmonizing the comprehensive approach with the
need to incorporate sector-specific mechanisms will be one of the most
important challenges as the Congress considers this proposal. We urge
the Committee and the full Congress to leverage existing financial
services protections and circumstances, and their analogs in other
sectors, while preserving the comprehensive quality of the proposal. We
offer the following two approaches as illustrations:
Establish a uniform standard with specified exceptions: In
the Data Breach Notification title, the FTC could enforce the
requirements enacted under this bill, but defer to sector-
specific regulators where substantially similar sector-specific
rules and guidelines already are in place (e.g., the FFIEC
could continue to enforce its 2005 interagency guidance, and
the Department of Health and Human Services could continue to
enforce HITECH).
Preserve sector autonomy with centralized information
aggregation and coordination: In the Regulatory Framework
title, rather than requiring DHS to list critical
infrastructure entities for every sector, the sector-specific
agencies could make that determination, just as the Financial
Stability Oversight Council is responsible for designating
Systemically Important Financial Institutions.
Given the likely fluidity of the overall solution, we cannot yet
make a definitive recommendation for either approach. We do believe
that this question of sector/ecosystem balance warrants careful
deliberation.
I will structure the remainder of my testimony as a brief
commentary on a few key provisions of the proposal.
Law Enforcement
We support the proposal's clarification and strengthening of
criminal penalties for damage to critical infrastructure computers, for
committing computer fraud, and for the unauthorized trafficking in
passwords and other means of access. We also urge similar treatment for
any theft of proprietary business information. With this extension, the
law enforcement provisions will improve protections for both consumers
and institutions, particularly when paired with expanded law
enforcement budgets and the recruitment of personnel authorized in
later titles.
Data Breach Notification
We support the migration to a uniform national standard for breach
notification. Given existing State and financial services breach
notification requirements, this migration will require both strong
preemption and reconciliation to existing regulations and definitions
of covered data. We support the exemptions for data rendered
unreadable, in breaches in which there is no reasonable risk of harm,
and in situations in which financial fraud preventions are in place.
DHS Authority
We believe that two areas mentioned in this section--fostering the
development of essential technologies, and cooperation with
international partners--merit considerable investment. As DHS and the
National Institute of Standards and Technology (NIST), pursue their
research and development agendas, and as the Administration pursues its
recently announced International Strategy for Cyberspace, we hope to
see substantial resource commitments and advances in these areas.
Federal Information Security Policies
We are encouraged by the proposal of a comprehensive framework for
security within Federal systems. As institutions report more and more
sensitive personal and financial data to regulators (and directly and
indirectly to DHS), it is critically important that this data be
appropriately safeguarded. Protecting this data, modeling best
practices, and using Federal procurement policies to expand the market
for secure products, are all good motivations for adopting these
proposed mandates.
Personnel Authorities
Because we recognize how difficult it is to recruit the most
talented cybersecurity professionals, we support the expanded
authorities articulated in this section. We particularly support
reactivating and streamlining the program for exchanging public sector
and private sector experts.
Data Center Locations
Consistent with our view of financial services as a national
market, we support the presumption that data centers should be allowed
to serve multiple geographies. We encourage Congress to consider
extending this logic for interstate data centers to the international
level, while recognizing that the owners, operators, and clients of
specific facilities and cloud networks must continue to be held
accountable for their security, resiliency, and recoverability of
customer data, regardless of the servers' geographic location or
dispersion.
Conclusion
The Financial Services Roundtable and its members are fully
committed to advancing cybersecurity and resiliency, and we very much
appreciate the Senate Banking Committee's attention to this issue. For
our part:
We will continue to strengthen security with our members
and partners,
We will help answer this question of ecosystem/sector
balance,
And we will work to pass and implement the Administration's
cybersecurity proposal.
Thank you for your time. I would be pleased to answer any questions
you may have.
PREPARED STATEMENT OF MARC ROTENBERG
Executive Director, Electronic Privacy Information Center
June 21, 2011
PREPARED STATEMENT OF PABLO MARTINEZ
Deputy Special Agent in Charge, Criminal Investigative Division, Secret
Service
June 21, 2011
Good morning Chairman Johnson, Ranking Member Shelby, and
distinguished Members of the Committee. Thank you for the opportunity
to testify on the role of the U.S. Secret Service (Secret Service) in
investigating and dismantling criminal organizations involved in cyber
crime.
On February 1, 2010, the Department of Homeland Security (DHS)
delivered the Quadrennial Homeland Security Review (QHSR), which
established a unified, strategic framework for homeland security
missions and goals. The QHSR underscores the need for a safe and secure
cyberspace:
Our economic vitality and national security depend today on a
vast array of interdependent and critical networks, systems,
services and resources. We know this interconnected world as
cyberspace, and without it, we cannot communicate, travel,
power our homes, run the economy, or obtain Government
services.
Yet as we migrate more of our economic and societal
transactions to cyberspace, these benefits come with increasing
risk. We face a variety of adversaries who are working day and
night to use our dependence on cyberspace against us.
Sophisticated cyber criminals pose great cost and risk both to
our economy and national security. They exploit vulnerabilities
in cyberspace to steal money and information, and to destroy,
disrupt, or threaten the delivery of critical services. For
this reason, safeguarding and securing cyberspace has become
one of the Department of Homeland Security's most important
missions. (p. 29) \1\
---------------------------------------------------------------------------
\1\ Department of Homeland Security. (2010). Quadrennial Homeland
Security Review Report: A Strategic Framework for a Secure Homeland.
In order to maintain a safe and secure cyberspace, we have to
disrupt the criminal organizations and other malicious actors engaged
in high consequence or wide-scale cyber crime.
As the original guardian of the Nation's financial payment systems,
the Secret Service has a long history of protecting American consumers,
industries and financial institutions. Over the last two decades, the
Secret Service's statutory authorities have been reinforced to include
access device fraud (18 USC �1029), which includes credit and debit
card fraud. The Secret Service also has concurrent jurisdiction with
other law enforcement agencies for identity theft (18 USC �1028),
computer fraud (18 USC �1030), and bank fraud (18 USC �1344).
Due to our extensive experience investigating financial crimes, the
Secret Service participated in the President's Comprehensive National
Cyber Security Initiative to raise our overall capabilities in
combating cyber crime and all forms of illegal computer activity. The
Secret Service developed a multifaceted approach to combating cyber
crime by: expanding our Electronic Crimes Special Agent Program;
expanding our network of Electronic Crimes Task Forces; creating a
Cyber Intelligence Section; expanding our presence overseas; forming
partnerships with academic institutions focusing on cybersecurity; and
working with DHS to establish the National Computer Forensic Institute
to train our State and local law enforcement partners in the area of
cyber crime. These initiatives led to the opening of 957 criminal cases
and the arrest of 1,217 suspects in fiscal year 2010 for cyber crime
related violations with a fraud loss of $507.7 million. The arrest of
these individuals prevented an additional loss estimated at $7 billion
dollars and involved the examination of 867 terabytes of data, which is
roughly the equivalent of 867,000 copies of the Encyclopedia
Britannica. As a result of these efforts, the Secret Service is
recognized worldwide for our investigative and innovative approaches to
detecting, investigating, and preventing cyber crimes.
Trends in Cyber Crimes
Advances in computer technology and greater access to personal
information via the Internet have created a virtual marketplace for
transnational cyber criminals to share stolen information and criminal
methodologies. As a result, the Secret Service has observed a marked
increase in the quality, quantity, and complexity of cyber crimes
targeting private industry and critical infrastructure. These crimes
include network intrusions, hacking attacks, malicious software, and
account takeovers leading to significant data breaches affecting every
sector of the world economy.
The increasing level of collaboration among cyber criminals raises
both the complexity of investigating these cases and the level of
potential harm to companies and individuals. For example, illicit
Internet carding portals allow criminals to traffic stolen information
in bulk quantities globally. These portals, or ``carding Web sites,''
operate like online bazaars where criminals converge to trade personal
financial data and cyber tools of the trade. The Web sites vary in
size, from a few dozen members to some of the more popular sites
boasting membership of approximately 80,000 users. Within these
portals, there are separate forums moderated by notorious members of
the carding community. Members meet online and discuss specific topics
of interest. Criminal purveyors buy, sell, and trade malicious
software, spamming services, credit, debit and ATM card data, personal
identification data, bank account information, brokerage account
information, hacking services, counterfeit identity documents, and
other forms of contraband.
Over the years, the Secret Service has infiltrated many of the
``carding Web sites.'' One such infiltration allowed the Secret Service
to initiate and conduct a 3-year investigation that led to the
indictment of 11 perpetrators involved in hacking nine major U.S.
retailers and the theft and sale of more than 40 million credit and
debit card numbers. The investigation revealed that defendants from the
United States, Estonia, China, and Belarus successfully obtained credit
and debit card numbers by hacking into the wireless computer networks
of major retailers--including TJX Companies, BJ's Wholesale Club,
OfficeMax, Boston Market, Barnes & Noble, Sports Authority, and Dave &
Buster's. Once inside the networks, they installed ``sniffer'' programs
that would capture card numbers, as well as password and account
information, as they moved through the retailers' credit and debit
processing networks. After the data was collected, the conspirators
concealed the information in encrypted computer servers that they
controlled in the United States and Eastern Europe. The credit and
debit card numbers were then sold through online transactions to other
criminals in the United States and Eastern Europe. The stolen numbers
were ``cashed out'' by encoding card numbers on the magnetic strips of
blank cards. The defendants then used these cards to withdraw tens of
thousands of dollars at a time from ATMs. The defendants were able to
conceal and launder their fraudulent proceeds by using anonymous
Internet-based electronic currencies within the United States and
abroad, and by channeling funds through bank accounts in Eastern
Europe.
In both of these cases, the effects of the criminal acts extended
well beyond the companies compromised, affecting millions of individual
card holders in one of the incidents. Although swift investigation,
arrest, and prosecution prevented many consumers from direct financial
harm, all potential victims were at risk for misuse of their credit
cards, overall identity theft, or both. Further, business costs
associated with the need for enhanced security measures, reputational
damage and direct financial losses are ultimately passed on to
consumers.
Collaboration With Other Federal Agencies and International Law
Enforcement
While cyber criminals operate in a world without borders, the law
enforcement community does not. The increasingly multinational,
multijurisdictional nature of cyber crime cases has increased the time
and resources needed for successful investigation and adjudication. The
partnerships developed through our Electronic Crimes Task Forces, the
support provided by our Cyber Intelligence Section, the liaison
established by our overseas offices, and the training provided to our
special agents via Electronic Crimes Special Agent Program were all
instrumental to the Secret Service's successful investigation into the
network intrusion of Heartland Payment Systems. An August 2009
indictment alleged that a transnational organized criminal group used
various network intrusion techniques to breach security, navigate the
credit card processing environment, and plant a ``sniffer,'' a data
collection device, to capture payment transaction data.
The Secret Service investigation--the largest and most complex data
breach investigation ever prosecuted in the United States--revealed
that data from more than 130 million credit card accounts were at risk
of being compromised and exfiltrated to a command and control server
operated by an international group directly related to other ongoing
Secret Service investigations. During the course of the investigation,
the Secret Service uncovered that this international group committed
other intrusions into multiple corporate networks to steal credit and
debit card data. The Secret Service relied on various investigative
methods, including subpoenas, search warrants, and Mutual Legal
Assistance Treaty requests through our foreign law enforcement partners
to identify three main suspects. As a result of the investigation, the
three suspects in the case were indicted for various computer-related
crimes. The lead defendant in the indictment pled guilty and was
sentenced to 20 years in Federal prison. This investigation is ongoing
with over 100 additional victim companies identified. The Secret
Service is working with our law enforcement partners both domestically
and overseas to apprehend the two defendants who are still at large.
Recognizing these complexities, several Federal agencies are
collaborating to investigate cases and identify proactive strategies.
Greater collaboration within the Federal, State, and local law
enforcement community enhances information sharing, promotes efficiency
in investigations, and facilitates efforts to de-conflict in cases of
concurrent jurisdiction. For example, the Secret Service has
collaborated extensively with the Department of Justice's Computer
Crimes and Intellectual Property Section (CCIPS), which ``prevents,
investigates, and prosecutes computer crimes by working with other
Government agencies, the private sector, academic institutions, and
foreign counterparts.'' \2\ The Secret Service's Electronic Crimes Task
Forces are a natural complement to CCIPS, resulting in an excellent
partnership over the years. In the last decade, nearly every major
cyber investigation conducted by the Secret Service has benefited from
CCIPS contributions. Successful investigations such as the prosecution
of the Shadowcrew criminal organization, E-Gold prosecution, TJX and
Heartland investigations, as well as the recent apprehension of
Vladislav Horohorin, were possible as a result of this valued
partnership. The Secret Service looks forward to continuing our
excellent work together.
---------------------------------------------------------------------------
\2\ U.S. Department of Justice. (n.d.). Computer Crime and
Intellectual Property Section: About CCIPS. Retrieved from http://
www.justice.gov/criminal/cybercrime/ccips.html.
---------------------------------------------------------------------------
The Secret Service also maintains an excellent relationship with
the Federal Bureau of Investigation (FBI). The Secret Service has a
permanent presence at the National Cyber Investigative Joint Task Force
where the FBI leads Federal law enforcement efforts surrounding cyber
matters of national security. In the last several years, the Secret
Service has partnered with the FBI on various high-profile cyber
investigations.
The case of Vladislav Horohorin is another example of successful
cooperation between the Secret Service and its law enforcement partners
around the world. Mr. Horohorin, one of the world's most notorious
traffickers of stolen financial information, was arrested in Nice,
France, on August 25, 2010, pursuant to a U.S. arrest warrant issued by
the Secret Service. Mr. Horohorin created the first fully automated
online store which was responsible for selling stolen credit card data.
Working with our international law enforcement partners, the Secret
Service identified and apprehended Mr. Horohorin as he was boarding a
flight from France back to Russia. Both the CCIPS and the Office of
International Affairs of the Department of Justice played critical
roles in this apprehension. Furthermore, as a result of information
sharing, the FBI was able to bring additional charges against Mr.
Horohorin for his involvement in a Royal Bank of Scotland network
intrusion. We are presently awaiting Mr. Horohorin's extradition to the
United States to face charges levied upon him in different districts by
both the Secret Service and the FBI. This type of cooperation is
crucial if law enforcement is to be successful in disrupting and
dismantling criminal organizations involved in cyber crime.
One of the main obstacles that agents investigating transnational
crimes encounter is the jurisdictional limitations. The Secret Service
believes that to fundamentally address this issue, appropriate levels
of liaison and partnerships must be established with our international
law enforcement counterparts. Currently, the Secret Service operates 23
offices abroad, each having regional responsibilities to provide global
coverage. The personal relationships that have been established in
those countries are often the crucial element to the successful
investigation and prosecution of suspects abroad.
Within DHS, the Secret Service has strengthened our relationship
with the National Protection and Programs Directorate's (NPPD) United
States Computer Emergency Readiness Team (US-CERT), which provides
response support and defense against cyber intrusions or incidents for
the Federal Civil Executive Branch (.gov) domain, as well as
information sharing and collaboration with State and local government,
industry and international partners. As the Secret Service identifies
malware, suspicious IPs and other information through its criminal
investigations, it shares information with US-CERT. The Secret Service
looks forward to building on its full-time presence at US-CERT, and
broadening this and other partnerships within the Department.
As a part of these efforts and to ensure that information is shared
in a timely and effective manner, the Secret Service has personnel
detailed to the following DHS and non-DHS entities:
NPPD's Office of the Under Secretary;
NPPD's National Cyber Security Division (US-CERT);
NPPD's Office of Infrastructure Protection;
DHS's Science and Technology Directorate (S&T);
Department of Justice National Cyber Investigative Joint
Task Force (NCIJTF);
Each FBI Joint Terrorism Task Force (JTTF), including the
National JTTF;
Department of the Treasury--Terrorist Finance and Financial
Crimes Section
Department of the Treasury--Financial Crimes Enforcement
Network (FinCEN);
Central Intelligence Agency;
Department of Justice, International Organized Crime and
Intelligence Operations Center;
Drug Enforcement Administration's Special Operations
Division
EUROPOL; and
INTERPOL
The Secret Service is committed to ensuring that all its
information sharing activities comply with applicable laws,
regulations, and policies, including those that pertain to privacy and
civil liberties.
Secret Service Framework
To protect our financial infrastructure, industry, and the American
public, the Secret Service has adopted a multifaceted approach to
aggressively combat cyber and computer-related crimes. The Secret
Service has dismantled some of the largest known transnational cyber-
criminal organizations by:
Providing computer-based training to enhance the
investigative skills of special agents through our Electronic
Crimes Special Agent Program, and to our State and local law
enforcement partners through the National Computer Forensics
Institute;
Collaborating with our partners in law enforcement, the
private sector and academia through our 31 Electronic Crimes
Task Forces;
Identifying and locating international cyber criminals
involved in network intrusions, identity theft, credit card
fraud, bank fraud, and other computer-related crimes through
the analysis provided by our Cyber Intelligence Section;
Maximizing partnerships with international law enforcement
counterparts through our international field offices; and
Maximizing technical support, research and development, and
public outreach through the Software Engineering Institute/CERT
Liaison Program at Carnegie Mellon University.
Electronic Crimes Special Agent Program
A central component of the Secret Service's cyber-crime
investigations is its Electronic Crimes Special Agent Program (ECSAP),
which is comprised of nearly 1,400 Secret Service special agents who
have received at least one of three levels of computer crimes-related
training. These agents are deployed in more than 98 Secret Service
offices throughout the world and have received extensive training in
forensic identification, preservation, and retrieval of electronically
stored evidence. ECSAP-trained agents are computer investigative
specialists, qualified to conduct examinations on all types of
electronic evidence. These special agents are equipped to investigate
the continually evolving arena of electronic crimes and have proven
invaluable in the successful prosecution of criminal groups involved in
computer fraud, bank fraud, identity theft, access device fraud, and
various other electronic crimes targeting our financial institutions
and private sector.
The ECSAP program is divided into three levels of training:
Level I--Basic Investigation of Computers and Electronic Crimes
(BICEP). The BICEP training program focuses on the investigation of
electronic crimes and provides a brief overview of several aspects
involved with electronic crimes investigations. This program provides
Secret Service agents and our State and local law enforcement partners
with a basic understanding of computers and electronic crime
investigations and is now part of our core curriculum for newly hired
special agents.
Level II--Network Intrusion Responder (ECSAP-NI). ECSAP-NI training
provides special agents with specialized training and equipment that
allows them to respond to and investigate network intrusions. These may
include intrusions into financial sector computer systems, corporate
storage servers or various other targeted platforms. The Level II
trained agent will be able to identify critical artifacts that will
allow effective investigation of identity theft, malicious hacking,
unauthorized access, and various other related electronic crimes.
Level III--Computer Forensics (ECSAP-CF). ECSAP-CF training provides
special agents with specialized training and equipment that allows them
to investigate and forensically obtain legally admissible digital
evidence to be utilized in the prosecution of various electronic crimes
cases, as well as criminally focused protective intelligence cases.
Electronic Crimes Task Forces
In 1995, the Secret Service established the New York Electronic
Crimes Task Force (ECTF) to combine the resources of academia, the
private sector, and local, State, and Federal law enforcement agencies
to combat computer-based threats to our financial payment systems and
critical infrastructures. Congress further directed the Secret Service
in Public Law 107-56 to establish a nationwide network of ECTFs to
``prevent, detect, and investigate various forms of electronic crimes,
including potential terrorist attacks against critical infrastructure
and financial payment systems.''
The Secret Service currently operates 31 ECTFs, including two based
overseas in Rome, Italy, and London, England. Membership in our ECTFs
includes: 4,093 private sector partners; 2,495 international, Federal,
State, and local law enforcement partners; and 366 academic partners.
By joining our ECTFs, all of our partners benefit from the resources,
information, expertise and advanced research provided by our
international network of members while focusing on issues with
significant regional impact.
Cyber Intelligence Section
Another example of our partnership approach with private industry
is our Cyber Intelligence Section (CIS) which collects, analyzes, and
disseminates data in support of Secret Service investigations worldwide
and generates new investigative leads based upon its findings. CIS
leverages technology and information obtained through private sector
partnerships to monitor developing technologies and trends in the
financial payments industry for information that may be used to enhance
the Secret Service's capabilities to prevent and mitigate attacks
against the financial and critical infrastructures.
CIS has an operational unit that investigates international cyber
criminals involved in cyber intrusions, identity theft, credit card
fraud, bank fraud, and other computer-related crimes. The information
and coordination provided by CIS is a crucial element to successfully
investigating, prosecuting, and dismantling international criminal
organizations.
National Computer Forensics Institute
The National Computer Forensics Institute (NCFI) initiative is the
result of a partnership between the Secret Service, NPPD of DHS, the
State of Alabama, and the Alabama District Attorney's Association. The
goal of this facility is to provide a national standard of training for
a variety of electronic crimes investigations. The program offers State
and local law enforcement officers, prosecutors, and judges the
training necessary to conduct computer forensics examinations.
Investigators are trained to respond to network intrusion incidents and
conduct electronic crimes investigations.
Since the establishment of NCFI on May 19, 2008, the Secret Service
has provided critical training to 932 State and local law enforcement
officials representing over 300 agencies from all 50 States and two
U.S. territories.
Computer Emergency Response Team/Software Engineering Institute (CERT-
SEI)
In August 2000, the Secret Service and Carnegie Mellon University
Software Engineering Institute (SEI) established the Secret Service
CERT Liaison Program to provide technical support, opportunities for
research and development and public outreach and education to more than
150 scientists and researchers in the fields of computer and network
security, malware analysis, forensic development, training and
education. Supplementing this effort is research into emerging
technologies being used by cyber criminals and development of
technologies and techniques to combat them.
The primary goals of the program are: to broaden the Secret
Service's knowledge of software engineering and networked systems
security; to expand and strengthen partnerships and relationships with
the technical and academic communities; to provide an opportunity to
work closely with CERT-SEI and Carnegie Mellon University; and to
present the results of this partnership at the quarterly meetings of
our ECTFs.
In August 2004, the Secret Service partnered with CERT-SEI to
publish the first ever ``Insider Threat Study'' examining the illicit
cyber activity in the banking and finance sector. Due to the
overwhelming response to this initial study, the Secret Service and
CERT-SEI, in partnership with DHS S&T, are working to update the study.
An updated study, expected to be released in late 2011, will analyze
actual incidents of insider crimes from inception to prosecution. The
research team will share its findings with Federal, State, and local
law enforcement, private industry, academia and other Government
agencies.
Conclusion
As more information is stored in cyberspace, target-rich
environments are created for sophisticated cyber criminals. With proper
network security, businesses can provide a first line of defense by
safeguarding the information they collect. Such efforts can
significantly limit the opportunities for these criminal organizations.
Furthermore, the prompt reporting of major data breaches involving
sensitive personally identifiable information to the proper authorities
will help ensure a thorough investigation is conducted.
The Secret Service is committed to safeguarding the Nation's
financial payment systems by investigating and dismantling criminal
organizations involved in cyber crime. Responding to the growth in
these types of crimes and the level of sophistication these criminals
employ requires significant resources and greater collaboration among
law enforcement and its public and private sector partners.
Accordingly, the Secret Service dedicates significant resources to
improving investigative techniques, providing training for law
enforcement partners and raising public awareness. The Secret Service
will continue to be innovative in its approach to cyber crime and
cybersecurity and is pleased that the Subcommittee recognizes the
magnitude of these issues and the evolving nature of these crimes.
Chairman Johnson, Ranking Member Shelby, and distinguished Members
of the Committee, this concludes my prepared statement. Thank you again
for this opportunity to testify on behalf of the Secret Service. I will
be pleased to answer any questions at this time.
Additional Material Supplied for the Record
STATEMENT SUBMITTED BY THE SECURITIES INDUSTRY AND FINANCIAL MARKETS
ASSOCIATION
I. Introduction
SIFMA supports the goals of President Obama and Congress to limit
cybersecurity threats to the American people, businesses, and
Government through a more integrated approach to fighting these
threats. The increase in cyber intrusions and cyber crimes in the past
decade is cause for great concern, particularly those in the financial
services sector. SIFMA member firms are on the front lines of defense
against cyber threats to the financial markets and we take this role
very seriously. On May 12, 2011, President Obama released an extensive
proposal (Proposal) which is intended to bolster the American
cybersecurity infrastructure and protect Americans from cyber threats.
Although SIFMA supports the ultimate goals of the Proposal, we are
concerned that the Proposal does not adequately take into consideration
the extensive existing regulatory framework under which the financial
services industry functions.
SIFMA brings together the shared interests of more than 600
securities firms, banks, and asset managers throughout the world. By
building trust and confidence in the financial industry SIFMA intends
to encourage capital availability, job creation, and economic growth.
Encouraging effective data protection goes to the heart of SIFMA's
mission of building trust and confidence in the financial services
industry. Without effective protection of the personal data of their
customers, financial institutions would lack the public trust that is
so critical for their operation.
SIFMA's members include some of the largest financial institutions
in the world. As part of the financial services industry, SIFMA members
are currently subject to stringent laws and regulation on the
protection of personal data, including the Gramm-Leach-Bliley Act
(GLBA), the Fair Credit Reporting Act (FCRA) and the Right to Financial
Privacy Act. These laws and regulations are reinforced by regular,
proactive review and audit by highly specialized regulators.
Consequently, SIFMA members are accustomed to and fully supportive of
protecting their customers' data, and, as partners and service
providers, the data of customers of financial institutions worldwide.
II. Importance of Recognizing Uniqueness of the Financial Services
Sector
The United States has for decades embraced a sector-specific
approach to data security and privacy regulation. As a result, health
and financial information are subject to extensive regulation that was
crafted for the unique circumstances presented by those industries.
Applying general data security and privacy concepts to those industries
is not only unnecessary, it could be inconsistent with existing
regulations and produce unintended negative consequences.
SIFMA urges Congress to consider the unique position of the U.S.
financial services sector in connection with the ongoing examination of
national privacy framework. As discussed below, financial services
firms appreciate more than almost any sector of the economy the
importance of maintaining the confidentiality of customer information.
The financial services industry is keenly aware of the potential for
tangible harm that could flow from a privacy or security lapse, and has
long played a leadership role in developing policies, procedures, and
technology to protect customer data.
The financial services industry has had an effective and
longstanding engagement with the U.S. Treasury Department on
cybersecurity since Presidential Decision Directive/NSC-63 was issued
in May 1998. In response, the industry proactively formed the Financial
Services Information Sharing and Analysis Center (FS-ISAC). The
industry has committed significant time and effort to integration with
the Department of Homeland Security (DHS) through US-CERT and the
National Cybersecurity and Communications Integration Center (NCCIC).
In addition, the FS-ISAC is already in the process of embedding
appropriately cleared staff in the NCCIC.
Since 1970, the FCRA has promoted the accuracy, fairness, and
privacy of personal data assembled by ``consumer reporting agencies''
(CRAs), including data provided by a majority of SIFMA member firms.
The FCRA establishes a framework of fair information practices that
include rights of data quality, data security, identity theft
prevention, use limitations, requirements for data destruction, notice,
user consent, and accountability.
The GLBA provides data privacy rules applicable to ``financial
institutions,'' a term defined broadly to cover entities significantly
engaged in financial activities such as banking, insurance, securities
activities, and investment activities. The GLBA imposes data privacy
obligations such as the obligation to securely store personal financial
information, and provide data subjects with notice of the institution's
privacy practices and the right to opt-out of some sharing of personal
financial information. The GLBA and the regulations issued under the
GLBA help to protect valuable customer information and to prevent data
breaches. Through exceptionally broad definitions, GLBA protections
apply to virtually all personal information about individual consumers
or customers held by more than 40,000 financial institutions in the
United States--including less traditional ``financial institutions''
such as check-cashers, information aggregators, and financial software
providers. Moreover, the GLBA and its implementing regulations require
financial institutions not only to limit the disclosure of customer
information, but also to protect that information from unauthorized
accesses or uses. The GLBA regulations also provide guidelines to
financial institutions on appropriate actions in response to a breach
of security of sensitive data, including on investigation, containment,
and remediation of the incident and notification of consumers and/or
law enforcement authorities when warranted.
Many SIFMA member firms also follow the Federal Financial
Institutions Examination Council (FFIEC) guidance and monitoring
procedures. The FFIEC is an interagency body empowered to prescribe
uniform principles, standards, and report forms for the Federal
examination of financial institutions by the Board of Governors of the
Federal Reserve System, the Federal Deposit Insurance Corporation, the
National Credit Union Administration, the Office of the Comptroller of
the Currency, and the Office of Thrift Supervision. The FFIEC also
makes recommendations to promote uniformity in the supervision of
financial institutions. In the area of cybersecurity and data breach
protection, the FFIEC has published the following standards: FFIEC
Interagency Guidelines Establishing Standards for Safeguarding Customer
Information; FFIEC Interagency Guidelines Establishing Information
Security Standards; FFIEC Interagency Guidance on Response Programs for
Unauthorized Access to Customer Information and Customer Notice; FFIEC
Information Technology Examination Handbook (includes guidance and
audit provisions of many of the requirements identified in the guidance
documents referenced above).
Finally, many SIFMA member firms who process Government loan data
must comply with the Federal Information Security Management Act of
2002 (FISMA) and the Federal Information System Controls Audit Manual
2009 (FISCAM). FISMA emphasizes the need to develop, document, and
implement an enterprise-wide program to provide information security
for the information and information systems that support the operations
and assets of the Federal Government, including those provided or
managed by another agency, contractor, or other source. FISMA directs
the promulgation of Federal standards for: (i) the security
categorization of Federal information and information systems based on
the objectives of providing appropriate levels of information security
according to a range of risk levels; and (ii) minimum security
requirements for information and information systems in each such
category.
In accordance with FISMA, the National Institute of Standards and
Technology (NIST) develops the guidance and procedures which directly
pertain to security control implementation, continuous monitoring,
independent assessment, and risk analysis. The NIST Federal Information
Processing Standard (FIPS) Publication 200, ``Minimum Security
Requirements for Federal Information and Information Systems,''
specifies minimum security requirements for Federal information in 17
security-related areas. These minimum security requirements are defined
through the use of the security controls provided by NIST Special
Publication 800-53 rev3, ``Recommended Security Controls for Federal
Information Systems.''
FISCAM is designed to be used primarily on financial and
performance audits and attestation engagements performed in accordance
with generally accepted Government auditing standards (GAGAS), as
presented in Government Auditing Standards (also known as the ``Yellow
Book''). FISCAM is also consistent with the GAO/PCIE Financial Audit
Manual (FAM). Additionally, FISCAM control activities are consistent
with NIST Special Publication 800-53 rev3 controls.
III. Support for the Proposal
A. Improved Coordination Across Agencies and Sectors
SIFMA believes the Proposal takes many important steps to ensuring
a safer cyber community and SIFMA fully supports those efforts. The
Federal Government should be leading the proactive defense against
cybersecurity threats and take coordinated action to protect critical
infrastructure from such attacks. SIFMA members rely heavily on other
sectors such as telecommunications, information technology, energy, and
transportation which are frequently at risk for cyber attacks. SIFMA
supports enhanced supervision over service providers on which financial
institutions depend (e.g., hardware and software providers, Internet
service providers, etc.). Such coordination may be achieved by building
on the existing mechanisms that seek to address these issues (e.g.,
Partnership for Critical Infrastructure Security).
Moreover, SIFMA believes that cyber threats can be best fought
through a coordinated defense network across agencies and business
sectors. Such an infrastructure would improve communication and
enforcement mechanisms. Coordination should occur at the agency level
where agencies can report cyber threats through predetermined channels
whereby threats can be reviewed and analyzed consistently, regardless
of source. Individual firms should not be required to report cyber
attacks and threats to multiple agencies under multiple reporting
regimes. Such a structure is inefficient and may delay defensive
measures.
SIFMA also supports the Administration's commitment to two-way
public/private information-sharing, leveraging the Information Sharing
and Analysis Centers (ISACs), the US-CERT, safe harbors, clearances,
and confidentiality guarantees. As an example, the Financial Services-
Information Sharing and Analysis Center (FS-ISAC) constantly gathers
reliable and timely information from financial services providers,
commercial security firms, Federal, State, and local government
agencies, law enforcement and other trusted resources. FS-ISAC is
uniquely positioned to quickly disseminate physical and cyber threat
alerts and other critical information to participating organizations,
including analysis and recommended solutions from leading security
industry experts. SIFMA also believes there is opportunity to
accelerate information flow on a cyber event without compromising
sensitive information. This can be done through segmentation,
protocols, and decision trees.
SIFMA also supports Federal cybersecurity supply chain management
and promotion of cybersecurity as a priority in Federal procurement.
Other efforts to defend against cybersecurity threats will be lessened
without financial support for the infrastructure necessary to implement
a defense strategy.
B. Law Enforcement
SIFMA supports the strengthening and clarification of criminal
penalties for certain cyber crimes. Such expansion will provide
additional protection for consumers and financial institutions from
financial crimes. These improvements are further bolstered by the
increase in budgets and personnel for these purposes at law enforcement
agencies.
C. Technology and International Cooperation
SIFMA believes that the development of essential technologies and
improving Federal systems are important efforts which should be
supported. As DHS and NIST pursue their research and development
agendas, and as the Administration pursues its recently announced
International Strategy for Cyberspace, we hope to see substantial
resource commitments and advances in these areas. SIFMA also supports
the improvement of the resilience and security of Federal systems to
further prevent cyber crime.
D. Cooperation With International Partners
Because cybersecurity is a global problem and cyber crimes
frequently occur across borders, cooperation with international
partners is critical to preventing, investigating, and prosecuting
cyber crime. Without strong cooperation with international law
enforcement agencies, U.S. efforts to improve cybersecurity will be
severely limited.
E. Safe Harbor for Voluntary Disclosure
SIFMA members believe that the safe harbor provisions for
cybersecurity reporting under Sec. 245, ``Voluntary Disclosure of
Cybersecurity Information,'' will be helpful for SIFMA members and
provide much-needed extra protections for sharing information beyond
what is currently available under Protected Critical Infrastructure
Information (PCII) provisions.
F. Safe Harbor for Encrypted Information
Although SIFMA has reservations about several aspects of the data
breach notification provisions, SIFMA is supportive of the safe harbor
in Section 102(b) whereby if the data which is the subject of a breach
is ``unusable, unreadable, or indecipherable through a security
technology'' there is a presumption of no reasonable risk. Currently,
not all States allow for such a presumption, so a consistent Federal
standard for such a presumption would be helpful when assessing a
security breach. Our other concerns related to the data breach
notification provisions, are set forth in the next section below.
G. Public Education and Awareness
Public education and awareness campaigns have been a critical
method of limiting cyber crimes in the financial services industry.
Both the SEC and SIFMA members have promoted public awareness of the
risk of disclosure of personal information for many years, and SIFMA
supports the expansion of any such campaigns and promotions.
IV. SIFMA Concerns With the Proposal
A. Data Breach Notification
SIFMA members are concerned that the data breach notification
provisions in the Proposal are unduly burdensome as currently drafted.
Although SIFMA believes a preemptive data breach notification standard
would serve the industry well, the Federal Trade Commission (FTC)
reporting requirements in the Proposal are potentially more burdensome
than the existing web of State data breach notifications laws and
regulations. SIFMA believes that a reasonable Federal data breach
notification standard would help reduce cyber crime and protect
individuals and businesses from unnecessary losses. To reach that
standard, however, SIFMA believes the Proposal should be changed to
incorporate several critical concepts as outlined below.
1. Definition of Security Breach
As proposed, the definition of ``Security Breach'' is significantly
broader than most existing State data breach notification requirements.
SIFMA recommends a definition similar to several State laws that would
define security breach as ``unlawful and unauthorized acquisition of
computerized data that materially compromises the security,
confidentiality, or integrity of personal information maintained by the
person.'' See, e.g., Fla. Stat. �817.5681(4). SIFMA also asserts that
there should be a good faith exception for employees or agents of the
firm for businesses purposes so long as there is no further
unauthorized disclosure or use of such information. See, e.g., N.Y.
GBS. LAW �899-aa.
2. Definition of Sensitive Personally Identifiable
Information
SIFMA believes that the current definition of ``Sensitive
Personally Identifiable Information'' is unduly broad and if left
unchecked would increase compliance costs severely without preventing
data breach. Leaving the definition open to FTC interpretation and
rulemaking creates additional uncertainty. The definition in the
Proposal includes a social security number or driver's license number
without any other information. Existing State laws generally define
``personal information'' as a person's name or other identifying
information in conjunction with a social security or driver's license
number. See, e.g., Fla. Stat. �817.5681(5). The disclosure of a social
security or driver's license number without any other identifying
information should not trigger data breach notification requirements
because such information has limited or no value. Requiring firms to
undergo a risk assessment and FTC report every time such a piece of
information is misdirected in good faith would require multiple reports
per week.
In addition, the definition in Section 1(g)(4) of the Proposal also
includes ``a unique account identifier, including a financial account
number or credit or debit card number, electronic identification
number, user name, or routing code.'' Yet, Section 1(g)(5) requires
such information in (g)(4) plus a name or security code to trigger the
notification requirements. SIFMA proposes deleting paragraph (g)(4) as
duplicative and unnecessarily broad. If section (g)(4) is passed as
written, the daily business ramifications for SIFMA member firms would
be extensive. Among others, account numbers are necessary for financial
firms to transact its business as well as for allocation to ensure that
transactions are aligned with proper account information. If
transaction information is misdelivered and happens to contain only
account numbers, the firm would have to conduct a risk assessment and
report the results to the FTC. Those efforts would far outweigh any
benefit reaped from such an innocuous disclosure.
3. FTC Reporting Requirements (Safe Harbor Exemption)
The Proposal's exemption under Sec. 102(b) provides a safe harbor
from enforcement when a firm determines that there is no risk of harm
to an individual from a security breach. The qualifying firm will not
send a notice to that individual if within 45 days the firm submits to
the FTC a written risk assessment justifying the conclusion of no harm.
SIFMA believes that performing a risk assessment and submitting such
results to the FTC for every Security Breach no matter how small or
insignificant mitigates the potential benefit of having such a safe
harbor. As currently drafted, even a small data misdirection between
financial institutions due to an error would constitute a Security
Breach and thus would require the firm to perform a risk assessment and
submit the results to the FTC. This result is in spite of the fact that
the ``unauthorized party'' is in fact another financial institution
covered by the same legal, regulatory and operational controls and
there with only minimal risk for harm to the customer. Consequently
SIFMA believes that this provision is not actually a safe harbor, but
rather an additional layer of reporting obligation. We would recommend
that this provision be amended to only cover material Security
Breaches, such that a small or insignificant misdirection of data,
particularly when the recipient is a regulated entity, should not
trigger these requirements.
4. Effective Date
SIFMA members are concerned that the effective date of 90 days
after enactment for the data breach notification requirement is too
short. The time frame does not give the FTC adequate time to propose
and adopt clarifying regulations. In addition, firms must make
corresponding changes to policies and procedures, as well as modify
their reporting systems. The new notification and disclosure provisions
will require training and hiring of new staff, which will be difficult
to achieve in a 90-day period.
B. Covered Critical Infrastructure
1. DHS as a Cybersecurity Regulator
As currently drafted, the Proposal centralizes domestic
cybersecurity responsibilities in DHS, thus making DHS a regulator as
well as an enforcer. The addition of DHS into the web of financial
services regulation may cause complications for both regulators and
regulated financial services firms. SIFMA would prefer for the existing
financial regulators to continue as primary regulators for the firms.
The financial regulators could then coordinate with DHS and the FTC to
the extent necessary, but the firms would not be required to report
directly to DHS.
DHS is primarily a technical coordination agency for cybersecurity
but DHS has no fundamental understanding of the many business functions
performed by the financial services sector. Sector Specific Agencies
(SSAs), such as the Department of Treasury, under Homeland Security
Presidential Decision Directive 7 and the National Infrastructure
Protection Plan, play a significant role for the sector in providing
business understanding and advocacy.
In addition, there is a technical capability gap between DHS, the
NSA, and U.S. Cyber Command (CYBERCOM). NSA, CYBERCOM, and all
intelligence community members need to be subordinate technical and
operational resources that DHS coordinates to support critical
infrastructure. These agencies need to be subject to the mandate of the
National Infrastructure Protection Plan (NIPP) and function to
coordinate all engagement with CI/KR sectors through DHS and the SSAs.
DHS would be responsible for the incident response process and national
technical coordination. For the financial services industry, the
Department of Treasury, along with the SEC, CFTC, Federal Reserve
Board, and others, would handle mission, business, and regulatory
coordination.
2. Identifying Critical Infrastructure Operators
The Proposal gives DHS the authority to designate an organization
as a critical infrastructure operator. SIFMA believes that DHS is not
well-suited to this role because of its lack of familiarity with the
operations of financial services organizations. The Treasury
Department, as the Sector Specific Agency for the financial services
sector, and the regulatory agencies through the FBIIC, should determine
if an institution in the sector is considered critical, not DHS.
3. Risk Mitigation Framework and Evaluation
The Proposal would require critical operators to develop a
framework to address cyber threats, and engage a third-party commercial
auditor to assess such plans. These requirements would impose
significant additional administrative burdens on financial services
firms which are already subject to intense regulation. Although
engaging an independent auditor significantly increases defense against
cyber threats, it does not guarantee effectiveness. It also appears
that DHS and NIST would have the ability to modify a firm's framework,
which raises many questions for SIFMA members.
4. Public Disclosure of Cybersecurity Plans
SIFMA is also concerned about the requirements in the Proposal
under Section 7(b) which would require the critical infrastructure
operators to publicly disclose high-level summaries of their
cybersecurity plans and whether those plans are working effectively.
SIFMA believes that any disclosure of cyber defensive mechanisms may
give criminals information which may help them to carry out a cyber
crime.
V. Conclusion
SIFMA supports the efforts of President Obama and Congress to
further protect the American people, businesses, and Government from
the increasing threat of cyber attacks and cyber crimes. SIFMA believes
that this Proposal could help achieve those goals if the amendments
suggested in this statement are implemented. Without such changes, this
Proposal will have diminished value and could do more harm than good
for SIFMA members and their customers.
�