[Senate Hearing 113-531]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 113-531

                      PROTECTING PERSONAL CONSUMER
                     INFORMATION FROM CYBER ATTACKS
                           AND DATA BREACHES

=======================================================================


                                HEARING

                               before the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 26, 2014

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation




                  U.S. GOVERNMENT PUBLISHING OFFICE
92-594                    WASHINGTON : 2015
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001




       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

            JOHN D. ROCKEFELLER IV, West Virginia, Chairman
BARBARA BOXER, California            JOHN THUNE, South Dakota, Ranking
BILL NELSON, Florida                 ROGER F. WICKER, Mississippi
MARIA CANTWELL, Washington           ROY BLUNT, Missouri
MARK PRYOR, Arkansas                 MARCO RUBIO, Florida
CLAIRE McCASKILL, Missouri           KELLY AYOTTE, New Hampshire
AMY KLOBUCHAR, Minnesota             DEAN HELLER, Nevada
MARK BEGICH, Alaska                  DAN COATS, Indiana
RICHARD BLUMENTHAL, Connecticut      TIM SCOTT, South Carolina
BRIAN SCHATZ, Hawaii                 TED CRUZ, Texas
EDWARD MARKEY, Massachusetts         DEB FISCHER, Nebraska
CORY BOOKER, New Jersey              RON JOHNSON, Wisconsin
JOHN E. WALSH, Montana
                    Ellen L. Doneski, Staff Director
                     John Williams, General Counsel
              David Schwietert, Republican Staff Director
              Nick Rossi, Republican Deputy Staff Director
   Rebecca Seidel, Republican General Counsel and Chief Investigator


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on March 26, 2014...................................     1
Statement of Senator Rockefeller.................................     1
    Report entitled ``A `Kill Chain' Analysis of the 2013 Target 
      Data Breach'' by the Majority Staff........................     2
Statement of Senator Thune.......................................    12
Statement of Senator McCaskill...................................    47
Statement of Senator Pryor.......................................    49
Statement of Senator Klobuchar...................................    57
Statement of Senator Blunt.......................................    64
Statement of Senator Blumenthal..................................    67
Statement of Senator Markey......................................    69

                               Witnesses

Hon. Edith Ramirez, Chairwoman, Federal Trade Commission.........    14
    Prepared statement of the Federal Trade Commission...........    16
Dr. Wallace D. Loh, President, University of Maryland............    21
    Prepared statement...........................................    23
John J. Mulligan, Executive Vice President and Chief Financial 
  Officer, Target Corporation....................................    24
    Prepared statement...........................................    26
Ellen Richey, Chief Enterprise Risk Officer and Chief Legal 
  Officer, Visa, Inc.............................................    28
    Prepared statement...........................................    30
Peter J. Beshar, Executive Vice President and General Counsel, 
  Marsh & McLennan Companies.....................................    34
    Prepared statement...........................................    36
David Wagner, President, Entrust, Inc............................    39
    Prepared statement...........................................    40

                                Appendix

Electronic Transactions Association, prepared statement..........    75
News Release dated Monday, February 24, 2014 from the Department 
  of Justice entitled ``Attorney General Holder Urges Congress to 
  Create National Standard for Reporting Cyberattacks''..........    76
America Bankers Association, prepared statement..................    77
National Retail Federation, prepared statement...................    82
Letter dated March 26, 2014 to Hon. Jay Rockefeller, Chairman, 
  Committee on Commerce, Science and Transportation and Hon. John 
  Thune, Ranking Member, Committee on Commerce, Science, and 
  Transportation from Bill Hughes, Senior Vice President, 
  Government Affairs, Retail Industry Leaders Association (RILA).   103
Response to written questions submitted to Hon. Edith Ramirez by:
    Hon. John D. Rockefeller IV..................................   104
    Hon. John Thune..............................................   105
    Hon. Kelly Ayotte............................................   106
    Hon. Deb Fischer.............................................   107
Response to written questions submitted to John J. Mulligan by:
    Hon. John D. Rockefeller IV..................................   108
    Hon. Bill Nelson.............................................   108
    Hon. Kelly Ayotte............................................   109
Response to written question submitted by Hon. Kelly Ayotte to:
    Ellen Richey.................................................   111

 
                      PROTECTING PERSONAL CONSUMER
                     INFORMATION FROM CYBER ATTACKS
                           AND DATA BREACHES

                              ----------                              


                       WEDNESDAY, MARCH 26, 2014

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 1:49 p.m., in 
room SR-253, Russell Senate Office Building, Hon. John D. 
Rockefeller IV, Chairman of the Committee, presiding.

       OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV, 
                U.S. SENATOR FROM WEST VIRGINIA

    The Chairman. This hearing will come to order. This hearing 
is in order. It doesn't have to come to order; it is.
    We now live in the era of ``big data.''
    You knew that, Senator McCaskill? That is not news to you, 
OK.
    Whether we like it or not, companies are regularly 
collecting reams of information about us as we go about our 
daily lives.
    I serve on the Intelligence Committee, and I have since before 
9/11. And it just drives me absolutely wild sometimes to read--
The New York Times and The Washington Post are the guilty 
parties, for the most part--but they talk about everybody's 
privacy is just about to be invaded, except nobody's has been. 
But if it could happen, then it has happened, you see. That is 
the way you keep people scared. And now people are reacting to 
it, saying, oh, we just have to get rid of that thing. We are 
not necessarily an intelligent Congress when it comes to our 
national security.
    So, in any event, they are tracking us as we visit our 
websites, as we visit stores, as we purchase products. While 
some of the information may be mundane, a lot of it is highly 
sensitive. It might have to do with health, family problems, 
whatever.
    I think we can all agree that if Target or any other 
company is going to collect detailed information about its 
customers, they need to do everything possible to protect them 
from identity thieves.
    Because what, in fact, everybody was fearing about the NSA, 
which has never come to be true, has come to be true about the 
American private sector. That is the irony of the whole thing. 
This city is wrought with, you know, the terrible things that 
could happen from NSA, except nothing terrible has happened, 
but some terrible things are happening elsewhere.
    So it is now well known that Target fell far short of doing 
this--that is, protecting their customers. Last November and 
December, cyber thieves were able to infect their credit card 
payment terminals with a malicious software, loot their 
computer servers, access a staggering amount of consumer 
information, which they could pick and choose from and then 
sell them for something called a profit.
    There has been a lot of anxiety recently about the kind of 
information the Federal Government--I am making my point here 
again; I like making this point--may be collecting about 
American citizens as part of their efforts to protect our 
country from the ongoing terrorist threat. But the truth is 
that private companies like Target hold vastly larger amounts 
of sensitive information about us than the government could 
ever think of doing. And they spend much less time and much 
less money protecting their sensitive data than the government 
does. You cannot penetrate the firewalls, all of the firewalls, 
around the NSA.
    Senator Thune, welcome, sir.
    So we learned yesterday that Federal agents notified more 
than 3,000 companies last year that their computer systems had 
been hacked. I am certain that there are many more breaches 
that we never hear about.
    In my zeal a number of years ago, I asked the SEC if they 
would sort of make it a requirement that every time somebody 
was hacked into, that had to be reported to the SEC, put on 
their website, for the advantage of the shareholders, because 
that is the kind of information they need to know if they are 
going to buy or sell or whatever. That is haphazard at best.
    So Target is going to tell us today that they take data 
security very seriously and that they followed their industry's 
data security standards, but the fact remains it wasn't enough. 
The credit card numbers of 40 million people and the e-mail 
addresses of nearly 70 million people were potentially stolen 
under their watch.
    My staff has carefully analyzed what we know at this point 
about the Target breach. In a new report, they identify many 
precise opportunities Target had to prevent this from 
happening. It is a very interesting sort of a chart of where 
they could have--and I will hold it up.
    And I ask unanimous consent that this be made a part of the 
record of this hearing.
    [The information referred to follows:]

        A ``Kill Chain'' Analysis of the 2013 Target Data Breach

             Majority Staff Report for Chairman Rockefeller

Executive Summary
    In November and December 2013, cyber thieves executed a successful 
cyber attack against Target, one of the largest retail companies in the 
United States. The attackers surreptitiously gained access to Target's 
computer network, stole the financial and personal information of as 
many as 110 million Target customers, and then removed this sensitive 
information from Target's network to a server in Eastern Europe.
    This report presents an explanation of how the Target breach 
occurred, based on media reports and expert analyses that have been 
published since Target publicly acknowledged this breach on December 
19, 2013. Although the complete story of how this breach took place may 
not be known until Target completes its forensic examination of the 
breach, facts already available in the public record provide a great 
deal of useful information about the attackers' methods and Target's 
defenses.
    This report analyzes what has been reported to date about the 
Target data breach, using the ``intrusion kill chain'' framework, an 
analytical tool introduced by Lockheed Martin security researchers in 
2011, and today widely used by information security professionals in 
both the public and the private sectors. This analysis suggests that 
Target missed a number of opportunities along the kill chain to stop 
the attackers and prevent the massive data breach. Key points at which 
Target apparently failed to detect and stop the attack include, but are 
not limited to, the following:

   Target gave network access to a third-party vendor, a small 
        Pennsylvania HVAC company, which did not appear to follow 
        broadly accepted information security practices. The vendor's 
        weak security allowed the attackers to gain a foothold in 
        Target's network.

   Target appears to have failed to respond to multiple 
        automated warnings from the company's anti-intrusion software 
        that the attackers were installing malware on Target's system.

   Attackers who infiltrated Target's network with a vendor 
        credential appear to have successfully moved from less 
        sensitive areas of Target's network to areas storing consumer 
        data, suggesting that Target failed to properly isolate its 
        most sensitive network assets.

   Target appears to have failed to respond to multiple 
        warnings from the company's anti-intrusion software regarding 
        the escape routes the attackers planned to use to exfiltrate 
        data from Target's network.
A. The Target Data Breach
1. The Stolen Data
    On December 19, 2013, Target publicly confirmed that some 40 
million credit and debit card accounts were exposed in a breach of its 
network.\1\ The Target press release was published after the breach was 
first reported on December 18 by Brian Krebs, an independent Internet 
security news and investigative reporter.\2\ Target officials have 
testified before Congress that they were not aware of the breach until 
contacted by the Department of Justice on December 12.\3\ The data 
breach affected cards used in U.S. Target stores between November 27 
and December 18, 2013.\4\
---------------------------------------------------------------------------
    \1\ Target, Target Confirms Unauthorized Access to Payment Card 
Data in U.S. Stores (Dec. 19, 2013) (online at http://
pressroom.target.com/news/target-confirms-unauthorized-access-to-
payment-card-data-in-u-s-stores).
    \2\ Brian Krebs, Sources: Target Investigating Data Breach, 
KrebsOnSecurity (Dec. 18, 2013) (online at http://krebsonsecurity.com/
2013/12/sources-target-investigating-data-breach/).
    \3\ Testimony of John Mulligan, Target Executive Vice President and 
Chief Financial Officer, before the Senate Committee on the Judiciary, 
at 2 (Feb. 4, 2014) (online at 
http://www.judiciary.senate.gov/pdf/02-04-14MulliganTestimony.pdf).
    \4\ Id. at 2-3.
    
    
    Thieves were able to sell information from these cards via online 
black market forums known as ``card shops.'' \5\ These websites list 
card information including the card type, expiration date, track data 
(account information stored on a card's magnetic stripe), country of 
origin, issuing bank, and successful use rate for card batches over 
time. The newer the batch, the higher the price, as issuing banks often 
have not had sufficient time to identify and cancel compromised cards. 
A seller, nicknamed ``Rescator,'' at a notorious card shop even offered 
a money-back guarantee for immediately cancelled cards.\6\ Those 
purchasing the information can then create and use counterfeit cards 
with the track data and PIN numbers \7\ stolen from credit and debit 
card magnetic stripes. Fraudsters often use these cards to purchase 
high-dollar items and fence them for cash, and if PIN numbers are 
available, a thief can extract a victim's money directly from an ATM. 
Based on a reading of underground forums, hackers may be attempting to 
decrypt the stolen Target PIN numbers.\8\
---------------------------------------------------------------------------
    \5\ Brian Krebs, Cards Stolen in Target Breach Flood Underground 
Markets (Dec. 20, 2013) (online at http://krebsonsecurity.com/2013/12/
cards-stolen-in-target-breach-flood-underground-markets/).
    \6\ Id.
    \7\ Target initially denied that debit card PIN numbers had been 
stolen, but reports confirmed that encrypted PIN numbers had indeed 
been stolen. See Jim Finkle and David Henry, Exclusive: Target hackers 
stole encrypted bank PINs--source, Reuters (Dec. 25, 2013) (online at 
http://www.reuters.com/article/2013/12/25/us-target-databreach-
idUSBRE9BN0L220131225).
    \8\ Adam Greenberg, Hackers Seek to Decrypt PIN Codes Likely Stolen 
in Target Breach, SC Magazine (Jan. 8, 2014) (online at http://
www.scmagazine.com/hackers-seek-to-decrypt-pin-codes-likely-stolen-in-
target-breach/article/328529/).
---------------------------------------------------------------------------
    On January 10, 2014, Target disclosed that non-financial personal 
information, including names, addresses, phone numbers, and e-mail 
addresses, for up to 70 million customers was also stolen during the 
data breach.\9\
---------------------------------------------------------------------------
    \9\ Target, Target Provides Update on Data Breach and Financial 
Performance (Jan. 10, 2014) (online at http://pressroom.target.com/
news/target-provides-update-on-data-breach-and-financial-performance).
---------------------------------------------------------------------------
2. The Attack
    On January 12, Target CEO Gregg Steinhafel confirmed that malware 
installed on point of sale (POS) terminals \10\ at U.S.-based Target 
stores enabled the theft of financial information from 40 million 
credit and debit cards.\11\ This malware utilized a so-called ``RAM 
scraping'' attack, which allowed for the collection of unencrypted, 
plaintext data as it passed through the infected POS machine's memory 
before transfer to the company's payment processing provider. According 
to reports by Brian Krebs, a tailored version of the ``BlackPOS'' 
malware--available on black market cyber crime forums for between 
$1,800 and $2,300--was installed on Target's POS machines.\12\ This 
malware has been described by McAfee Director of Threat Intelligence 
Operations as ``absolutely unsophisticated and uninteresting.'' \13\ 
This assessment is in contrast with the statement of Lawrence Zelvin, 
Director of the Department of Homeland Security's National 
Cybersecurity and Communications Integration Center, who describes the 
malware used in the attack as ``incredibly sophisticated.'' \14\
---------------------------------------------------------------------------
    \10\ A Point of Sale (POS) terminal is a physical device used by a 
merchant to process payments for goods and services purchased by a 
customer. Customized hardware and software is often used at a POS 
terminal, or cash register, part of which is used to swipe and process 
credit and debit card information.
    \11\ Becky Quick, Target CEO Defends 4-Day Wait to Disclose Massive 
Data Hack, CNBC (Jan. 12, 2014) (online at http://www.cnbc.com/id/
101329300).
    \12\ Brian Krebs, A First Look at the Target Intrusion, Malware, 
KrebsOnSecurity (Jan. 15, 2014) (online at http://krebsonsecurity.com/
2014/01/a-first-look-at-the-target-intrusion-malware/).
    \13\ Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, 
Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target 
Blew It, Bloomberg Businessweek (Mar. 13, 2014) (online at http://
www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-
hack-of-credit-card-data).
    \14\ House Committee on Energy and Commerce, Subcommittee on 
Commerce, Manufacturing, and Trade, Protecting Consumer Information: 
Can Data Breaches Be Prevented?, 113th Cong. (Feb. 5, 2014).
---------------------------------------------------------------------------
    According to unnamed investigators, the attackers first installed 
their malware on a small number of POS terminals between November 15 
and November 28, with the majority of Target's POS system infected by 
November 30.\15\ A report by The New York Times states that the 
attackers first gained access to Target's internal network on November 
12.\16\
---------------------------------------------------------------------------
    \15\ Brian Krebs, Target Hackers Broke in Via HVAC Company, 
KrebsOnSecurity (Feb. 5, 2014) (online at http://krebsonsecurity.com/
2014/02/target-hackers-broke-in-via-hvac-company/).
    \16\ Elizabeth A. Harris, Nicole Perlroth, Nathaniel Popper, and 
Hilary Stout, A Sneaky Path Into Target Customers' Wallets (Jan. 17, 
2014) (online at http://www.nytimes.com/2014/01/18/business/a-sneaky-
path-into-target-customers-wallets.html).
---------------------------------------------------------------------------
    A Dell SecureWorks report shows that the attackers also installed 
malware, designed to move stolen data through Target's network and the 
company's firewall, on a Target server.\17\ The Dell SecureWorks team 
was able to analyze a sample of the actual malware used in the Target 
attack. The attackers reportedly first installed three variants of this 
malware on November 30 and updated it twice more, just before midnight 
on December 2 and just after midnight on December 3.\18\ According to a 
Bloomberg Businessweek report, Target's FireEye malware intrusion 
detection system triggered urgent alerts with each installation of the 
data exfiltration malware.\19\ However, Target's security team neither 
reacted to the alarms nor allowed the FireEye software to automatically 
delete the malware in question. Target's Symantec antivirus software 
also detected malicious behavior around November 28, implicating the 
same server flagged by FireEye's software.\20\
---------------------------------------------------------------------------
    \17\ A third type of malware was installed on intermediate servers 
which presumably stored stolen data inside Target's network before the 
next exfiltration step. However, this malware has thus far not been 
analyzed publicly. See Keith Jarvis and Jason Milletary, Inside a 
Targeted Point-of-Sale Data Breach, Dell SecureWorks, at 5 (Jan. 24, 
2014) (online at http://krebsonsecurity.com/wp-content/uploads/2014/01/
Inside-a-Targeted-Point-of-Sale-Data-Breach.pdf).
    \18\ Id.
    \19\ Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, 
Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target 
Blew It, Bloomberg Businessweek (Mar. 13, 2014) (online at http://
www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-
hack-of-credit-card-data).
    \20\ Id.
---------------------------------------------------------------------------
    According to Seculert, a security company focused on advanced cyber 
threats, the malware started to send the stolen data to an external 
file transfer protocol (FTP) server via another compromised Target 
server on December 2, 2013.\21\ Over the next two weeks, the attackers 
collected 11 GB of stolen information using a Russia-based server.\22\ 
Analysis of the malware by Dell SecureWorks found that the attackers 
exfiltrated data between 10:00 a.m. and 6:00 p.m. Central Standard 
Time, presumably to obscure their work during Target's busier shopping 
hours.\23\ Other sources describe a variety of external data drop 
locations, including compromised servers in Miami and Brazil.\24\ The 
70 million records of non-financial data were included in this theft, 
but public reports do not make clear how the attackers accessed this 
separate data set.
---------------------------------------------------------------------------
    \21\ Aviv Raff, PoS Malware Targeted Target, Seculert (Jan. 16, 
2014) (online at http://www.seculert.com/blog/2014/01/pos-malware-
targeted-target.html).
    \22\ Id.
    \23\ Keith Jarvis and Jason Milletary, Inside a Targeted Point-of-
Sale Data Breach, Dell SecureWorks, at 6, 11 (Jan. 24, 2014) (online at 
http://krebsonsecurity.com/wp-content/uploads/2014/01/Inside-a-Targeted-
Point-of-Sale-Data-Breach.pdf).
    \24\ Brian Krebs, Target Hackers Broke in Via HVAC Company, 
KrebsOnSecurity (Feb. 5, 2014) (online at http://krebsonsecurity.com/
2014/02/target-hackers-broke-in-via-hvac-company/).
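The following script is an added illustration, not part of the staff report and not drawn from Target's, Seculert's or Dell SecureWorks' material. It runs a simple egress-log check of the kind that would surface the pattern just described: one internal server repeatedly pushing large volumes over FTP to an external host, and doing so only during business hours. The log format, the hosts, the addresses, the internal address ranges and the byte counts are all constructed for the example.

```python
"""
Added example (constructed data): aggregate outbound FTP flows to external
hosts from an egress-firewall log and flag high-volume, business-hours-only
transfers. Not code from the staff report or from any Target system.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp, source, destination, dst port, bytes.
SAMPLE_LOG = """\
2013-12-02T09:15:03 10.20.5.17 10.20.9.4 445 1200
2013-12-02T10:02:11 10.20.5.17 203.0.113.45 21 5242880
2013-12-02T11:40:52 10.20.5.17 203.0.113.45 21 7340032
2013-12-02T13:05:20 10.20.5.17 203.0.113.45 21 6291456
2013-12-02T14:22:40 10.20.7.3 198.51.100.10 443 8192
2013-12-02T17:48:09 10.20.5.17 203.0.113.45 21 4194304
2013-12-02T22:10:00 10.20.5.17 10.20.9.4 445 2048
2013-12-03T10:31:17 10.20.5.17 203.0.113.45 21 9437184
"""

# The organisation's own internal ranges (assumed). Listed explicitly rather
# than using ip_address(...).is_private, because Python also classifies the
# documentation ranges used in this sample (203.0.113.0/24 etc.) as
# non-global, which would hide them from the check.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")
BUSINESS_HOURS = range(10, 18)   # 10:00-17:59 local, the window noted in the report


def parse_line(line):
    """Parse one record; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, nbytes = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "bytes": int(nbytes),
    }


def is_external(addr):
    """True when the address lies outside every internal range."""
    return not any(addr in net for net in INTERNAL_NETS)


def external_ftp_flows(log_text, min_total_bytes=1_000_000):
    """
    Aggregate outbound connections to external hosts on the FTP control
    port by (source, destination). Flows whose cumulative volume reaches
    min_total_bytes are returned with their session count, total bytes, the
    sorted hours in which they occurred, and whether every one of those
    hours fell inside BUSINESS_HOURS.
    """
    flows = defaultdict(lambda: {"count": 0, "bytes": 0, "hours": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] != 21 or not is_external(rec["dst"]):
            continue
        f = flows[(str(rec["src"]), str(rec["dst"]))]
        f["count"] += 1
        f["bytes"] += rec["bytes"]
        f["hours"].add(rec["ts"].hour)
    report = {}
    for key, f in flows.items():
        if f["bytes"] >= min_total_bytes:
            report[key] = {
                "count": f["count"],
                "bytes": f["bytes"],
                "hours": sorted(f["hours"]),
                "business_hours_only": all(h in BUSINESS_HOURS for h in f["hours"]),
            }
    return report


if __name__ == "__main__":
    for (src, dst), info in external_ftp_flows(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info['count']} FTP sessions, "
              f"{info['bytes'] / 2**20:.1f} MiB, hours {info['hours']}, "
              f"business-hours only: {info['business_hours_only']}")
```

The check is deliberately coarse: it keys on destination port 21 and an explicit list of internal ranges, so it will miss FTP on a non-standard port and must be fed the organisation's real address plan. Its value is the aggregation by source and hour, which turns many individually unremarkable sessions into one finding that a server with no business reason to speak FTP has moved tens of megabytes outside the network.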


    The attackers reportedly first gained access to Target's system by 
stealing credentials from an HVAC and refrigeration company, Fazio 
Mechanical Services, based in Sharpsburg, Pennsylvania.\25\ This 
company specializes as a refrigeration contractor for supermarkets in 
the mid-Atlantic region \26\ and had remote access to Target's network 
for electronic billing, contract submission, and project management 
purposes.\27\
---------------------------------------------------------------------------
    \25\ Id.
    \26\ Fazio Mechanical Services, About Us (accessed Mar. 12, 2014) 
(online at http://faziomechanical.com/about-us.html).
    \27\ Fazio Mechanical Services, Statement on Target Data Breach 
(accessed Mar. 12, 2014) (online at http://faziomechanical.com/Target-
Breach-Statement.pdf).
---------------------------------------------------------------------------
    Reports indicate that at least two months before the Target data 
breach began, attackers stole Fazio Mechanical's credentials for 
accessing Target's network via e-mails infected with malware.\28\ 
According to a former Target security team member, Fazio would more 
than likely have had access to Target's Ariba external billing 
system;\29\ however, reports do not make clear how the attackers gained 
access to Target's POS terminals from this initial foothold on the edge 
of Target's network. According to the same source, it is likely the 
outside portal was not fully isolated from the rest of Target's 
network.\30\ Once inside, the attackers may have exploited a default 
account name used by an IT management software product by BMC Software 
to move within Target's network.\31\ The attackers also disguised their 
data exfiltration malware as a legitimate BMC Software product.\32\
---------------------------------------------------------------------------
    \28\ Sources have identified malware known as ``Citadel,'' which 
steals passwords on compromised machines. However, this has not been 
confirmed. See Brian Krebs, E-mail Attack on Vendor Set Up Breach at 
Target, KrebsOnSecurity (Feb. 12, 2014) (online at http://
krebsonsecurity.com/2014/02/e-mail-attack-on-vendor-set-up-breach-at-target/).
    \29\ Id.
    \30\ Id.
    \31\ Brian Krebs, New Clues in the Target Breach, KrebsOnSecurity 
(Jan. 29, 2014) (online at http://krebsonsecurity.com/2014/01/new-
clues-in-the-target-breach/).
    \32\ Keith Jarvis and Jason Milletary, Inside a Targeted Point-of-
Sale Data Breach, Dell SecureWorks, at 6 (Jan. 24, 2014) (online at 
http://krebsonsecurity.com/wp-content/uploads/2014/01/Inside-a-
Targeted-Point-of-Sale-Data-Breach.pdf).
---------------------------------------------------------------------------
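The script below is an added illustration of the isolation question raised in the preceding paragraphs; it is not code from the staff report and does not describe Target's actual network. It asks, over a constructed zone policy, whether any chain of permitted flows leads from the zone a third-party vendor can reach to the zone holding cardholder data. The zone names, services and rules are assumptions chosen to show a weak policy beside a hardened one.

```python
"""
Added example (constructed policy): reachability check from a vendor-facing
zone to the cardholder data environment over a list of allowed flows.
Not code from the staff report or from any Target system.
"""
from collections import deque

# Each rule permits traffic from one zone to another for one service:
# (source_zone, destination_zone, service). All names are assumed.
WEAK_POLICY = [
    ("internet", "vendor_portal", "https"),     # vendors log in to the billing portal
    ("vendor_portal", "corp_it", "smb"),        # portal host shares file services with corporate IT
    ("corp_it", "pos_network", "rdp"),          # administrators manage registers from the corporate LAN
    ("pos_network", "cde", "payment_api"),      # registers talk to the card-processing segment
    ("corp_it", "cde", "mgmt_agent"),           # an IT management agent spans both zones
]

# Hardened variant: the vendor portal reaches only its own back end, and the
# POS and card-processing zones are administered from a bastion that has no
# path back from the portal.
HARDENED_POLICY = [
    ("internet", "vendor_portal", "https"),
    ("vendor_portal", "billing_app", "https"),
    ("admin_bastion", "pos_network", "rdp"),
    ("admin_bastion", "cde", "mgmt_agent"),
    ("pos_network", "cde", "payment_api"),
]


def build_graph(policy):
    """Adjacency map: zone -> list of (next_zone, service)."""
    graph = {}
    for src, dst, service in policy:
        graph.setdefault(src, []).append((dst, service))
    return graph


def reachable_paths(policy, start, target):
    """
    Enumerate every simple (cycle-free) path of permitted flows from
    `start` to `target`. Each path is a list of (zone, service, next_zone)
    hops. An empty result means `target` is isolated from `start` under
    this policy, which is the property a segmentation review wants to see.
    """
    graph = build_graph(policy)
    paths = []
    queue = deque([(start, [])])
    while queue:
        zone, hops = queue.popleft()
        if zone == target:
            paths.append(hops)
            continue
        visited = {start} | {h[2] for h in hops}
        for nxt, service in graph.get(zone, []):
            if nxt not in visited:
                queue.append((nxt, hops + [(zone, service, nxt)]))
    return paths


def explain(paths):
    """Render the paths as readable chains, one per line."""
    if not paths:
        return "no path: zones are isolated"
    return "\n".join(
        " -> ".join(f"{z}[{s}]" for z, s, _ in p) + f" -> {p[-1][2]}"
        for p in paths
    )


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label} policy, vendor_portal -> cde:")
        print(explain(reachable_paths(policy, "vendor_portal", "cde")))
```

Under the weak policy the check finds two routes from the vendor portal into the card-processing zone, one of them via a management agent permitted across the boundary; under the hardened policy it finds none. Running this kind of query against the real rule base, with the vendor-facing segment as the start and the cardholder environment as the target, is a direct test of the isolation the report says was missing.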
B. The Kill Chain


1. The ``Kill Chain'' as a Cybersecurity Defense Tool
    The conventional model of information security relies on static 
defense (e.g., intrusion detection systems and antivirus software) and 
assumes that attackers have an inherent advantage over defenders given 
ever-shifting technologies and undiscovered software vulnerabilities. 
In 2011, the Lockheed Martin Computer Incident Response Team staff 
published a white paper explaining how these conventional defenses were 
not sufficient to protect organizations from sophisticated ``advanced 
persistent threats'' (APTs).\33\ The paper proposed an ``intelligence-
driven, threat-focused approach to study intrusions from the 
adversaries' perspective'' that could give network defenders the upper 
hand in fighting cyber attackers.\34\
---------------------------------------------------------------------------
    \33\ Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, 
Intelligence-Driven Computer Network Defense Informed by Analysis of 
Adversary Campaigns and Intrusion Kill Chains, Lockheed Martin (2011) 
(online at http://www.lockheedmartin.com/content/dam/lockheed/data/
corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf).
    \34\ Id. at 2.
---------------------------------------------------------------------------
    Instead of installing static defense tools and waiting for the next 
attack, the paper argued, network defenders should continuously monitor 
their systems for evidence that attackers are trying to gain access to 
their systems. Any intrusion attempt reveals important information 
about an attacker's tactics and methodology. Defenders can use the 
intelligence they gather about an attacker's playbook to ``anticipate 
and mitigate future intrusions based on knowledge of the threat.'' \35\ 
When a defender analyzes the actions of attackers, finds patterns, and 
musters resources to address capability gaps, ``it raises the costs an 
adversary must expend to achieve their objectives . . . [and] such 
aggressors have no inherent advantage over defenders.'' \36\
---------------------------------------------------------------------------
    \35\ Id.
    \36\ Id. at 3.
---------------------------------------------------------------------------
    To illustrate how network defenders can act on their knowledge of 
their adversaries' tactics, the paper lays out the multiple steps an 
attacker must proceed through to plan and execute an attack. These 
steps are the ``kill chain.'' While the attacker must complete all of 
these steps to execute a successful attack, the defender only has to 
stop the attacker from completing any one of these steps to thwart the 
attack.
    Analyzing past attacks, utilizing threat intelligence, and 
improving defenses at all phases of the kill chain allow a defender to 
detect and deny future attacks earlier and earlier in the kill chain. 
This requires constant vigilance, but it can theoretically defend 
against even APTs using so-called ``zero-day'' exploits, which utilize 
previously unknown vulnerabilities and attack signatures that defense 
tools cannot detect.\37\
---------------------------------------------------------------------------
    \37\ Id. at 4-5.
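The following script is an added illustration of the kill-chain argument in this section; it is not code from the staff report or from the Lockheed Martin paper. An attack is modelled as an ordered pass through the seven phases, and each defender control can see some phases and either blocks automatically or only raises an alert that an analyst must act on within some time. The attack is broken at the first phase where a control both sees it and responds before the attacker moves on, which is the point the paper makes: the attacker must pass every phase, the defender needs only one effective control. The controls, dwell times and triage times are constructed scenarios, not Target's measured figures.

```python
"""
Added example (constructed scenarios): a small simulation of the
intrusion kill chain with detect-only versus detect-and-respond controls.
Not code from the staff report or from the Lockheed Martin paper.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Phase names follow the Lockheed Martin kill chain, in order.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]


@dataclass
class Control:
    name: str
    detects: Set[str]                       # phases this control can observe
    auto_block: bool = False                # acts on detection without a human
    triage_hours: Optional[float] = None    # analyst response time; None = alert never worked


@dataclass
class Outcome:
    stopped_at: Optional[str]               # phase where the chain broke; None = full compromise
    blocked_by: Optional[str]
    alerts_ignored: List[Tuple[str, str]] = field(default_factory=list)


def run_kill_chain(controls, dwell_hours):
    """
    dwell_hours maps each phase to the hours the attacker spends there
    before advancing. An alert-only control breaks the chain only if its
    triage time fits inside that dwell; otherwise the alert is recorded as
    ignored and the attacker moves to the next phase.
    """
    outcome = Outcome(stopped_at=None, blocked_by=None)
    for phase in KILL_CHAIN:
        dwell = dwell_hours.get(phase, 0.0)
        for ctl in controls:
            if phase not in ctl.detects:
                continue
            responds = ctl.auto_block or (
                ctl.triage_hours is not None and ctl.triage_hours <= dwell)
            if responds:
                outcome.stopped_at, outcome.blocked_by = phase, ctl.name
                return outcome
            outcome.alerts_ignored.append((phase, ctl.name))
    return outcome


# Constructed attacker timeline: hours spent in each phase before moving on.
ATTACK_DWELL = {
    "delivery": 2.0, "exploitation": 1.0, "installation": 48.0,
    "command_and_control": 24.0, "actions_on_objectives": 336.0,
}

# Scenario 1: sensors fire, but auto-remediation is off and nobody triages.
ALERT_ONLY = [
    Control("vendor endpoint AV, no real-time scanning", detects=set()),
    Control("server malware detection", detects={"installation"}),
    Control("egress monitoring", detects={"command_and_control"}),
]

# Scenario 2: the same sensors, with auto-remediation enabled on the server
# detection and egress alerts worked within one shift.
ACTED_ON = [
    Control("vendor endpoint AV, no real-time scanning", detects=set()),
    Control("server malware detection", detects={"installation"}, auto_block=True),
    Control("egress monitoring", detects={"command_and_control"}, triage_hours=8.0),
]


if __name__ == "__main__":
    for label, controls in (("alert-only", ALERT_ONLY), ("acted-on", ACTED_ON)):
        o = run_kill_chain(controls, ATTACK_DWELL)
        where = o.stopped_at or "not stopped (attacker reached objectives)"
        print(f"{label}: {where}; ignored alerts: {o.alerts_ignored}")
```

In the first scenario the attacker reaches the data with two alerts on record that nobody acted on; in the second the same sensor that was ignored breaks the chain at installation. The model also makes the timing argument explicit: a triage time longer than the attacker's dwell in a phase is, for that phase, equivalent to having no control at all.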
    
    
2. Analysis of the Target Data Breach Using the Kill Chain
    John Mulligan, Target's Executive Vice President and Chief 
Financial Officer, testified that his company ``had in place multiple 
layers of protection, including firewalls, malware detection software, 
intrusion detection and prevention capabilities and data loss 
prevention tools.'' \38\ He further stated that Target had been 
certified in September 2013 as compliant with the Payment Card Industry 
Data Security Standards (PCI-DSS),\39\ which credit card companies 
require before allowing merchants to process credit and debit card 
payments.
---------------------------------------------------------------------------
    \38\ Testimony of John Mulligan, Target Executive Vice President 
and Chief Financial Officer, before the Senate Committee on the 
Judiciary, at 4-5 (Feb. 4, 2014) (online at http://
www.judiciary.senate.gov/pdf/02-04-14MulliganTestimony.pdf).
    \39\ Id. at 5.
---------------------------------------------------------------------------
    These steps were obviously not sufficient to prevent the breach. 
Based on public information about Target's breach reviewed in the 
previous section, this section walks through the steps of the kill 
chain and analyzes what actions Target and its contractor, Fazio 
Mechanical Services, did or did not take to defend themselves.
A. Reconnaissance--Attacker Quietly Gathers Information About Victim
    As discussed above, the attacker may have sent malware-laden e-
mails to Fazio at least two months before the Target data breach began. 
According to analysis by Brian Krebs, the attacker may have found 
information on Target's third-party vendors through simple Internet 
searches, which, at the time of his writing, displayed Target's 
supplier portal and facilities management pages.\40\ Files available on 
these sites provided information for HVAC vendors and, through a 
metadata analysis, allowed the attacker to map Target's internal 
network prior to the breach. To disrupt this step in the kill chain, 
Target could have limited the amount of publicly available vendor 
information. Target could have also shared threat information with its 
suppliers and vendors and encouraged collaboration on security within 
the community.
---------------------------------------------------------------------------
    \40\ Brian Krebs, E-mail Attack on Vendor Set Up Breach at Target, 
KrebsOnSecurity (Feb. 12, 2014) (online at http://krebsonsecurity.com/
2014/02/e-mail-attack-on-vendor-set-up-breach-at-target/).
---------------------------------------------------------------------------
B. Weaponization--Attacker Prepares Attack Payload to Deliver to Victim
    While unconfirmed, the attacker likely weaponized its malware 
targeting Fazio as an e-mail attachment, probably a PDF or Microsoft 
Office document. Weaponization itself takes place on the attacker's 
side, out of the defender's view; what Fazio could have disrupted is 
the arrival and execution of that weaponized file, through the use of 
broadly accepted real-time monitoring and anti-malware software. 
However, according to investigators familiar with the case, Fazio used 
the free version of Malwarebytes Anti-Malware, which does not provide 
real-time protection and is intended only for individual consumer 
use.\41\
---------------------------------------------------------------------------
    \41\ Id.
---------------------------------------------------------------------------
C. Delivery--Attacker Sends Payload to Victim
    The attacker sent infected e-mails to Fazio in a so-called phishing 
attack. Phishing, and in particular ``spear phishing,'' in which an 
attacker customizes e-mail messages using social engineering 
techniques (e.g., checking Facebook or LinkedIn for a potential 
victim's business associates and relationships), is a well-known 
attack method. Fazio could have disrupted this step in the kill chain 
by training its staff to recognize and report phishing e-mails. Real-
time monitoring and anti-malware software could have also potentially 
detected the infected file(s).
    While reports are unconfirmed, the malware on Fazio's systems may 
have recorded passwords and provided the attackers with their key to 
Target's Ariba external billing system. In this phase of the kill 
chain, Target could have potentially disrupted the attack by requiring 
two-factor authentication for its vendors. Two-factor authentication 
augments a regular password with a second step, such as a code sent 
to the vendor's mobile phone or generated by a hardware token. (Extra 
security questions are sometimes offered as the second step, but they 
are another ``something you know'' and, like the password, can be 
captured by keystroke-logging malware.) According to a former Target 
vendor manager, Target rarely required two-factor authentication from 
its low-level contractors.\42\ PCI-DSS requires two-factor 
authentication for remote access to payment networks and access 
controls for all users,\43\ although the Ariba system is not 
technically part of Target's POS environment.
---------------------------------------------------------------------------
    \42\ Id.
    \43\ Standard 7.2 and 8.3 are most relevant to this discussion. 
Version 3.0 of the standard was released in November 2013, after the 
Target breach. As such, this report references the previous version 
2.0. See Payment Card Industry Security Standards Council, Payment Card 
Industry (PCI) Data Security Standard Version 2.0, at 44, 47 (Oct. 
2010) (online at https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf).
---------------------------------------------------------------------------
    However the attacker actually leveraged its access to this vendor's 
system to enter Target's, weak security at the perimeter of Target's 
network, and weak segmentation behind it, may have contributed to the 
attacker's success in reaching the most sensitive area of Target's 
network, which contains cardholder data. Using the Fazio credentials 
to gain access to Target's inner network, it appears the attackers 
then directly uploaded their RAM scraping malware to POS terminals.
D. Exploitation--Attacker's Payload Deployed in Victim's Network
    Once delivered, the RAM scraping malware and exfiltration malware 
began recording millions of card swipes and storing the stolen data for 
later exfiltration. Target could have potentially blocked the 
exfiltration malware on its servers either by allowing its FireEye 
software to delete detected malware automatically or, having declined 
the automatic option, by following up on the several alerts that were 
triggered at the time of malware delivery. According to Businessweek, 
the FireEye software sent an alert with the generic name 
``malware.binary'' to Target security staff.\44\ It is possible that 
Target staff could have viewed this alert as a false positive if the 
system was generating frequent alerts.
---------------------------------------------------------------------------
    \44\ Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, 
Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target 
Blew It, Bloomberg Businessweek (Mar. 13, 2014) (online at http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data).
---------------------------------------------------------------------------
    Another protective step could have been paying greater attention to 
industry and government intelligence analyses. According to an FBI 
industry notification, RAM scraping malware has been observed since 
2011.\45\ Furthermore, a Reuters report stated that Visa published in 
April and August of 2013 two warnings about the use of RAM scraping 
malware in attacks targeting retailers.\46\ These warnings apparently 
included recommendations for reducing the risk of a successful attack. 
According to the Wall Street Journal, Target's security staff made 
their misgivings known about vulnerabilities on the company's POS 
system; however, it is unclear if Target took any action to address 
vulnerabilities before the attack.\47\
---------------------------------------------------------------------------
    \45\ FBI Cyber Division, Recent Cyber Intrusion Events Directed 
Toward Retail Firms (Jan. 17, 2014) (online at http://krebsonsecurity.com/wp-content/uploads/2014/01/FBI-CYD-PIN-140117-001.pdf).
    \46\ Jim Finkle and Mark Hosenball, Exclusive: More Well-Known U.S. 
Retailers Victims of Cyber Attacks--Sources, Reuters (Jan 12, 2014) 
(online at http://www.reuters.com/article/2014/01/12/us-target-
databreach-retailers-idUSBREA0B01720140112).
    \47\ Danny Yadron, Paul Ziobro, Devlin Barrett, Target Warned of 
Vulnerabilities Before Data Breach, The Wall Street Journal (Feb. 14, 
2014) (online at http://online.wsj.com/news/articles/
SB10001424052702304703804579381520736715690).
---------------------------------------------------------------------------
E. Installation--Attacker Establishes Foothold in Victim's Network
    Reports suggest that the attacker maintained access to Fazio's 
systems for some time while attempting to further breach Target's 
network. It is unclear exactly how the attacker could have escalated 
its access from the Ariba external billing system to deeper layers of 
Target's internal network. But given the installation of the BlackPOS 
malware on Target's POS terminals, the compromise of 70 million records 
of non-financial data, and the compromise of the internal Target 
servers used to gather stolen data, it appears that the attackers 
succeeded in moving through various key Target systems.
    Brian Krebs and Dell SecureWorks posit that the attackers may have 
exploited a default account name used in a BMC Software information 
technology management system;\48\ however, it is unclear exactly how 
the attackers found the account password. If the theory is true, a 
protective step at this phase of the kill chain could have included the 
elimination or alteration of unneeded default accounts, as called for 
in PCI-DSS 2.1.\49\
---------------------------------------------------------------------------
    \48\ Brian Krebs, New Clues in the Target Breach, KrebsOnSecurity 
(Jan. 29, 2014) (online at http://krebsonsecurity.com/2014/01/new-
clues-in-the-target-breach/); Keith Jarvis and Jason Milletary, Inside 
a Targeted Point-of-Sale Data Breach, Dell SecureWorks, at 5 (Jan. 24, 
2014) (online at http://krebsonsecurity.com/wp-content/uploads/2014/01/
Inside-a-Targeted-Point-of-Sale-Data-Breach.pdf).
    \49\ Payment Card Industry Security Standards Council, Payment Card 
Industry (PCI) Data Security Standard Version 2.0, at 24 (Oct. 2010) 
(online at https://www.pcisecuritystandards.org/documents/
pci_dss_v2.pdf).
---------------------------------------------------------------------------
    In its recently filed 10K, Target states that in the fall of 2013, 
``an independent third-party assessor found the portion of our network 
that handles payment card information to be compliant with applicable 
data security standards.'' \50\ One of those standards would have been 
PCI-DSS 11.5, which requires merchants to monitor the integrity of 
critical system files and alert on unauthorized changes.\51\ A 
related and stronger control is application ``white listing,'' whereby 
only approved processes are allowed to run on a machine: file-
integrity monitoring detects that an unauthorized binary has appeared, 
while white listing prevents it from executing at all.
---------------------------------------------------------------------------
    \50\ Target Corporation, SEC Form 10-K, at 17, 47 (Mar. 14, 2014) 
(online at http://www.sec.gov/Archives/edgar/data/27419/000002741914000014/tgt-20140201x10k.htm).
    \51\ Payment Card Industry Security Standards Council, Payment Card 
Industry (PCI) Data Security Standard Version 2.0, at 63 (Oct. 2010) 
(online at https://www.pcisecuritystandards.org/documents/
pci_dss_v2.pdf).
---------------------------------------------------------------------------
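    The file-integrity check and process white list just described, as 
an added example that is not part of the staff report and is not 
Target's or any vendor's tooling: a SHA-256 baseline of a constructed 
software tree, a comparison that classifies drift as added, modified 
or removed, and an execution allow-list check against the baseline 
hashes. The directory layout, the file contents and the file name 
scraper.exe are constructed for illustration.

```python
"""Hash-based file-integrity baseline plus an execution allow-list check."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (path relative to root, '/' separated) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift since the baseline: files added, modified, or removed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def is_approved(path: str, approved_hashes: set) -> bool:
    """Execution allow-list: a binary may run only if its hash was pre-approved."""
    return sha256_file(path) in approved_hashes


def demo() -> dict:
    """Build a constructed POS software tree, baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "pos.exe"), "wb") as f:
            f.write(b"legitimate point-of-sale binary (constructed)")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("[pos]\nterminal=0001\n")
        baseline = build_baseline(root)
        approved = set(baseline.values())  # the only hashes allowed to execute

        # Simulate an intruder dropping a memory scraper and editing the config.
        dropped = os.path.join(root, "bin", "scraper.exe")
        with open(dropped, "wb") as f:
            f.write(b"unapproved binary (constructed stand-in for a RAM scraper)")
        with open(os.path.join(root, "config.ini"), "a") as f:
            f.write("debug=1\n")

        drift = compare(baseline, build_baseline(root))
        drift["dropped_binary_approved"] = is_approved(dropped, approved)
        drift["original_binary_approved"] = is_approved(
            os.path.join(root, "bin", "pos.exe"), approved)
        return drift


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Run as a script, demo() reports the dropped binary as added, the 
edited configuration as modified, and refuses to approve the new file 
because its hash is not in the baseline. In production the baseline 
itself must live somewhere the monitored host cannot write, or an 
intruder with that level of access simply re-baselines.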
F. Command and Control (C2)--Attacker Has ``Hands on the Keyboard'' 
        Remote Access to Victim's Network
    Based on the reported timeline of the breach, the attackers had 
access to Target's internal network for over a month and compromised 
internal servers with exfiltration malware by November 30. While the 
exact method by which the attackers maintained command and control is 
unknown, it is clear the attackers were able to maintain a line of 
communication between the outside Internet and Target's cardholder 
network.
    In this phase of the kill chain, one protective step includes 
analysis of where in the network each credentialed user is active. For 
example, if the attackers were still using Fazio's stolen credentials, 
an analyst would have reason to be concerned if that credential was 
being used in an area of the Target network unrelated to vendor 
billing. That the attackers were still using Fazio's credentials when 
installing malware or moving through the Target network is unlikely, 
but the analysis could still have proven useful.
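    The credential-location analysis described above, as an added 
example that is not part of the staff report and is not Target's 
monitoring: constructed authentication events are checked against a 
per-account policy stating which network zone an account belongs in 
and whether it should only ever arrive from outside the network. The 
host names, zone names, account names such as fazio_svc, and all 
addresses are hypothetical.

```python
"""Flag credential use outside the network zone an account is meant for."""
import ipaddress
import re

# Constructed sample authentication events; illustrative, not Target's logs.
SAMPLE_AUTH_LOG = """\
2013-11-15T03:12:44Z host=ariba-web01 user=fazio_svc src=203.0.113.45 result=success
2013-11-15T03:14:02Z host=ariba-web01 user=fazio_svc src=203.0.113.45 result=success
2013-11-27T22:41:10Z host=pos-mgmt07 user=fazio_svc src=10.20.5.17 result=success
2013-11-27T22:45:31Z host=pos-mgmt07 user=fazio_svc src=10.20.5.17 result=success
2013-11-28T01:03:09Z host=itmgmt01 user=svc_default src=10.20.5.17 result=success
2013-11-28T01:05:00Z host=ariba-web01 user=hvac_vendor2 src=198.51.100.9 result=failure
"""

# Hypothetical host-to-zone map and per-account policy. A vendor billing
# account belongs on the vendor portal and arrives from the Internet; it has
# no business authenticating on hosts that manage point-of-sale systems.
HOST_ZONE = {
    "ariba-web01": "vendor-portal",
    "pos-mgmt07": "pos-management",
    "itmgmt01": "it-management",
}
ACCOUNT_POLICY = {
    "fazio_svc": {"zones": {"vendor-portal"}, "external_only": True},
    "hvac_vendor2": {"zones": {"vendor-portal"}, "external_only": True},
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$")


def is_internal(addr: str) -> bool:
    """True when the source address lies in the internal address space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_events(log_text: str):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_anomalies(log_text: str):
    """Return successful logins that violate the account's zone policy.

    Each finding is (timestamp, user, host, reasons). Accounts with no
    policy are reported too: an unexpected account on a sensitive host
    is what default-credential abuse looks like in the logs.
    """
    findings = []
    for ev in parse_events(log_text):
        if ev["result"] != "success":
            continue
        reasons = []
        policy = ACCOUNT_POLICY.get(ev["user"])
        zone = HOST_ZONE.get(ev["host"], "unknown")
        if policy is None:
            reasons.append(f"no policy for account {ev['user']} (seen in zone {zone})")
        else:
            if zone not in policy["zones"]:
                reasons.append(f"account allowed in {sorted(policy['zones'])}, used in {zone}")
            if policy["external_only"] and is_internal(ev["src"]):
                reasons.append(f"external-only account used from internal address {ev['src']}")
        if reasons:
            findings.append((ev["ts"], ev["user"], ev["host"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, host, reasons in find_anomalies(SAMPLE_AUTH_LOG):
        print(f"{ts} {user}@{host}: " + "; ".join(reasons))
```

    On the constructed log, the two logins on the vendor portal from an 
Internet address pass, the two later logins by the same vendor account 
on a POS management host from an internal address are flagged on both 
counts, and the unpoliced service account is flagged simply for having 
no policy. The failed login is ignored here; a second rule counting 
failures per account would catch password guessing.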
    Another protective step at this phase would have been strong 
firewalls between Target's internal systems and the outside Internet 
(e.g., routing all outbound traffic through a proxy so that internal 
hosts cannot reach the Internet directly) to help disrupt the 
attacker's command and control. Target could also have filtered or 
blocked ports, protocols, and destinations commonly used for command 
and control.
G. Actions on Objectives--Attacker Acts to Accomplish Data Exfiltration
    The attackers transmitted the stolen data to outside servers--at 
least one of which was located in Russia--in plain text via FTP \52\ (a 
standard, unencrypted method for transferring files) over the course of 
two weeks. At this phase of the kill chain, protective steps could 
have included white listing the approved FTP servers to which Target's 
network is allowed to upload data and blocking uploads to any other 
destination. For example, such a white list would have rejected 
connections between Target's network and Russia-based Internet 
servers. An analysis of data transmissions on Target's busy network 
may be like searching for a needle in a haystack, but an upload to a 
server in Russia presumably would have been flagged as suspicious if 
discovered.
---------------------------------------------------------------------------
    \52\ McAfee, McAfee Labs Threats Report Fourth Quarter 2013, at 7 
(2013) (online at http://www.mcafee.com/us/resources/reports/rp-
quarterly-threat-q4-2013.pdf).
---------------------------------------------------------------------------
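    The egress controls described in the Command and Control and 
Actions on Objectives sections (a proxy as the only path to the 
Internet, and FTP uploads limited to white-listed servers), as an 
added example that is not drawn from the staff report or from Target's 
actual configuration. The policy is a default-deny decision function 
applied to constructed flow records; the approved FTP range, the proxy 
address and the internal address space are assumptions.

```python
"""Default-deny egress policy applied to flow records, with a tally of the
bytes that the policy would have blocked per source/destination pair."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample flow records (not real Target traffic). Documentation
# address ranges stand in for Internet hosts.
SAMPLE_FLOWS = """\
2013-12-02T02:14:51Z src=10.20.5.17 dst=198.51.100.23 dport=21 bytes=5242880
2013-12-02T02:20:03Z src=10.20.5.17 dst=198.51.100.23 dport=21 bytes=7340032
2013-12-02T09:01:12Z src=10.30.1.5 dst=192.0.2.10 dport=21 bytes=20480
2013-12-02T09:05:40Z src=10.40.0.8 dst=10.1.1.1 dport=443 bytes=4096
2013-12-02T09:06:00Z src=10.50.0.9 dst=203.0.113.80 dport=443 bytes=8192
2013-12-02T09:06:30Z src=10.0.0.2 dst=203.0.113.80 dport=443 bytes=8192
2013-12-02T10:00:00Z src=10.20.5.17 dst=198.51.100.23 dport=4444 bytes=1024
"""

# Hypothetical policy: the only Internet FTP servers anyone may upload to,
# the single outbound web proxy, and the internal address space.
APPROVED_FTP_SERVERS = [ipaddress.ip_network("192.0.2.0/24")]
WEB_PROXY = ipaddress.ip_address("10.0.0.2")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WEB_PORTS = {80, 443}

FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$")


def in_any(ip, nets) -> bool:
    return any(ip in n for n in nets)


def egress_decision(src: str, dst: str, dport: int):
    """Return (action, reason) for one flow under default-deny egress:
    internal traffic passes, FTP only to approved servers, web only from
    the proxy, and every other port is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_any(d, INTERNAL_NETS):
        return "allow", "internal destination"
    if dport == 21:
        if in_any(d, APPROVED_FTP_SERVERS):
            return "allow", "FTP to approved server"
        return "deny", f"FTP upload to unapproved server {dst}"
    if dport in WEB_PORTS:
        if s == WEB_PROXY:
            return "allow", "web egress from proxy"
        return "deny", f"direct web egress from {src} bypasses proxy"
    return "deny", f"port {dport} not on egress allow-list"


def evaluate_flows(log_text: str):
    """Apply egress_decision to every parseable flow record."""
    results = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        action, reason = egress_decision(f["src"], f["dst"], int(f["dport"]))
        results.append((f["ts"], f["src"], f["dst"], int(f["dport"]),
                        int(f["bytes"]), action, reason))
    return results


def denied_volume(results):
    """Bytes per (src, dst) pair the policy would have blocked; the biggest
    talkers are where an analyst should look first."""
    totals = defaultdict(int)
    for _ts, src, dst, _port, nbytes, action, _reason in results:
        if action == "deny":
            totals[(src, dst)] += nbytes
    return dict(totals)


if __name__ == "__main__":
    decisions = evaluate_flows(SAMPLE_FLOWS)
    for ts, src, dst, port, nbytes, action, reason in decisions:
        print(f"{ts} {src}->{dst}:{port} {nbytes}B {action.upper()} ({reason})")
    for (src, dst), total in sorted(denied_volume(decisions).items(),
                                    key=lambda kv: -kv[1]):
        print(f"blocked {total} bytes {src}->{dst}")
```

    On the constructed records the two large FTP uploads and the odd-port 
connection from the same internal host are all denied and sum to about 
12 MB toward one unapproved destination, which is the kind of figure 
that stands out in a daily egress report even on a busy network. The 
direct HTTPS connection that skips the proxy is denied as well; the 
proxy's own identical connection is allowed, which is the point of 
forcing all web traffic through it.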
    Target's FireEye software reportedly did detect the data 
exfiltration malware and decoded the destination of servers on which 
data for millions of stolen credit cards were stored for days at a 
time. Acting on this information could have stopped the exfiltration, 
not only at this last stage, but especially during the ``delivery'' 
step on the kill chain.



                                 ______


    The Chairman. And anybody who wants one of these is welcome 
to have it. I hope people at the press table have it.
    It is increasingly frustrating to me that organizations are 
resisting the need to invest in their security systems. Target 
must be a clarion call to businesses, both large and small, 
that it is time to invest in some changes.
    While I am disappointed that many companies have failed to 
take responsibility for their data security weaknesses, I am 
just as disappointed by Congress and our failure to create 
Federal standards for protecting consumer information. If you 
can imagine having stores in 45 or 35 states, and every state 
has different rules and regulations, it is just an impossible 
mess.
    Recently, I put forth legislation that builds on the long, 
well-established history of the Federal Trade Commission and 
state attorneys general in protecting consumers from data 
breaches.
    The bill set forth strong Federal consumer data security 
and breach notification standards by: one, directing the FTC to 
circulate rules requiring companies to adopt reasonable but 
strong security protocols; requiring companies to notify 
affected consumers in the wake of the breach--I mean, that 
should just be automatic; and authorizing both the FTC and 
state attorneys general to seek civil penalties for violations 
of that law.
    For nearly a decade, we have had major data breaches at 
companies large and small. Millions of consumers have suffered 
the consequences. While Congress deserves its share of the 
blame for inaction, I am increasingly frustrated by industry's 
disingenuous attempts at negotiations.
    So this is my message to the industry today: It is time to 
come to the table. Be willing to compromise. While I am willing 
to hear their concerns about the legislation--my legislation or 
any other legislation--I am not willing to forfeit the basic 
protections that American consumers have a right to count on. 
And I will not.
    Finally, I would be remiss if I did not publicly note that 
representatives from the company Snapchat declined my 
invitation to testify today. When people refuse to testify in 
front of this committee, my instincts, which may be skewed, are 
nevertheless that they are hiding something. In this instance, 
on this subject, I think it warrants closer scrutiny.
    I call on my most distinguished good--I won't go through 
the usual drill.
    [Laughter.]

                 STATEMENT OF HON. JOHN THUNE, 
                 U.S. SENATOR FROM SOUTH DAKOTA

    Senator Thune. OK. Well, thank you, Chairman Rockefeller, 
for holding this afternoon's hearing on data breaches and 
protecting consumer information. Protecting consumers from 
identity theft, fraud, and financial harm is certainly a goal 
that all of us on this committee share.
    I am glad that representatives from Target and the 
University of Maryland accepted our invitation to be here today 
to tell us of their recent and well-publicized breaches. While 
the forensic investigations into these incidents are still 
ongoing, it is clear that millions of individuals have 
unfortunately been affected.
    I look forward to hearing about what lessons Target and the 
University of Maryland have learned from these breaches and 
what additional steps they are taking to prevent them in the 
future and to better safeguard individuals' personal 
information.
    Yet data breaches clearly are not unique to Target and the 
University of Maryland. A data breach report from Verizon found 
that there were more than 600 confirmed data breach disclosures 
among private and government entities and at least 44 million 
compromised records in 2012 alone.
    While we are here today primarily to discuss data breaches 
in the private sector, we can't forget that the U.S. Government 
also holds immense amounts of consumer financial data and 
personal information. It is estimated that the Federal 
Government spent more than $14.6 billion on IT security in 
Fiscal Year 2012, but it is not immune to cyber attacks and 
data breaches.
    In 2012, Federal agencies reported more than 22,000 data 
breach incidents, a number that is more than double what was 
reported in 2009. In addition, a recent report by the 
Government Accountability Office, the government's watchdog, 
identified several instances where Federal agencies failed to 
notify affected individuals, even when the breach was 
determined to have a high risk of harm.
    Breaches of personal information can affect individuals in 
many ways, ranging from the inconvenience of having a credit 
card replaced to the harm of identity theft, where a criminal 
runs up large debts or commits crimes in the victim's name.
    When there is risk of real harm stemming from a breach, we 
need to make sure that consumers have the information they need 
to protect themselves. That is why I support a uniform Federal 
breach notification standard to replace the patchwork of laws 
in 46 states and the District of Columbia.
    A single Federal standard would ensure all consumers are 
treated the same with regard to notification of data breaches 
that might cause them harm. Such a standard would also provide 
consistency and certainty regarding timely notification 
practices, which benefits both consumers and businesses.
    I also want to ensure that businesses appropriately secure 
information and are not burdened by outdated or ill-suited 
security requirements but, rather, are provided with the 
flexibility to develop effective and innovative tools to secure 
the information they are entrusted to protect.
    For these reasons, I cosponsored Senate Bill 1193, the Data 
Security and Breach Notification Act of 2013, with Senator 
Toomey and a number of my colleagues on this committee. The 
bill would require companies possessing personal data to notify 
consumers in a timely manner if their information has been 
unlawfully taken.
    Mr. Chairman, I know that you have also introduced 
legislation on this topic, and I look forward to working with 
you and our colleagues as we consider how best to promote the 
security of personal consumer information and ensure 
appropriate breach notification.
    Of course, we should acknowledge that this issue is not a 
new one. The Committee reported data breach legislation in 2005 
and again in 2007, but finding broad agreement on the path 
forward has proven difficult. We should heed the testimony of 
Mr. Wagner and not allow the perfect to become the enemy of the 
good.
    Our recent experience advancing legislation on the role of 
the National Institute of Standards and Technology in the 
identification of voluntary best practices and standards for 
cybersecurity gives me reason for optimism. And I was pleased 
to see that several of the witnesses today have highlighted the 
good work done by NIST in that regard.
    As we have noted in the past, legislation is also needed to 
enhance information-sharing of cyber threats, with liability 
protections. While not every data breach occurs because of a 
cyber attack, timely information-sharing of cyber threats is 
key to preventing and responding to cyber attacks, whether it 
is a breach of consumer data, theft of intellectual property, 
or an attack on critical infrastructure.
    So I look forward to learning more about the new 
partnership between the merchant and financial associations 
that will focus on sharing more information on cyber threats 
and improving technology to protect consumers.
    I also hope Visa and Target can elaborate on the work that 
they are doing to identify and prevent payment card fraud 
resulting from the recent breach so that the payment system is 
more secure and consumers are better protected.
    I also look forward to hearing from Chairwoman Ramirez of 
the Federal Trade Commission about the work the agency is doing 
on enforcement and education to protect consumers from identity 
theft and fraud.
    I also know that the Secret Service and the Federal Bureau 
of Investigation, in partnership with industry and government 
partners, are working hard to detect and prosecute cyber 
criminals and fraudsters.
    So, Mr. Chairman, I hope our witnesses can share their 
experiences, good or bad, working with Federal agencies on our 
shared goal of safeguarding consumers' personal information. 
And I want to thank you again for holding this hearing, and I 
look forward to hearing from our witnesses.
    Thank you, Mr. Chairman.
    The Chairman. Thank you very much, Senator Thune.
    We are a very good combination. If you don't know that now, 
you will learn it.
    Senator Thune. It is true.
    The Chairman. It is true. We both come from big states.
    [Laughter.]
    Senator Thune. We are both tall people.
    The Chairman. We are both tall people, that is right. And 
we both--and we love sports.
    First, let's start with the Honorable Ramirez, Edith 
Ramirez, who is Chairwoman of the Federal Trade Commission.
    And, once again, I issue the following words of comfort to 
you: Never fear that the National Gallery of Art is going to 
take you over. You are going to be there 1,000 years from now. 
Whether they will be or not, I don't know, but you will be.
    [Laughter.]

  STATEMENT OF HON. EDITH RAMIREZ, CHAIRWOMAN, FEDERAL TRADE 
                           COMMISSION

    Ms. Ramirez. Thank you.
    Chairman Rockefeller, Ranking Member Thune, and members of 
the Committee, I appreciate the opportunity to present the 
Federal Trade Commission's testimony on data security.
    Under your leadership, Chairman Rockefeller, this committee 
has led critical efforts in Congress to protect consumers' 
privacy and data security. From the recent examination of the 
data-broker industry and its impact on consumers to proposing 
data security requirements for industry, you and the members of 
this committee have sought to advance the same goals as the 
FTC. And I want to thank you for your leadership.
    As this committee is well aware, consumers' data is at 
risk. Recent data breaches remind us that hackers seek to 
exploit vulnerabilities in order to access and misuse 
consumers' data in ways that can cause serious harm to 
consumers and businesses.
    These threats affect more than just payment card data. For 
example, breaches in recent years have also compromised Social 
Security numbers, account passwords, health data, and 
information about children. This occurs against the backdrop of 
identity theft, which has been the FTC's top consumer complaint 
for the last 14 years.
    Today, I am here to reiterate the Commission's bipartisan 
call for the enactment of a strong Federal data security and 
breach notification law. Never has the need for legislation 
been greater. With reports of data breaches on the rise, 
Congress must act.
    The FTC supports Federal legislation that would strengthen 
existing data security standards and require companies, in 
appropriate circumstances, to provide notification to consumers 
when there is a security breach. Reasonable security practices 
are critical to preventing data breaches and protecting 
consumers from ID theft and other harm. And when breaches do 
occur, notifying consumers helps them protect themselves from 
any harm that is likely to be caused by the misuse of their 
data.
    Legislation should give the FTC authority to seek civil 
penalties where warranted to help ensure that FTC actions have 
an appropriate deterrent effect. In addition, enabling the FTC 
to bring cases against nonprofits, such as universities and 
health systems, which have reported a substantial number of 
breaches would help ensure that whenever personal information 
is collected from consumers, entities that maintain such data 
adequately protect it.
    Finally, APA rulemaking authority, like that used in the 
CAN-SPAM Act, would allow the Commission to ensure that as 
technology changes and the risks from the use of certain types 
of information evolve, companies would be required to give 
adequate protection to such data.
    For example, whereas a decade ago it would have been 
difficult and expensive for a company to track an individual's 
precise location, smartphones have made this information 
readily available. And as the growing problem of child identity 
theft has brought to light in recent years, Social Security 
numbers alone can be combined with another person's information 
to steal an identity.
    Using its existing authority, the FTC has devoted 
substantial resources to encourage companies to make data 
security a priority. The FTC has settled 50 cases against 
companies that we alleged put consumer data at risk.
    In all these cases, the touchstone of the Commission's 
approach has been reasonableness. A company's data security 
measures must be reasonable in light of the sensitivity and 
volume of consumer information it holds, the size and 
complexity of its data operations, and the cost of available 
tools to improve security and reduce vulnerabilities.
    The Commission has made clear that it does not require 
perfect security and that the fact that a breach occurred does 
not mean that a company has violated the law. As the 
Commission's case against the retailer TJX illustrates, the 
Commission's data security cases have alleged failures to 
implement basic, fundamental safeguards.
    In 2007, TJX announced what was then one of the largest 
known data breaches. According to the FTC's subsequent 
complaint against TJX, a hacker obtained information from tens 
of millions of credit and debit payment cards, as well as the 
personal information of approximately 455,000 consumers.
    The FTC alleged that TJX engaged in a number of practices 
that, taken together, were unreasonable, such as allowing 
network administrators to use weak passwords, failing to limit 
wireless access to in-store networks, not using firewalls to 
isolate computers processing cardholder data from the Internet, 
and not having procedures to detect and prevent unauthorized 
access to its networks, such as procedures to update antivirus 
software.
    In addition to our enforcement efforts, the Commission also 
undertakes policy initiatives to promote privacy and data 
security, such as workshops on mobile security issues and child 
and senior ID theft. And for those consumers who may have been 
affected by recent breaches, the FTC has posted information 
online about steps they should take to protect themselves. The 
FTC also provides guidance to businesses about reasonable 
security practices.
    Thank you for the opportunity to provide the Commission's 
views on data security. The FTC remains committed to promoting 
reasonable security for consumer data, and we look forward to 
continuing to work with the Committee and Congress on this 
critical issue.
    Thank you.
    [The prepared statement of Ms. Ramirez follows:]

           Prepared Statement of the Federal Trade Commission
I. Introduction
    Chairman Rockefeller, Ranking Member Thune, and members of the 
Committee, I am Edith Ramirez, Chairwoman of the Federal Trade 
Commission (``FTC'' or ``Commission'').\1\ I appreciate the opportunity 
to present the Commission's testimony on data security.
---------------------------------------------------------------------------
    \1\ This written statement presents the views of the Federal Trade 
Commission. My oral statements and responses to questions are my own 
and do not necessarily reflect the views of the Commission or of any 
other Commissioner.
---------------------------------------------------------------------------
    Under your leadership, Chairman Rockefeller, this Committee has led 
critical efforts in Congress to protect consumers' privacy and data 
security. Throughout your tenure, the Committee has focused on a wide 
range of privacy and security concerns facing consumers in this 
increasingly interconnected economy. From the recent examination of the 
data broker industry and its impact on consumers; \2\ to protecting our 
children's privacy as technology changes; \3\ to promoting consumers' 
choices about online privacy; \4\ to proposing baseline data security 
requirements for industry,\5\ you and members of the Committee have 
shared the same goals as the Federal Trade Commission: to protect 
consumer privacy and promote data security in the private sector. The 
FTC thanks you for your leadership.
---------------------------------------------------------------------------
    \2\ See Office of Oversight & Investigations Majority Staff Report, 
Senate Commerce Committee, A Review of the Data Broker Industry: 
Collection, Use, and Sale of Consumer Data for Marketing Purposes (Dec. 
18, 2013), available at http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=bd5dad8b-a9e8-4fe9-a2a7-b17f4798ee5a.
    \3\ See, e.g., Press Release, Rockefeller Says Modernized COPPA 
Rule Will Better Protect Children Online, Dec. 19, 2012, available at 
http://www.commerce.senate.gov/public/index.cfm?p=PressReleases&ContentRecord_id=1a0ac4aa-bfbe-493e-a877-16035146562d&ContentType_id=77eb43da-aa94-497d-a73f-5c951ff72372&Group_id=4b968841-f3e8-49da-a529-7b18e32fd69d&MonthDisplay=12&YearDisplay=2012.
    \4\ See, e.g., Hearing Before the Committee on Commerce, Science, 
and Transportation, U.S. Senate, A Status Update on the Development of 
Voluntary Do-Not-Track Standards, Apr. 24, 2013, available at http://www.commerce.senate.gov/public/index.cfm?p=Hearings&ContentRecord_id=1cf8fb1a-fb0b-4bf1-958b-1ea3c443a73c&ContentType_id=14f995b9-dfa5-407a-9d35-56cc7152a7ed&Group_id=b06c39af-e033-4cba-9221-de668ca1978a&MonthDisplay=4&YearDisplay=2013.
    \5\ See, e.g., Press Release, The Data Security & Breach 
Notification Act, Jan. 30, 2014, available at http://www.commerce.senate.gov/public/index.cfm?p=Legislation&ContentRecord_id=40e0ad58-866a-41ea-bf00-750c17e1ee3a.
---------------------------------------------------------------------------
    As this Committee is well aware, consumers' data is at risk. Recent 
publicly announced data breaches \6\ remind us that hackers and others 
seek to exploit vulnerabilities, obtain unauthorized access to 
consumers' sensitive information, and potentially misuse it in ways 
that can cause serious harm to consumers as well as businesses. These 
threats affect more than payment card data; breaches reported in recent 
years have also compromised Social Security numbers, account passwords, 
health data, information about children, and other types of personal 
information.
---------------------------------------------------------------------------
    \6\ See Elizabeth A. Harris & Nicole Perlroth, For Target, the 
Breach Numbers Grow, N.Y. Times, Jan. 10, 2014, available at 
http://www.nytimes.com/2014/01/11/business/target-breach-affected-70-million-customers.html 
(discussing recently-announced breaches involving payment card 
information by Target and Neiman Marcus); Nicole Perlroth, Michaels 
Stores Is Investigating Data Breach, N.Y. Times, Jan. 25, 2014, 
available at 
http://www.nytimes.com/2014/01/26/technology/michaels-stores-is-investigating-data-breach.html 
(announcement of potential security breach involving payment card 
information).
---------------------------------------------------------------------------
    Data security is of critical importance to consumers. If companies 
do not protect the personal information they collect and store, that 
information could fall into the wrong hands, resulting in fraud, 
identity theft, and other harm, along with a potential loss of consumer 
confidence in the marketplace. As one example, the Bureau of Justice 
Statistics estimates that 16.6 million persons--or 7 percent of all 
U.S. residents ages 16 and older--were victims of identity theft in 
2012.\7\
---------------------------------------------------------------------------
    \7\ See Bureau of Justice Statistics, Victims of Identity Theft, 
2012 (Dec. 2013), available at http://www.bjs.gov/content/pub/pdf/
vit12.pdf.
---------------------------------------------------------------------------
    As the Nation's leading privacy enforcement agency, the Commission 
has undertaken substantial efforts for over a decade to promote data 
security and privacy in the private sector through civil law 
enforcement, education, and policy initiatives. The Commission is here 
today to reiterate its longstanding, bipartisan call for enactment of a 
strong Federal data security and breach notification law. Never has the 
need for legislation been greater. With reports of data breaches on the 
rise, and with a significant number of Americans suffering from 
identity theft, Congress must act. This testimony provides an overview 
of the Commission's data security efforts, and restates the FTC's 
support for data security legislation.
II. The Commission's Data Security Program
A. Law Enforcement
    The Commission enforces several statutes and rules that impose 
obligations upon businesses to protect consumer data. The Commission's 
Safeguards Rule, which implements the Gramm-Leach-Bliley Act (``GLB 
Act''), for example, provides data security requirements for non-bank 
financial institutions.\8\ The Fair Credit Reporting Act (``FCRA'') 
requires consumer reporting agencies to use reasonable procedures to 
ensure that the entities to which they disclose sensitive consumer 
information have a permissible purpose for receiving that 
information,\9\ and imposes safe disposal obligations on entities that 
maintain consumer report information.\10\ The Children's Online Privacy 
Protection Act (COPPA) requires reasonable security for children's 
information collected online.\11\ Reasonableness is the foundation of 
the data security provisions of each of these laws.
---------------------------------------------------------------------------
    \8\ 16 C.F.R. Part 314, implementing 15 U.S.C. Sec. 6801(b).
    \9\ 15 U.S.C. Sec. 1681e.
    \10\ Id. at Sec. 1681w. The FTC's implementing rule is at 16 C.F.R. 
Part 682.
    \11\ 15 U.S.C. Sec. Sec. 6501-6506; see also 16 C.F.R. Part 312 
(``COPPA Rule'').
---------------------------------------------------------------------------
    In addition, the Commission enforces the proscription against 
unfair or deceptive acts or practices in Section 5 of the FTC Act.\12\ 
A company acts deceptively if it makes materially misleading statements 
or omissions.\13\ Using its deception authority, the Commission has 
settled more than 30 matters challenging companies' express and implied 
claims about the security they provide for consumers' personal data. 
Further, a company engages in unfair acts or practices if its data 
security practices cause or are likely to cause substantial injury to 
consumers that is neither reasonably avoidable by consumers nor 
outweighed by countervailing benefits to consumers or to 
competition.\14\ The Commission has settled more than 20 cases alleging 
that a company's failure to reasonably safeguard consumer data was an 
unfair practice.\15\
---------------------------------------------------------------------------
    \12\ 15 U.S.C. Sec. 45(a).
    \13\ See Federal Trade Commission Policy Statement on Deception, 
appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984).
    \14\ See Federal Trade Commission Policy Statement on Unfairness, 
appended to Int'l Harvester Co., 104 F.T.C. 949, 1070 (1984) (``FTC 
Unfairness Statement'').
    \15\ Some of the Commission's data security settlements allege both 
deception and unfairness, as well as allegations under statutes such as 
the FCRA, GLB Act, and COPPA.
---------------------------------------------------------------------------
    The FTC conducts its data security investigations to determine 
whether a company's data security measures are reasonable and 
appropriate in light of the sensitivity and volume of consumer 
information it holds, the size and complexity of its data operations, 
and the cost of available tools to improve security and reduce 
vulnerabilities. The Commission's 50 settlements with businesses that 
it charged with failing to provide reasonable protections for 
consumers' personal information have halted harmful data security 
practices; required companies to accord strong protections for consumer 
data; and raised awareness about the risks to data, the need for 
reasonable and appropriate security, and the types of security failures 
that raise concerns.\16\ And they have addressed the risks to a wide 
variety of consumer data, such as Social Security numbers, health data, 
data about children, credit card information, bank account information, 
usernames, and passwords, in a broad range of sectors and platforms.
---------------------------------------------------------------------------
    \16\ See Commission Statement Marking the FTC's 50th Data Security 
Settlement, Jan. 31, 2014, available at http://www.ftc.gov/system/
files/documents/cases/140131gmrstatement.pdf.
---------------------------------------------------------------------------
    In each of these cases, the Commission has examined a company's 
practices as a whole and challenged alleged data security failures that 
were multiple and systemic. Through these settlements, the Commission 
has made clear that reasonable and appropriate security is a continuous 
process of assessing and addressing risks; that there is no one-size-
fits-all data security program; that the Commission does not require 
perfect security; and that the mere fact that a breach occurred does 
not mean that a company has violated the law.
    In its most recent case, the FTC entered into a settlement with GMR 
Transcription Services, Inc., a company that provides audio file 
transcription services for its clients--which includes health care 
providers.\17\ According to the complaint, GMR relies on service 
providers and independent typists to perform this work, and conducts 
its business primarily over the Internet by exchanging audio files and 
transcripts with customers and typists by loading them on a file 
server. As a result of GMR's alleged failure to implement reasonable 
and appropriate security measures or to ensure its service providers 
also implemented reasonable and appropriate security, at least 15,000 
files containing sensitive personal information--including consumers' 
names, birthdates, and medical histories--were available to anyone on 
the Internet. The Commission's order prohibits GMR from making 
misrepresentations about privacy and security, and requires the company 
to implement a comprehensive information security program and undergo 
independent audits for the next 20 years.
---------------------------------------------------------------------------
    \17\ GMR Transcription Servs., Inc., Matter No. 112-3120 (F.T.C. 
Dec. 16, 2013) (proposed consent order), available at http://
www.ftc.gov/news-events/press-releases/2014/01/provider-medical-
transcript-services-settles-ftc-charges-it.
---------------------------------------------------------------------------
    The FTC also recently announced a case against TRENDnet, which 
involved a video camera designed to allow consumers to monitor their 
homes remotely.\18\ The complaint alleges that TRENDnet marketed its 
SecurView cameras for purposes ranging from home security to baby 
monitoring. Although TRENDnet claimed that the cameras were ``secure,'' 
they had faulty software that left them open to online viewing, and in 
some instances listening, by anyone with the cameras' Internet address. 
This resulted in hackers posting 700 consumers' live feeds on the 
Internet. Under the FTC settlement, TRENDnet must maintain a 
comprehensive security program, obtain outside audits, notify consumers 
about the security issues and the availability of software updates to 
correct them, and provide affected customers with free technical 
support for the next two years.
---------------------------------------------------------------------------
    \18\ TRENDnet, Inc., No. C-4426 (F.T.C. Jan. 16, 2014) (consent 
order), available at 
http://www.ftc.gov/enforcement/cases-proceedings/122-3090/trendnet-inc-matter.
---------------------------------------------------------------------------
    The FTC also has brought a number of cases alleging that 
unreasonable security practices allowed hackers to gain access to 
consumers' credit and debit card information, leading to many millions 
of dollars of fraud loss.\19\ The Commission's settlement with TJX 
provides a good example of the FTC's examination of reasonableness in 
the data security context.\20\ According to the complaint, TJX engaged 
in a number of practices that, taken together, failed to reasonably 
protect consumer information. Among other things, it (1) failed to 
implement measures to limit wireless access to its stores, allowing a 
hacker to connect wirelessly to its networks without authorization; (2) 
did not require network administrators to use strong passwords; (3) 
failed to use a firewall or otherwise limit access to the Internet on 
networks processing cardholder data; and (4) lacked procedures to 
detect and prevent unauthorized access, such as by updating antivirus 
software and responding to security warnings and intrusion alerts. As a 
result, a hacker obtained tens of millions of credit and debit payment 
cards, as well as the personal information of approximately 455,000 
consumers who returned merchandise to the stores. As this matter 
illustrates, the FTC's approach to reasonableness is process-based 
rather than a checklist of specific technologies or tools. The 
Commission looks to see whether companies have a general framework in 
place to develop, implement, and maintain appropriate safeguards that 
is reasonable and appropriate in light of the sensitivity and volume of 
the data it holds, the size and complexity of its data operations, and 
the cost of available tools.
---------------------------------------------------------------------------
    \19\ See, e.g., Dave & Buster's, Inc., No. C-4291 (F.T.C. May 20, 
2010) (consent order), available at http://www.ftc.gov/enforcement/
cases-and-proceedings/cases/2010/06/dave-busters-incin-matter; DSW, 
Inc., No. C-4157 (F.T.C. Mar. 7, 2006) (consent order), available at 
http://www.ftc.gov/enforcement/cases-and-proceedings/cases/2006/03/dsw-
incin-matter; BJ's Wholesale Club, Inc., No. C-4148 (F.T.C. Sept. 20, 
2005) (consent order), available at http://www.ftc.gov/enforcement/
cases-and-proceedings/cases/2005/09/bjs-wholesale-club-inc-matter.
    \20\ The TJX Cos., Inc., No. C-4227 (F.T.C. July 29, 2008) (consent 
order), available at http://www.ftc.gov/enforcement/cases-and-
proceedings/cases/2008/08/tjx-companies-inc-matter.
---------------------------------------------------------------------------
B. Policy Initiatives
    The Commission also undertakes policy initiatives to promote 
privacy and data security. For example, the FTC hosts workshops on 
business practices and technologies affecting consumer data. The FTC is 
in the midst of hosting its Spring Privacy Series to examine the 
privacy implications of a number of new technologies in the 
marketplace.\21\ The first seminar, held in February, included a panel 
of industry, technical experts, and privacy advocates and examined the 
privacy and security implications of mobile device tracking, where 
retailers and other companies rely on technology that can reveal 
information about consumers' visits to and movements within a 
location.\22\
---------------------------------------------------------------------------
    \21\ Press Release, FTC to Host Spring Seminars on Emerging 
Consumer Privacy Issues, Dec. 2, 2013, available at http://www.ftc.gov/
news-events/press-releases/2013/12/ftc-host-spring-seminars-emerging-
consumer-privacy-issues.
    \22\ See Spring Privacy Series, Mobile Device Tracking, Feb. 19, 
2014, available at http://www.ftc.gov/news-events/events-calendar/2014/
02/spring-privacy-series-mobile-device-tracking.
---------------------------------------------------------------------------
    In November, the FTC held a workshop on the phenomenon known as the 
``Internet of Things''--i.e., Internet-connected refrigerators, 
thermostats, cars, and other products and services that can communicate 
with each other and/or consumers.\23\ The workshop brought together 
academics, industry representatives, and consumer advocates to explore 
the security and privacy issues from increased connectivity in everyday 
devices, in areas as diverse as smart homes, connected health and 
fitness devices, and connected cars. Commission staff is developing a 
report on privacy and security issues raised at the workshop and in the 
public comments.
---------------------------------------------------------------------------
    \23\ FTC Workshop, Internet of Things: Privacy & Security in a 
Connected World (Nov. 19, 2013), available at http://www.ftc.gov/bcp/
workshops/internet-of-things/.
---------------------------------------------------------------------------
    And last June, the Commission hosted a public forum on mobile 
security issues, including potential threats to U.S. consumers and 
possible solutions to them.\24\ As the use of mobile technology 
increases at a rapid rate and consumers take advantage of the 
technology's benefits in large numbers, it is important to address 
threats that exist today as well as those that may emerge in the 
future. The forum brought together technology researchers, industry 
members and academics to explore the security of existing and 
developing mobile technologies and the roles various members of the 
mobile ecosystem can play in protecting consumers from potential 
security threats.
---------------------------------------------------------------------------
    \24\ FTC Workshop, Mobile Security: Potential Threats and Solutions 
(June 4, 2013), available at http://www.ftc.gov/bcp/workshops/mobile-
security/.
---------------------------------------------------------------------------
C. Consumer Education and Business Guidance
    The Commission is also committed to promoting better data security 
practices through consumer education and business guidance. On the 
consumer education front, the Commission sponsors OnGuard Online, a 
website designed to educate consumers about basic computer 
security.\25\ OnGuard Online and its Spanish-language counterpart, 
Alerta en Línea,\26\ average more than 2.2 million unique visits per 
year. Also, for consumers who may have been affected by the recent 
Target and other breaches, the FTC posted information online about 
steps they should take to protect themselves.\27\
---------------------------------------------------------------------------
    \25\ See http://www.onguardonline.gov.
    \26\ See http://www.alertaenlinea.gov.
    \27\ See Nicole Vincent Fleming, An Unfortunate Fact About 
Shopping, FTC Consumer Blog, http://www.consumer.ftc.gov/blog/
unfortunate-fact-about-shopping (Jan. 27, 2014); Nicole Vincent 
Fleming, Are you affected by the recent Target hack?, FTC Consumer 
Blog, https://www.consumer.ftc.gov/blog/are-you-affected-recent-target-
hack. In addition to these materials posted in response to recent 
breaches, the FTC has long published a victim recovery guide and other 
resources to explain the immediate steps identity theft victims should 
take to address the crime; how to obtain a free credit report and 
correct fraudulent information in credit reports; how to file a police 
report; and how to protect their personal information. See http://
www.consumer.ftc.gov/features/feature-0014-identity-theft.
---------------------------------------------------------------------------
    The Commission directs its outreach to businesses as well to 
provide education about applicable legal requirements and reasonable 
security practices. For example, the FTC widely disseminates its 
business guide on data security,\28\ along with an online tutorial 
based on the guide.\29\ These resources are designed to provide a 
variety of businesses--and especially small businesses--with practical, 
concrete advice as they develop data security programs and plans for 
their companies. First, companies should know what consumer information 
they have and what personnel or third parties have, or could have, 
access to it. Understanding how information moves into, through, and 
out of a business is essential to assessing its security 
vulnerabilities. Second, companies should limit the information they 
collect and retain based on their legitimate business needs, so that 
needless storage of data does not create unnecessary risks of 
unauthorized access to the data. Third, businesses should protect the 
information they maintain by assessing risks and implementing 
protections in certain key areas--physical security, electronic 
security, employee training, and oversight of service providers. 
Fourth, companies should properly dispose of information that they no 
longer need. Finally, companies should have a plan in place to respond 
to security incidents, should they occur.
---------------------------------------------------------------------------
    \28\ See Protecting Personal Information: A Guide for Business, 
available at http://business.ftc.gov/documents/bus69-protecting-
personal-information-guide-business.
    \29\ See Protecting Personal Information: A Guide for Business 
(Interactive Tutorial), available at http://business.ftc.gov/
multimedia/videos/protecting-personal-information.
---------------------------------------------------------------------------
    The Commission has also released articles directed towards a non-
legal audience regarding basic data security issues for businesses.\30\ 
For example, because mobile applications (``apps'') and devices often 
rely on consumer data, the FTC has developed specific security guidance 
for mobile app developers as they create, release, and monitor their 
apps.\31\ The FTC also creates business educational materials on 
specific topics--such as the risks associated with peer-to-peer 
(``P2P'') file-sharing programs and companies' obligations to protect 
consumer and employee information from these risks \32\ and how to 
properly secure and dispose of information on digital copiers.\33\
---------------------------------------------------------------------------
    \30\ See generally http://www.business.ftc.gov/privacy-and-
security/data-security.
    \31\ See Mobile App Developers: Start with Security (Feb. 2013), 
available at http://business.ftc.gov/documents/bus83-mobile-app-
developers-start-security.
    \32\ See Peer-to-Peer File Sharing: A Guide for Business (Jan. 
2010), available at http://business.ftc.gov/documents/bus46-peer-peer-
file-sharing-guide-business.
    \33\ See Copier Data Security: A Guide for Business (Nov. 2010), 
available at http://business.ftc.gov/documents/bus43-copier-data-
security.
---------------------------------------------------------------------------
III. Data Security Legislation
    The FTC supports Federal legislation that would (1) strengthen its 
existing authority governing data security standards on companies and 
(2) require companies, in appropriate circumstances, to provide 
notification to consumers when there is a security breach.\34\ 
Reasonable and appropriate security practices are critical to 
preventing data breaches and protecting consumers from identity theft 
and other harm. Where breaches occur, notifying consumers helps them 
protect themselves from any harm that is likely to be caused by the 
misuse of their data. For example, in the case of a breach of Social 
Security numbers, notifying consumers will enable them to request that 
fraud alerts be placed in their credit files, obtain copies of their 
credit reports, scrutinize their monthly account statements, and take 
other steps to protect themselves. And although most states have breach 
notification laws in place, having a strong and consistent national 
requirement would simplify compliance by businesses while ensuring that 
all consumers are protected.
---------------------------------------------------------------------------
    \34\ See, e.g., Prepared Statement of the Federal Trade Commission, 
``Privacy and Data Security: Protecting Consumers in the Modern 
World,'' Before the Senate Committee on Commerce, Science, and 
Transportation, 112th Cong., June 29, 2011, available at 
http://www.ftc.gov/sites/default/files/documents/public_statements/prepared-statement-federal-trade-commission-privacy-and-data-security-protecting-consumers-modern/110629privacytestimonybrill.pdf; 
Prepared Statement of the Federal Trade Commission, ``Data Security,'' 
Before Subcommittee on Commerce, Manufacturing, and Trade of the House 
Committee on Energy and Commerce, 112th Cong., June 15, 2011, available 
at 
http://www.ftc.gov/sites/default/files/documents/public_statements/prepared-statement-federal-trade-commission-data-security/110615datasecurityhouse.pdf; 
FTC, Security in Numbers, SSNs and ID Theft (Dec. 2008), available at 
http://www.ftc.gov/sites/default/files/documents/reports/security-numbers-social-security-numbers-and-identity-theft-federal-trade-commission-report/p075414ssnreport.pdf; 
President's Identity Theft Task Force, Identity Theft Task Force Report 
(Sept. 2008), available at 
http://www.ftc.gov/sites/default/files/documents/reports/presidents-identity-theft-task-force-report/081021taskforcereport.pdf.
---------------------------------------------------------------------------
    Legislation in both areas--data security and breach notification--
should give the FTC the ability to seek civil penalties to help deter 
unlawful conduct, jurisdiction over non-profits, and rulemaking 
authority under the Administrative Procedure Act. Under current laws, 
the FTC only has the authority to seek civil penalties for data 
security violations with regard to children's online information under 
COPPA or credit report information under the FCRA.\35\ To help ensure 
effective deterrence, we urge Congress to allow the FTC to seek civil 
penalties for all data security and breach notice violations in 
appropriate circumstances. Likewise, enabling the FTC to bring cases 
against non-profits \36\ would help ensure that whenever personal 
information is collected from consumers, entities that maintain such 
data adequately protect it.\37\
---------------------------------------------------------------------------
    \35\ The FTC can also seek civil penalties for violations of 
administrative orders. 15 U.S.C. Sec. 45(l).
    \36\ Non-profits are generally outside the FTC's jurisdiction. 15 
U.S.C. Sec. Sec. 44 & 45(a).
    \37\ A substantial number of reported breaches have involved non-
profit universities and health systems. See Privacy Rights 
Clearinghouse Chronology of Data Breaches (listing breaches including 
breaches at non-profits, educational institutions, and health 
facilities), available at http://www.privacyrights.org/data-breach/new.
---------------------------------------------------------------------------
    Finally, rulemaking authority under the Administrative Procedure 
Act would enable the FTC in implementing the legislation to respond to 
changes in technology. For example, whereas a decade ago it would be 
incredibly difficult and expensive for a company to track an 
individual's precise geolocation, the explosion of mobile devices has 
made such information readily available. And, as the growing problem of 
child identity theft has brought to light in recent years, a child's 
Social Security number alone can be used in combination with another 
person's information, such as name or date of birth, in order to commit 
identity theft.\38\ Rulemaking authority would allow the Commission to 
ensure that as technology changes and the risks from the use of certain 
types of information evolve, companies would be required to give 
adequate protection to such data.
---------------------------------------------------------------------------
    \38\ FTC Workshop, Stolen Futures: A Forum on Child Identity Theft 
(July 12, 2011), available at http://www.ftc.gov/news-events/events-
calendar/2011/07/stolen-futures-forum-child-identity-theft.
---------------------------------------------------------------------------
IV. Conclusion
    Thank you for the opportunity to provide the Commission's views on 
data security. The FTC remains committed to promoting reasonable 
security for consumer data and we look forward to continuing to work 
with the Committee and Congress on this critical issue.

    The Chairman. Thank you very much.
    We are very honored to have the President of the University 
of Maryland here, Dr. Wallace Loh.
    Thank you for taking the time, sir. I am sure that 
testifying before a congressional committee must be something 
you look forward to.
    [Laughter.]

          STATEMENT OF DR. WALLACE D. LOH, PRESIDENT, 
                     UNIVERSITY OF MARYLAND

    Mr. Loh. Thank you, Chairman Rockefeller and Ranking Member 
Thune and members of the Commerce Committee. I spend most of my 
time testifying before the Maryland legislature, so I hope that 
is good preparation for today.
    On February 18, after a major snowstorm paralyzed this 
region that weekend--that was President's Day weekend--we had a 
very sophisticated cyber attack. Somebody basically uploaded a 
Trojan horse into the website of one of our colleges. This 
website, about 10 years old, invites the uploading of 
photographs, but instead they uploaded this malware.
    Once they got into that website, they were able to pierce 
into central systems, and they were actually coding in order to 
do that. And they were able to get to the directory of the 
management of IT, find their passwords, and then change these 
to issue orders.
    So they downloaded 310,000 names, Social Security numbers, 
university IDs. They intentionally left out photographs, so on 
and so forth, that kind of information, because that would have 
slowed the exfiltration of the data. And they did it using Tor 
(software allowing online anonymity), which means that they 
were able to hide the point of origin of the attack.
    It turns out, because we have never been hacked before, we 
were just flying by the seat of our pants.
    And it just so happens that we did exactly what your bill 
proposes to do. With regard to notification, we announced it 
within 24 hours. Within 24 hours, we also contacted credit 
rating agencies, set up call centers, and notified the entire 
university community, all 38,000 students, all 12,000 faculty 
and staff. And within 4 or 5 days, we e-mailed, called, sent 
letters to everybody else, a total of 310,000 because some of 
them are alumni going back for 20 years.
    The reason, of course, is that what they got were the 
university IDs, but, remember, until about the year 2000, every 
university in this country was using Social Security numbers as 
identification. And we have thousands of databases, and they 
just took that one database where we had both the university ID 
and the Social Security.
    So, in terms of notification, not only did we notify, we 
offered to pay 5 years of protection--credit card protection--
to all the affected parties. That is approximately $20 per 
person, multiplied by 310,000 over 5 years. To date, 
approximately 60,000 have signed up for this free 5-year 
protection.
    What we also did in terms of data security is very much 
along the lines of what your bill has proposed. What we have 
done immediately was to purge all of the unnecessary data. We 
have purged approximately 225,000 names from our records. We 
didn't purge all of them because you need Social Security 
numbers for a student's financial aid, for payroll purposes. We 
are trying to reinforce the security for those Social Security 
numbers that remain.
    So what we are trying to do, with the help of the FBI, the 
Secret Service, private security companies, is two things. One 
is to strengthen perimeter defenses and hire firms to do 
periodic, on a regular basis, penetration testing. And then, 
also, assuming they still are able to penetrate, because people 
who play offense will always be one step ahead of those who are 
playing defense, is to tighten the security around the 
sensitive databases.
    So what we have done in just one month is we have migrated 
almost all of our websites to the cloud. We have purged, as I 
said, lots of information. We have engaged firms to do 
penetration testing. We have isolated information that is 
sensitive from information that is less sensitive and so on. 
And the cost is very, very high.
    Let me just conclude by saying that 3 weeks later we had 
another major intrusion. Fortunately, of course, the FBI was 
working with us. All I can say at this point is that within 36 
hours the FBI was able to identify and, in their parlance, 
successfully mitigate that intrusion. No data was released, 
except that the data of one individual was posted on the Web 
for everybody to see just because the intruder wanted everybody 
to know that they were successful.
    So that is where we are at. And thank you very much for all 
of your work in terms of requiring data notification and data 
security. This is a very important issue.
    And I will conclude by saying this. Security in a 
university is very different than data security in the private 
sector, because a university is an open organization. There are 
many points of access because it is all about the free exchange 
of information. By definition, that is the Internet. In the 
private sector, you can centralize cybersecurity. You cannot do 
that at a university.
    So we have to find that proper balance between security and 
access. And that is the challenge for all universities because, 
as you know, in the past 12 months 50 universities have had 
major data breaches, and not all of them even bothered to 
report it.
    [The prepared statement of Mr. Loh follows:]

         Prepared Statement of Dr. Wallace D. Loh, President, 
                         University of Maryland
    My name is Wallace Loh and I am the President of the University of 
Maryland. From its beginnings as a small, land-grant institution to its 
current status as a major presence in higher education, the University 
of Maryland has a long and distinguished history of excellence and 
innovation, evidenced by being #38 in the 2013 Academic Ranking of 
World Universities.
    I am grateful for this opportunity to discuss an issue that is not 
only important to the higher education community but to all of us who 
participate in online activities on a daily basis. As the state's 
flagship institution, the University of Maryland has 37,000 students, 
12 colleges and schools, 9000 faculty and staff, and an annual $1.7 
billion operation budget. To safeguard such a large and complex 
operation, we recently doubled the number of our IT security engineers 
and analysts as well as our investment in top-end security tools. 
However, as our recent data breach reveals, more remains to be done.
    On February 18, 2014, the University of Maryland was the victim of 
a sophisticated computer security attack that exposed records 
containing personal information of faculty, staff, students and 
affiliated personnel from the College Park and Shady Grove campuses. 
Fortunately, no financial, academic, health or contact (phone and 
address) information was compromised, but we are not taking any 
chances. I have ordered five years of credit protection services at no 
cost to every person affected by this breach. This is above and beyond 
the protection measures taken by other organizations and institutions, 
and so far nearly 30,000 persons affected by the breach have 
registered, which is also well ahead of projections. In addition, all 
sensitive records in the breached database that are no longer required 
have been removed.
    As evidence of our efforts, the University of Maryland IT security 
staff, working with the U.S. Secret Service, the FBI, and the campus 
police, mitigated another intrusion which occurred on Saturday, March 
15, 2014. There was no public release of any information and no damage 
to the institution, except for the release of personal data of one 
senior university official.
    Our experience highlights a serious and growing threat. In fact, in 
the past decade, some 20 large universities across the country have 
also reported major data breaches. Fortunately, there are steps that 
can be taken to minimize our risk and vulnerability.
    Over the past month, the University of Maryland has handled the 
situation in a deliberate and thorough manner, working with computer 
forensic investigators to determine how our sophisticated, multi-
layered security defenses were bypassed, to track down the 
perpetrators, and most importantly to ensure there is no repeat of 
these intrusions. The steps we are taking now should serve as both a 
warning and a model for other institutions.
    First, many university databases were created years ago when the 
environment for cyber threats was different. Consequently, they need to 
be explored, updated and secured. A comprehensive review of all 
personal information across all databases is underway, which has 
already led to the removal of all sensitive records in the breached 
database that are no longer required. Second, to maintain protection, 
universities should perform penetration tests of security defense on an 
ongoing basis to seal any possible technological gaps. At the moment, 
we are evaluating cyber security consulting firms that can assist with 
this process. Finally, there must be an appropriate balance between 
centralized (University-operated) versus decentralized (unit-operated) 
IT systems. Technical fixes must be reflected in policy changes to 
ensure that safeguards at central and local levels are equally robust 
and tightly coordinated. This includes examining national cybersecurity 
policies, procedures and best practices. The University of Maryland is 
performing each of these steps and recommends that other universities 
follow suit. And while such changes may be pricey, being proactive in 
safeguarding sensitive information is worth the investment.
    To execute this threefold mission, I have formed an 18-member Task 
Force on Cybersecurity. The Task Force includes experts from our 
campus, including members from our Maryland Cybersecurity Center. It 
also includes students since their perspective is unique and essential. 
The first meeting of the Task Force took place March 12 and I have 
charged them to complete an investigation and submit recommendations to 
me by June 12. The Task Force has the full support of my office and the 
resources it needs to complete its task. I will take all necessary 
actions based on the Task Force's recommendations and the results of 
the forensic analysis now underway.
    Concurrently, the University IT staff with the support of outside 
consultants are working virtually non-stop to protect better the vast 
information systems in our network that are accessible to students, 
faculty, staff and others. In the past month, they have identified and 
closed the pathways utilized in the February 18, 2014, breach and the 
incursion on March 15, 2014, changed the passwords for all databases 
and applications, and conducted an initial audit to detect 
vulnerabilities in individual websites within web hosting environments. 
Plans have also been accelerated to migrate web hosting to a more 
secure environment.
    Equally important, it is not enough to rely on others to defend 
against cyber threats. Each of us must do our part and take reasonable 
steps to ensure our own information security. Therefore, the University 
of Maryland will also present a series of identity theft seminars to 
our students, faculty, staff and alumni. These seminars, which will 
also be recorded and made available online for viewing at a later time, 
will feature Jeff Karberg from the Maryland Attorney General's Identity 
Theft Unit.
    It is clear that there is no impregnable barrier against every 
cyber-attack. There is an arms race between hackers playing offense and 
universities playing defense. Nonetheless, as the threat evolves, so 
can we. It will require higher investments in cyber security and 
greater diligence on our part, but as we become more adept at defense, 
we will inevitably create a good offense, and cyber criminals will have 
to be the ones who are worried.
            Thank you.
                                             Wallace D. Loh

    The Chairman. Excellent testimony, and I thank you very 
much.
    Mr. John Mulligan is Executive Vice President and Chief 
Financial Officer of the Target Corporation.
    We welcome you.

         STATEMENT OF JOHN J. MULLIGAN, EXECUTIVE VICE

             PRESIDENT AND CHIEF FINANCIAL OFFICER,

                       TARGET CORPORATION

    Mr. Mulligan. Good afternoon, Chairman Rockefeller, Ranking 
Member Thune, and members of the Committee. My name is John 
Mulligan, and I am the Executive Vice President and Chief 
Financial Officer of Target. It is a pleasure to be with you 
here today.
    As you know, Target experienced a data breach resulting 
from a criminal attack on our systems. Let me begin by once 
again reiterating how deeply sorry we are for the impact this 
incident has had on our guests, your constituents.
    Our top priority is always taking care of our guests. They 
should feel confident about shopping at Target. We work hard to 
protect information about them, but the reality is we 
experienced a data breach. Our guests expect more, and we are 
working hard to do better. We know this has shaken their 
confidence, and we intend to earn it back.
    My written statement provides additional details about the 
breach and Target's response. Like you, we are asking hard 
questions about whether we could have taken different actions 
before the breach was discovered that would have resulted in 
different outcomes.
    In particular, we are focused on what information we had 
that could have alerted us to the breach earlier, whether we 
had the right personnel in the right positions, and ensuring 
that decisions related to operational and security matters were 
sound. We are working quickly to answer these questions.
    This afternoon, I would like to provide an update since I 
last testified, including the actions we are taking to further 
strengthen our security and potential policy solutions we 
support.
    From the outset, our response to the breach has been 
focused on supporting our guests and taking action to protect 
them against constantly evolving cyber threats. We are taking a 
hard look at security across our network.
    While we don't know everything yet, we have initiated the 
following steps to further protect our perimeter and better 
secure our data: We are enhancing our security systems. We are 
increasing segmentation of key portions of our network. We have 
accelerated the installation of additional anti-malware tools. 
And we are hardening our network perimeter by expanding two-
factor authentication.
    Earlier this month, Target became the first retailer to 
join the Financial Services Information Sharing and Analysis 
Center. The center shares critical information and facilitates 
detection, prevention, and response to cyber attacks and fraud 
activity.
    We are accelerating our $100 million investment in the 
adoption of chip technology because we believe it is critical 
to enhancing consumer protection. We have already installed 
approximately 10,000 chip-enabled devices in Target stores and 
expect to complete this installation in all Target stores by 
September, 6 months ahead of schedule. We also expect to begin 
to issue and accept chip-enabled cards by early 2015.
    We have offered one year of free credit monitoring and 
identity theft protection to anyone who has ever shopped at our 
U.S. Target stores. And we have informed our guests that they 
have zero liability for any fraudulent charges on their cards 
arising from this incident.
    We believe that responsible policy measures can help 
further enhance security for our guests and all consumers. Mr. 
Chairman, I know that you and other members of the Committee 
have introduced legislation designed to enhance data security. 
Although I am not a policy expert, I have discussed the 
principles of your bill with our team. We agree that a uniform 
standard would help provide clarity and predictability to 
consumer notifications. While the standard would be uniform, we 
would support continued state attorneys general enforcement.
    We also believe that data security standards, if 
appropriately structured by the Federal Trade Commission, could 
provide additional protection for consumers. We have learned 
that even robust security can't completely shield a company 
from a criminal breach. However, the more that data security 
can be improved across the economy, the better protected 
consumers will be.
    For many years, Target has invested significant capital and 
resources in technology, personnel, and processes. Prior to the 
data breach, we had in place multiple layers of protection and 
continually made enhancements to meet evolving threats. And in 
September 2013, our systems were certified compliant with 
Payment Card Industry data security standards, meaning that we 
met approximately 300 independent requirements of the 
assessment.
    Yet the reality is that criminals breached our system. To 
prevent breaches like this from happening again, none of us can 
go it alone. All businesses and their customers are facing 
frequent and increasingly sophisticated attacks by cyber 
criminals. Protecting American consumers is a shared 
responsibility, and Target remains committed to being part of 
that solution.
    Senators, I want to once again say to you and to our guests 
how sorry we are this happened. We are committed to getting 
things right.
    Thank you.
    [The prepared statement of Mr. Mulligan follows:]

Prepared Statement of John Mulligan, Executive Vice President and Chief 
                       Financial Officer, Target
I. Introduction
    Good afternoon Chairman Rockefeller, Ranking Member Thune, and 
Members of the Committee. My name is John Mulligan and I am the 
Executive Vice President and Chief Financial Officer of Target. I 
appreciate the opportunity to be here today to discuss important issues 
surrounding data breaches and cybercrime.
    As you know, Target experienced a data breach in late 2013 
resulting from a criminal attack on our systems. Let me reiterate how 
deeply sorry we are for the impact this incident has had on our 
guests--your constituents. Our top priority is taking care of our 
guests. They should feel confident about shopping at Target. We work 
hard to protect their information. But the reality is we experienced a 
data breach. Our guests expect more and we are working hard to do 
better. We know this has shaken their confidence and we intend to earn 
it back.
    We are asking hard questions about whether we could have taken 
different actions before the breach was discovered that would have 
resulted in different outcomes. In particular, we are focused on what 
information we had that could have alerted us to the breach earlier; 
whether we had the right personnel in the right positions; and ensuring 
that decisions related to operational and security matters were sound. 
We are working diligently to answer these questions.
    This afternoon, I'd like to provide an update since I last 
testified, including actions we are taking to further strengthen our 
security and potential policy solutions we support. Because the 
government's investigation regarding the intruders remains active and 
ongoing, I may not be able to provide specifics on certain matters. We 
continue to work closely with the U.S. Secret Service and the U.S. 
Department of Justice--to help them bring to justice the criminals who 
perpetrated this wide-scale attack on Target, American business and 
consumers.
II. What We Know
    We are further strengthening our data security based on learnings 
from an end-to-end review of our systems. We are not finished with that 
review, and additional facts may affect our findings, but we are 
certainly developing a clearer picture of events and want to share with 
you some key facts we have learned.
    Like any large business, we log a significant number of technology 
activities in our system--more than 1 billion on average each day. 
These activities range from relatively insignificant, such as a team 
member logging onto a laptop, to more significant, such as removal of a 
virus from a computer. Using technology tools, those activities are 
narrowed to a few hundred events that are surfaced to the professionals 
staffing our Security Operations Center (SOC). As a result of their 
review of these events, dozens of cases are opened daily for additional 
assessment.
    It appears that intruders entered our system on November 12. We now 
believe that some intruder activity was detected by our computer 
security systems, logged and surfaced to the SOC and evaluated by our 
security professionals. With the benefit of hindsight and new 
information, we are now asking hard questions regarding the judgments 
that were made at that time and assessing whether different judgments 
may have led to different outcomes.
    We believe that the intruders initially obtained an HVAC vendor's 
credentials to access the outermost portion of our network. We are 
still investigating how the intruders were able to move through the 
system using higher-level credentials to ultimately place malware on 
Target's point-of-sale registers. The malware appears to have been 
designed to capture payment card data from the magnetic strip of credit 
and debit cards prior to encryption within our system.
    On the evening of December 12, we were notified by the Justice 
Department of suspicious activity involving payment cards used at 
Target stores. We immediately started our internal investigation.
    On December 13, we met with the Justice Department and Secret 
Service. On December 14, we engaged an outside team of experts to lead 
a thorough forensic investigation.
    On December 15, we confirmed that criminals had infiltrated our 
system, installed malware on our point-of-sale network and potentially 
stolen guest payment card data. That same day, we removed the malware 
from virtually all registers in our U.S. stores.
    Over the next two days, we began notifying the payment processors 
and card networks, preparing to publicly notify our guests, and 
equipping call centers and stores with the necessary information and 
resources to address our guests' concerns.
    Our actions leading up to our public announcement on December 19--
and since--have been guided by the principle of serving our guests. We 
moved quickly to share accurate and actionable information with the 
public. When we announced the intrusion on December 19, we used 
multiple forms of communication, including a mass-scale public 
announcement, e-mail, prominent notices on our website, and social 
media.
    Additionally, when we subsequently confirmed the theft of certain 
personal data, we used various channels of communication to notify our 
guests on January 10.
    The breach affected two types of data: payment card data, which 
affected approximately 40 million guests, and certain personal data, 
which affected up to 70 million guests. The theft of the payment card 
data affected guests who shopped at our U.S. stores from November 27 
through December 18. The theft of personal data included name, mailing 
address, phone number or e-mail address, and in many cases, it was 
partial in nature.
    It is difficult to develop an accurate assessment of overlap 
between these two types of data, due in part to the partial nature of 
the information related to the file of 70 million individuals. Our 
analysis indicates there is an overlap of at least 12 million guests in 
the two populations, and likely more.
III. Protecting Our Guests
    From the outset, our response to the breach has been focused on 
supporting our guests and taking action to further protect them against 
constantly evolving cyber threats. We are taking a hard look at 
security across the network. While we don't know everything yet, we 
have initiated the following steps to further protect our perimeter and 
better secure our data:

        Segmentation. We are increasing the segmentation and separation 
        of key portions of our network by enhancing the protections 
        provided by the firewalls we have in place to limit 
        unauthorized traffic. This is about making it more difficult to 
        move across our network.

        Whitelisting. We continue to strengthen our anti-virus tools, 
        and accelerated the installation of a whitelisting solution on 
        our registers. Whitelisting protects guests by detecting 
        malicious applications and stopping them from running on our 
        registers and gives us another tool to prevent malware from 
        taking root and spreading in our environment. This is about 
        limiting what can run on our network.

        Authentication. We are strengthening our network perimeter by 
        expanding two-factor authentication for entry into the system. 
        This is about double locking the door.

    Beyond these technology responses, we need to ensure the right 
people, with the right experience, are in the right place. That's why 
we are also taking a hard look at our organization, with the intention 
of bolstering our information security structure and practices.

  * Earlier this month, Target became the first retailer to join 
        the Financial Services Information Sharing and Analysis Center 
        (FS-ISAC), an initiative developed by the financial services 
        industry to help facilitate the detection, prevention, and 
        response to cyber attacks and fraud activity. Target was 
        eligible to join the organization because of its financial 
        operations. During my testimony to Congress in February, I 
        stressed Target's commitment to more coordinated information 
        sharing with law enforcement and others fighting cyber threats, 
        in order to help make our company, partners and guests more 
        secure. Joining the FS-ISAC underscores Target's position that 
        the retail and financial industries have a shared 
        responsibility to collaborate and strengthen protection for 
        American consumers.

  * We are accelerating our $100 million investment in the 
        adoption of chip technology because we believe it is critical 
        to enhancing consumer protections. We have already installed 
        approximately 10,000 chip-enabled payment devices in Target 
        stores and expect to complete the installation in all Target 
        stores by this September, six months ahead of schedule. We also 
        expect to begin to issue chip-enabled Target REDcards and 
        accept all chip-enabled cards by early 2015. As a founding 
        member and steering committee member of the EMV Migration 
        Forum, we will continue to lead the adoption of these 
        technologies across the payment ecosystem.

  * We continue to reissue new Target credit or debit cards 
        immediately to any guest who requests one.

  * We continue to offer one year of free credit monitoring and 
        identity theft protection to anyone who has ever shopped at our 
        U.S. Target stores. This protection includes a free credit 
        report, daily credit monitoring, identity theft insurance and 
        unlimited access to personalized assistance from a fraud 
        resolution agent.

  * We have informed our guests that they have zero liability 
        for fraudulent charges on their cards arising from this 
        incident. To ensure our guests are protected, we continue to 
        encourage them to monitor their accounts and promptly alert 
        either Target or their issuing bank, as appropriate, of any 
        suspicious activity.
IV. Moving Forward
    For many years, Target has invested significant capital and 
resources in security technology, personnel and processes. Prior to the 
data breach, we had in place multiple layers of protection, including 
firewalls, malware detection software, intrusion detection and 
prevention capabilities, and data loss prevention tools. We performed 
internal and external validation and benchmarking assessments. And, in 
September 2013, our systems were certified compliant with the Payment 
Card Industry Data Security Standards, meaning that we met 
approximately 300 independent requirements of the assessment. Yet the 
reality is that our systems were breached.
    To prevent this from happening again, none of us can go it alone. 
All businesses--and their customers--are facing frequent and 
increasingly sophisticated attacks by cybercriminals. Protecting 
American consumers is a shared responsibility and requires a collective 
and coordinated response. Target remains committed to being part of the 
solution.
V. Conclusion
    I want to once again say to the Members of this Committee and our 
guests how sorry we are that this happened. We are determined to get 
things right. Thank you.

    The Chairman. Thank you, sir.
    Now Ms. Ellen Richey, who is Chief Enterprise Risk Officer 
for a small corporation called Visa.
    [Laughter.]

 STATEMENT OF ELLEN RICHEY, CHIEF ENTERPRISE RISK OFFICER AND 
                CHIEF LEGAL OFFICER, VISA, INC.

    Ms. Richey. Thank you, Chairman Rockefeller, Ranking Member 
Thune, and members of the Committee. I appreciate the 
invitation to testify today.
    Everyone in our payment system--merchants, financial 
institutions, networks, and cardholders--is affected when data 
compromises occur, because they jeopardize the trust that we 
have worked to build for more than 50 years. We continue to 
work to maintain that trust every day by placing security at 
the forefront of everything we do.
    The payments industry has adopted a layered approach to 
data security. First, we protect consumers from financial harm 
through zero-liability policies that ensure they aren't held 
responsible for fraudulent charges on their accounts. And then 
we work behind the scenes to protect their personal information 
and prevent fraud before it can happen. As a result, fraud 
rates in the Visa system have declined by more than two-thirds 
in the last 2 decades to just 6 cents for every $100 
transacted.
    As recent compromises show, however, our work is never 
done. A critical first step in data security is to limit the 
amount of data that needs to be protected. For example, years 
ago we campaigned successfully to eliminate the storage of 
sensitive card data in large merchant environments. This made 
it more difficult for criminals to steal large volumes of data.
    But, as we all know, more sophisticated criminals today are 
stealing data in transit. Therefore, strong data security 
remains fundamental to our program to protect the payment 
system. The Payment Card Industry data security standards 
establish a baseline which, when fully and consistently 
implemented, has proven effective in protecting our 
stakeholders from cyber attack.
    Visa understands, however, that it is difficult for any 
organization to maintain complete security all of the time. 
With that in mind, we are working with others in the industry 
toward a paradigm shift that would in the future reduce or even 
eliminate vulnerable payment data from the merchant 
environment. If the data available in the environment could no 
longer be reused to commit fraud, criminals would have no 
reason to attack. We call this devaluing the data.
    That is why we are joining with others in the industry to 
create a roadmap for the future of payment security with a 
focus on three data-devaluation technologies: EMV chip, 
tokenization, and point-to-point encryption.
    The EMV chip is a microprocessor that can be embedded in 
payment cards. Chip cards are nearly impossible to counterfeit, 
and, as such, they eliminate one of the most important 
incentives for criminals to steal payment data today: the 
profit opportunity from counterfeit cards.
    But EMV is not a silver bullet. In countries where it is 
widely used, fraud has simply moved to the online channel. So 
to address that threat, we have proposed a new standard for 
digital payments known as ``tokenization,'' which replaces the 
accountholder's 16-digit account number with a digital token 
during the transaction process. Tokenization removes the 
sensitive data from the online merchant environment because it 
is the token and not the card number that goes to the merchant.
    The third element in the roadmap is point-to-point 
encryption, a technology which is available today and protects 
account data from the moment it enters a point-of-sale terminal 
to the completion of the transaction process.
    Securing data today and devaluing it tomorrow are the most 
critical components of our security strategy, but the layered 
approach assumes that no single strategy will ever be 100 
percent effective. Therefore, we also invest in fraud 
prevention and analytical tools, some of the most advanced in 
the world, that identify and prevent billions of dollars of 
fraud each year. And we also invest in breach response, 
continuously improving our ability to identify breaches, 
respond to them quickly, and protect consumers when they occur.
    As a result, the vast majority of accounts exposed in large 
data breaches do not experience fraud. In fact, just 2 to 5 
percent of the accounts exposed incur fraud resulting from a 
breach.
    As the Committee considers its policy responses, Visa 
believes there are three areas where government help could be 
most effective. First, the government can help create a safe 
environment to share cyber-threat information. Second, the 
government can continue to work with the international 
community to improve coordination among law enforcement 
agencies and to eliminate the havens from which cyber criminals 
launch their attacks on our financial system. Third, the 
government can establish a uniform breach-notification standard 
to replace the myriad state laws currently in place.
    And, finally, in closing, let me note that we know cyber 
criminals will always be with us. They will continue to target 
any environment that contains valuable information. The 
payments industry has fought back, investing in sophisticated 
solutions that protect the system and the consumers who rely on 
it.
    But as the criminals improve their technologies, we have to 
improve ours as well. The key is to work together to defeat our 
common enemy. And Visa is fully committed to working with all 
the participants in the payments industry toward this 
objective.
    Thank you again for the opportunity to testify today.
    [The prepared statement of Ms. Richey follows:]

 Prepared Statement of Ellen Richey, Chief Enterprise Risk Officer and 
                     Chief Legal Officer, Visa Inc.
    Chairman Rockefeller, Ranking Member Thune and Members of the 
Committee, my name is Ellen Richey and I am Chief Enterprise Risk 
Officer and Chief Legal Officer at Visa Inc. Thank you for the 
invitation to appear before the Commerce Committee to discuss payment 
system security and Visa's ongoing efforts to protect cardholder data 
from cyber attacks and data breaches.
    For more than 50 years, Visa has enabled people, businesses and 
governments to make and receive payments across the globe. As a global 
payments technology company, we connect financial institutions, 
merchants and governments around the world with credit, debit and 
prepaid products. Visa works behind the scenes to enable billions of 
daily transactions, powered by our core processing network--VisaNet. We 
make digital commerce more convenient, reliable and secure. It's 
important to note that Visa does not issue credit or debit cards or set 
the rates and fees on those products--our financial partners do.
    Fighting fraud and protecting cardholders is a top priority for 
Visa--and securing electronic payments is fundamental to Visa's 
success. We invest heavily in advanced fraud-fighting technologies and 
develop and deploy innovative programs that protect cardholders and 
merchants.
    Recent breaches have highlighted that organized and enterprising 
cyber criminals will seek to infiltrate any vulnerability to access 
consumers' personally identifiable information, payment card data or 
other information they view as valuable. When successful, these 
criminals steal more than money or information; they steal customers' 
peace of mind. Everyone in the payments system--merchants, financial 
institutions, networks, and customers--is affected by these breaches 
because they jeopardize the trust we've worked to establish over the 
last 50 years. At Visa, nothing is more important than trust in the 
payment system. Trust is the cornerstone of electronic payment systems, 
and consumers have long trusted us to safely and efficiently move their 
money. We value their trust and work to maintain it every day, by 
placing security foremost in everything we do.
    It's also important to emphasize that when fraud does occur, Visa 
cardholders are protected through Visa's Zero Liability policy, which 
protects debit and credit cardholders from being held liable for 
fraudulent purchases.
    Visa believes that protecting consumer data is the shared 
responsibility of all parties, including payment networks, financial 
institutions and merchants. No business or industry is exempt from 
protecting customer data or guarding against cyber attacks. Criminals 
are constantly adapting their techniques to gain access to systems that 
store or transmit data. To meet this challenge, security is a 24/7 job 
for all businesses that touch customer data.
    The electronic payments industry secures payment card data through 
a layered approach. It takes a combination of technology, processes and 
people to guard account information and prevent fraud. As a result of 
the industry's security investments, we've seen fraud rates in the Visa 
payment system decline by more than two-thirds over the past two 
decades and fraud rates remain low and stable at less than six 
hundredths of a percent--that's 6 cents for every hundred dollars 
transacted. Our collective success in maintaining the trust and 
confidence of consumers comes from the ability to work together, share 
information and coordinate our defenses. However, as recent compromises 
show, our work is never done.
Protecting Sensitive Data
    The first principle of protecting sensitive data is to limit the 
amount of data you have to protect. To promote this objective, Visa is 
constantly working to eliminate the storage of vulnerable payment data 
in the merchant environment. ``Prohibited'' data includes full magnetic 
stripe information, the CVV2 or ``Card Verification Value 2,'' and PIN. 
Since 2006, Visa has promoted a ``drop the data'' campaign around the 
world to encourage merchants to discontinue storage of prohibited data 
and reduce cardholder data storage overall. As of March 2013, all major 
merchants (Level 1 and Level 2 as defined by PCI DSS) have confirmed 
they do not store prohibited data.
    Eliminating data storage reduces the damage a hacker can cause by 
decreasing the amount of sensitive data in the environment. However, 
today's cyber criminals can also steal data in transit--while passing 
into, out of, or through the system--even if the data is never stored. 
Therefore, strong data security remains a critical element of our 
program to protect and secure the payment system.
    The key to an effective data security program--as with any 
successful operation--is a solid foundation. For the electronic 
payments industry, the Payment Card Industry Data Security Standards 
(PCI DSS) provides that foundation. PCI DSS has proven to be an 
effective set of minimum security standards when fully and consistently 
implemented across all systems handling cardholder data. No standard 
can provide an absolute guarantee of security in a changing world, and 
PCI DSS is not an exhaustive list of all the security practices that an 
organization should consider. However, compliance with the standard is 
a valuable component of a comprehensive security program and greatly 
reduces the risk of data compromise. In fact, we have yet to see a 
payment data compromise in which the breached entity was fully in 
compliance with PCI DSS at the time of the breach.
    The implementation of technical security tools is only one 
component of an effective security regime. In addition, companies must 
put in place business processes that ensure their tools are used and 
maintained properly, their procedures are executed correctly, and the 
inevitable human errors are detected and corrected quickly. This 
requires a rigorous program of internal control, monitoring, corporate 
governance, communication, and training that touches every part of the 
business environment.
    It can take a considerable effort to ensure, for example, that 
everyone in the company follows basic security protocols such as 
removing default passwords, using strong ones in their place, 
prohibiting the use of unapproved removable USB devices, and limiting 
access to systems containing sensitive data. Employees often find these 
controls tedious and inconvenient. But sadly, a lapse in any of these 
areas can open the door to a criminal intrusion that threatens the 
entire enterprise. We often see data compromises that could have been 
avoided by following baseline security procedures.
    Going beyond the basics, we believe that advanced cyber training is 
critically important for large enterprises. For instance, Visa cyber 
defense analysts have undergone training with leading organizations 
including Lockheed Martin, RSA Advanced Cyber Defense and the 
Department of Homeland Security's Industrial Control Systems Cyber 
Emergency Readiness Team.
    Visa views the recent release of the NIST Cyber Security Framework 
for Improving Critical Infrastructure as a positive development in 
strengthening U.S. cyber defenses. We support a flexible, standards-
based approach that recognizes and builds upon existing private and 
public regulatory structures, and we're encouraged that the final 
framework issued by the Administration embraces existing security best 
practices.
    Finally, it is important to recognize that cyber security is not a 
one-time exercise. Companies must continually assess and evolve their 
policies and procedures and educate their employees on how to best 
protect against cyber threats. Cyber hygiene is something Visa, and all 
companies, must work at every day.
Devaluing Data
    While effective security is critical, we understand that it is 
difficult for any organization to be completely secure all the time. 
With that in mind, Visa is working with others in the industry toward a 
paradigm shift that would in the future reduce--or even eliminate--
vulnerable payment data from the merchant environment, by moving from a 
data protection to a data devaluation approach. If the data available 
in the merchant environment could no longer be reused to commit fraud, 
then criminals would have no reason to steal it, and merchants would no 
longer be targeted by criminals seeking to commit payment fraud.
    This approach to the future of payment security relies on three 
technologies: EMV chip, tokenization and point-to-point encryption.
    The EMV chip is a microprocessor that can be embedded in plastic 
payment cards or in other form factors such as mobile phones. Sometimes 
referred to as a smart card or chip card, EMV enables more secure 
processing by generating a one-time-use code for each transaction. 
Since EMV chip cards are nearly impossible to counterfeit, they 
eliminate one of the most important incentives for criminals to steal 
payment data today--their ability to use the data to create counterfeit 
cards. As such, EMV chip makes payment data a less attractive target 
for criminals.
    To encourage adoption of EMV chip in the United States, in August 
2011, Visa announced a roadmap that included processor requirements and 
liability shifts. Visa's EMV roadmap is not a mandate. Instead, it 
provides marketplace incentives to encourage adoption by Visa financial 
institutions and merchants--elements that have proven to be effective 
in moving other markets to deploy EMV chip technology.
    As part of Visa's incentive program, the party that has not 
implemented EMV technology bears the loss from any resulting 
counterfeit fraud. This shift will become effective October 1, 2015 for 
point-of-sale environments, and October 1, 2017 for Automated Fuel 
Dispensers and ATMs.
    Last fall, we reached an important milestone in the migration 
process when the vast majority of U.S. Visa acquirer/processor 
endpoints certified their ability to support merchant acceptance of EMV 
chip transactions. Acquirers representing 95 percent of Visa's payment 
volume in the United States have been certified to support EMV chip 
processing.
    Based on years of experience working with merchants as well as 
issuing banks, Visa has taken care to ensure that our roadmap supports 
a variety of cardholder verification methods, including signature, PIN 
and no cardholder verification for low value, low risk transactions. In 
order to accomplish the transition to EMV in the most cost-effective 
and expeditious way, we want to provide customers, merchants and 
financial institutions with options that minimize the disruption to the 
current payments environment.
    Many have asked why the United States is taking longer than other 
markets to adopt EMV chip technology. The speed and efficiency of our 
telecommunications infrastructure, coupled with back-office tools such 
as the real-time authorization and advanced fraud analytics have helped 
stakeholders to effectively manage fraud levels here. In other markets, 
including the European Union, one reason EMV was adopted was because 
the existing telecommunications infrastructure presented challenges for 
using the kind of real-time network authorizations that occur on 
virtually all transactions in the U.S. As a result, an alternative 
technology was needed to facilitate off-line security checks between 
the card and terminal; thus the emergence of a microchip.
    As the U.S. is adopting EMV chip, we are also now seeing 
international markets adopt real-time authentication tools similar to 
those used in the U.S. While each market went down different paths over 
a decade ago, we are now seeing fraud and security strategies converge 
as all markets recognize the need to deploy multiple technologies to 
fight fraud and to protect personal data.
    As we make the transition to EMV in the United States, it is 
critical that all participants in the payments system work together. 
The payments ecosystem in the U.S. is larger and more complex than any 
other in the world, with thousands of financial institutions and 
millions of businesses accepting electronic payments. Visa has been 
mindful to allow enough time for this migration to occur without 
disadvantaging smaller merchants and financial institutions or unduly 
disrupting the consumer experience as the migration process occurs.
    While EMV is the traditional first step to devaluing payment data, 
it is not a silver bullet. When EMV has been adopted in other countries 
we have seen that cyber thieves continued to steal data in order to 
commit fraud in the eCommerce channel. To address this growing threat, 
in 2013, Visa, MasterCard and American Express proposed a new standard 
for digital payments that will allow a traditional account number to be 
replaced with a payment ``token'' in eCommerce or mCommerce.
    Tokenization uses a unique digital token that is tied to and 
replaces the accountholder's 16-digit account number in a payment 
transaction. Tokenization can enhance transaction efficiency, improve 
cardholder privacy and data security, and may enable new types or 
methods of payment. Tokenization shows particular promise in stopping 
online fraud, because it is the token--not the card number--that goes 
to the merchant, and because the token can be issued with limits on the 
times and places it can be used. Tokenization, like EMV chip, can be 
used to introduce a dynamic element into the transaction, thus 
devaluing the data and making it less lucrative for criminals to steal 
in the first place. When fully deployed, tokenization in combination 
with EMV could eliminate the need for merchants, digital wallet 
operators or others to secure account numbers.
    The final element in a comprehensive data devaluation strategy is 
point-to-point encryption, which can be implemented to secure data as 
it is transmitted from one point to another throughout the transaction 
processing environment. To gain full protection from EMV and 
tokenization approaches, multiple stakeholders must make changes to 
their systems that can take several years to complete. In the meantime, 
encryption technologies are available that can be deployed to protect 
data from the moment it enters a point-of-sale terminal to the 
completion of the transaction process. When properly implemented, 
encryption makes stolen data unusable by criminals and thus reduces the 
incentive to steal it.
Preventing Fraud
    Securing data and ultimately devaluing it are two core elements of 
Visa's approach to securing the payment system and protecting 
consumers. The third is fraud prevention. Our fraud analytics are among 
the most advanced in the industry and have helped to identify and 
prevent billions of dollars of fraud. One such prevention tool is Visa 
Advanced Authorization, which provides an instantaneous rating of a 
transaction's potential for fraud to the financial institution that 
issued the card, including whether it was part of a reported data 
security compromise. This rating occurs as part of the transaction 
authorization and enables the issuer to make a more informed decision 
about whether to accept or decline the transaction.
    These technologies allow financial institutions to better serve and 
protect their customers. I am sure many of you here have received a 
call from your bank or credit union to inquire about a possible 
suspicious transaction. These types of services provide additional 
layers of security to help protect consumers.
    Visa has also invested in tools for consumers to help prevent 
fraud. For instance, Visa offers a service called Verified by Visa that 
adds an extra layer of security, making it harder for someone else to 
use your Visa card to shop online in the rare event your Visa card or 
account number is lost or stolen. Each time your Visa credit or debit 
card is presented to make an online purchase at a participating 
merchant, Verified by Visa helps to make sure it is you who is 
attempting to make that purchase and not someone else.
    In addition, Visa has developed an alerts service that instantly 
notifies cardholders of transaction activity on their mobile phones via 
SMS text or e-mail. Many banks offer this service, or similar ones they 
have developed themselves. An alert is triggered whenever a transaction 
meets a cardholder's preset parameters, and can be sent within seconds 
of a transaction occurring. Alerts generally contain important 
transaction details such as the amount, time, date, the type of 
purchase, and may also include the merchant name and location and the 
currency conversion exchange rate for international transactions. These 
instant notifications are useful to consumers for monitoring their own 
transactions. More importantly, however, they assure consumers that 
they will receive instant notice of any fraudulent activity on their 
accounts, providing them with additional peace of mind.
Breach Response
    The fourth and final element of security and fraud prevention is 
how we respond when a breach has occurred. Visa is continually working 
with clients to improve our ability to identify payment data breaches 
and protect consumers affected by them. We may learn of a breach 
through issuer reports, self-reporting by a compromised merchant, our 
own monitoring efforts, or through law enforcement.
    One commonly used method for detecting compromise activity is known 
as the ``Common Point of Purchase'' or ``CPP.'' Card issuing banks and 
payment networks use advanced analytical tools to search millions of 
transactions in order to identify those unique locations that show a 
pattern of genuine transactions followed by confirmed fraudulent 
activity on the same card. Identifying points of compromise at the 
early stages of stolen card account usage helps to minimize the 
financial consequences of compromise events and enables corrective and 
mitigation actions as early as possible.
    When data breaches expose sensitive cardholder information, Visa's 
first priority is to protect cardholders from fraud. After learning of 
data compromise events, Visa immediately begins working with the 
compromised entity, law enforcement and affected client financial 
institutions to ensure the compromise is remediated and to prevent 
card-related fraud. Visa notifies all potentially affected card issuing 
institutions and provides them with the necessary information so that 
they can monitor the accounts, reissue cards, and, if necessary, advise 
customers to check closely all charges on their statements.
    The banks that issue Visa cards have the direct responsibility and 
relationship with cardholders; they work diligently to ensure that 
cardholders are not responsible for any fraudulent charges. But it is 
also important to note that the vast majority of the accounts exposed 
in large data breaches do not experience fraud. In fact, thanks to 
network, issuer and merchant fraud detection, prevention and monitoring 
solutions, only about 2 to 5 percent of compromised accounts incur 
incidents of fraud resulting from the compromise.
Public Policy Considerations
    As the Committee considers appropriate actions in response to 
recent events, Visa believes there are several areas where government 
can help defend against cyber criminals.
    First, as the payments and other industries reinforce their 
safeguards, the government can help create a safe environment to share 
cyber threat information. Visa currently works closely with a number of 
different groups to gather threat information, including the Financial 
Services Information Sharing and Analysis Center. Improvements in cyber 
threat information sharing with appropriate liability protections can 
further bolster collective efforts on global cyber security.
    Second, a number of cyber criminals are launching attacks from 
overseas. We encourage the government to continue to work with the 
international community to improve coordination and cooperation among 
law enforcement agencies. Cyberspace is not limited by geographic 
borders, and we know that the most sophisticated attackers are often 
physically located overseas. Therefore, any effort to strengthen law 
enforcement cooperation across national or jurisdictional boundaries 
would be beneficial. In addition, governments should agree that it is 
unacceptable for any country to provide a safe haven for cyber 
criminals.
    In addition, the development of a uniform Federal data breach-
notification standard would be a valuable tool to replace the myriad of 
state laws currently in place. Such a standard could guide when and by 
what means consumers and law enforcement agencies should be notified--
as well as by whom--when consumer harm may result from a compromise of 
account information.
    Lastly, we would caution against legislating technology standards 
or mandating a specific security or payment technology, to avoid 
hindering the rapid rate of new payment innovations that are coming to 
market, especially mobile wallet solutions that will leverage a range 
of new tools to authenticate payments and enhance security.
    In closing, the reality is that cyber criminals will continue to 
target U.S. companies, the payment system or any database that contains 
valuable information. But the good news is that there are sophisticated 
tools to protect the system. Visa is committed to working with all 
participants in the payments industry to implement the full range of 
technologies that will fight fraud and further protect consumers' 
information as the marketplace and threats evolve. Of course, 
technology cannot completely eliminate human error or internal threats, 
so it remains critical for businesses to adopt strong policies that are 
effectively implemented by their employees. Cyber criminals are a 
common foe and we all must work together to protect personal consumer 
information from cyber attacks and data breaches.
    Thank you again for the opportunity to testify today. I would be 
happy to answer any questions you may have.
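
The "Common Point of Purchase" analysis described in the Breach Response section, worked as an added illustration; this is not part of the testimony or of any Visa system. The transactions, card ids, merchant names and fraud dates are constructed, and the two thresholds (minimum number of exposed cards, and lift of a merchant's fraud rate over the baseline rate across all cards) are assumptions chosen for the example.

```python
"""Common Point of Purchase (CPP) analysis: rank merchants by how many cards
were used there legitimately and *later* showed confirmed fraud, compared with
the baseline fraud rate over all cards. Constructed data only."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: (card_id, merchant_id, transaction_date). Not real data.
TRANSACTIONS = [
    ("card-01", "MERCHANT-A", date(2014, 1, 5)), ("card-01", "MERCHANT-B", date(2014, 1, 6)),
    ("card-02", "MERCHANT-A", date(2014, 1, 7)), ("card-02", "MERCHANT-B", date(2014, 1, 3)),
    ("card-03", "MERCHANT-A", date(2014, 1, 10)), ("card-03", "MERCHANT-C", date(2014, 1, 11)),
    # card-04 visited MERCHANT-A only *after* its fraud was confirmed, so that visit
    # cannot be the point of compromise and must not count against MERCHANT-A.
    ("card-04", "MERCHANT-A", date(2014, 2, 20)), ("card-04", "MERCHANT-B", date(2014, 1, 15)),
    ("card-05", "MERCHANT-B", date(2014, 1, 8)), ("card-05", "MERCHANT-C", date(2014, 1, 9)),
    ("card-06", "MERCHANT-B", date(2014, 1, 12)),
    ("card-07", "MERCHANT-B", date(2014, 1, 13)), ("card-07", "MERCHANT-A", date(2014, 1, 14)),
    ("card-08", "MERCHANT-B", date(2014, 1, 20)),
]
# A busy, uncompromised merchant: twenty more cards shop there and never see fraud.
TRANSACTIONS += [
    (f"card-{n:02d}", "MERCHANT-B", date(2014, 1, 2) + timedelta(days=n))
    for n in range(9, 29)
]
# Constructed: card_id -> date the issuer confirmed the first fraudulent use.
CONFIRMED_FRAUD = {
    "card-01": date(2014, 2, 1), "card-02": date(2014, 2, 3),
    "card-03": date(2014, 2, 5), "card-04": date(2014, 2, 10),
}


def find_common_points_of_purchase(transactions, confirmed_fraud,
                                   min_exposed_cards=3, min_lift=2.0):
    """Return merchants whose customers disproportionately went on to suffer fraud.

    A card is "exposed" at a merchant if it transacted there *before* its
    confirmed fraud date (genuine use followed by fraud on the same card).
    Lift = (exposed cards / all cards seen at the merchant) / baseline fraud
    rate; thresholds are assumptions for this example, not industry values.
    """
    all_cards = {card for card, _, _ in transactions}
    baseline = len(set(confirmed_fraud) & all_cards) / len(all_cards)

    seen = defaultdict(set)      # merchant -> every card seen there
    exposed = defaultdict(set)   # merchant -> cards seen there before their fraud date
    window = {}                  # merchant -> (first, last) exposed visit dates
    for card, merchant, day in transactions:
        seen[merchant].add(card)
        fraud_day = confirmed_fraud.get(card)
        if fraud_day is not None and day < fraud_day:
            exposed[merchant].add(card)
            lo, hi = window.get(merchant, (day, day))
            window[merchant] = (min(lo, day), max(hi, day))

    results = []
    for merchant, cards in seen.items():
        n_exposed = len(exposed[merchant])
        if n_exposed == 0:
            continue
        rate = n_exposed / len(cards)
        lift = rate / baseline if baseline else float("inf")
        if n_exposed >= min_exposed_cards and lift >= min_lift:
            lo, hi = window[merchant]
            results.append({
                "merchant": merchant,
                "exposed_cards": n_exposed,
                "total_cards": len(cards),
                "lift": lift,
                # Likely compromise window: first and last exposed visit.
                "window": (lo.isoformat(), hi.isoformat()),
            })
    results.sort(key=lambda r: (-r["lift"], r["merchant"]))
    return results


if __name__ == "__main__":
    for r in find_common_points_of_purchase(TRANSACTIONS, CONFIRMED_FRAUD):
        print(f'{r["merchant"]}: {r["exposed_cards"]}/{r["total_cards"]} cards '
              f'exposed, lift {r["lift"]:.1f}x, window {r["window"]}')
```

With the thresholds above only MERCHANT-A is flagged; the busy MERCHANT-B has the same number of exposed cards but a below-baseline rate, and card-04's post-fraud visit does not count.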

    The Chairman. Thank you very much, very much indeed.
    Now Mr. Peter Beshar, who is Executive Vice President and 
General Counsel, Marsh & McLennan Companies.

          STATEMENT OF PETER J. BESHAR, EXECUTIVE VICE

             PRESIDENT AND GENERAL COUNSEL, MARSH &

                       McLENNAN COMPANIES

    Mr. Beshar. Chairman Rockefeller, Ranking Member Thune, 
members of the Committee, my name is Peter Beshar. And as a 
former David Rockefeller fellow, it gives me particular 
pleasure, Mr. Chairman, to be before this committee.
    I would like to focus my remarks this morning----
    The Chairman. You did it for free?
    Mr. Beshar. I am sorry?
    The Chairman. My uncle did this for free?
    [Laughter.]
    Mr. Beshar. Something like that, Mr. Chairman.
    The Chairman. That is very unusual.
    Please.
    Mr. Beshar. Thank you.
    So I would like to focus my remarks this afternoon on a 
single and narrow topic of cyber insurance: What is it? Who is 
buying it? And what role might it play as part of a 
comprehensive risk-mitigation framework?
    As the world's leading insurance broker, our company has a 
unique perspective on the cyber insurance marketplace. Marsh 
assists clients in preparing risk-mitigation strategies, 
including as to cyber insurance, and has issued its first cyber 
policy as far back as 1999 called ``NetSecure.''
    So there are three basic types of cyber insurance.
    The first and most fundamental is coverage that protects 
out-of-pocket expenses that the University of Maryland or 
another institution might suffer--expenses like credit 
monitoring or setting up call centers or notifying affected 
individuals.
    The second type of insurance is something analogous to 
business interruption insurance so that if your system is 
really disabled for a period of days or longer, you are able to 
recover the actual harm that you have suffered in the form of 
lost profits.
    And the third type of insurance is for damage that might be 
suffered by parties outside of your company, so customers or 
consumers or clients, and that is called third-party insurance.
    To give the Committee some insight into the dynamics in the 
cyber insurance market, we just conducted a survey of our cyber 
clients to give you a sense of who is buying it, what the take-
up rates are, and what the price of this insurance actually 
is.
    So there are a couple of charts that were in my written 
testimony. I think you have some of them in front of you.
    The Chairman. They are in each of our packets.
    Mr. Beshar. Great. Thank you, Mr. Chairman.
    So there are a couple of important headlines.
    The first is that interest in cybersecurity is increasing 
rapidly. Indeed, the number of Marsh clients who purchased 
stand-alone cyber insurance increased by more than 20 percent 
just in the past year.
    The highest take-up rates are in industries like financial 
services; health care, particularly because of the HIPAA 
statute and the importance of protecting healthcare data; and 
also, interestingly, in the education space, where there have 
been marked increases. So that is a breakdown by industry.
    In terms of size of companies, larger companies perceive a 
greater risk to cyber threat than smaller companies do. And so 
we analyzed the take-up rates, and if you are a company with 
revenues of more than $1 billion, your take-up rates are almost 
double what they are if you are a smaller company.
    And, last, Mr. Chairman, on pricing, here the news is 
actually quite positive. Throughout the past year, even as the 
perception of the risk and potential severity associated with 
cyber attacks increased, pricing has remained relatively stable 
throughout the year. This is partly a product of a number of 
new entrants, new underwriters coming into the marketplace.
    So that is the actual insurance. The process of simply 
applying for the insurance is itself constructive because, 
similar to the NIST framework, the process of applying forces 
you to go through a gap analysis to try to benchmark yourself 
against industry standards and what are considered the best 
practices and see what you can do to position yourself as a 
better risk for the underwriting community.
    So, just in closing, Mr. Chairman, as this committee is all 
too aware, this is a race without a finish line. Our 
adversaries will continue to adopt new methods of attack and 
different strategies. And it is extraordinarily important that, 
in combating this threat, government, the private sector, and 
also the nonprofit world partner together to try to respond 
effectively.
    Thank you.
    [The prepared statement of Mr. Beshar follows:]

  Prepared Statement of Peter J. Beshar, Executive Vice President and 
              General Counsel, Marsh & McLennan Companies
Introduction
    Good afternoon Chairman Rockefeller, Ranking Member Thune, and 
members of the Committee. I am Peter Beshar, the Executive Vice 
President and General Counsel of Marsh & McLennan Companies. I commend 
you for convening this hearing and am grateful for the opportunity to 
participate.
    Marsh & McLennan Companies operates through four market-leading 
brands--Marsh, Guy Carpenter, Mercer, and Oliver Wyman. Our 55,000 
employees provide advice and solutions to clients across an array of 
industries in the areas of risk, strategy and human capital. In 
particular, Marsh and Guy Carpenter assist companies in identifying and 
then mitigating key risks to their business--including cyber security.
    I wanted to offer a couple of initial observations and then focus 
my remarks on a single topic--cyber insurance.
    First, hyperconnectivity has been a boon for enhancing our 
productivity. We are able to connect the world and execute tasks with a 
speed that was inconceivable even a decade ago. With that 
hyperconnectivity, however, comes the risk of a significant disruption 
through a cyber attack.
    Second, the government has led the way in identifying the 
significance of this risk and then pushing industry and the non-profit 
sector to bolster their defenses. A case in point was the release last 
month of the Administration's Cyber Security Framework. This is an 
important tool to help enterprises assess their preparedness and then 
enhance their resilience against a cyber attack.
    Moreover, this Committee has been at the vanguard of the effort to 
raise awareness of the threat posed by a cyber security attack. In 
particular, this Committee's interactions with the SEC have served to 
help companies, and investors, better understand the potential 
disruption that can occur from a significant attack.
    In the area of cyber security, offense is a lot easier than 
defense. There is no silver bullet or panacea that will eliminate this 
risk. Rather, it will take a collaborative effort between government 
and business and among professionals in different disciplines--IT, HR, 
Legal and Compliance--to assess vulnerabilities and link arms to 
confront this risk head on.
    This afternoon, I would like to discuss the role that cyber 
insurance can play as one component of a comprehensive risk mitigation 
strategy.
    To begin, what is cyber insurance? Who is buying it? What role can 
it play to mitigate this risk?
    As the largest insurance broker in the world, Marsh has a unique 
perspective on the cyber insurance market.
    The concept of cyber insurance was first introduced in the 1980s, when 
insurers began providing coverage for computer failures at banks and 
other Fortune 500 companies. Marsh launched its first cyber insurance 
product, NetSecure, in 1999.
    Broadly stated, there are three core types of cyber insurance.
    The first, and most basic, provides protection for out-of-pocket 
expenses that a company incurs in the wake of a data breach. These 
expenses include notifying affected individuals, setting up call 
centers and providing credit monitoring.
    The second form of coverage protects companies if their computer 
network is effectively shut down for days or longer. With this broader 
business interruption coverage, a company can recover the actual harm 
it suffers in the form of lost profits.
    The third type of coverage is for harm caused to an insured's 
clients, customers and consumers as a result of a significant breach. 
This is called third-party coverage.
    To give the Committee insight into this market, Marsh conducted a 
comprehensive survey of the type of companies that are currently 
purchasing cyber coverage--broken down by industry and size of company.
    There are a number of important headlines. Most importantly, 
interest in cyber insurance is expanding rapidly. Indeed, the number of 
Marsh clients purchasing stand-alone cyber insurance increased more 
than 20 percent in just the past year.
    As reflected below, the highest take-up rates for cyber insurance 
are in the following three industries: (1) health care; (2) education; 
and (3) financial services. These industries handle a large volume of 
sensitive personal information, including health care data, social 
security numbers and credit card information. As a result of statutes 
like HIPAA, the take-up rates in health care are markedly higher--
approaching 50 percent--than any other industry.


    Marsh also analyzed how the size of a business impacts its decision 
whether to purchase cyber insurance. As a general matter, larger 
companies perceive a greater threat to their operations than smaller 
companies. As a result, the take-up rates for companies with revenues 
over $1 billion are almost twice as high as the rate for companies with 
revenues below $1 billion.


    Third, Marsh analyzed trends in the cost of cyber insurance. Here, 
the news is quite positive. Throughout 2013, cyber insurance rates 
remained stable--even as the perception and potential severity of the 
risk increased. This is partly because a number of new underwriters are 
interested in providing cyber coverage.
    As reflected in the analysis below, the average price per million 
dollars of coverage for a cyber policy actually dropped in 2013 in a 
number of sectors, including financial institutions, utilities, sports 
and entertainment, while increasing for other sectors, including 
communications and transportation.


    Furthermore, the process of applying for cyber insurance--analogous 
to the process of conducting a gap analysis under the Administration's 
Cyber Security Framework--is itself a constructive exercise for raising 
awareness and identifying potential vulnerabilities. At Marsh, we 
utilize a proprietary Information Security and Privacy Self-Assessment, 
which is based on international information security management 
standards known as ISO 27001.
    Using the assessment, Marsh brokers perform a high-level review of 
information security management protocols with respect to access 
control, physical security, incident response and business continuity 
planning. The assessment focuses on the strength of a company's 
governance procedures regarding cyber practices to understand how 
insurance carriers will view the company's risk profile.
    Importantly, a number of cyber coverages also provide access to 
experts who are available to monitor the client's information security 
and assist the client to restore operations in the event of a network 
attack. These services include technical advice from on-call 
consultants, vulnerability detection to examine network devices and 
servers, and assistance developing incident response plans.
Conclusion
    As the SEC indicated in its cyber security guidance, cyber 
insurance is one element, among many, of a comprehensive risk 
mitigation strategy.
    This is a race without a finish line. As we strengthen our 
defenses, adversaries will adjust and develop new methods of attack. 
Our success in combatting this dynamic and evolving threat will depend 
on continued collaboration between government, industry and the non-
profit sector.
    I look forward to answering any questions you might have.

    The Chairman. Thank you very much. It was eloquent and 
helpful.
    Mr. David Wagner, President, Entrust, Incorporated.
    Welcome.

      STATEMENT OF DAVID WAGNER, PRESIDENT, ENTRUST, INC.

    Mr. Wagner. Good afternoon, Chairman Rockefeller, Ranking 
Member Thune, Committee members. Entrust is pleased to be here 
to help facilitate and to continue the dialogue for a better 
understanding of cybersecurity issues.
    Just over 2 years ago, Entrust testified on the similar 
topic of cybersecurity, and since that time the situation has 
worsened. Nation-states and criminals are continuing to use 
cyber to advance their interests.
    The December point-of-sale breaches are another example of 
this escalation. Although Entrust has no direct relationship 
with any of the victims of the December point-of-sale attacks, 
we can provide general insight into the attacks.
    As we have heard earlier in these testimonies, criminals 
are using old-fashioned con tricks and cyber tools to get past 
moat-style defenses. Social engineering and malware are the 
silent equivalent of crowbars, penetrating into corporate 
networks. And once past the perimeter defenses, the criminal 
uses a stolen identity and virtually becomes someone on the 
network, making them difficult to distinguish from normal 
network behavior.
    In the case of the retail breaches, once the criminals 
assumed the right identity, they were able to push malicious 
code to the point-of-sale terminals, they were able to collect 
customer credit card data from the magnetic stripes, and then 
they stored and exfiltrated that data overseas.
    You can see from the attack scenarios that they are 
sophisticated. They are sophisticated, but they are not rocket 
science. They use stolen identities to access the victim 
company's network and then use the victim company's IT tools to 
complete their crime.
    A determined cyber attacker can overcome even strong moat 
defenses. We need strategies to strengthen the defenses inside 
the perimeter. Good information security governance is vital, 
and industry regulations like PCI and frameworks like SANS 20, 
COBIT, and ISO are available to help build effective security 
architectures.
    So you might be asking, with all of this knowledge, 
guidance, and standards, how did the breaches occur? Why 
weren't accounts using authentication techniques stronger than 
username and password? Why wasn't the network segmented to 
protect sensitive data? Why weren't alerts responded to and 
network monitoring equipment capturing the unauthorized traffic 
patterns?
    Nothing in the breaches was new. We know that good security 
governance requires investment in people, process, and 
technology applied consistently over time. But have we created 
a culture where executives and board members are aware and 
understand the information security risk at their enterprise? 
Have we created regulations that evolve and change with 
technology? If we haven't, then no regulation or no security 
tool will solve our problem.
    When a retailer is breached, financial institutions bear 
the cost of the stolen data, banks and credit unions bear the 
cost of card reissuance, and consumers suffer the pain of 
changing cards and cleaning up accounts. Risk assessments at 
the organizations where sensitive data reside must consider the 
full systemic value of their data.
    Cyber crime poses a greater threat to the security of 
nations, corporations, and individuals than ever before. The 
challenge is balancing--balancing the importance of protecting 
data with the benefits of emerging technology. As policymakers, 
you are charged with facilitating commerce and putting in place 
a structure for finding this balance.
    Entrust recommends actions in three areas.
    First, Federal breach notification law needs to be passed. 
Federal harmonization will allow enterprises and consumers 
alike to know what is expected of them on a national level. It 
will also put the Federal Government in a role where it 
belongs.
    Second, the Federal Government needs to continue to foster 
best practices and sharing of information across the public and 
private sectors. Collaboration fueled by real-world learning is 
critical to creating a strong, unified front so criminal groups 
can't simply migrate to the next weakest target.
    Third, we must change the cybersecurity culture. 
Enterprises large and small, public and private, need to 
embrace information-security governance as a core 
responsibility.
    Evolving our approach and our cyber defense posture needs 
to be a Federal priority, and we need to move forward now. 
Without changes to the security posture of our most important 
industries and infrastructure, cyber crimes will continue to 
grow in frequency and potency. The best path forward rests upon 
a public-private ecosystem that is built upon good security 
governance, secure identities, and constant self-assessment of 
vulnerabilities.
    Whether we drive adoption through incentives or directives, 
we need to proceed now. I urge you, your colleagues, and the 
administration not to let 2014 expire without adoption of 
measures that will better protect our economy and our security 
posture.
    Thank you for your time this afternoon and for your 
attention to this important matter of cybersecurity.
    [The prepared statement of Mr. Wagner follows:]

      Prepared Statement of David Wagner, President, Entrust, Inc.
    I am David Wagner, President of Entrust, a leader in identity-based 
security software systems and solutions. On behalf of Entrust, we 
appreciate the opportunity to testify today.
    At Entrust, a wholly owned subsidiary of Datacard Group, we secure 
and protect digital identities and information. We serve more than 
5,000 organizations, spanning 85 countries, by safeguarding 
enterprises, governments, financial institutions, websites and 
citizens--including your constituents.
    For its part, Datacard is the world leader in secure identity and 
card personalization solutions. Most payment cards in circulation today 
are issued using Datacard systems. As a combined company, and as a 
result of the ways in which we serve our customers, we possess a unique 
perspective on secure identity and trusted transactions and the 
increasing threat of cyberattacks on networks and systems.
    Just more than two years ago, we testified before a U.S. House of 
Representatives Energy and Commerce Committee subcommittee on this same 
subject of cybersecurity. We said then that cybercrime poses a greater 
threat to the security of nations, corporations and individuals than 
ever before. We noted that the threat had moved from one of hacking for 
honor to one of hacking for harm and profit via overt criminal 
activity.
    Today, it's no secret. The situation has worsened. Incidents 
involving the loss of personal information have increased an average of 
40 percent in each of the two years since we last testified.\1\ 
Practically every day, new headlines appear about a data breach at a 
financial institution, a retailer, a university, a hospital, a 
government agency--and the list continues.
---------------------------------------------------------------------------
    \1\ ``Incidents Over Time: 2011 versus 2012 and 2013.'' Open 
Security Foundation n.pag. Data Loss Statistics. Web. 24 Mar 2014. 
.
---------------------------------------------------------------------------
    In February, cybersecurity firm Hold Security said it uncovered 
stolen credentials from some 360 million accounts available for sale on 
cyber black markets. It also reported the criminals are selling some 
1.25 billion e-mail addresses.\2\ The breaches impact consumer 
confidence and have economic consequences.
---------------------------------------------------------------------------
    \2\ Finkle, Jim. ``360 million newly stolen credentials on black 
market: cybersecurity firm.'' Reuters [Boston] 25 02 2014, n. pag. Web. 
24 Mar. 2014. .
---------------------------------------------------------------------------
   In the U.S. alone, the direct and indirect impact of 
        identity theft totaled $24.7 Billion (USD).\3\

   According to the Bureau of Justice Statistics, 7 percent of 
        Americans aged 16 and older fell victim to identity theft in 
        2012. Of these, 22 percent fell victim more than once.\3\

   The median loss for those victims to identity theft was 
        $2,183, with a mean of $300.\3\

   In a report from the Federal Trade Commission (FTC), which 
        consists of formal complaints registered with law enforcement, 
        the FBI, Canadian counterparts, the FTC, and several other 
        organizations, identity theft remained the largest single 
        consumer complaint category in 2013.\4\
---------------------------------------------------------------------------
    \3\ Harrell, Erika, and Lynn Langton. United States. Department of 
Justice, Office of Justice Programs, Bureau of Justice Statistics. 
2013. Web. .
    \4\ United States. Federal Trade Commission. Consumer Sentinel 
Network Data Book for January-December 2013. 2014. Web. .
---------------------------------------------------------------------------

    It also appears that the number of larger breaches is increasing. 
Unfortunately, and a point we will elaborate on later, there is no 
national breach law and the means of assessing an aggregated view of 
this data remain somewhat elusive.

    [Figure: aggregation of breach data from several well-known breach 
reporting sites.]

    However, one view of the data behind the breaches is shown in the 
adjacent figure, which is an aggregation of data from several well-
known breach reporting sites.\5\
---------------------------------------------------------------------------
    \5\ Quick, Miriam, Miriam Hollowood, Christian Miles, and Dan 
Hampson. ``World's Biggest Data Breaches: Selected losses greater than 
30,000 records.'' Information Is Beautiful. N.p., 31 Dec 2013. Web. 24 
Mar 2014. .
---------------------------------------------------------------------------
    What this data suggests is that the overall volume and numbers of 
large attacks continue to increase. Additionally, the majority of 
attacks are dedicated efforts to extract information (versus accidental 
losses). In total, it appears that both the number of records exposed 
and the number of incidents have nearly doubled since 2011 and the 
majority of these incidents were in the U.S.\6\
---------------------------------------------------------------------------
    \6\ ``Data Breach QuickView: An Executive's Guide to 2013 Data 
Breach Trends.'' Risk Based Security & Open Security Foundation, n.d. 
Web. 24 Mar 2014. .
---------------------------------------------------------------------------
    We are witnessing massive growth in the volume of transactions, 
amount of data and number of devices connected online. This attracts 
criminals and provides vectors for attacks. It is at the center of the 
rising tide of cyber issues and the increasing impact of related 
breaches.
    The challenge is to make sure that success in protecting the 
growing volume of data doesn't unnecessarily hinder users from 
receiving the benefits of emerging technology or burden those charged 
with securing the systems. As policymakers, you are charged with 
facilitating commerce and ensuring an optimal structure for finding 
this balance.
The Focus: Identity and Malware
    Before recommending actions to enhance our cyber posture, I'd like 
to provide a bit more background on how the attacks are occurring.
    Although Entrust has no direct relationship with any of the victims 
of the December 2013 point-of-sale (POS) attacks, we can provide 
general insight to the attacks from public information and from our 
understanding of how cyberattacks are normally perpetrated.
    In many of the retail breaches, and not unlike attacks witnessed in 
other industries, criminals are using a combination of social 
engineering and technical tools, such as malicious software or 
``malware,'' to steal credit card numbers and personal information.
    The traditional approach to network security continues to put 
significant focus on developing a perimeter around the corporate 
network. Whether or not these defenses can be breached directly, we can 
ascertain that they aren't the weakest link in the defense by assessing 
the successful attacks. Instead of trying to breach perimeter defenses 
directly, criminals are focusing on obtaining an identity that provides 
access directly inside the network.
    The logic could work something like this: criminals know that many 
organizations still treat the internal network as being protected by 
the perimeter (i.e., castle walls and moat analogy). As a result, less 
attention gets paid to internal systems and where monitoring occurs, it 
tends to get less attention than the external environment.
    As a criminal, if you can get inside, your objectives become much 
easier. So, what is the easiest way to accomplish this goal? A direct 
attack is possible against the perimeter, but this is where we're 
focusing our security investment and attention.
    Back to the castle analogy, the walls are formidable, and the moat 
is deep. However, organizations are people; people working on the 
trusted ``inside'' of the network, people just trying to get their jobs 
done (we will come back to this later). And we generally trust these 
people. They become the vector for many of the attacks.
    If a criminal can get one of their identities, or more specifically 
credentials, they have bypassed the perimeter, the walls and the moat. 
This can be done through social engineering an unsuspecting individual 
with legitimate access to the network (e.g., an employee or 
contractor), by exploiting flaws in a technical implementation, or via 
direct access through a knowing accomplice on the network.
    Using stolen credentials, the criminal has virtually become 
``someone'' on the network and appears as a legitimate user, making 
them difficult to see and detect. From here, the attacker can move more 
easily within the network, using the systems available to the 
legitimate user and bringing in their own more malicious tools.
How Hackers Do It
    A cyberattack is typically not a single event. Regardless of the 
attack goal, there are a series of objectives that need to be completed 
along the way. As described above, each step is made significantly 
easier if the attacker possesses the identity of a legitimate person or 
device on the target network.
    Disciplined cyberattackers do not need to ``hack'' or ``break'' a 
computer system in order to take advantage of it maliciously. Attackers 
will use the system as a whole, by taking full advantage of the way 
that PCs and networks are engineered. PCs and their operating systems 
are designed to be highly connected and interoperable in order to 
provide excellent user experiences for their legitimate users.
    This, unfortunately, also provides rich functionality for an 
attacker. Computer networks are naturally trusting by their nature, and 
cyberattackers take full advantage of that. It is very difficult to 
tell the difference between malicious and legitimate behavior on a PC 
or on a computer network. This is because the cyber attacker has stolen 
a legitimate identity. The attacker is not a masked, highly visible 
criminal. The attacker has your identity and is imitating you.
    Employees inside a corporate network can be tricked into opening e-
mails that contain a malicious payload. The original Greek `Trojan 
Horse' is a good analogy, but instead of a wooden horse, the gift may 
be an e-mail that looks like a legitimate request for assistance from 
your boss.
    Anyone can be tricked into opening that e-mail or browsing to a Web 
link. The e-mail or Web link will contain the malicious payload that 
will infect the employee's PC, which will serve as a beachhead from 
which the attacker will perform subsequent steps in the attack.
    By infecting the first PC, the attacker has assumed the identity of 
the employee on that PC. If the employee happens to be an 
administrator, which is all too often the case, the attacker will also 
have the rights of an administrator, which allows the attacker to move 
even more quickly to their target.
    The initial infection will be invisible to the employee. Attackers 
are using techniques that defeat end-point protections and continually 
adapt to monitoring. Unfortunately, most defenses at the PC and network 
level are based on catching attacks where the patterns of attacker 
behavior have been seen before. But attackers are capable of adjusting 
their tools and behavior just enough to slip through these defenses.
    From the beachhead of the initial PC infection, the cyberattacker 
will use the first stolen identity to gather information on the target 
network and begin to move towards the ultimate target. The fog of war 
is quickly cleared for the attacker as they map out the network.
    If you have ever browsed for a printer on an enterprise network, 
your own computer has performed network reconnaissance 
indistinguishable from the activity a malicious attacker needs to do to 
map out your network. This means that the attacker's movements in your 
network are exceedingly difficult to distinguish from a normal user, 
unless you have very tight controls over identity, and the rights that 
those identities have.
    A human resources employee should normally never need to view 
computer resources that store highly valuable intellectual property. A 
third-party partner or vendor who has been given access rights to a 
corporate network should not have access to anything beyond the limited 
systems needed to complete their tasks.
Preventing Data Breaches
    You can see from the attack scenario that the criminals must be 
knowledgeable of the systems involved and typical responses from the 
compromised organization. They are knowledgeable, but they aren't 
overly sophisticated. They merely use stolen identities to access and 
use the normal IT tools of the victim in conjunction with malware.
    Although the most advanced and persistent attackers can breach even 
strong defenses, good security governance and strong security policies, 
processes and implementation can thwart most attacks or at least limit 
their impact.
    In addition to industry standards such as the Payment Card Industry 
Data Security Standard, best practices for information security are 
covered in a number of security frameworks such as SANS 20, ISO 27002, 
COBIT and recent publications from NIST.
    The SANS Top 20 Critical Security Controls is an example of the 
focus areas provided in the frameworks. The controls discussed by SANS 
are a subset of a larger body of work provided in NIST SP 800-53, with 
the top 20 controls as follows:
Top 20 Critical Security Controls--Version 5
   1.  Inventory of Authorized and Unauthorized Devices

   2.  Inventory of Authorized and Unauthorized Software

   3.  Secure Configurations for Hardware and Software on Mobile 
        Devices, Laptops, Workstations, and Servers

   4.  Continuous Vulnerability Assessment and Remediation

   5.  Malware Defenses

   6.  Application Software Security

   7.  Wireless Access Control

   8.  Data Recovery Capability

   9.  Security Skills Assessment and Appropriate Training to Fill Gaps

  10.  Secure Configurations for Network Devices such as Firewalls, 
        Routers, and Switches

  11.  Limitation and Control of Network Ports, Protocols, and Services

  12.  Controlled Use of Administrative Privileges

  13.  Boundary Defense

  14.  Maintenance, Monitoring, and Analysis of Audit Logs

  15.  Controlled Access Based on the Need to Know

  16.  Account Monitoring and Control

  17.  Data Protection

  18.  Incident Response and Management

  19.  Secure Network Engineering

  20.  Penetration Tests and Red Team Exercises
    Examples of the rationale behind some of this guidance are provided 
below:

        The principle of ``least privileges'' should be considered a 
        vital part of policy, leading to a minimal usage of 
        administrative credentials. Employees and third parties are 
        often given too many rights on a corporate network, which 
        increases risk. If an attacker is able to steal an 
        administrative identity, this brings huge risk. Therefore, 
        administrative identities should be used minimally and secured 
        strongly.

        It is difficult or impossible to defend a computer network 
        without an inventory of resources. This includes desktop 
        computers, back-office servers, Wi-Fi and wired access points. 
        This is required in order to create secure network 
        architecture.

        A trained security staff equipped with tools is needed to 
        operationalize that defensive posture.

        For example, an important tool to thwart identity-stealing is 
        strong second-factor authentication. Most people think of 
        authentication as being only username and password. Username 
        and password is a single-factor authentication. In other words, 
        the attacker only has to steal one secret (the username and 
        password) in one place in order to steal the identity and be 
        able to log in to a computer system.

        Second-factor authentication requires a user to use two 
        secrets. Strong forms of second-factor authentication exist 
        that take advantage of mobile devices. Strong second-factor 
        authentication provides a very high level of identity 
        protection, not only for employees on a corporate network, but 
        also for third-party users of the network such as partners and 
        vendors.

        Strong second-factor authentication also makes it more 
        difficult to inadvertently `share' a credential with a co-
        worker. Imagine a scenario where an `insider' wishes to 
        sabotage a network for malicious purposes. If an insider simply 
        stood over the shoulder of an administrative co-worker and 
        learned the username/password, they could simply log in as 
        their co-worker and perform malicious activity with the co-
        worker's identity. With strong second-factor authentication, 
        this is not possible.

        Complementing the above, network segmentation is a concept 
        where important resources are only made minimally accessible to 
        computer systems that have a need to reach them.

        Focusing on the December 2013 attacks, whitelisting the 
        software programs able to run on the POS terminal makes it more 
        difficult to install the malware. Whitelisting is a technique 
        that allows only a specific set of software to be installed on 
        a computer. If malware is installed on a computer, it will not 
        match the ``whitelisted'' set of software and will be rejected.

    In addition, carefully monitoring network traffic with intrusion 
detection and intrusion prevention systems (IDS/IPS) could allow 
security analysts to detect the unauthorized network traffic patterns 
used by the attackers.
    Although attackers are knowledgeable and persistent, there are ways 
to reduce the likelihood of a successful attack and mitigate damages. 
It is commonly understood that security in layers and defense in depth 
help combat attacks.
    However, what is appropriate for any given organization is 
typically defined through an assessment of risk. Inputs to this process 
come from the core values of the business and require top-level 
engagement to be accomplished successfully.
Challenges and Recommendations
    One of the questions we should be asking is, ``with all of the 
knowledge, guidance and standards, how did the breach happen?''
    One avenue to explore is the pace at which we bring lessons learned 
from the experts on the frontline of cyber into practice. Nothing in 
the breaches was new. We don't have a gap in understanding the attacks 
currently being executed.
    Any security practitioner will tell you that good information 
security requires investment in people, process and technology applied 
consistently over time. But have we established a cybersecurity system 
and culture that inherently evolves at the same rate as the threats? Is 
the bureaucratic process seen in government and industry groups 
inherently too slow to adapt? If so, there is no silver bullet in 
technology that will help.
    Another problem with many cybercrimes is that the loss has an 
asymmetric impact on its victims. For example, although a retailer is 
breached, the bank bears the cost of the stolen card data, financial 
institutions bear the cost of card re-issuance, and consumers suffer 
the pain of changing cards and cleaning up accounts.
    A major focus of the guidance and regulation that exists today is 
based on the organization conducting a risk assessment where one of the 
first steps is to assign value to the data. But if the impact of a 
breach is only partially borne by the organization conducting the 
assessment, then the amount of protection given to that asset may not 
completely capture its systematic value.
    Over the past decade we have significantly advanced our 
understanding of the threat landscape and best practices. What the most 
recent events are showing us is that there are opportunities to improve 
the translation of understanding the threats into mechanisms that turn 
this understanding into action. Evolving our approach and defense 
posture needs to be a Federal priority and we need to move forward now.
    We should start with harmonizing breach notification laws so that 
enterprises and consumers alike know what is expected of them. The 
first state-level breach notification law was enacted in California in 
2002; today, 46 states have similar laws.\7\ However, we are still 
without a common Federal approach. Federal harmonization of breach 
notification laws is a good place to start.
---------------------------------------------------------------------------
    \7\ ``State Security Breach Notification Laws.'' National 
Conference of State Legislatures. N.p., 21 Jan 2014. Web. 24 Mar 2014. 
.
---------------------------------------------------------------------------
    Second, the Federal government needs to continue to foster the 
adoption of best practices across both the public and private sectors. 
Investments in Federal programs like HSPD-12 and the Transportation 
Workers Identity Modernization program are advancing the security 
infrastructure and generating significant lessons learned. NIST is also 
playing a key role in generating recommendations and guidance based on 
cross-sections of best practices and lessons learned from many 
industries. So, there is a good baseline to work from.
    Finally, we must change the cybersecurity culture. Enterprises--
large and small, public and private--need to embrace information 
security governance as a core responsibility. Industries where data has 
been viewed as a critical asset of the organization have found ways to 
integrate this into their DNA with many good examples existing in 
finance and the defense and intelligence communities.
    However, in these cases, the value of the data is obvious. Losses 
are not asymmetrical. We may want to look closer at industries where 
handling data, especially personally identifiable information (PII), 
is a byproduct and not an objective of the organization. Healthcare, 
retail and critical infrastructure are all very good examples.
    In either case, we believe the focus should be on 1) how to 
accelerate the cycle from learning to implementation and 2) ensuring 
that the asymmetric nature of data is taken into account in 
cyberstrategy. Whether you want to drive adoption via incentives or 
directives is a public policy matter, but however we proceed, we need 
to proceed now.
Conclusion
    Simply as a result of more transactions, data and devices going 
online, and without changes to the security posture of our most 
important industries and infrastructure, cybercrimes will continue to 
increase in frequency and potency. The asymmetric impacts will afflict 
those entrusted with sensitive data and the consumers, citizens and 
employees who put their faith in these systems.
    Given the current situation, you must not let the perfect become 
the enemy of the good. The recommendations put forward would increase 
visibility into the threat environment and costs borne by individuals, 
organizations and the system as a whole. This insight needs to quickly 
filter into a more accurate assessment of risk and a system that is 
quicker to adapt.
    Finally, the recent breaches have brought more attention to the 
cyber challenges we face today. We must take advantage of this focus, 
turn a negative into a positive, and move forward with policy that 
helps organizations embrace information security governance as a core 
responsibility. I urge you, your colleagues and the Administration to 
not let 2014 conclude without adoption of some measures that will 
better protect our economy and security.
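    The one-secret versus two-secret argument in the prepared statement above, as an added Python example (not an Entrust product and not code from the statement): a login check that requires both a password and a time-based one-time code per RFC 6238 (the kind of mobile-device second factor the statement refers to), accepts each code only once, and runs the stolen-password and shoulder-surfed-code scenarios against it. The user account, password and the RFC 6238 test-vector secret are constructed for the demonstration.

```python
"""Second-factor login check: password plus a one-time code (RFC 6238 TOTP).

Added illustration of the single-secret vs. two-secret argument above.
The user record, salt and secret below are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30          # TOTP time step (RFC 6238 default)
DIGITS = 6                 # code length shown on the mobile device


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


class Authenticator:
    """Verifies username + password (first factor) + TOTP code (second factor)."""

    def __init__(self) -> None:
        self._users: dict = {}

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "pw_hash": self._hash_password(password, salt),
            "secret": totp_secret,   # provisioned to the user's device, never displayed again
            "last_step": -1,         # highest time step already accepted (anti-replay)
        }

    def login(self, username: str, password: str, code: str, now: int) -> bool:
        user = self._users.get(username)
        if user is None:
            return False
        # First factor: something the user knows.
        pw_ok = hmac.compare_digest(
            self._hash_password(password, user["salt"]), user["pw_hash"])
        # Second factor: something the user has. Accept the current step and one
        # step either side for clock drift, but never a step already consumed,
        # so a code watched over someone's shoulder cannot be replayed later.
        current = now // STEP_SECONDS
        matched = None
        for step in (current - 1, current, current + 1):
            if step <= user["last_step"]:
                continue
            if hmac.compare_digest(hotp(user["secret"], step), code):
                matched = step
                break
        if not (pw_ok and matched is not None):
            return False         # both factors must verify; all failures look the same
        user["last_step"] = matched
        return True


def run_scenarios() -> dict:
    """Legitimate login vs. an attacker holding only the password or a watched code."""
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret, constructed for the demo
    auth = Authenticator()
    auth.enroll("alice", "correct horse battery", secret)
    t = 59                               # RFC 6238 vector time: the code is 287082
    alice_code = totp(secret, t)
    return {
        "legitimate_login": auth.login("alice", "correct horse battery", alice_code, t),
        # Phished password, no device: the attacker must guess the second secret.
        "stolen_password_only": auth.login("alice", "correct horse battery", "123456", t),
        # Shoulder-surfed password and code, replayed eleven seconds later.
        "replayed_code": auth.login("alice", "correct horse battery", alice_code, t + 11),
        # Fresh code from the device but the wrong password: still rejected.
        "wrong_password": auth.login("alice", "wrong", totp(secret, t + 11), t + 11),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the first scenario is accepted; a code observed before the legitimate user enters it is the residual exposure, which is why the accept window is kept to one step of drift and each step is consumed on use.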

    The Chairman. Thank you very, very much.
    Because of an unusual circumstance, and with the permission 
of my distinguished ranking member, the first question from our 
side will come from Senator McCaskill.

              STATEMENT OF HON. CLAIRE McCASKILL, 
                   U.S. SENATOR FROM MISSOURI

    Senator McCaskill. Thank you. I adore you.
    [Laughter.]
    Senator McCaskill. I wanted it on the record. Both of you, 
I adore both of you.
    [Laughter.]
    Senator Wicker. Fails for lack of a second.
    [Laughter.]
    Senator McCaskill. I believe that ultimately the market is 
more effective at controlling behavior than the government. So 
let me start with a question that I don't think has fully been 
answered.
    Mr. Mulligan or Ms. Richey or can any of you shed light on 
exactly how much fraud has resulted from this breach?
    Mr. Mulligan. Are you speaking specifically to our breach?
    Senator McCaskill. Yes, to the Target breach.
    Mr. Mulligan. I will start, and certainly feel free--I can 
only speak to, about 15 percent of the cards that were taken 
were Target-branded product cards. The other 85 percent are 
third parties that we don't have visibility to.
    But when I can tell you, what we have seen, two of the card 
products--one is a branded debit card, the other is a 
proprietary card, a card that can only be used at Target--we have 
not seen any incremental fraud on those two particular cards.
    We also have a Visa product that can be used broadly, just 
like anywhere else. There, on our $5.5 billion portfolio, we 
have seen about $2 million of incremental fraud or about a 0.1 
percent increase.
    Senator McCaskill. OK. Tiny amount, then, on your 15 
percent.
    Mr. Mulligan. On ours, yes.
    Senator McCaskill. Ms. Richey, do you have any figures for 
us in terms of----
    Ms. Richey. Yes. I would say, I mentioned in my testimony 
that 2 to 5 percent of accounts might be expected to experience 
incremental fraud.
    We are actually seeing much lower numbers from the Target 
breach. I do believe that the rapid notification that Target 
provided, as well as the strong response from our member 
financial institutions, is responsible for limiting the fraud.
    Senator McCaskill. OK. So what is the total, do you think, 
dollar-wise?
    Ms. Richey. I don't have those dollars available right now.
    Senator McCaskill. Does anybody?
    Ms. Richey. We can get those for you. Of course, you have 
to realize we are still in relatively early stages. But we 
could provide those for you.
    Senator McCaskill. Well, what I am trying to figure out 
here is how much fraud there was and who is holding the bag on 
the fraud. Because I think people don't understand that this--I 
mean, I don't think people understand that Visa doesn't 
necessarily hold the bag on any of it, that most of this debit 
card fraud ends up with a local bank, that a lot of the costs 
associated with this breach, in fact the majority of them, fall 
to credit unions and local banks as opposed to Target.
    Of the $61 million that you have said it cost your company, 
Mr. Mulligan, how much of that was marketing to try to reassure 
your customers that you were--and you are the good guys, by the 
way. I am not trying to say you are not the good guys. But how 
much of that $61 million was marketing as opposed to actual 
loss that you suffered?
    Mr. Mulligan. For the $61 million that we recorded in the 
fourth quarter--any marketing expenses that we undertook would 
have been recorded in the normal course of our business. The 
$61 million was related to response costs, credit monitoring, 
activities such as that.
    Senator McCaskill. Well, the credit monitoring that you are 
offering to your customers, that, in fact, is marketing.
    Mr. Mulligan. We viewed that as a way to respond and help 
our guests for what is, we know, a difficult time for them, to 
provide for them not only credit monitoring but identity theft 
protection and identity theft insurance.
    Senator McCaskill. I think it is terrific you are doing it, 
and I think it was smart for you to do it, and I think it was a 
wise corporate decision. But it was an optional activity you 
engaged in in order to try to repair the damage that had 
occurred as a result of the breach.
    Mr. Mulligan. Yes, we were----
    Senator McCaskill. Correct?
    Mr. Mulligan.--focused on our guests, absolutely.
    Senator McCaskill. OK.
    And the estimate to the banks and credit unions is about 
$200 million. And those are costs that are not optional to 
them, correct? That is them having to reissue the cards and 
bearing the cost of doing that.
    Mr. Mulligan. So the payment card industry has collectively 
determined that, importantly, consumers don't bear any of the 
fraud related to this type of activity.
    There are commercial arrangements that underpin that. Those 
commercial arrangements provide both for the revenues that 
companies like Target pay in. They also provide for the 
remediation in situations like this.
    Senator McCaskill. The point I am trying to make here is 
that I think it is confusing to the consuming public where this 
loss falls and where the costs are absorbed.
    I know that there is $10 billion in more revenue to 
retailers as a result of the government getting involved in 
interchange fees, because interchange fees were $19 billion 
before the Durbin amendment and now they are $10 billion--less 
than $10 billion. So there was $10 billion extra that flowed to 
retailers as a result of those prices coming down. And I am not 
saying that was a good or bad thing.
    I guess what I am trying to get at here is that I think it 
is very important that the risk be borne by those who must 
engage in the activity to protect. Because if the risk goes 
somewhere else, it lessens the incentive to protect.
    Now, I am not going to argue that you all have had a 
terrible thing happen to your company and that you are working 
hard to recover from it and you have been damaged. But there 
are many instances where people think there has been a breach--
I think most Americans thought you guys were covering all the 
costs of this. When you said, ``We are going to make sure that 
no customer loses a dime,'' I don't think that they realize 
that most of the dimes were being paid by somebody else in the 
first place.
    So I think a clarification of where the risk falls is 
important for us if we are going to do anything as a 
government, because it is going to be much better to align 
those risks with the right incentives in the free market.
    Ms. Richey?
    Ms. Richey. I was just going to say that if there is any 
lack of clarity about who is bearing the loss here in the 
Committee, the financial institutions would make their 
customers whole in the first instance, as we know, with the 
zero-liability policies.
    And then the payment networks, both Visa and MasterCard, do 
have a program to shift the cost back to a merchant if the 
merchant is shown to have been out of compliance with our 
industry standards.
    Senator McCaskill. OK.
    Ms. Richey. However, that program covers only a portion of 
their costs. And the reason for that is, just as you said, to 
balance the incentives so that each party is incented to reduce 
the risk and protect the consumer.
    Senator McCaskill. I would love to get into the weeds on 
that, if you would help us with that information, Ms. Richey.
    Ms. Richey. You mean right now?
    Senator McCaskill. No. I mean later.
    [Laughter.]
    Senator McCaskill. No, no, no. I am done. I am done.
    [Laughter.]
    Senator McCaskill. No, no, I mean later. I mean, I really 
want to understand how these risks are being shifted in the 
marketplace.
    Ms. Richey. OK.
    Senator McCaskill. Thank you.

                 STATEMENT OF HON. MARK PRYOR, 
                   U.S. SENATOR FROM ARKANSAS

    Senator Pryor [presiding]. Thank you.
    What I am going to do is I am going to recognize Senator 
Thune and then, just for the Committee's information, we will 
recess for votes.
    And we have four votes scheduled, I believe? Five votes 
scheduled.
    So we will work that out, but I just wanted the Committee 
to know we will go to Senator Thune, then we will take as short 
a recess as we can, come back and conclude the hearing.
    Senator Thune. Thank you, Mr. Chairman.
    Mr. Mulligan, we are still learning all the details of the 
Target breach, but we know that it affected two types of data. 
One was the payment card data of approximately 40 million 
Target shoppers and other personal data of up to 70 million 
customers.
    The question is, what steps have you taken to provide your 
customers the assurance that their personal information is 
going to be protected going forward?
    Mr. Mulligan. Senator, we have taken several steps. 
Immediately upon identifying the malware, we removed it from 
our system. We closed the portal that created the access point 
in the first place. We have narrowed the scope of who has 
access to our systems.
    We also began an investigation and hired a third-party 
advisor who brought in a forensic investigator to do an end-to-
end review, not just a forensic analysis but a review of our 
entire data security technology processes and controls. From 
that, we will have additional learnings, and we have already 
taken steps that we have learned from there.
    We have enhanced our data segmentation. We have hardened 
our perimeter by increasing the use of two-factor 
authentication. And we have increased malware detection with 
something called ``whitelisting.'' We accelerated the 
investment in that. And that essentially allows only the 
programs we want to run on our point-of-sale terminals to run.
    We have also accelerated the investment in chip and PIN 
technology. A $100 million investment will complete the 
installation of guest payment devices this year and roll out 
the cards in early next year.
    So we have taken many steps, and we will continue to have 
learnings from our end-to-end review and expect to continue to 
make changes.
    Senator Thune. Good.
    Ms. Ramirez, you state in your testimony that, and I quote, 
``Although most states have breach notification laws in place, 
having a strong and consistent national requirement would 
simplify compliance by businesses while ensuring that all 
consumers are protected,'' end quote.
    I agree with that statement, and I am wondering maybe if 
you can elaborate on the advantages of a consistent national 
requirement for breach notification.
    Ms. Ramirez. We see a need for legislation for various 
reasons, and I think that is one. I think it is critical that 
there be comprehensive Federal legislation in this area. And we 
think that if that legislation and the standards that are set 
are sufficiently strong, that in that instance the Federal 
standards should preempt state breach notification laws.
    Senator Thune. OK.
    And several of you, I think, have testified to the 
advantages of having a single Federal standard. And I am just 
wondering maybe if you would like to underscore the value of 
Federal preemption of what is a patchwork right now of state 
laws.
    Ms. Ramirez. I am sorry, if I may add one more point that I 
want to make sure is also clear, in terms of our position at 
the FTC. It is also critical that the states be permitted to 
enforce in this area, that there be concurrent jurisdiction on 
the part of the FTC as well as the states.
    Senator Thune. Right. OK.
    Anybody else want to comment on the value of having a 
national----
    Mr. Wagner. Just a couple quick comments.
    You know, we have talked about transparency here on the 
panel today, and transparency is absolutely critical. So having 
a common breach standard would make it easier to aggregate the 
data to know what is going on from a national perspective.
    And then we also know from these crimes that they often--
probably most often have a multi-state impact and very often an 
international impact. And having the Federal Government 
involved in breach notification seems to make a lot of sense to 
centralize that.
    Senator Thune. Anybody else?
    Ms. Richey. I would just say that a single standard would 
ease the way for getting the notification out faster and 
spending less time and money on lawyers and more on informing 
consumers.
    Senator Thune. Dr. Loh, you are here today because the 
University of Maryland experienced a security attack, which 
exposed the names and Social Security numbers and dates of 
birth of more than, as you note in your testimony, 300,000 
members of your community.
    In your testimony today, you state that the University of 
Maryland experienced a second breach on March 15 but that this 
time that breach resulted only in one senior university 
official having their data breached.
    And so the question is, why is that? Was that official the 
only target of that breach, or was it because of steps taken 
after the first breach?
    Mr. Loh. They actually had unlawful access to far more 
information than was breached the first time, but we don't call 
it a breach because, except for that one individual, it was not 
made public, it was not circulated. And, again, I want to thank 
the FBI for their very expeditious and effective intervention 
that resulted in the successful mitigation within 36 hours.
    The reason we are not saying anything more is because the 
investigation is still proceeding. But it is the case that no 
other information was made available. The fact that that one 
senior university official's name, ID, everything was put on 
the Web and on a public website, on Reddit, was simply because, 
well, the intruder wanted to show how clever he or she was and 
wanted the world to know.
    Senator Thune. I just have one last question, Mr. Chairman, 
and that has to do--again, I want to come back to Ms. Ramirez.
    You testified today that your role at the FTC is to protect 
consumers and ensure companies take reasonable and appropriate 
measures to protect consumer information and that, to do that, 
the FTC uses both its unfairness and deception authority, 
deception authority being relatively clear-cut. And, in that 
case, if a company acts deceptively, it makes materially 
misleading statements or omissions, for instance regarding the 
security measures it has taken.
    But a good number of the FTC's actions in data security 
have come under its unfairness authority, which some have 
argued provides less guidance to companies regarding which 
practices cross the line. Because most of these cases are the 
result of consent decrees, it doesn't seem like there is a 
record, or it doesn't produce a record of precedential value.
    So the question is, short of regulations, should the FTC 
make public the rationale that they use to determine what is 
unfair so that companies have better guidance?
    Ms. Ramirez. Senator, I have to disagree with the critiques 
that have been made of the FTC in this arena. I think that we 
have provided good guidance.
    The approach that we take when we exercise, frankly, both 
our deception authority and our unfairness authority in this 
area is one of reasonableness. As a law enforcer, what we do is 
really driven by the specific facts of a given case. And the 
documents that are part and parcel of our consent decrees 
demonstrate and explain the bases for our allegations and also 
what we believe are remedies and actions that a company should 
undertake.
    So, in our view, we have provided guidance. And the actions 
that we have taken really go to very basic and fundamental 
failures on the part of companies that we think are 
unreasonable and, therefore, that would be a violation of 
Section 5.
    So I do take issue with that. We provide a great deal of 
guidance, also, to businesses as part of our outreach and 
educational efforts. And I believe that companies can discern 
the approach that we take.
    It is a process-based approach, where we urge companies to 
do a very thorough risk assessment based on the type of 
information that they collect and that they use and that they 
then, in turn, develop a program that would be able to address 
any risks to which that information might be exposed.
    We also think it is absolutely critical to have one person, 
at least, who would be in charge of any data security program.
    Senator Thune. Is that guidance made public?
    Ms. Ramirez. Absolutely.
    Senator Thune. OK.
    All right, Mr. Chairman, I see we are out of time and we 
have to run and vote, so I yield back.
    Senator Pryor. Thank you.
    And that is what we will do. We are going to recess for a 
little while; I don't have a time certain. My guess is it will 
be 40 minutes or so, but I don't know exactly, depending on how 
many actual votes we have on the floor. There is a little bit 
of conflicting information about it, whether we have four or 
five votes.
    But, nonetheless, what we will do is we will recess. And 
probably, just for everybody's benefit, we will probably try to 
start as we are doing our last vote on the floor, because 
members can vote and then come back here. So we are trying to 
do that.
    So, with that, what we will do is we will take the recess 
now, and we will reconvene subject to the call of the chair. 
Thank you. [Recess.]
    The Chairman [presiding]. You know, it is nice, we are 
actually just piling through judges. And that has been an 
enormous problem in our system. And we did something called the 
nuclear option, which means if you can get past cloture, then 
all you need is 51 votes. That is what everybody--we have five 
judges, which may not be of any interest to you.
    [Laughter.]
    The Chairman. OK. Mr. Mulligan--where is my Mr. Mulligan? 
There you are.
    Have you all been nice to Mr. Mulligan?
    [Laughter.]
    The Chairman. OK.
    My staff, as you know, have prepared a report analyzing the 
data breach at your company. And we do a lot of reports.
    One that doesn't have anything to do with you or the 
question--and I shouldn't even be saying it--but I am 
interested, so I am going to say it--and I am Chairman, so I 
can say what I want.
    [Laughter.]
    The Chairman. A lot of moving companies, if you want to 
move, you sign a contract, they put your stuff in the moving 
van, and then they take it about 2 miles and then park in an 
alley and call you up and say, ``The price has just tripled.'' 
And, you know, you say, well, that doesn't happen in America. 
The point is it does. And it is very disturbing. It is very 
disturbing.
    So that is why we focus a lot on these kinds of things. It 
is not that we are nasty.
    Richard, you are not nasty, are you? Senator Blumenthal? 
You are not nasty. You are smart, you----
    Senator Blumenthal. Ask my wife, Mr. Chairman.
    [Laughter.]
    Senator Blumenthal. Never.
    The Chairman. That is right.
    My granddaughter and his----
    Senator Blumenthal. Wife.
    The Chairman.--wife are together at school.
    Senator Blumenthal. Your granddaughter and my wife----
    The Chairman. I didn't mean that----
    Senator Blumenthal. Your granddaughter and my daughter were 
together in school.
    The Chairman. Were, yes, that is right.
    Senator Blumenthal. Yep.
    The Chairman. At different levels.
    Senator Blumenthal. Yes.
    The Chairman. Right.
    [Laughter.]
    The Chairman. So, anyway, Mr. Mulligan, we have prepared 
this report, and I want to know if you have read the report.
    Mr. Mulligan. I have. I had a chance to review it last 
night.
    The Chairman. You did last night.
    The report walks through the many steps the attackers had 
to go through in order to hack your company. And then it 
explains how Target could have prevented the breach if you had 
stopped the attackers from completing even just one of the 
steps.
    Let me give you a few examples. You could have prevented 
the breach if one of your vendors, a small Pennsylvania company 
called--is it ``Fazio'' or ``Fazio''?
    Mr. Mulligan. My understanding is it is ``Fazio.''
    The Chairman.--Fazio Mechanical Service had better security 
practices.
    Will you acknowledge that poor vendor security was a factor 
in this attack?
    Mr. Mulligan. Yes.
    The Chairman. And once the attackers had gotten into your 
network, you did not stop them from gaining access to your 
company's highly sensitive consumer data. Will you acknowledge 
that Target failed to properly monitor your computer network 
for the intruders?
    Mr. Mulligan. Senator, it is my understanding that we did 
have proper segmentation in place. As recently as 2 months prior 
to the attack, we were found to be PCI-compliant, and that 
includes network segmentation.
    But your question is an excellent one. How they migrated 
from the outermost portion of our network to our point-of-sale 
data is an excellent question, and I don't have the answer to 
that.
    The Chairman. OK. And who is ``they''?
    Mr. Mulligan. How the intruder, excuse me.
    The Chairman. OK.
    Chairwoman Ramirez, I congratulate the Federal Trade 
Commission for its recent announcement of its 50th data 
security case.
    The FTC has been successful in pursuing data security cases 
using the authority under Section 5 of the FTC Act. As you 
know, Senator Feinstein, Pryor, Nelson, and I have introduced 
data security legislation, as Senator Pryor has done in 
previous years, all to no avail so far--legislation the FTC has 
consistently called for.
    Can you talk about why you see the need for such 
legislation? Why isn't your existing authority under the FTC 
Act enough?
    Ms. Ramirez. Chairman, thank you for your question. And, 
again, I want to thank you for your leadership in this area.
    The FTC has undertaken very critically important work in 
this arena. But I think that our experience and what we see 
happening in the marketplace really does show that companies 
are continuing to under-invest when it comes to data security.
    And that is why we believe that more needs to be done in 
this area and why we think that Congress absolutely needs to 
take action to have Federal comprehensive legislation that 
addresses the issues of data security.
    And, in particular, we want to highlight things that we 
think are critically important relative to enforcement 
authority on the part of the FTC. And that is that we feel that 
it is critical that the FTC have civil penalty authority so 
that there can be appropriate deterrence. We also feel that it 
is important that any legislation give us APA rulemaking 
authority so that the agency can have the flexibility to 
implement any legislation and to adapt to changing technology 
in this arena.
    And then, in addition, we feel that it is also important 
for the FTC to have jurisdiction over nonprofits. Currently, we 
do not have jurisdiction over nonprofits, and we do see that 
universities and other nonprofits are falling victim to 
intrusions and that it is important for the nonprofit sector 
also to have reasonable security measures in place so that 
Americans' information can be protected.
    The Chairman. But they will precisely at that point tell 
you that self-regulation works.
    Ms. Ramirez. We believe that self-regulation is an 
important element of all of this. Data security is a 
complicated issue, and in order to really address it 
effectively, we need to do it in a multi-pronged way.
    So we believe that self-regulation that is robust and where 
you have backup enforcement by the FTC, for instance, that that 
would be a good and important complement to the civil law 
enforcement that we undertake.
    The Chairman. But, in essence----
    Ms. Ramirez. But it wouldn't--in my mind, it is not enough.
    The Chairman. You are saying it is not enough.
    Ms. Ramirez. That is correct.
    The Chairman. Yes. But whether it is cybersecurity, whether 
it is this, whether it is almost anything else, self-regulation 
always solves the problem.
    We had, as you know, recently a chemical spill in 
Charleston in West Virginia. Nine counties just couldn't drink 
water, including my house, and it was not a pleasant 
experience. And I found out rather quickly that there is no 
regulation, they are under no Federal regulation, no state 
regulation--they can do exactly as they please.
    And so one of the people who was really trapped by this, 
who is my, sort of, chief of staff for my West Virginia 
operations, has two young children. And I talked to her this 
morning, and she said--and she had just been on a trip to 
India, in fact, to look at water, new ways of doing water--that 
two more leaks had been discovered on that river, just causing 
one to be blindingly angry and infuriated at ourselves for 
allowing that to happen.
    I was a Governor for eight years; I never did anything 
about it. Every time I drove into Charleston, which I did 
hundreds and hundreds and hundreds of times, I always came 
directly toward those tanks that held all this toxic stuff 
which leaked, and I said, that doesn't look very good to me, it 
looks kind of crummy.
    It is sort of like the pictures in Washington State before 
everything went wrong. Everything looked fine, but if you knew 
that there was a lot of mud there, your mind would lead you to 
other kinds of conclusions. But your mind doesn't choose to 
dwell on things which aren't of the moment.
    Anyway, so I am encouraging increasing hostility towards 
giving the FTC--I am hearing this from others--authority to 
address consumer protection issues like data breaches. That is 
a common complaint from some. And it reaches ears easily 
because people like to hear about the Federal Government not 
being able to do its work, or failing to do its work.
    Unlike years past, when this committee routinely gave the 
FTC the tools it needs to do the job, I am now constantly 
hearing about the dangers of an overzealous FTC, overregulating 
and overburdening American businesses, a lot--hearing it a lot, 
and in this committee.
    My data breach bill, which is S. 1976, gives your agency 
basic rulemaking authority to set data security standards, just 
as Congress did in the Gramm-Leach-Bliley and the children's 
online privacy laws. I don't think that is a controversial 
idea, but some people do.
    Chairwoman Ramirez, can you explain, please, to these 
skeptics, through me, how the FTC goes about setting these 
rules so that, one, I can be satisfied that you are not out to 
ruin industry for the pure pleasure of doing it but you are 
trying to do your job; how the Commission has a careful and 
deliberative process that does not lend itself to the type of 
regulatory chaos that some fear? And then can you explain how 
these rules will help protect consumers from data breaches?
    Ms. Ramirez. I would be happy to.
    Let me say that, first of all, the call for legislation in 
this area is a bipartisan call. The Commission unanimously 
supports the enactment of Federal legislation in this area and 
supports specifically the pieces of legislation that I have 
outlined.
    Let me also say that, in response to the critics of the 
FTC, anyone who looks closely at the work that we undertake can 
see that we do our work in a very balanced way and that we 
absolutely want to be--our job is to protect American consumers 
fundamentally, but we absolutely do listen to the concerns of 
industry.
    And I think when you look at the body of casework that we 
have in this area, the 50 data security cases that you 
mentioned, I think people will see exactly what the basis for 
these are and, in fact, that the actions that we took were 
justified.
    In response to your specific question about how we employ 
APA rulemaking authority, in my initial remarks I referenced 
the CAN-SPAM Act, which is one example of a situation where we 
were given APA rulemaking authority. Any rule that the agency 
would promulgate would go through a notice-and-comment period, 
so stakeholders would have an opportunity to give input. Any 
rule that we ultimately would impose would be based on the 
evidentiary record that would be developed over the course of 
the rulemaking process.
    And the reason that we ask for that is that it is critical 
that the FTC have flexibility in this arena to implement any 
legislation. And two main issues, I think, are the ones that I 
want to highlight.
    One is that we have to recognize that technology is just 
moving very rapidly. So, a decade ago, no one would have 
predicted that facial recognition technology would be so 
readily available, for example, or that geolocation information 
would be so easily obtainable today. So it is critically 
important that there be flexibility that is embedded in any 
legislation to allow the FTC to adapt any rule to emerging and 
evolving technology.
    By the same token, it can also be to the benefit of 
businesses to grant the FTC that flexibility, because we may be 
able to lift certain requirements that may no longer be 
necessary over time. And that certainly happened in connection 
with our implementation of the CAN-SPAM Act.
    So, in my view, it really would be to the advantage of 
everyone--consumers as well as the business community--to grant 
us that flexibility.
    The Chairman. I thank you.
    I am well over my time, and it is time for Senator 
Klobuchar.

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you very much, Mr. Chairman. Thank 
you for holding this important hearing and for working on some 
important legislation.
    I think we all know that this is no longer one singular 
problem, as we have heard from our witnesses today. In fact, 
The Washington Post printed an article yesterday showing that 
the Federal Government notified 3,000 U.S. companies of a 
breach in just the last year.
    And I think it calls attention to the fact that we need to 
move on cybersecurity legislation, that we need to move on some 
of the notification bills and the work that Senator Rockefeller 
is doing, Senator Leahy is doing. I am on both committees, so I 
have been immersed in this.
    As Mr. Mulligan knows, we had another hearing, and 
Chairwoman Ramirez, in the Judiciary Committee. And one of the 
things we focused on a lot there that I continue to believe is 
important is, one, going after the people that did this and 
working with the Justice Department on that. That has to be a 
top priority. But, number two, how we prevent this going 
forward.
    And one of the things that I found pretty shocking was that 
in America we have 25 percent of credit card transactions in 
the world but we have 50 percent of the world's fraud. And, as 
we know, some of the other countries have moved to the chip and 
PIN technology. I know that Target tried some of this 
technology--maybe you can talk about that--a few years back, 
but it wasn't adopted by other companies.
    And so I think I would start with that. What do you think 
we need to do to stop this from happening, in terms of adopting 
some of the technology? And how long do you think it is going 
to take, when we already have parts of the world that are 
already adopting this? It is currently the standard in Europe.
    So maybe we could hear from you, Ms. Richey, first.
    Ms. Richey. We do believe that it is necessary for the 
United States to join most of the rest of the countries of the 
world in adopting the chip technology to control fraud in the 
face-to-face environment.
    We have set out a roadmap for EMV chip adoption, and we 
announced that in August of----
    Senator Klobuchar. Great.
    Ms. Richey.--2011, with the idea that it would take 
probably around 4 to 7 years to get to a critical mass of chip 
adoption, based on our experience in other countries.
    I am encouraged by the level of enthusiasm toward the chip 
project that we are seeing in the wake of these recent events. 
And I am hopeful that by our liability-shift date in 2015, 
October 2015, that we will see substantial adoption in both the 
merchant and the issuing bank side.
    Senator Klobuchar. And do you think it would be better to 
have the PIN rather than signatures? Would that be safer?
    Ms. Richey. ``Safe'' is an interesting word in this 
context.
    Senator Klobuchar. OK. Would that lead to less fraud?
    Ms. Richey. It might initially lead to less fraud. PIN does 
reduce lost and stolen fraud. So PIN does nothing to prevent 
the criminal from counterfeiting a card, unfortunately. And 
about 70 percent of the fraud that occurs in physical 
locations, brick-and-mortar stores, is counterfeit, not lost 
and stolen.
    So we believe the bigger problem is counterfeit. It is also 
easier for the criminal to accomplish because they can do it by 
stealing data, not by having to take possession of, you know, 
thousands or millions of physical plastic cards.
    So we believe that the best thing for the industry to do is 
to focus on chip and that trying to change the environment 
between PIN, signature, and no cardholder verification, which 
are our current methodologies, would just slow things down and 
increase the cost.
    So, therefore, we are saying the issuer could have the 
choice, based on their own risk profile, whether to issue with 
chip and PIN or chip and signature, and similarly in the 
merchant environment, where today about two-thirds of the 
merchants don't currently deploy PIN.
    Senator Klobuchar. Right.
    And I think we know, I mentioned--Mr. Mulligan, maybe you 
want to address this--that Target had tried to go with the chip 
technology. And what happened?
    Mr. Mulligan. We did. A little more than 10 years ago, we 
introduced what we call guest payment devices to read chip 
cards. And we introduced our Target Visa card, actually, with 
chips enabled in it 10 years ago.
    The real benefit for consumers comes with wide adoption, 
though, when those cards are widely used and they are widely 
read throughout the economy. And we have seen that in other 
geographies. After we went about 3 years by ourselves, we 
determined that it didn't make much sense for us to continue, 
given that there was no real benefit to consumers broadly.
    We have continued to support, in our case, chip and PIN, 
but we agree that moving to at least chip-enabled technology is 
a positive step forward.
    Senator Klobuchar. Are you speeding up your adoption of 
that now?
    Mr. Mulligan. We are. We have accelerated that. It is a 
$100 million investment for us. And we will have the guest 
payment devices in September, and we will issue cards, chip-
enabled cards, and read them early next year.
    Senator Klobuchar. And, Mr. Wagner, as a subsidiary of 
Datacard, which is also a Minnesota company, how does your 
company view the transition to chip cards? And how have Entrust 
and Datacard been involved in making recommendations to the 
finance and payment networks on implementing new cards and new 
security methods?
    Mr. Wagner. Well, Datacard is, in fact, the world leader in 
producing equipment to encode financial transaction cards, both 
magnetic stripe and of course EMV other places in the world. 
And so we are a big supporter of the EMV technology.
    You know, one of the things, when you combine security, you 
know, it is clear that the chip and PIN is a more secure way to 
do it, but there is obviously balance and usability that needs 
to be considered. But when you consider from a security 
perspective, the chip and PIN is a more secure way to go about 
it. But either is better than the current mag-stripe 
environment.
    Senator Klobuchar. And, Mr. Chair, if I could just ask one 
more question----
    The Chairman. Of course.
    Senator Klobuchar.--of Chair Ramirez?
    Many of the large data breaches and the hacking operations 
are perpetrated by people outside the U.S. And there is no 
shortage of crimes that they could be charged with, but it can 
be very hard to bring them into our courts because they operate 
largely overseas.
    In the case of the Target breach, I understand that 
Business Weekly has identified a Ukrainian operation that could 
be responsible. Again, the investigation is under way; this is 
just what we read in Business Weekly.
    But can you discuss how you work with law enforcement on 
investigations? I know I asked this of the Justice Department 
in a Judiciary hearing, but what steps do you think we could be 
taking to make it easier to get these international hackers 
into a courtroom to stop them?
    Ms. Ramirez. As to your specific question, I do have to 
defer to the criminal law enforcement authorities to get into 
the details of that. But I will say that the FTC works very 
closely, in terms of our own work, in parallel with our 
criminal law partners in these areas.
    We, of course, are focused on the front end, how retailers 
and other businesses are protecting consumer information. But, 
again, we work in parallel with and I think our efforts are 
complementary to the efforts of criminal law enforcers who are 
seeking to locate and punish perpetrators.
    Let me also add that we do a tremendous amount of work on 
the international front, working with civil law enforcement 
agencies around the world to address these issues. That is a 
significant part of our own engagement. And we use authority 
that has been given to us by Congress under the SAFE WEB Act to 
be able to pursue civil law enforcement where needed. And so we 
do want to partner with other law enforcers, because we have to 
these days.
    Senator Klobuchar. And so do you think we should be doing 
more, as we negotiate trade agreements, as we work with these 
other countries as part of security agreements, in terms of 
trying to come up with some international standards?
    Because it seems to me that more and more of these cases 
are outside of our borders, in terms of who is perpetrating 
them.
    Ms. Ramirez. Absolutely. I think increasingly we need to be 
working with international partners around the world, and we 
absolutely have to focus on that set of issues, as well.
    Senator Klobuchar. Thank you very much.
    The Chairman. Thank you.
    Senator Pryor?
    Senator Pryor. Thank you, Mr. Chairman.
    And let me follow up on that, if I can, Chairwoman Ramirez. 
With the FTC working with other agencies, other Federal and 
state and other law enforcement agencies generally, plus the 
international community, is there a formal process there? I 
mean, do you have these formal relationships where you sit down 
every day or every week or every month with these folks? Or is 
it more on a case-by-case, ad-hoc basis?
    Ms. Ramirez. We do work regularly with sister agencies here 
domestically. It does operate on a case-by-case basis.
    We do also have specifically a Criminal Liaison Unit, 
because as part of our overall enforcement work we do partner 
with U.S. attorney's offices. We also do close work with main 
Justice and then also with the FBI, Secret Service. But 
specifically on these issues, it tends to be in conjunction 
with specific investigations.
    On the more global level, we do work through multilateral 
organizations as well as through specific bilateral 
relationships that we have with counterpart law enforcers 
around the globe who also have consumer protection authority. 
And then we do also engage, where necessary, where appropriate, 
with criminal authorities around the world, as well.
    Senator Pryor. You know, one reason I ask is my experience 
with law enforcement is that sometimes they will form what are 
sometimes called task forces, you know, where they will have 
multi-agency or multi-jurisdiction.
    I didn't know if FTC serves in, like, a task force-type 
setting where you have regular meetings, where people are 
focused on this, trying to find solutions, trying to head some 
of this off before it starts. Are you all involved in anything 
like that?
    Ms. Ramirez. It really is on more a case-by-case basis. 
Again, our focus is on the civil law enforcement side and on 
the front end. But we absolutely will cooperate very closely 
where it is necessary, and we do stay in close contact with 
domestic criminal law enforcers.
    Senator Pryor. OK, let me go down to the other end of the 
table there.
    Mr. Wagner, I know in both the Rockefeller bill and also 
the Toomey bill, they use the word ``reasonable'' policies--
``reasonable'' is the key word--policies to ensure consumers' 
private data is protected.
    And, you know, obviously, ``reasonable'' is a little 
elastic, a little situational. And that may be the best word to 
use, but could you please speak to that and kind of talk about 
what principles are contained within the, kind of, concept of 
``reasonable''?
    Mr. Wagner. Well, the key principles that we would espouse 
are those of information security governance, understanding the 
risks that the enterprise has around information security at a 
high level, at a corporate, at a board level, understanding 
which information assets have value, and making sure that that 
is not just an assessment of the value to your organization 
but, as we are seeing, the effect can be ecosystem-wide, and so 
making sure that those, you know, asymmetric values get 
considered at the risk officer level, at the corporate level, 
so it can be dealt with.
    Senator Pryor. Does anybody else on the panel want to 
comment on ``reasonable'' and, you know, what that means in the 
context of what you do?
    Ms. Richey. Well, there are a whole set of well-known 
security standards applicable either on an industrywide basis 
or broadly across all industries. And I believe that many of 
them have very specific things that need to be done but that at 
the same time they are flexible.
    So there is a whole custom and practice of the trade that 
you would want to look at based on the risks that you have 
identified as to whether the measures that you took were in 
accordance with those standards.
    Senator Pryor. And is that a good starting point here?
    Ms. Richey. I believe so, yes.
    Senator Pryor. Yes.
    Did you have something?
    Mr. Loh. Yes. The word ``reasonable'' was what caught my 
attention in Section 2 of the bill, ``requiring reasonable 
measures and procedures for information security.''
    Even though it has only been about 5 weeks since our major 
data breach, I have already asked for the estimates of the cost 
to have, quote, ``reasonable'' defenses and ``reasonable'' 
perimeter defenses, penetration testing, and protection of 
sensitive information.
    It can range from a few million dollars to as high as $30 
million to $50 million. They have quoted me figures from other 
studies that say that, at least in academic settings, it is 
approximately $100 per every identity stolen. So if we had 
310,000 stolen, the cost, as a rough estimate, is 310,000 times 
$100.
    And the question I think that Mr. Mulligan raised, which I 
thought was an excellent question: Who shares in the 
responsibility for protection?
    It would bankrupt most universities to spend $20 million, 
$30 million in cybersecurity protection, especially when there 
is no 100 percent guarantee anyway. Is this something that 
should be shared more widely between private business, 
universities, and the Federal Government?
    To take one example, Social Security numbers. Why don't we 
devalue Social Security numbers? Why not require financial 
institutions not to use Social Security numbers so that there 
is no longer the incentive to steal Social Security numbers?
    If one doesn't do that, one shifts all of those costs to, 
at least in this case, higher education institutions. And so it 
is a balancing between risks and costs. And all I can tell you 
is that the costs can be staggering. And even then, all of the 
experts that we have retained are telling us there is no 100 
percent guarantee.
    Ms. Ramirez. I wanted to add a few words from the 
perspective of the Federal Trade Commission on this issue.
    We do believe that the reasonableness is the right 
approach. Given the different types of companies that we have 
jurisdiction over across many industries, we think that it is 
critical to have flexibility and, again, to have a very fact-
specific approach. At the same time, we certainly understand 
the challenges that Dr. Loh has identified.
    And going back to your question about certain things that 
the Federal Government can do, one area where we have been 
participating in a task force has been in connection with 
identity theft. And as part of that task force that was set up 
under the Bush administration, a number of different Federal 
agencies have made recommendations about how to deal with 
issues such as Social Security numbers to minimize the risks of 
ID theft.
    So I do think that while this is a complicated question, 
there are many places where the government can play an 
important role. And, to me, data security legislation is one 
step in that effort, but I think there are other things that 
need to be examined, including the way personal information is 
being utilized.
    Senator Pryor. Thank you, Mr. Chairman.
    Thank you.
    The Chairman. Thank you, Senator Pryor.
    Philosophically and realistically, that was an interesting 
discussion because--and it gets back to something that I talk 
about as often as I can. Unless this country is willing to get 
serious about infrastructure, from which I mean cybersecurity 
to 200,000 pound water tankers crossing 75,000 max pound 
bridges all over West Virginia so that they can build a 
fracking platform--if we don't have the infrastructure, which 
is research, which is NIH, which is the Cancer Institute, which 
is Alzheimer's, which is everything, plus the hard stuff, the 
roads--I mean, you know, we have a lot of pipelines in West 
Virginia. Nobody knows where they are. They carry gas, but 
somebody goes in to build a house and breaks through five 
layers of pipelines that nobody knew were there.
    At some point, the sense of forgiveness runs dry, that if 
we are going to be a serious country, continue to be a serious 
country, we have to do infrastructure. We have no choice.
    If you said, Senator Rockefeller, are you for raising the 
gas tax, I would say yes. I believe in user fees; I always 
have. If you have an objective that you want--you want to build 
roads and bridges--then you do that thing which is necessary to 
make it happen.
    If you choose not to--you are ideologically pure--you 
probably win your next election, and your state declines and 
fritters away. Or people, young people, make the conclusion, as 
they have, or some of them already, on our water spill, the 
toxic water spill, for which there was no state regulation 
whatsoever--of which I was partly responsible, because I was 
Governor for 8 years. And I told you, I kept looking at these 
tanks and wondering what they were doing there but did nothing 
about it.
    If you don't take responsibility for your future, you have 
no future. And that gets to the very bottom of what divides 
this Congress. It is not Republicans and Democrats. Roy Blunt 
and I have been friends for years. I got him to do something 
which he didn't want to do, for which he has forgiven me for 
getting him to do it because he finds it not that undoable. 
Plus, he likes me and I like him. OK? So things work.
    But you have to be willing to raise taxes to pay for things 
where we are eons behind. STEM, modern bridge structures--I 
mean, the list is endless: NSF, NIH, NIST. You want a good way 
to find out where a good standard is? You go to NIST. That is 
where the cybersecurity people want to go. They will do it 
fairly. They will do it, but it will cost.
    And so to Dr. Loh, who runs a university, which does not 
have endless amounts of money, I am full of sympathy. But I 
can't walk away, as a Senator, from being part of the solution 
to his problem. And that is what we are doing here; we are 
walking away year after year from being part of the solution to 
the problem.
    If you want good infrastructure, you have to pay for it. If 
you are going to pay for it, you have to raise taxes. Then the 
question is, how do you raise taxes? Then you get into the 1 
percent versus the--and then that becomes a lot of talk. But 
the point is you either get the infrastructure or you don't. 
And if you don't, your future is dim.
    It was very interesting when the President called, 
accurately, Russia an important regional power. Mr. Putin must 
have been unhappy at that, but it was accurate because of the 
size of his economy and because of what he has not done and 
they have not done over the years. In projecting power, 
projecting toughness and all the rest of it, they have not 
built things up. My son-in-law lives there; he knows. You can't 
escape that.
    So that is my little editorial. But, to me, it is the way 
we improve this country. The way we help Dr. Loh, the way we 
help everybody, is that we are in this together, that we have 
to share responsibility, that we don't point fingers. We are 
all to blame.
    We are in the habit of being comfortable. We are in the 
habit of thinking that the world is as it was 30 years ago. 
Now, that is a stupid and trivial thing to say, but it is just 
totally true. It is totally true. So I am trying to make life 
tougher on us.
    I am not running for re-election, so it is easy for me to 
talk like that. But if I were running for re-election, I would 
talk like that. Or else I don't belong in this job; I shouldn't 
run for the job.
    So that is just my thought. Now, I have gone over my time. 
And Senator Markey has been here, and he doesn't like it if I 
go for over a minute and a half. But I am just going to ask my 
question and hope for Roy and Ed's forbearance.
    Mr. Mulligan, this is for you. According to press reports, 
attackers gained access to the Target network through the 
Pennsylvania vendor, which we have discussed already. Does 
Target require any particular level of security of its third-
party vendors?
    Mr. Mulligan. We do assess the inherent risks of our third-
party vendors and rate them on a risk scale and determine which 
of those we need to review, which of those we don't, Senator. 
We have a process for doing so.
    The Chairman. I am not sure what the answer is.
    Mr. Mulligan. We do. We do. We have standards, Senator. And 
we have an audit process to ensure they are meeting them.
    The Chairman. A lot of people have audit practices. Not all 
of them are enforced. That is a high bar question, I admit.
    Mr. Mulligan. We have a process where we routinely review 
the inherent risk. And those with high risk we evaluate 
periodically. Those with a medium risk we evaluate less often. 
And those we deem low-risk we don't evaluate, Senator. We----
    The Chairman. OK.
    Do any third-party vendors have access to Target's point-
of-sale systems? And if so, what security standards apply to 
them?
    Mr. Mulligan. Anyone who has access to our point-of-sale 
networks, the same security standards would apply: two-factor 
authentication, as is required by PCI. And beyond that, anyone, 
whether our own team members or if we have, say, technology 
contractors working on them, they would apply similarly.
    The Chairman. See, Senator Markey, we have the rhetoric of 
attention and auditing but not necessarily the fact of. One can 
still get away with rhetoric in this country. One can get on 
the evening news with brilliantly sculpted rhetoric. It doesn't 
mean you are doing anything.
    I just threw that your direction. You are not a media 
hound, so I am not accusing you of being that kind of person. I 
mean, I would if I knew my audience better, because I would 
have fun doing it and you would have fun squashing me.
    At the same time of the breach, who at Target was 
ultimately responsible for the company's data security?
    Mr. Mulligan. Senator, we have multiple teams that work in 
data security. At the time of the breach, various elements 
reported it to several different executives.
    The Chairman. Now, you see, that worries me. That worries 
me. You had a former CIO, Beth Jacob, and I want to make sure 
she doesn't get run over by a bus in this discussion.
    It is true that Target data security responsibilities have 
been divided up, as you indicate, among a variety of staff and 
not under a chief information security officer. But what I am 
obviously getting at is, at some point, the CEO and the Board 
of Directors have to accept responsibility for what is 
happening.
    That is why I mentioned this morning with data breaches--
that you should have to report it to the SEC. And there was no 
law. I just called up Mary Schapiro, who was there at the time; 
she said, sure, I will do it.
    And I did the same thing with coal mines. We have a lot of 
coal mine disasters in West Virginia. So any time somebody is 
killed or there is a coal mine disaster, it has to be reported, 
because that is helpful to investors and shareholders about 
their decisions.
    But I believe in responsibility. I think it has to come 
down to a point, a source point. And I think that has to be a 
Board of Directors and the CEO. And then you can scatter the 
responsibility however you want.
    I have talked too long, and now I have to figure out who 
got here first.
    I think, Roy, did you get here first?
    Senator Blunt. I was here first.
    The Chairman. Roy was here first.
    So, Senator Blunt, I am sorry. Senator Blunt.

                 STATEMENT OF HON. ROY BLUNT, 
                   U.S. SENATOR FROM MISSOURI

    Senator Blunt. I thank the Chairman.
    And the Chairman and I are good friends, and the thing he 
talked me into doing was co-chairing with him an effort to be 
sure we understood what all the alternatives are out there at a 
staff level on health care. And whether I wanted to know it or 
not, I needed to know it. And, once again, he figured out 
something that was better for me than I probably thought it 
would be.
    But thank you all for being here. It has been a long 
afternoon, people coming and going. I may very well ask a 
question that has already been asked, but as a rule here, even 
if everything has been said, if everybody hasn't said it yet, 
it is still OK to repeat it.
    [Laughter.]
    I just sort of--you know, whenever we set this hearing, I 
think there were 46 different requirements to comply. There may 
be more than that by the time we get to the end of the hearing, 
but there were at least that many.
    And my first question is simply a ``yes'' or ``no'' 
question. Do you believe that a uniform national standard for 
data breach notification would benefit consumers? And just 
``yes'' or ``no'' is all I would like to have there.
    Ms. Ramirez. I will start. Yes.
    Senator Blunt. Dr. Loh? A uniform standard of notification?
    Mr. Loh. Yes.
    Mr. Mulligan. Yes.
    Ms. Richey. Yes.
    Mr. Beshar. Yes.
    Mr. Wagner. And yes.
    Senator Blunt. Well, that is what I think too. And 
hopefully we can figure out how to do that. And I think the 
Attorney General recently called for that uniform standard, as 
well, and it is something that hopefully this Congress can 
accomplish. [Editor's note: Senator Blunt requested that the 
Attorney General's statement in this regard be placed in the 
record. See pp. 76-77, herein.]
    One of the questions the Chairman asked--and maybe it was 
your answer, Mr. Mulligan. At the time of the breach, was there 
more than--weren't there multiple breaches of data in what 
happened in Target in the last part of last year?
    Mr. Mulligan. We had breach of our systems, Senator, and 
two types of data were removed.
    Early in December, or mid-December, on December 19, we 
indicated that approximately 40 million credit card account 
numbers had been removed from our systems.
    And then, once verified, we also, on January 10, provided 
notice that certain personal information, including name, 
address, e-mail, and phone number, in various combinations, had 
also been removed in the same breach.
    Senator Blunt. So if I understand this right, in the same 
breach, does that mean you had all the information for all 40 
million people? Or did you have some of them you had individual 
information and others you just had card information that 
didn't identify it to an individual?
    Mr. Mulligan. That is correct. And the overlap between the 
two, while one would think it would be a relatively simple 
process, it was not. We know that there was at least 12 million 
of the records that overlapped and likely more than that.
    Senator Blunt. So where you had the breach of information 
but you didn't know who that related to, is there any way you 
could have--who could you have notified there if you wanted to 
notify an individual customer that their card information had 
been shared in ways you wouldn't have wanted and stolen, in 
effect, from you?
    Mr. Mulligan. Given the nature of our breach, Senator, we 
felt that the best way to notify customers was very broad 
public disclosure. We did so on December 19 through the media, 
through our website, through social media. We did so again on 
January 10 related to the personal data.
    In both cases, we augmented that public disclosure by e-
mailing. In the first case we e-mailed about 17 million of our 
guests and in the second case about 47 million guests.
    Senator Blunt. How did you know who those 47 million were?
    Mr. Mulligan. We had their e-mail addresses.
    Senator Blunt. And that was for everybody in that 
particular file, or everybody that had shopped within a window 
of time, or how did you know that?
    Mr. Mulligan. For the 70 million records, those are the 
individuals we had accurate e-mail addresses for.
    Senator Blunt. For the 47 million e-mails out of the 70 
million.
    Mr. Mulligan. Correct.
    Senator Blunt. I see.
    And, Ms. Richey, I think--what did the Chairman say? Does 
Visa--no. A level of security for--it was asked about the 
company. I thought of a question then. Does your company 
require any level of security for the merchants who use Visa? 
And are you changing what that level of security is?
    Ms. Richey. Yes, we do require a level of security. It is 
the level embodied in the PCI data security standards.
    And we also require for large merchants that they provide 
us a validation by an independent security assessor once each 
year that they are in compliance. For the smaller merchants, we 
require a self-assessment questionnaire that is administered by 
the merchant bank that has set them up to accept payments.
    So that is what we have in place today. The PCI Council 
actually administers that standard, and they review it 
periodically and promote improvements to it.
    Senator Blunt. And have you given notice of a new level of 
standard that you want merchants to have by sometime in 2015?
    Ms. Richey. So there are two different things going on 
here. One is the security standard, how they secure the data in 
their environment.
    Senator Blunt. Right.
    Ms. Richey. And the other is to devalue the data in their 
environment so that they would no longer have valuable data and 
no longer be targeted by thieves.
    So the standard for October 2015 is for these EMV chip 
cards, where the card actually sends a one-time-use signal so 
that even if you steal all the data relative to the card it 
can't be reused to commit fraud.
    So the standard for 2015 is to implement the EMV standard 
by placing EMV terminals in the stores and outfitting them with 
the proper technology on the back end, failing which the 
merchant would be liable for the fraud if a chip card, an EMV 
chip card, is used in that terminal. So that is that standard.
    Senator Blunt. OK.
    My last question for you and then anybody else who wants to 
answer it is, do you believe there is any benefit in Congress 
in the law trying to specify exactly what the card standard 
should be? If we said in law you would have to have a chip in 
the card or you would have to have a chip and a PIN number in 
the card, is that, in your view, a good thing or an unhelpful 
thing?
    Ms. Richey. Generally speaking, I would say that our 
success across the world has been through this liability-shift 
mechanism. It allows the flexibility in the different merchant 
environments for them to move in that direction.
    Senator Blunt. So ``liability shift'' means if they don't 
secure things as you required, they would have a higher level 
of liability as a merchant.
    Ms. Richey. Right. And that allows them to set the pace of 
their transition according to their environment and the risk in 
their environment. So we believe that should be effective. We 
have seen it over and over again across the world.
    I hesitate--naturally, we would like to get out of the 
business of having to administer this ourselves, but when we 
have seen the few governments that have tried to mandate 
technologies in other parts of the world, they tend to have 
unintended consequences and actually make it more difficult to 
move forward with new types of technology that can leapfrog 
current technology. So that would be my hesitation on that.
    Senator Blunt. Anybody disagree with that?
    My sense has been that the thieves, the hackers would 
always be more nimble than the Congress. And we prove that on a 
regular basis, our lack of nimbleness. And if you are too 
specific in law, all you do is create a roadmap as to what you 
have to do if you want to break the code.
    But what were you going to say, Ms. Ramirez?
    Ms. Ramirez. I was going to agree with what Ms. Richey has 
testified to. We believe that a flexible approach is the right 
way to go here.
    Senator Blunt. Thank you, Chairman.
    The Chairman. Thank you very much.
    Ah, you have made it back.

             STATEMENT OF HON. RICHARD BLUMENTHAL, 
                 U.S. SENATOR FROM CONNECTICUT

    Senator Blumenthal. I have made it back, Mr. Chairman. I 
have a reprieve on my presiding because I felt this committee 
hearing was so important. And thank you for----
    The Chairman. So then I have the pleasure of putting you in 
front of Senator Markey and watching him fume.
    [Laughter.]
    The Chairman. Senator Blumenthal was here and is 
recognized.
    Senator Blumenthal. I was here before and----
    The Chairman. Yes.
    Senator Blumenthal. Thank you, Mr. Chairman. Thank you. And 
thank you for your leadership in convening this hearing.
    Thank you to the panel. You know, I feel that this 
afternoon is, in a certain way, a missed opportunity for all of 
us because we have been bouncing in and out due to the votes 
and our schedules and so forth. But this panel's contribution I 
think has been very, very useful and I think could be even more 
useful. And I am going to be submitting some additional 
questions for the record that perhaps you can address.
    And speaking of missed opportunities, the report done by 
the majority staff of this committee I think performs an 
extraordinary service and provides an excellent backdrop and 
summary and analysis of what happened here. And it uses the 
term ``opportunities''--``missed opportunities'' is the way I 
would interpret them--that, very unfortunately, were failed 
here.
    And it brings home to me one of the truths that I think 
maybe Senator Blunt was alluding to: The best technology in the 
world is useless unless there is good management.
    And here, to be quite blunt, there were multiple warnings 
from the company's anti-intrusion software. They were missed by 
management, maybe because of lack of training, perhaps simply a 
sense of confidence or complacence. And the automated warnings, 
the specific kinds of signals that should have been an 
indication not only of intrusion but the need for action were 
missed. And that has created enormous costs.
    So one of the lessons of this incident for me is that 
better management has to come with better technology. Do any of 
you disagree?
    I take it by your silence you are agreeing.
    The other area that has not been explored so far is the 
notification here. And the breach occurring on 11/12, November 
12, happened well before there was notification to consumers, 
December 19 I think it was.
    And the question that arises, I think, in the minds of a 
lot of consumers, and justifiably, is: Was there timely enough, 
quick enough, fast enough notification here? And what can be 
done to improve that pace in the future?
    So let me ask Mr. Mulligan first and then perhaps the 
others about what you think about the timeliness of 
notification.
    Mr. Mulligan. Senator, first, we identified the malware on 
our system on the morning of December 15. From that moment 
forward, we were very focused on public notification.
    Senator Blumenthal. But should you have discovered it 
earlier?
    Mr. Mulligan. That is a reasonable question, Senator, and 
one--you know, the report, as you indicated, is very well done. 
It is asking a lot of hard questions, questions we are asking----
    Senator Blumenthal. And, in my view, let me just state very 
simply, there should have been earlier discovery. Whether you 
could have prevented the intrusion and stopped it earlier, that 
may be a subject of debate, but certainly it should have been 
discovered and notified earlier.
    Mr. Mulligan. We are certainly going back to understand 
that, Senator.
    As the alerts were surfaced, our team assessed them. They 
assess hundreds of alerts every day and make judgments based 
upon those. Given the circumstances we were in, we identified 
the malware on the morning of December 15 and provided public 
notice 4 days later.
    We were very focused, your point is exactly right, on speed 
and doing so quickly. And we balanced that with ensuring that 
we could provide accurate information to our guests and respond 
to their questions, given the volume, that we knew were coming 
in both our call centers and our stores.
    Senator Blumenthal. Chairwoman Ramirez?
    Ms. Ramirez. Thank you.
    From our perspective, reasonably prompt notice is, of 
course, quite critical, but we also understand that it is very 
important for companies who have been victims of a breach 
incident to be able to assess exactly what transpired. And I 
think, as Mr. Mulligan has noted, it is critical that consumers 
receive accurate information, as well.
    So we understand that that can take time. From our 
perspective, ultimately, notice should happen reasonably 
promptly. In our view, at the very outside, it should be about 
60 days. Of course, it is critical that consumers have an 
opportunity to be able to take steps to protect themselves if 
their information has been exposed.
    Senator Blumenthal. I want to thank all of you for your 
answers. My time has expired, and I am going to yield to 
Senator Markey before he truly starts fuming, with good reason.
    And I want to follow up on this question of notification. 
Because anybody can be a victim of hacking or intrusion, but no 
one should in any way delay notification to consumers once it 
has happened. And even when there is something less than 
complete certainty, a warning to consumers can save literally 
hundreds of millions, if not billions of dollars.
    And the ultimate cost, often, is borne by those consumers 
in identity theft. So Senator McCaskill earlier was talking 
about, you know, who is bearing the cost in terms of the 
suffering and the pain resulting from identity theft? Consumers 
bear it, even if they get money, even if they are told by a 
monitoring--or even if they get insurance.
    So I want to thank you all for your cooperation. I know 
that Target has cooperated with my office and with this 
committee, and I want to thank you for the contribution that 
you made here today and before now.
    Thank you, Mr. Chairman.
    The Chairman. Thank you, Senator Blumenthal. And thank you; 
I don't know how you pulled it off, but you got a leave of 
absence. And I have been here 29 years, and you are the first 
person who has ever gotten that. So you clearly care, and so we 
are grateful for your coming back.
    But now we are treated to the one and only, great Mr. 
Edward Markey.
    [Laughter.]

               STATEMENT OF HON. EDWARD MARKEY, 
                U.S. SENATOR FROM MASSACHUSETTS

    Senator Markey. Thank you, Mr. Chairman.
    Dr. Loh, the University of Maryland decided to provide 5 
years of credit protection to those impacted by the data breach 
at your school. How did you determine that 5 years was an 
appropriate time period?
    Mr. Loh. Well, as you know, we announced it within 24 
hours, notified everybody within about 4 or 5 days. And very 
quickly, the way most students communicate is by social media----
    Senator Markey. But why the 5-year period to offer 
protection?
    Mr. Loh. And so, what they were complaining about was that 
we initially offered one year, and they said one year is not 
adequate.
    Senator Markey. And what was your conclusion?
    Mr. Loh. And my conclusion is I think they are right. It is 
going to cost more money, but it is the right thing to do. And 
then----
    Senator Markey. And why is it the right thing to do?
    Mr. Loh. I am sorry?
    Senator Markey. Why is it the right thing to do?
    Mr. Loh. Why is it the right thing to do? Because, after 
all, it did happen. It is our responsibility to provide the 
maximum protection possible of our sensitive data. We did not 
do it. I think we have very strong defenses, yet even so they 
were penetrated in a very sophisticated way. But that is no 
defense.
    Senator Markey. OK. So----
    Mr. Loh. And so we decided to up it from 1 year to 5 years.
    Senator Markey. OK. Great.
    So, Mr. Mulligan, Target has offered victimized consumers 
just one year of credit monitoring service. My concern is the 
same as Dr. Loh's and the students at the University of 
Maryland that 1 year is too brief a period of time, given the 
compromise of this information.
    So why did you choose one year and not have a longer period 
of time, even though, as Dr. Loh said, it costs more money, but 
it is consistent with the risk that the consumer now runs?
    Mr. Mulligan. We certainly evaluated this. Not having 
experience, we reached out to other entities that had had 
similar experiences. Our understanding at the time we made the 
offer was that one year was appropriate, would provide 
appropriate coverage.
    We are certainly not dogmatic about that. We have not 
received the same feedback from our guests. We have issued 
millions of access codes to our coverage and have not received 
that feedback. But certainly if we did, we would reconsider 
that.
    And I think, importantly, part of our coverage is that you 
have access to a fraud specialist ongoing beyond that one year. 
That goes on forever.
    Senator Markey. Yes, I mean, my concern is, of course, this 
information has been compromised and it is sitting out there, 
and 1 year is just an arbitrary period of time to select to say 
that it can't be used in a way that comes back to haunt the 
individuals whose information has been compromised. And I just 
think that a more lengthy period of time makes more sense. I 
think the University of Maryland reached the correct decision.
    I also understand the credit monitoring Target is offering 
tracks only one credit report, Experian, and not the credit 
files maintained by TransUnion and Equifax.
    Why do you believe that one bureau monitoring is good 
enough? Wouldn't free monitoring of all three reports provide 
consumers with better protection following the breach?
    Mr. Mulligan. Here again, we reached out to several other 
entities who had similar situations. We understood Experian is 
a well-established company. They had a product that we felt 
would work very well for our consumers, our guests, because it 
offered, in addition, identity theft protection, identity theft 
insurance, and, additionally, the ongoing access to the fraud 
specialist, which we thought was particularly important. So we 
went with their particular product.
    Senator Markey. Yes. Again, I would suggest to you that you 
look perhaps to a broader group of companies here that would be 
helpful.
    Credit monitoring may also provide consumers with a false 
sense of security because these services monitor only attempts 
to open new lines of credit; they do not watch for day-to-day 
unauthorized charges on your credit card.
    So tell us what Target is doing to help consumers with that 
problem.
    Mr. Mulligan. That is an excellent question. And as we have 
communicated to our guests, we have talked consistently about 
the need to monitor your existing accounts.
    And, again, we understand that this has impacted them. We 
have tried to provide resources, tools, communication. We have 
provided one spot on our website which has all the information 
we have provided to them. We have provided e-mails and 
additional information to our REDcard holders, all with a focus 
to keep them informed about the information we have.
    Senator Markey. Thank you.
    And let me move to you, Mr. Wagner, if I could. What steps 
are you taking today to ensure that better ways of ensuring 
data security keep up with new payment technologies?
    Mr. Wagner. Well, as Visa has testified, the EMV technology 
is a major improvement for payment security, so that is 
something that Datacard is interested in supporting.
    From an Entrust perspective, you know, our commitment is to 
help our customers have the identity technologies that they 
need to, you know, provide a strong layer of security in their 
defense mechanisms.
    And one of the things that is really key to understand is 
that the malware has changed the way it operates in the last 
several years. And this idea of being someone on the network, 
being able to overtake a network administrator's credential and 
move freely inside the corporate network as if you have a 
ticket to Disneyland is a very different security risk than we 
were dealing with, you know, 4 and 5 years ago.
    So trying to educate the industry, get governance processes 
in place that help companies understand their risk, and provide 
tools to mitigate those risks are what Entrust is trying to do.
    Senator Markey. You know, and I guess what I would suggest 
is this, OK? That it doesn't make any sense for the Congress to 
mandate specific technologies. What it does make sense to do, 
however, is to say to industries that you have to keep up with 
the changes, and if you don't keep up with the changes, that 
you are liable. So to say that any of this is a surprise is 
just to say that you are not keeping up with what is going on.
    And so the Chairman here could call a hearing of the five 
or six smartest young geeks in America, and they could explain 
it to this committee right now. But the truth is that the five 
or six smartest geeks in each one of your companies should be 
having that meeting right now with the CEOs, just saying, these 
are the changes and these are the recommendations that we make 
in order to provide the extra protection, because the law 
requires us to keep up. OK?
    And so, to just keep saying we are surprised at the changes 
means that you haven't kept up. But it doesn't mean that 
younger people in your own organizations have kept up. And so, 
in and of itself, it is no excuse, OK? It just isn't.
    And the Congress shouldn't require a specific technology, 
but it should require a standard. You know? If you don't have a 
radio on your boat in 1900, you are not derelict. You don't 
have one on your boat in 1920, now you have a problem. It 
evolved, you know? There are two-way radios now. If you don't 
have one, you can't say, ``Oh, my God, I didn't have one when I 
bought the boat,'' huh? That is not an excuse, OK? You had to 
have noted that a guy named Marconi came along, you know, in 
the interim and that, you know, young people have these devices 
now and you might have learned that there was a storm coming, 
huh? And you just can't exempt yourself from the liability.
    So that is kind of the challenge here. And that is why 
Senator Blumenthal and I have introduced legislation to give 
the Federal Trade Commission much greater authority, so that 
they can require these security measures to be put in place and 
that consumers receive immediate notification, as well, of any 
breach that occurs.
    And I think it is important for us to act this year, 
because this has been occurring over and over and over. And 
T.J. Maxx is in my congressional district, my old congressional 
district, and they had a similar breach in 2007. So it is not 
as though this doesn't keep happening over and over again. It 
is that we keep treating it as though it is a huge surprise 
that it is going to happen.
    And I just think we need to put in place the highest 
possible standards. That is why Senator Blumenthal and I 
introduced the legislation to help to accomplish that goal, and 
that is why Chairman Rockefeller is having these hearings, 
because we ultimately have to deal with the issue.
    I thank you, Mr. Chairman.
    The Chairman. That was very good questioning. I would like 
to be a part of the bill.
    Senator Markey. Your staff was the first group of human 
beings on the planet to receive a copy of the bill.
    The Chairman. Good.
    But, see, you raise a very important point, and that is 
that we measure everything based upon what it was. And that 
absolves us of the responsibility of saying what it might 
become. And the only important question, whether you are 
talking about national security, anything, appropriate 
security, is what it might become. And that is why we are 
constantly surprised.
    You know, the painful memory of the Boston Marathon, I am 
not sure what the teaching of that was. Because that was kind 
of a traditional act. Did we have something that we should have 
known, that there had been an advance in technology or in 
technique or in dispersion or whatever that we missed?
    But regardless of what the answer to that is, you are 
basically right. NIST's job is not to say exactly what it 
should be for this month, the next month, the next month. It 
should be the highest possible, practicable--the highest 
possible--standard. And that will reach many people who will 
object.
    Senator Markey. May I just say that it is a good example, 
where the Russians had given information about these suspects.
    The Chairman. And that is correct.
    Senator Markey. So the technology had worked, in fact, in 
gathering the information, but the human judgment then, in 
terms of what to do----
    The Chairman. Yes.
    Senator Markey.--with the information, you know?
    So here, the technology is something that now is available 
to deal with the threats. And it is there and available, and 
younger people, of course, are familiar with it. But it just 
becomes, in most instances, do you want to spend the money?
    The Chairman. Yes.
    Senator Markey. Do you want to spend the money to keep up 
with this technological arms race that you necessarily have to 
because it is concomitant with the electronic era that each of 
these companies is embracing?
    And so you can't think of that as a loss that you now have 
to suffer because you have to build in the security. You have 
to think of it as a necessary investment that you have to make.
    The Chairman. Yes, and we are not accustomed to that----
    Senator Markey. We are not.
    The Chairman.--pattern of thought. But you are suggesting 
that we need to be.
    Senator Markey. Exactly.
    The Chairman. And that is what NIST is there for.
    You missed my speech on spending money on infrastructure, 
and I will not pain you with repeating it. But you already 
agree with it.
    [Laughter.]
    The Chairman. Look----
    Senator Markey. Does that mean we are passing a 
transportation bill out of this committee this year?
    The Chairman. No. No, don't tease me with that.
    [Laughter.]
    The Chairman. This has been a very interesting and a very 
frustrating hearing for a couple of reasons. One is that it is 
a very complicated subject. I mean, we have the FTC, the 
President of the University of Maryland, this vast institution 
my former Chief of Staff, Kerry Ates, got her degree from, 
magna cum laude. And you all have great experience, and you 
bring great experiences to this.
    But we are under the stricture of the sense that time is 
running out on us. And are we going to have the time to 
energize people? As Senator Markey has indicated, young people 
are already knowledgeable. The question is, will they be 
energized to go into these fields? Will they be energized to go 
work at the University of Maryland and help you? Or at your 
firm, Mr. Mulligan, to help you?
    And I think it also makes the point that I made earlier, 
that at some point there is more reason there for it to have a 
point of responsibility. Ultimately, whether you are a senator 
or whether you are a President of a company or President of a 
university or playing first for the Boston Red Sox, it is not 
just holding on to your job, but it is how you do it, how 
people assess it with a hard eye, that makes the difference.
    Accountability is everything. We have tended to forget that 
in this country because somehow America always muddles through. 
America is not now muddling through, and it is not a pretty 
sight.
    You have been fantastic. You have been alert, you have been 
helpful. You have put up with our absences. We had nine votes. 
That is not a lot of fun for us, but we got nine judges, did we 
not? And that is a wonderful thing for America.
    So I want to profoundly thank you, each one of you, for 
being here and for being here this long.
    Mr. Beshar, I am feeling guilty about you. You haven't 
talked enough.
    [Laughter.]
    The Chairman. Would you like to talk for 2 or 3 minutes?
    [Laughter.]
    Mr. Beshar. I will decline your very kind invitation.
    The Chairman. Why? It is the perfect opportunity. Nobody is 
going to get up and leave while you are talking.
    [Laughter.]
    The Chairman. Say something that is on your heart that you 
want to say.
    Mr. Beshar. I will say very briefly, Senator, that I think 
the Government has really been out front of the bulk of 
industry and the nonprofit sector in identifying the 
significance of cybersecurity and in prodding business and the 
nonprofit sector to try to accelerate the pace of the 
commitment that they are showing.
    And you have done it in this committee. The FBI, the DHS, 
the White House--there are various government agencies that 
have really advanced the ball. And I think it is incumbent upon 
the bulk of business and the nonprofit sector to try to follow 
the lead that has been set.
    The Chairman. Yes. We have to get our act together, no 
question. And we are all part of it--part of the future, part 
of the wrongs of the present, part of the forgetfulness of the 
past, or taking too much comfort in the past.
    I have nothing wise to say, so I will end this hearing. I 
don't tend to bang a gavel because I think that is kind of 
showmanship, so I just end it by saying it is at an end. So you 
are free.
    [Laughter.]
    The Chairman. But you have our great gratitude.
    [Whereupon, at 5:17 p.m., the hearing was adjourned.]
                            A P P E N D I X

     Prepared Statement of the Electronic Transactions Association
    Chairman Rockefeller, Ranking Member Thune and Members of the 
Committee, the Electronic Transactions Association (ETA) appreciates 
the opportunity to submit this statement for the record for the 
Committee's hearing, ``Protecting Personal Consumer Information from 
Cyber Attacks and Data Breaches.''
    ETA is an international trade association representing companies 
that offer electronic transaction processing products and services. The 
purpose of ETA is to help the merchant acquiring industry by providing 
leadership through education, advocacy, and the exchange of 
information. ETA's membership spans the breadth of the payments 
industry, from financial institutions and transaction processors to 
independent sales organizations and equipment suppliers to merchants. 
More than 500 companies worldwide are members of ETA.
    As the trade association for the payments industry, ETA recognizes 
the critical importance of data security. With more than 70 percent of 
consumer spending now done electronically, consumers depend on the 
security and reliability of payment systems. Consumers prefer 
electronic payments due to their convenience, efficiency, and low cost, 
but data theft and cybercrime, if not properly combatted, could cause 
some consumers to forgo these benefits out of concern about the 
security of their personal financial information. And if consumers do 
not have confidence in electronic commerce, then neither will the 
entrepreneurs and investors who spur financial innovation. Accordingly, 
the continued development of online commerce and other technology-based 
sources of economic growth rest on effective data security.
    ETA is committed to ensuring that payment systems are fully secure 
and that customer information is protected. While recent high-profile 
data breaches remind us of the gravity of the threat posed by 
cybercriminals, existing data security systems have proven remarkably 
effective overall. Last year, U.S. payment systems processed more than 
$5 trillion in payments, and only a small fraction of those payments 
(less than one tenth of one percent) were fraudulent and consumers had 
no liability for such fraud. Nevertheless, data security will only be 
effective if it continues to stay ahead of the always evolving 
techniques and technologies of criminal enterprises.
    Because ETA members are on the front lines of fighting data theft, 
our members have dedicated significant resources annually to developing 
secure payment systems. ETA's members have worked with their merchant 
customers to employ advanced technologies to prevent data theft and the 
fraudulent use of personal information. Due to these efforts, for 
example, fraud accounts for less than 6 cents of every $100 of credit 
and debit card transactions. Even in the relatively small number of 
cases where fraud does occur, consumers are usually not responsible for 
those amounts as financial institutions have adopted zero customer 
liability policies for fraudulent activity.
    To further reduce the threat of fraud, ETA members that provide 
credit and debit cards are also beginning the phase-in of chip smart 
card technology beginning in 2015. This technology will replace 
magnetic stripe technology on credit and debit cards with cards 
containing embedded computer chips, which prevent criminals from 
producing counterfeit credit and debit cards. The adoption of EMV is a 
costly undertaking since it requires ``point of sale'' (POS) terminals 
to be updated to handle the new cards, but the investment is expected 
to yield a significant reduction in the incidents of card fraud and 
ensure the integrity of payment systems. Our industry is also working 
hard to deploy other technology solutions to fraud, like tokenization 
and end-to-end encryption, which hold real promise for thwarting 
criminal activity against merchants.
    ETA recognizes that protecting the personal financial information 
of consumers is a responsibility shared among payments processors, 
retailers, and banks. Accordingly, we recently joined with 14 leading 
retail and financial services trade groups in a partnership aimed at 
ensuring that our shared infrastructure is secure. This partnership 
seeks to enhance information sharing to prevent cyber attacks, promote 
new technologies to stay ahead of increasingly sophisticated threats, 
and collaborate on comprehensive solutions to threats growing to card-
not-present transactions and the mobile environment. ETA believes that 
such industry collaboration offers the best means for the development 
of industry standards and innovative solutions to strengthen data 
security.
    With respect to how government can best promote data security, ETA 
believes that the Federal government has an important role to play in 
creating a legal and regulatory environment conducive to technological 
innovation and the efficient and effective protection of consumer 
information. As Congress considers possible legislative measures to 
address data security, therefore, ETA would like to offer several 
recommendations.

  1.  Congress should adopt national data breach standards. ETA 
        believes that a uniform national standard for data breach 
        notification will help make sure consumers are notified when a 
        security breach puts at risk their personally identifiable 
        information, while minimizing the compliance risks to 
        businesses. Today, payment processors must comply with an ever-
        changing array of 46 different state laws on data breach. These 
        ambiguous laws unnecessarily increase the cost of data security 
        and confuse consumers with inconsistent rights and 
        responsibilities. A better approach is for a Federal standard 
        that preempts state laws with a clear notification trigger and 
        that provides a reasonable time for notifying consumers 
        following a breach. In addition, Federal data breach 
        legislation should avoid applying duplicative and inconsistent 
        requirements by providing a safe harbor for entities subject to 
        the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, 
        while not subjecting additional entities to these statutes.

  2.  Congress should not legislate technology standards. Since the 
        advent of electronic payments, payments technologies have 
        rapidly evolved to better protect consumer information and 
        further improve the efficiency of electronic payments. While 
        cybercrime has become increasingly complex, payments systems 
        have continued to make the investments in new technology 
        required to keep ahead of criminal efforts. Because future 
        cybercrimes are impossible to predict, payments systems need to 
        have the flexibility to quickly respond to new threats. Thus, 
        Congress should avoid mandating any particular technology 
        standards. Any standard Congress would adopt is likely to be 
        quickly rendered obsolete by new criminal tactics and, 
        therefore, could have the unintended consequence of restricting 
        the ability of payment systems to protect customer information 
        and the integrity of electronic commerce.

  3.  A layered approach to data security is the best strategy. There 
        is no one solution that will prevent every attempt by criminals 
        to steal data. Accordingly, in the same way that banks do not 
        rely solely on vaults to thwart bank robberies, but also 
        utilize in-house security guards, video cameras, and secure 
        facilities, payments systems need to deploy a layered approach 
        to data security. The utilization of multiple defenses--from 
        chip and tokenization to firewalls and encryption--is the best 
        strategy for minimizing data theft. Therefore, ETA recommends 
        that Congress not mandate a particular method of data security.

    We want to thank you for the opportunity to present this statement 
for the record on this important topic. If you have any questions about 
this statement or the issues discussed, please contact Jason Oxman, 
President of ETA.
                                 ______
                                 
                                      Department of Justice

            For Immediate Release--Monday, February 24, 2014

Attorney General Holder Urges Congress to Create National Standard for 
                         Reporting Cyberattacks

    WASHINGTON--In a video message released today, Attorney General 
Eric Holder called on Congress to create a strong, national standard 
for quickly alerting consumers whose information may be compromised by 
cyberattacks. This legislation would strengthen the Justice 
Department's ability to combat crime, ensure individual privacy, and 
prevent identity theft, while also helping to bring cybercriminals to 
justice.
    The complete text of the Attorney General's weekly address is 
available below:
    ``Late last year, Target--the second-largest discount retailer in 
the United States--suffered a massive data breach that may have 
compromised the personal information of as many as 70 million people, 
in addition to credit and debit card information of up to 40 million 
customers. The Department of Justice is currently investigating this 
breach, in close coordination with the U.S. Secret Service. And we are 
moving aggressively to respond to hacking, cyberattacks, and other 
crimes that harm American consumers--and expose personal or financial 
information to those who would take advantage of their fellow citizens.
    ``As we've seen--especially in recent years--these crimes are 
becoming all too common. And they have the potential to impact millions 
of Americans every year. Just days after the Target breach was made 
public, another major retailer--Neiman Marcus--reported that it also 
suffered a suspected cyberattack during the holiday season. And 
although Justice Department officials are working closely with the FBI 
and prosecutors across the country to bring cyber criminals to justice, 
it's time for leaders in Washington to provide the tools we need to do 
even more: by requiring businesses to notify American consumers and law 
enforcement in the wake of significant data breaches.
    ``Today, I'm calling on Congress to create a strong, national 
standard for quickly alerting consumers whose information may be 
compromised. This would empower the American people to protect 
themselves if they are at risk of identity theft. It would enable law 
enforcement to better investigate these crimes--and hold compromised 
entities accountable when they fail to keep sensitive information safe. 
And it would provide reasonable exemptions for harmless breaches, to 
avoid placing unnecessary burdens on businesses that do act 
responsibly.
    ``This legislation would strengthen the Justice Department's 
ability to combat crime and ensure individual privacy--while bringing 
cybercriminals to justice. My colleagues and I are eager to work with 
Members of Congress to refine and pass this important proposal. And we 
will never stop working to protect the American people--using every 
tool and resource we can bring to bear.''
    The full video is available at http://www.justice.gov/agwa.php
                                 ______
                                 
         Prepared Statement of the American Bankers Association
    Chairman Rockefeller, Ranking Member Thune, and members of the 
Committee, ABA appreciates the opportunity to submit for the record 
comments regarding the recent Target and other data security breaches. 
The ABA represents banks of all sizes and charters and is the voice for 
the Nation's $14 trillion banking industry and its two million 
employees.
    The subject of today's hearing, ``Protecting Personal Consumer 
Information from Cyber Attacks and Data Breaches,'' is an important 
one. Notwithstanding these recent breaches, our payment system remains 
strong and functional. No security breach seems to stop the $3 trillion 
that Americans spend safely and securely each year with their credit 
and debit cards. And with good reason: Customers can use these cards 
confidently because their banks protect them from losses by investing 
in technology to detect and prevent fraud, reissuing cards and 
absorbing fraud costs.
    At the same time, these breaches have reignited the long-running 
debate over consumer data security policy. ABA and the thousands of 
community, mid-size, regional, and large banks we represent recognize 
the paramount importance of a safe and secure payments system to our 
Nation and its citizens. We thank the Committee for holding this 
hearing and welcome the ongoing discussion. From ABA's perspective, 
Congress should examine the specific circumstances of the Target breach 
and the broader data security issues involved, and we stand ready as a 
resource to assist in your efforts.
    In our statement for the record we will focus on four main points:
  <bullet> Protecting consumers is the banking industry's first 
        priority. As the stewards of the direct customer relationship, 
        the banking industry's overarching priority in breaches like 
        that of Target's is to protect consumers and make them whole 
        from any loss due to fraud. Despite what others maintain, it is 
        the banking industry that reimburses consumers for any losses, 
        only later seeking reimbursement from the breached party.

  <bullet> A National data breach standard is essential. Consumers' 
        electronic payments are not confined by borders between states. 
        As such, a national standard for data security and breach 
        notification is of paramount importance.

  <bullet> All players in the payments systems, including retailers, 
        must significantly improve their internal security systems as 
        the criminal threat continues to evolve.

  <bullet> Protecting the Payments System is a Shared Responsibility. 
        Banks, retailers, processors, and all of the participants in 
        the payments system must share the responsibility of keeping 
        the system secure, reliable, and functioning in order to 
        preserve consumer trust. That responsibility should not fall 
        predominantly on the financial services sector.

    Before addressing each of these points in detail, it is important 
to understand the data security vulnerabilities in our system. The 
numbers are telling and point to the need for shared responsibility to 
fight off the continual attacks on data.
I. Data Security: Where are the Vulnerabilities?
    It is a sobering fact that, since January 2005, a total of over 
4,200 breaches exposing almost 600 million records have occurred 
nationwide. (Source: Identity Theft Resource Center) There were over 
600 reported data breaches during 2013 alone, an increase of 30 percent 
over 2012 and the third highest number of breaches over the last nine 
years. The two sectors reporting the highest number of breaches were 
the healthcare sector at 43 percent of reported breaches and the 
business sector, including merchants, which accounted for nearly 34 
percent of reported breaches.
    Moreover, the business sector, because of the Target breach, 
accounted for almost 82 percent of 2013's breached records. The 
Banking, Credit and Financial sector accounted for only 4 percent of 
all breaches and less than 2 percent of all breached records.\1\ 
However, in spite of the small percentage of actual data breaches, the 
Banking, Credit and Financial sector bears a disproportionate share of 
breach recovery and fraud expenses. This is a consistent trend since 
2005, where over this nine year period our sector accounted for 
approximately 8 percent of all reported breaches. The business sector 
accounted for approximately 36 percent and health care sector 
approximately 23 percent of all breaches over the same time period.
---------------------------------------------------------------------------
    \1\ 2013 Data Breach Category Summary, Identity Theft Resource 
Center, January 1, 2014, Available at: http://www.idtheftcenter.org/images/breach/2013/BreachStatsReportSummary2013.pdf
---------------------------------------------------------------------------

    [Chart omitted] Source: Identity Theft Resource Center

    These numbers point to the central challenge associated with 
breaches of financial account data or personally identifiable 
information: while the preponderance of data breaches occur at entities 
far removed from the banking sector, it is the bank's customer 
potentially at the end of the line who must be protected.
II. Protecting Consumers is Our First Priority
    While the facts of the Target breach remain fluid, the company has 
acknowledged that the breach occurred within its internal systems, 
affecting nearly 40 million credit and debit card accounts while also 
revealing the personally identifiable information (e.g., name, address, 
e-mail, telephone number) of potentially 70 million people. On average, 
the Target breach has affected 10 percent of every bank's credit and 
debit card customer base.
Paying for Fraud
    When a retailer like Target speaks of its customers having ``zero 
liability'' from fraudulent transactions, it is because our Nation's 
banks are making customers whole, not the retailer that suffered the 
breach. Banks are required to swiftly research and reimburse customers 
for unauthorized transactions, and normally exceed legal requirements 
by making customers whole within days of the customer alerting the bank 
of the fraud, if not immediately.\2\
---------------------------------------------------------------------------
    \2\ With traditional card payments, the rights and obligations of 
all parties are well-defined by Federal statute when an unauthorized 
transaction occurs. For example, Regulation E describes consumers' 
rights and card issuers' obligations when a debit card is used, while 
Regulation Z does so for credit card transactions. The payment networks 
also have well-established rules for merchants and issuers. For 
instance, while Regulation Z limits a customer's liability for 
unauthorized transactions on a lost or stolen credit card to $50, the 
card networks require issuers to provide their cardholders with zero 
liability.
---------------------------------------------------------------------------
    After the bank has reimbursed a customer for the fraudulent 
transaction, it can then attempt to ``charge-back'' the retailer where 
the transaction occurred. Unfortunately, the majority of these attempts 
are unsuccessful, with the bank ultimately shouldering the vast 
majority of fraud loss and other costs associated with the breach. 
Overall, for 2009, 62 percent of reported debit card fraud losses were 
borne by banks, while 38 percent were borne by merchants.\3\
---------------------------------------------------------------------------
    \3\ 2009 Interchange Revenue, Covered Issuer Cost, and Covered 
Issuer and Merchant Fraud Loss Related to Debit Card Transactions, June 
2011, Board of the Governors of the Federal Reserve System, available 
at: http://www.federalreserve.gov/paymentsystems/files/debitfees_costs.pdf
---------------------------------------------------------------------------
    It is an unfortunate truth that, in the end (and often well after 
the breach has occurred and the banks have made customers whole) banks 
generally receive pennies for each dollar of fraud losses and other 
costs that were incurred by banks in protecting their customers. This 
minuscule level of reimbursement, when taken in concert with the fact 
that banks bear over 60 percent of reported fraud losses yet have 
accounted for less than 8 percent of reported breaches since 2005 is 
clearly inequitable. We believe banks should be fully reimbursed for 
the costs they bear for breaches that occur elsewhere.
Reissuing and Ongoing Monitoring
    Each bank makes its own decision as to when and whether to reissue 
cards, which on average costs banks about $5 per card, but could be 
more. In the case of the Target breach, the decision of whether to 
reissue cards was made even more difficult considering the 
inconvenience this can cause during the holiday season: breach or no 
breach, many consumers would not have wanted their cards shut down 
leading up to Christmas. Those cards that have not been reissued are 
being closely monitored for fraudulent transactions. In some instances, 
banks gave customers an option of keeping their cards open through the 
holidays until they could reissue all cards in January or, if they were 
concerned, to shut their card down and be reissued a new card 
immediately.
    The Target compromise was also unique in terms of the high 
awareness of the ``Target'' name, the sheer number of people affected, 
and the media coverage of the event. In addition to proactively 
communicating with customers about the breach, bank call centers and 
branches have handled millions of calls and in-person inquiries 
regarding the card compromise. Many smaller and community banks have 
increased staffing to meet consumer demand. At the end of the day, 
consumers expect answers and to be protected by their bank, which is 
why they call us, not Target or whoever actually suffered the breach.
    We also remain vigilant to the potential for fraud to occur in the 
future as a result of the Target breach. Standard fraud mitigation 
methods banks use on an ongoing basis include monitoring transactions, 
reissuing cards, and blocking certain merchants or types of 
transactions, for instance, based on the location of the merchant or a 
transaction unusual for the customer. Most of us are familiar with that 
call from a card issuer rightfully questioning a transaction and having 
a card cancelled as a result. In many cases, however, the lifespan of 
compromised consumer data extends well beyond the weeks immediately 
following the breach itself. Just because the headlines fade away does 
not mean that banks can afford to relax their ongoing fraud protection 
and screening efforts. In addition, there are ongoing customer support 
issues as customers set up new card numbers for recurring transactions 
related to health club memberships and online stores such as iTunes.
III. A National Data Breach Standard is Essential
    In many instances, the identity of the entity that suffered the 
breach is either not known or, oftentimes, intentionally not revealed 
as there is no requirement to do so. Often, a retailer or other entity 
would rather pass the burden on to the affected consumers' banks rather 
than taking the reputational hit themselves. In such cases, the bank is 
put in the position of notifying their customers that their credit or 
debit card data is at risk without being able to divulge where the 
breach occurred. Many banks have expressed great frustration regarding 
this process, with their customers--absent better information--blaming 
the bank for the breach itself and inconvenience they are now 
suffering.
    Like the well-defined Federal regulations surrounding consumer 
protections for unauthorized credit or debit transactions, data breach 
notification for state and nationally-chartered banks is governed by 
the Gramm-Leach-Bliley Act and guidance from the Federal 
Financial Institutions Examination Council (FFIEC), requiring every 
bank to have a customer response program. Retail establishments have no 
comparable Federal requirements. In addition, not only are retailers, 
healthcare organizations, and others who suffer the majority of 
breaches not subject to Federal regulatory requirements in this space, 
no entity oversees them in any substantive way. Instead they are held 
to a wide variety of state data breach laws that aren't always 
consistent. Banks too must also abide by many of these state laws, 
creating a patchwork of breach notification and customer response 
standards that are confusing to consumers as well as to companies.
    Currently, 46 states, three U.S. territories, and the District of 
Columbia have enacted laws governing data security in some fashion, 
such as standards for data breach notification and for the safeguarding 
of consumer information. Although some of these laws are similar, many 
have inconsistent and conflicting standards, forcing businesses to 
comply with multiple regulations and leaving many consumers without 
proper recourse and protections.
    Establishing a national data security and notification law that 
brings others up to bank standards, requiring any business that 
maintains sensitive personal and financial information to implement, 
maintain, and enforce reasonable policies and procedures to protect the 
confidentiality and security of sensitive information from unauthorized 
use, would provide better protection for consumers nationwide.
    Our existing national payments system serves hundreds of millions 
of consumers, retailers, banks, and the economy well. It only stands to 
reason that such a system functions most effectively when it is 
governed by a consistent national data breach policy.
IV. All Players in the Payments System Must Improve Their Internal 
        Systems as the Criminal Threat Continues to Evolve
    While some details of the Target breach are still unknown, what is 
clear is that criminal elements responsible for such attacks are 
growing increasingly sophisticated in their efforts to breach the 
payments system. This disturbing evolution, as demonstrated by the 
Target breach, will require enhanced attention, resources, and 
diligence on the part of all payments system participants.
    The increased sophistication and prevalence of breaches caused by 
criminal attacks--as opposed to negligence or unintentional system 
breaches--is also borne out in a recent study by the Ponemon Institute. 
Evaluating annual breach trends, the Institute found that 2012 was the 
first year in which malicious or criminal attacks were the most 
frequently encountered root cause of data breaches by organizations in 
the study, at 41 percent.\4\
---------------------------------------------------------------------------
    \4\ 2013 Cost of Data Breach Study: United States, May 2013, 
Ponemon Institute, available at: http://www.symantec.com/content/en/us/about/media/pdfs/b-cost-of-a-data-breach-us-report-2013.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_markewire_linkedin_2013Jun_worldwide_CostofaDataBreach
---------------------------------------------------------------------------
    Emerging details of the Target breach are allowing us to see a 
troubling picture of the direction the criminal evolution is taking, 
and what it means for at-risk consumer data. For example:

   While Target's last public statement on the issue stated 
        that the PINs that were compromised as part of the breach were 
        encrypted, the company originally stated that PINs were not 
        compromised at all. If the PINs were unencrypted, this would be 
        particularly troubling, as that would make bank customer 
        accounts vulnerable to ATM cash withdrawals as well as 
        unauthorized purchases. We call on law enforcement and those in 
        the forensics process to be as transparent as possible in 
        outlining what are the precise threats to our customers.

   Even if the PINs that were breached were in fact encrypted, 
        there is still the potential that they could be decrypted, 
        placing our customers at just as much risk as if unencrypted 
        PINs had been captured.

   Banks also do not know the extent to which their customers' 
        bank account numbers, which are linked to Target's RedCard, 
        were compromised as a result of the breach. If this information 
        was compromised, customers could be vulnerable to unauthorized 
        Automated Clearing House (ACH) transactions directly from their 
        accounts.

   More generally, banks have also encountered significant 
        customer confusion as to the nature of Target's RedCard and the 
        bank's ability to help. Many believe the bank can cancel the 
        card and reissue it even though the card was issued by Target. 
        This confusion points to a broader problem with the emergence 
        of many non-traditional payments providers: customers have a 
        hard time understanding which payment entity is responsible for 
        what, and often just assume the bank is the responsible party.

    These threats to bank customer accounts point to the security 
vulnerabilities associated with non-traditional payments companies, 
such as Target, having direct linkages to the payments system without 
information security regulatory requirements comparable to that of 
financial institutions.
V. Protecting the Payments System is a Shared Responsibility
    While much has recently been made about the on-going disagreements 
between the retail community and the banking industry over who is 
responsible for protecting the payments system, in reality our Nation's 
payments system is made up of a wide variety of players: banks, card 
networks, retailers, processors, and even new entrants, such as Square, 
Google, and PayPal. Protecting this system is a shared responsibility 
of all parties involved and we need to work together and invest the 
necessary resources to combat increasingly sophisticated threats to 
breach the payments system.
    We must work together to combat the ever-present threat of criminal 
activity at our collective doorsteps. Inter-industry squabbles, like 
those over interchange, have had a substantial impact on bank resources 
available to combat fraud. Policymakers must examine that impact 
closely to ensure that the necessary resources are not diverted from 
addressing the real concern at hand--the security of our Nation's 
payment system and the need to protect consumers. All participants must 
invest the necessary resources to combat this threat.
    In the wake of this breach, there has been significant discussion 
over how to enhance payment card security, focusing on the 
implementation of chip-based security technology known as EMV.\5\ This 
technology makes it much harder for criminals to create duplicate cards 
or make sense of encrypted data that they steal.
---------------------------------------------------------------------------
    \5\ EMV stands for Europay, Mastercard, and Visa, the developers of 
a global standard for inter-operation of integrated circuit, or 
``chip'' cards and chip card compatible point-of-sale terminals and 
automated teller machines.
---------------------------------------------------------------------------
    We encourage the implementation of chip technology, both on the 
card and at the point-of-sale. In fact, the rollout of this technology 
in the U.S. is well underway, with the next set of deadlines for banks 
and retailers coming in late 2015. It takes time for full 
implementation of chip technology in the U.S., as our country supports 
the largest economy in the world, with over 300 million customers, 8 
million retailers, and 14,000 financial institutions.
    Even though EMV is an important step in the right direction, there 
is no panacea for the ever-changing threats that exist today. For 
instance, EMV technology would not have prevented the potential harm of 
the Target breach to the 70 million customers that had their name, 
address, e-mail, and/or telephone number compromised. Moreover, EMV 
technology will help to address potential fraud at the point-of-sale, 
but it does not address on-line security, nor is it a perfect solution 
even at the point-of-sale as criminal efforts evolve. Because it is 
impossible to anticipate what new challenges will come years from now, 
we must therefore be cautious not to embrace any ``one'' solution as 
the answer to all concerns.
VI. The Path Forward
    Any system is only as strong as its weakest link. The same 
certainly holds true in our rapidly-changing consumer payments 
marketplace. The innovations that are driving the industry forward and 
presenting consumers with exciting new methods of making purchases are 
also rapidly expanding beyond the bounds of our existing regulatory and 
consumer protection regimes. And, as has historically been the case, 
the criminals are often one step ahead as the marketplace searches for 
consensus. That said, there are several positive steps policymakers can 
take to facilitate a higher level of security for consumers going 
forward. For example:
    Raise all participants in the payments system to comparable levels 
of security. Security within the payments system is currently uneven. 
In addition to adhering to the Payment Card Industry Data Security 
Standards, banks and other financial institutions are also subject to 
significantly higher information security requirements than others that 
facilitate electronic payments and house bank customer payment data.\6\ 
More must be done to buttress and enforce the current regulatory 
requirements that merchants face.
---------------------------------------------------------------------------
    \6\ For instance, banks are subject to the information security 
requirements contained within the Gramm-Leach-Bliley Act, the FFIEC Red 
Flag Rules regarding identity theft, and are continually examined 
against these requirements.
---------------------------------------------------------------------------
    Establish a national data security breach and notification 
standard. A national data breach standard, replacing the current 
patchwork of state laws and establishing one set of national 
requirements, would provide better and more consistent protection for 
consumers nationwide.
    Make those responsible for data breaches responsible for their 
costs. Banks bear the majority of costs associated with the fraud 
caused by breaches even though our industry is responsible for only a 
small percentage of the breaches that have occurred since 2005. When 
any entity--be it a bank, merchant, college or hospital--is responsible 
for a breach that compromises customer payment data or personally 
identifiable information, that entity should be responsible for the 
range of costs associated with that breach to the extent it was not 
adhering to the necessary security requirements.
    Increase the speed and transparency with which the results of 
forensic investigations are shared with the financial community. When a 
breach occurs, there is much banks and others do not know and are not 
told for extended periods of time regarding the vulnerability of 
certain aspects of their customers' data. Similar to the robust manner 
in which banks and law enforcement currently share other cybersecurity 
threat data, we must examine ways to share the topline threat data from 
merchant and other breaches that does not impede the overall 
investigation. For example, banks and payment networks currently share 
an increasing amount of cybersecurity threat and fraud information 
through groups such as the Financial Services Information Sharing and 
Analysis Center and other groups within ABA. Our efforts would be 
greatly enhanced if that information sharing capacity expanded to 
include the merchant community. We would welcome such expansion and 
look forward to working collectively with merchants to combat our 
common adversaries.
    Banks are committed to doing our share, but cannot be the sole 
bearer of that responsibility. Policymakers, card networks, and all 
industry participants have a vital role to play in addressing the 
regulatory gaps that exist in our payments system, and we stand ready 
to assist in that effort. Thank you for giving ABA the opportunity to 
provide this statement. We look forward to continuing to work with 
Congress to enhance the security of our Nation's payment system, and 
maintain the trust and confidence hundreds of millions of Americans 
place in it every day.
                                 ______
                                 
          Prepared Statement of the National Retail Federation
    Chairman Rockefeller, Ranking Member Thune, members of the 
Committee, on behalf of the National Retail Federation (NRF) we want to 
thank you for giving us this opportunity to provide you with these 
comments on data security and protecting Americans' financial 
information. NRF is the world's largest retail trade association, 
representing discount and department stores, home goods and specialty 
stores, Main Street merchants, grocers, wholesalers, chain restaurants 
and Internet retailers from the United States and more than 45 
countries. Retail is the Nation's largest private sector employer, 
supporting one in four U.S. jobs--42 million working Americans. 
Contributing $2.5 trillion to annual GDP, retail is a daily barometer 
for the Nation's economy.
    Collectively, retailers spend billions of dollars safeguarding 
consumers' data and fighting fraud. Data security is something that our 
members strive to improve every day. Virtually all of the data breaches 
we've seen in the United States during the past couple of months--from 
those at retailers that have been prominent in the news to those at 
banks and card network companies that have received less attention--
have been perpetrated by criminals that are breaking the law. All of 
these companies are victims of these crimes and we should keep that in 
mind as we explore this topic and public policy initiatives relating to 
it.
    This issue is one that we urge the Committee to examine in a 
holistic fashion: we need to reduce fraud. That is, we should not be 
satisfied with deciding what to do after a data breach occurs--who to 
notify and how to assign liability. Instead, it's important to look at 
why such breaches occur and what the perpetrators get out of them so 
that we can find ways to reduce and prevent not only the breaches 
themselves, but the fraudulent activity that is often the goal of these 
events. If breaches become less profitable to criminals then they will 
dedicate fewer resources to committing them and our goals will become 
more achievable.
    With that in mind, these comments are designed to provide some 
background on data breaches and on fraud, explain how these events 
interact with our payments system, discuss some of the technological 
advancements that could improve the current situation, raise some ways 
to achieve those improvements, and then discuss the aftermath of data 
breaches and some ways to approach things when problems do occur.
Data Breaches in the United States
    Unfortunately, data breaches are a fact of life in the United 
States. In its 2013 data breach investigations report, Verizon analyzed 
more than 47,000 security incidents and 621 confirmed data breaches 
that took place during the prior year. Virtually every part of the 
economy was hit in some way: 37 percent of breaches happened at 
financial institutions; 24 percent happened at retail; 20 percent 
happened at manufacturing, transportation and utility companies; and 20 
percent happened at information and professional services firms.
    It may be surprising to some given recent media coverage that more 
data breaches occur at financial institutions than at retailers. And, 
it should be noted, even these figures obscure the fact that there are 
far more merchants that are potential targets of criminals in this 
area. There are hundreds of times as many merchants accepting card 
payments in the United States than there are financial institutions 
issuing and processing those payments. So, proportionally, and not 
surprisingly, the thieves focus far more often on banks which have our 
most sensitive financial information--including not just card account 
numbers but bank account numbers, social security numbers and other 
identifying data that can be used to steal identities beyond completing 
some fraudulent transactions.
    [Chart omitted] Source: 2013 Data Breach Investigations Report, Verizon

    Nearly one-fifth of all of these breaches were perpetrated by 
state-affiliated actors connected to China. Three in four breaches were 
driven by financial motives. Two-thirds of the breaches took months or 
more to discover and 69 percent of all breaches were discovered by 
someone outside the affected organization.\1\
---------------------------------------------------------------------------
    \1\ 2013 Data Breach Investigations Report, Verizon.
---------------------------------------------------------------------------
    These figures are sobering. There are far too many breaches. And, 
breaches are often difficult to detect and carried out in many cases by 
criminals with real resources behind them. Financially focused crime 
seems to most often come from organized groups in Eastern Europe rather 
than state-affiliated actors in China, but the resources are there in 
both cases. The pressure on our financial system due to the overriding 
goal of many criminals intent on financial fraud is acute. We need to 
recognize that this is a continuous battle against determined 
fraudsters and be guided by that reality.
Background on Fraud
    Fraud numbers raise similar concerns. Just a year ago, Forbes found 
that Mexico and the United States were at the top of the charts 
worldwide in credit and debit card fraud.\2\ And fraud losses in the 
United States have been going up in recent years while some other 
countries have had success reducing their fraud rates. The United 
States in 2012 accounted for nearly 30 percent of credit and debit card 
charges but 47 percent of all fraud losses.\3\ Credit and debit card 
fraud losses totaled $11.27 billion in 2012.\4\ And retailers spend 
$6.47 billion trying to prevent card fraud each year.\5\
---------------------------------------------------------------------------
    \2\ ``Countries with the most card fraud: U.S. and Mexico,'' Forbes 
by Halah Touryalai, Oct. 22, 2012.
    \3\ ``U.S. credit cards, chipless and magnetized, lure global 
fraudsters,'' by Howard Schneider, Hayley Tsukayama and Amrita 
Jayakumar, Washington Post, January 21, 2014.
    \4\ ``Credit Card and Debit Card Fraud Statistics,'' CardHub 2013, 
available at http://www.cardhub.com/edu/credit-debit-card-fraud-statistics/.
    \5\ Id.
---------------------------------------------------------------------------
    Fraud is particularly devastating for retailers in the United 
States. LexisNexis and Javelin Strategy & Research have published an 
annual report on the ``True Cost of Fraud'' each year for the last 
several years. The 2009 report found, for example, that retailers 
suffer fraud losses that are 10 times higher than financial 
institutions and 20 times the cost incurred by consumers. This study 
covered more than just card fraud and looked at fraudulent refunds/
returns, bounced checks, and stolen merchandise as well. Of the total, 
however, more than half of what merchants lost came from unauthorized 
transactions and card chargebacks.\6\ The founder and President of 
Javelin Strategy, James Van Dyke, said at the time, ``We weren't 
completely surprised that merchants are paying more than half of the 
share of the cost of unauthorized transactions as compared to financial 
institutions. But we were very surprised that it was 90-10.'' \7\ 
Similarly, Consumer Reports wrote in June 2011, ``The Mercator report 
estimates U.S. card issuers' total losses from credit-and debit-card 
fraud at $2.4 billion. That figure does not include losses that are 
borne by merchants, which probably run into tens of billions of dollars 
a year.'' \8\
---------------------------------------------------------------------------
    \6\ A fraud chargeback is when the card-issuing bank and card 
network take the money for a transaction away from the retailer so that 
the retailer pays for the fraud.
    \7\ ``Retailers are bearing the brunt: New report suggests what 
they can do to fight back,'' by M.V. Greene, NRF Stores, Jan. 2010.
    \8\ ``House of Cards: Why your accounts are vulnerable to 
thieves,'' Consumer Reports, June 2011.
---------------------------------------------------------------------------
    Online fraud is a significant problem. It has jumped 36 percent 
from 2012 to 2013.\9\ In fact, estimates are that online and other 
fraud in which there is no physical card present accounts for 90 
percent of all card fraud in the United States.\10\ And, not 
surprisingly, fraud correlates closely with data breaches among 
consumers. More than 22 percent of breach victims suffered fraud while 
less than 3 percent of consumers who didn't have their data breached 
experienced fraud.\11\
---------------------------------------------------------------------------
    \9\ 2013 True Cost of Fraud, LexisNexis at 6.
    \10\ ``What you should know about the Target case,'' by Penny 
Crosman, American Banker, Jan. 23, 2014.
    \11\ 2013 True Cost of Fraud, LexisNexis at 20.
---------------------------------------------------------------------------

    [Chart omitted] Source: 2013 True Cost of Fraud, LexisNexis

    These numbers provide insights as to how to get to the right 
solutions of better safeguarding consumer and cardholder data and the 
need to improve authentication of transactions to protect against 
fraud. But before delving into those areas, some background on our 
payments system could be helpful.
The Payments System
    Payments data is sought in breaches more often than any other type 
of data.\12\ Now, every party in the payment system, financial 
institutions, networks, processors, retailers and consumers, has a role 
to play in reducing fraud. However, although all parties have a 
responsibility, some of those parties are integral to the system's 
design and promulgation while others, such as retailers and consumers, 
must work with the system as it is delivered to them.
---------------------------------------------------------------------------
    \12\ 2013 Data Breach Investigations Report, Verizon at 445, figure 
35.
---------------------------------------------------------------------------
    As the following chart shows, while the banks are intimately 
connected to Visa and MasterCard, merchants and consumers have 
virtually no role in designing the payment system. Rather, they are 
bound to it by separate agreements issued by financial intermediaries.

    [Chart omitted: structure of the payments system] Typically, the 
contract between a merchant bank and its retailers requires 
retailers to reimburse the merchant bank for any costs, penalties, or fees 
imposed by the system on the merchant bank (including chargebacks--
i.e., disputed charges--and costs of data breaches).

    Thus consumers are obligated to keep their cards safe and secure in 
their wallets and avoid misuse, but must necessarily turn their card 
data over to others in order to effectuate a transaction. Retailers are 
likewise obligated to collect and protect the card data they receive, 
but are obligated to deliver it to processors in order to complete a 
transaction, resolve a dispute or process a refund. In contrast, those 
inside the triangle have much more systemic control.
    For example, retailers are essentially at the mercy of the dominant 
credit card companies when it comes to protecting payment card data. 
The credit card networks--Visa, MasterCard, American Express, Discover 
and JCB--are responsible for an organization known as the PCI (which 
stands for Payment Card Industry) data security council. PCI 
establishes data security standards (PCI-DSS) for payment cards. While 
well intentioned in concept, these standards have not worked quite as 
well in practice. They have been inconsistently applied, and their 
avowed purpose has been significantly altered.
    PCI has in critical respects over time pushed card security costs 
onto merchants even when other decisions might have more effectively 
reduced fraud--or done so at lower cost. For example, retailers have 
long been required by PCI to encrypt the payment card information that 
they have. While that is appropriate, PCI has not required financial 
institutions to be able to accept that data in encrypted form. That 
means the data often has to be de-encrypted at some point in the 
process in order for transactions to be processed.
    Similarly, merchants are expected to annually demonstrate PCI 
compliance to the card networks, often at considerable expense, in 
order to benefit from a promise that the merchants would be relieved of 
certain fraud inherent in the payment system, which PCI is supposed to 
prevent. However, certification by the networks as PCI Compliant 
apparently has not been able to adequately contain the growing fraud 
and retailers report that the ``promise'' increasingly has been 
abrogated or ignored. Unfortunately, as card security expert Avivah 
Litan of Gartner Research wrote recently, ``The PCI (Payment Card 
Industry) security standard has largely been a failure when you 
consider its initial purpose and history.'' \13\
---------------------------------------------------------------------------
    \13\ ``How PCI Failed Target and U.S. Consumers,'' by Avivah Litan, 
Gartner Blog Network, Jan. 20, 2014, available at http://
blogs.gartner.com/avivah-litan/2014/01/20/how-pci-failed-target-and-u-
s-consumers/.
---------------------------------------------------------------------------
    PCI has not addressed many obvious deficiencies in cards 
themselves. There has been much attention to the fact that the United 
States is one of the last places on earth to put card information onto 
magnetic stripes on the backs of cards that can easily be read and can 
easily be counterfeited (in part because that data is static and 
unchanging). We need to move past magstripe technology.
    But, before we even get to that question, we need to recognize that 
sensitive card data is right on the front of the card, embossed with 
prominent characters. Simply seeing the front of a card is enough for 
some fraudsters and there have been fraud schemes devised to trick 
consumers into merely showing someone their cards. While having the 
embossed card number on the front of the card might have made sense in 
the days of knuckle-buster machines and carbon copies, those days are 
long passed.
    In fact, cards include the cardholder's name, card number, 
expiration date, signature and card verification value (CVV) code. 
Everything a fraudster needs is right there on the card. The bottom 
line is that cards are poorly designed and fraud-prone products that 
the system has allowed to continue to proliferate.
    PCI has also failed to require that the identity of the cardholder 
is actually verified or authenticated at the time of the transaction. 
Signatures don't do this. Not only is it easy to fake a signature, but 
merchants are not allowed by the major card networks to reject a 
transaction based on a deficient signature. So, the card networks 
clearly know a signature is a useless gesture which proves nothing more 
than that someone was there purporting to be the cardholder.
    The use of personal identification numbers (PINs) has actually 
proven to be an effective way to authenticate the identity of the 
cardholder. PIN numbers are personal to each cardholder and do not 
appear on the cards themselves. While they are certainly not perfect, 
their use is effective at reducing fraud. On debit transactions, for 
example, PIN transactions have one-sixth the amount of fraud losses 
that signature transactions have.\14\ But PINs are not required on 
credit card transactions. Why? From a fraud prevention perspective, 
there is no good answer except that the card networks which set the 
issuance standards have failed to protect people in a very basic way.
---------------------------------------------------------------------------
    \14\ See 77 Fed. Reg. 46261 (Aug. 3, 2012) reporting $1.11 billion 
in signature debit fraud losses and $181 million in PIN debit fraud 
losses.
---------------------------------------------------------------------------
    As noted by LexisNexis, merchant fraud costs are much higher than 
banks' fraud costs. When credit or debit card fraud occurs, Visa and 
MasterCard have pages of rules providing ways that banks may be able to 
charge back the transaction to the retailer (which is commonly referred 
to as a ``chargeback''). That is, the bank will not pay the retailer 
the money for the fraudulent transaction even though the retailer 
provided the consumer with the goods in question. When this happens, 
and it happens a lot, the merchant loses the goods and the money on the 
sale. According to the Federal Reserve, this occurs more than 40 
percent of the time when there is fraud on a signature debit 
transaction,\15\ and our members tell us that the percentage is even 
higher on credit transactions. In fact, for online transactions, which 
as noted account for 90 percent of fraud, merchants pay for the vast 
majority of fraudulent transactions.\16\
---------------------------------------------------------------------------
    \15\ Id. at 46262.
    \16\ Merchants assume 74 percent of fraud losses for online and 
other card-not-present signature debit transactions. 77 Fed. Reg. 
46262.
---------------------------------------------------------------------------
    Retailers have spent billions of dollars on card security measures 
and upgrades to comply with PCI card security requirements, but it 
hasn't made them immune to data breaches and fraud. The card networks 
have made those decisions for merchants and the increases in fraud 
demonstrate that their decisions have not been as effective as they 
should have been.
Improved Technology Solutions
    There are technologies available that could reduce fraud. An 
overhaul of the fraud-prone cards that are currently used in the U.S. 
market is long overdue. As I noted, requiring the use of a PIN is one 
way to reduce fraud. Doing so takes a vulnerable piece of data (the 
card number) and makes it so that it cannot be used on its own. This 
ought to happen not only in the brick-and-mortar environment in which a 
physical card is used but also in the online environment in which the 
physical card does not have to be used. Canada, for example, is 
exploring the use of a PIN for online purchases. The same should be 
true here. Doing so would help directly with the 90 percent of U.S. 
fraud which occurs online. It is not happenstance that automated teller 
machines (ATMs) require the entry of a PIN before dispensing cash. 
Using the same payment cards for purchases should be just as secure as 
using them at ATMs.
    Protecting all cards with a PIN instead of a signature is the 
single most important fraud protection step that could be taken 
quickly. It's proven, it's effective, and it's relatively easily 
implementable. PIN debit cards are close to ubiquitous worldwide, and 
readily producible in the U.S. Chip is a desirable add-on. If speed of 
implementation is of importance, then substituting PIN for signature is 
preferable to implementing Chip. More than twice as many U.S. terminals 
are ready to accept PIN cards today than are chip ready. Despite this, 
one major card brand continues to denigrate PINs in favor of signature, 
in part because they can collect more fees with fraud-prone signature 
transactions.\17\
---------------------------------------------------------------------------
    \17\ See Appendix A. This document was unsealed in 2010 from the 
record of the In re Visa Check/MasterMoney antitrust litigation.
---------------------------------------------------------------------------
    Cards should also be smarter and use dynamic data rather than 
magnetic stripes. In much of the world this is done using computer 
chips that are integrated into physical credit and debit cards. It is 
important to note, however, that there are many types of technologies 
that may be employed to make this upgrade. EMV, which is an acronym for 
Europay, MasterCard and Visa, is merely one particular proprietary 
technology. As the name indicates, EMV was established by Europay, 
MasterCard and Visa. A proprietary standard could be a detriment to the 
other potentially competitive networks.\18\ Adopting a closed system, 
such as EMV, means we are locking out the synergistic benefits of 
competition.
---------------------------------------------------------------------------
    \18\ There are issues with EMV because the technology is just one 
privately owned solution. For example, EMV includes specifications for 
near field communications that would form the technological basis of 
Visa and MasterCard's mobile payments solutions. That raises serious 
antitrust concerns for retailers because we are just starting to get 
some competitors exploring mobile payments. If the currently dominant 
card networks are able to lock-in their proprietary technology in a way 
that locks-out competition in mobile payments, that would be a bad 
result for merchants and consumers who might be on the verge of 
enjoying the benefits of some new innovations and competition.
    So, while chip cards would be a step forward in terms of improving 
card products, if EMV is forced as the chip card technology that must 
be used--rather than an open-source chip technology which would 
facilitate competition and not predetermine mobile payment market-
share--it could be a classic case of one step forward and two steps 
backward.
---------------------------------------------------------------------------
    But even within that closed framework, it should also be noted that 
everywhere in the world that EMV has been deployed to date the card 
networks have required that the cards be used with a PIN. That makes 
sense. But here, the dominant card networks are proposing to force 
chips (or even EMV) on the U.S. market without requiring PIN 
authentication. Doing that makes no sense and loses a significant part 
of the fraud prevention benefits of chip technology. To do otherwise 
would mean that merchants would spend billions to install new card 
readers without them or their customers obtaining PINs' fraud-reducing 
benefits. We would essentially be spending billions to combine a 1990s 
technology (chips) with a 1960s relic (signature) in the face of 21st 
century threats.
    Another technological solution that could help deter and prevent 
data breaches and fraud is encryption. Merchants are already required 
by PCI standards to encrypt cardholder data but, as noted earlier, not 
everyone in the payments chain is required to be able to accept data in 
encrypted form. That means that data may need to be de-encrypted at 
some points in the process. Experts have called for a change to require 
``end-to-end'' (or point-to-point) encryption which is simply a way to 
describe requiring everyone in the payment-handling chain to accept, 
hold and transmit the data in encrypted form.
    According to the September 2009 issue of the Nilson Report ``most 
recent cyberattacks have involved intercepting data in transit from the 
point of sale to the merchant or acquirer's host, or from that host to 
the payments network.'' The reason this often occurs is that ``data 
must be decrypted before being forwarded to a processor or acquirer 
because Visa, MasterCard, American Express, and Discover networks can't 
accept encrypted data at this time.'' \19\
---------------------------------------------------------------------------
    \19\ The Nilson Report, Issue 934, Sept. 2009 at 7.
---------------------------------------------------------------------------
    Keeping sensitive data encrypted throughout the payments chain 
would go a long way to convincing fraudsters that the data is not worth 
stealing in the first place--at least, not unless they were prepared to 
go through the arduous task of trying to de-encrypt the data which 
would be necessary in order to make use of it. Likewise, using PIN-
authentication of cardholders now would offer some additional 
protection against fraud should this decrypted payment data be 
intercepted by a criminal during its transmission ``in the clear.''
    Tokenization is another variant that could be helpful. Tokenization 
is a system in which sensitive payment card information (such as the 
account number) is replaced with another piece of data (the ``token''). 
Sensitive payment data could be replaced with a token to represent each 
specific transaction. Then, if a data breach occurred and the token 
data were stolen, it could not be used in any other transactions 
because it was unique to the transaction in question. This technology 
has been available in the payment card space since at least 2005.\20\ 
Still, tokenization is not a panacea, and it is important that 
whichever form is adopted be an open standard so that a small number of 
networks not obtain a competitive advantage, by design, over other 
payment platforms.
---------------------------------------------------------------------------
    \20\ For information on Shift4's 2005 launch of tokenization in the 
payment card space see http://www.internetretailer.com/2005/10/13/
shift4-launches-security-tool-that-lets-merchants-re
-use-credit.
---------------------------------------------------------------------------
    In many models tokenization occurs ``after the fact''--generally 
post authorization. Thus some fraud risk remains. To deal with this, 
point-to-point encryption is preferred and would be complementary to 
tokenization. The former would occur between the card being read and 
the assignment of a token. From the merchant's perspective, 
tokenization involves significant operational changes and could carry 
significant out-of-pocket costs. Despite that, for the majority of 
transactions, tokenization still may not address both ends of the 
security/authentication equation as well as would PIN and Chip. It has 
greatest utility in the 6 percent of transactions that currently do not 
occur face-to-face. Consequently, while point-to-point encryption and 
tokenization could be valuable adjuncts to PIN and Chip authentication, 
they are not a substitute.
    In addition, in some configurations, mobile payments offer the 
promise of greater security as well. In the mobile setting, consumers 
won't need to have a physical card--and they certainly won't replicate 
the security problem of physical cards by embossing their account 
numbers on the outside of their mobile phones. It should be easy for 
consumers to enter a PIN or password to use payment technology with 
their smart phones. Consumers are already used to accessing their 
phones and a variety of services on them through passwords. Indeed, if 
we are looking to leapfrog the already aging current technologies, 
mobile-driven payments may be the answer.
    Indeed, as much improved as they are, chips are essentially dumb 
computers. Their dynamism makes them significantly more advanced than 
magstripes, but their sophistication pales in comparison with the 
common smartphone. Smartphones contain computing powers that could 
easily enable comparatively state-of-the-art fraud protection 
technologies. The phones soon may be nearly ubiquitous, and if their 
payment platforms are open and competitive, they will only get better.
    The dominant card networks have not made all of the technological 
improvements suggested above to make the cards issued in the United 
States more resistant to fraud, despite the availability of the 
technology and their adoption of it in many other developed countries 
of the world, including Canada, the United Kingdom, and most countries 
of Western Europe.
    In this section, we have merely described some of the solutions 
available, but the United States isn't using any of them the way that 
it should be. While everyone in the payments space has a responsibility 
to do what they can to protect against fraud and data theft, the card 
networks have arranged the establishment of the data security 
requirements and yet, in light of the threats, there is much left to be 
desired.
A Better System
    How can we make progress toward the types of solutions that would 
reduce the crimes of data theft and fraud? One thing seems clear at 
this point: we won't get there by doing more of the same. We need PIN-
authentication of card holders, regardless of the chip technology used 
on newly issued cards. We also need chip cards that use open standards 
and allow for competition among payment networks as we move into a 
world of growing mobile commerce. Finally, we need companies throughout 
the payment system to work together on achieving end-to-end encryption 
so that there are no weak links in the system where sensitive card 
payment information may be acquired more easily than in other parts of 
the system.
Steps Taken by Retailers After Discovery of a Breach of Security
    In our view, it is after a fulsome evaluation of data breaches, 
fraud, the payments system and how to improve each of those areas in 
order to deter and prevent problems that we should turn to the issue of 
what to do when breaches occur. Casting blame and trying to assign 
liability is, at best, putting the cart before the horse and, at worst, 
an excuse for some actors to ignore their own responsibility for trying 
to prevent these crimes.
    One cannot reasonably demand greater security of a system than the 
system is reasonably capable of providing. Some participants act as if 
the system is more robust than it is. Currently, when the existing card 
products are hit in a criminal breach, that company is threatened from 
many sides. The threats come from entities seeking to exact fines and 
taking other penalizing action even before the victimized company can 
secure its network from further breaches and determine through a 
forensic analysis what has happened in order to notify potentially 
affected customers. For example, retailers that have suffered a breach 
are threatened with fines for the breach based on allegations of non-
compliance with PCI rules (even when the company has been certified as 
PCI-compliant). Other actors may expect the breached party to pay for 
all of the fraudulent transactions that take place on card accounts 
that were misused, even though the design of the cards facilitated 
their subsequent counterfeiting. Indeed, some have seriously suggested 
that retailers reimburse financial institutions for the cost of 
reissuing more fraud-prone cards. And, as a consequence of the breach, 
some retailers must then pay higher fees on their card transactions going 
forward. Retailers pay for these breaches over and over again, despite 
oftentimes being victims of sophisticated criminal methods not 
reasonably anticipated prior to the attack.
    Breaches require retailers to devote significant resources to 
remedy the breach, help inform customers and take preventative steps to 
ward off future attacks and any other potential vulnerabilities 
discovered in the course of the breach investigation. Weeks or months 
of forensic analysis may be necessary to definitively discover the 
cause and scope of the breach. Any discovered weaknesses must be shored 
up. Quiet and cooperative law enforcement efforts may be necessary in 
an effort to identify and capture the criminals. Indeed, law 
enforcement may temporarily discourage publication of the breach so as 
to not alert the perpetrators that their efforts have been detected.
    It is worth noting that in some of these cases involving payment 
card data, retailers discover that they actually were not the source of 
the breach and that someone else in the payments chain was victimized 
or the network intrusion and theft occurred during the transmission of 
the payment card data between various participants in the system. For 
this reason, early attempts to assign blame and shift costs are often 
misguided and policy makers should take heed of the fact that often the 
earliest reports are the least accurate. Additionally, policy makers 
should consider that there is no independent organization devoted to 
determining where a breach occurred, and who is to blame--these 
questions are often raised in litigation that can last for years. This 
is another reason why it is best to at least wait until the forensic 
analysis has been completed to determine what happened. Even then, 
there may be questions unanswered if the attack and technology used was 
sophisticated enough to cover the criminals' digital tracks.
    The reality is that when a criminal breach occurs, particularly in 
the payments system, all of the businesses that participate in that 
system and their shared customers are victimized. Rather than resort to 
blame and shame, parties should work together to ensure that the breach 
is remedied and steps are taken to prevent future breaches of the same 
type and kind.
Legislative Solutions
    In addition to the marketplace and technological solutions 
suggested above, NRF also supports a range of legislative solutions 
that we believe would help improve the security of our networked 
systems, ensure better law enforcement tools to address criminal 
intrusions, and standardize and streamline the notification process so 
that consumers may be treated equally across the Nation when it comes 
to notification of data security breaches.
    From many consumers' perspective payment cards are payment cards. 
As has been often noted, consumers would be surprised to learn that 
their legal rights, when using a debit card--i.e. their own money--are 
significantly less than when using other forms of payment, such as a 
credit card. It would be appropriate if policy makers took steps to 
ensure that consumers' reasonable expectations were fulfilled, and they 
received at least the same level of legal protection when using their 
debit cards as they do when paying with credit.
    In addition, NRF supports the passage by Congress of the bipartisan 
``Cyber Intelligence Sharing and Protection Act'' (H.R. 624) so that 
the commercial sector can lawfully share information about cyber-
threats in real-time and enable companies to defend their own networks 
as quickly as possible from cyber-attacks as soon as they are detected 
elsewhere by other business.
    We also support legislation that provides more tools to law 
enforcement to ensure that unauthorized network intrusions and other 
criminal data security breaches are thoroughly investigated and 
prosecuted, and that the criminals that breach our systems to commit 
fraud with our customers' information are swiftly brought to justice.
    Finally, and for nearly a decade, NRF has supported passage of 
legislation that would establish one, uniform Federal breach 
notification law that would be modeled on, and preempt, the varying 
breach notification laws currently in operation in 46 states, the 
District of Columbia and Federal territories. A Federal law could 
ensure that all entities handling the same type of sensitive consumer 
information, such as payment card data, are subject to the same 
statutory rules and penalties with respect to notifying consumers of a 
breach affecting that information. Further, a preemptive Federal breach 
notification law would allow retailers and other businesses that have 
been victimized by a criminal breach to focus their resources on 
remedying the breach and notifying consumers rather than hiring outside 
legal assistance to help guide them through the myriad and sometimes 
conflicting set of 50 data breach notification standards in the state 
and Federal jurisdictions. Additionally, the use of one set of 
standardized notice rules would permit the offering to consumers of the 
same notice and the same rights regardless of where they live.
Conclusion
    In closing three points are uppermost.
    First, retailers take the increasing incidence of payment card 
fraud very seriously. We do so as Main Street members of the community, 
because it affects our neighbors and our customers. We do so as 
businesses, because it affects the bottom line. Merchants already bear 
at least an equal, and often a greater, cost of fraud than any other 
participant in the payment card system. We have every reason to want to 
see fraud reduced, but we have only a portion of the ability to make 
that happen. We did not design the system; we do not configure the 
cards; we do not issue the cards. We will work to effectively upgrade 
the system, but we cannot do it alone.
    Second, the vast majority of breaches are criminal activity. The 
hacked party, whether a financial institution, a card network, a 
processor, a merchant, a governmental institution, or a consumer is the 
victim of a crime. Traditionally, we don't blame the victim of violence 
for the resulting stains; we should be similarly cautious about 
penalizing the hackee for the hack. The payment system is complicated. 
Every party has a role to play; we need to play it together. No system 
is invulnerable to the most sophisticated and dedicated of thieves. 
Consequently, eliminating all fraud is likely to remain an aspiration. 
Nevertheless, we will do our part to help achieve that goal.
    Third, it is long past time for the U.S. to adopt PIN and chip card 
technology. The PIN authenticates and protects the consumer and the 
merchant. The chip authenticates the card to the bank. If the goal is 
to reduce fraud we must, at a minimum, do both.
                               Appendix A
                              Exhibit 499

    [Exhibit 499 not reproduced in this text version.]

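    Editor's added example (not part of the NRF statement, the hearing 
record, or any processor's or vendor's product): the per-transaction 
tokenization model described above under ``Improved Technology 
Solutions,'' written in Python. A hypothetical processor-side vault issues 
a random token bound to a single transaction; the merchant persists only 
the token and the last four digits, so a dump of the merchant's records 
yields no account number, and replaying the token under a different 
transaction is refused. The vault and merchant classes are constructed 
for this illustration, and the account number is the standard 4111... 
test number, not a real account. The example covers tokenization only; 
the window between the card read and the assignment of a token, which 
the statement says point-to-point encryption should close, is not 
modeled here.

```python
"""Per-transaction tokenization with a processor-side vault (added example).

Everything here is constructed for illustration: the vault and merchant classes
are hypothetical, and the account number is the well-known 4111... test number.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation of a primary account number (digits only)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Hypothetical processor-side vault: the only place the PAN<->token map exists."""
    _entries: dict = field(default_factory=dict)   # token -> (pan, txn_id)

    def tokenize(self, pan: str, txn_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        token = secrets.token_hex(16)   # random; nothing about the PAN is derivable from it
        self._entries[token] = (pan, txn_id)
        return token

    def detokenize(self, token: str, txn_id: str) -> Optional[str]:
        """Release the PAN only for the transaction the token was issued for."""
        entry = self._entries.get(token)
        if entry is None or entry[1] != txn_id:
            return None                 # unknown token, or replay under another transaction
        return entry[0]


@dataclass
class MerchantRecords:
    """What the merchant persists after tokenization: token and last four, never the PAN."""
    rows: list = field(default_factory=list)

    def record_sale(self, vault: TokenVault, pan: str, txn_id: str, amount: float) -> str:
        token = vault.tokenize(pan, txn_id)      # PAN is handed to the vault here and not kept
        self.rows.append({"txn": txn_id, "token": token, "last4": pan[-4:], "amount": amount})
        return token

    def refund(self, vault: TokenVault, txn_id: str) -> Optional[str]:
        row = next(r for r in self.rows if r["txn"] == txn_id)
        return vault.detokenize(row["token"], txn_id)


TEST_PAN = "4111111111111111"   # constructed input: standard test number, not a real account


def run_demo() -> dict:
    vault = TokenVault()
    merchant = MerchantRecords()
    token = merchant.record_sale(vault, TEST_PAN, "txn-001", 59.99)
    breached_dump = str(merchant.rows)   # what a breach of the merchant's database yields
    return {
        "pan_in_merchant_data": TEST_PAN in breached_dump,                   # False
        "refund_pan_matches": merchant.refund(vault, "txn-001") == TEST_PAN,  # True
        "replay_in_other_txn": vault.detokenize(token, "txn-002"),           # None
    }


if __name__ == "__main__":
    print(run_demo())
```

    The design point is that the token carries no information about the 
account number (it is random, not derived from the PAN) and is bound to 
one transaction identifier, so a token stolen from the merchant is 
useless both on its own and when replayed elsewhere; a processor that 
instead issued a reusable, account-level token would give up the second 
property.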
                                 ______
                                 
                        Retail Industry Leaders Association
                                      Arlington, VA, March 26, 2014

Hon. Jay Rockefeller,
Chairman,
Committee on Commerce, Science, and Transportation,
United States Senate
Washington, DC.

Hon. John Thune,
Ranking Member,
Committee on Commerce, Science, and Transportation,
United States Senate,
Washington, DC.

Dear Chairman Rockefeller and Ranking Member Thune:

    On behalf of the Retail Industry Leaders Association (RILA), thank 
you for the opportunity to offer our comments on the record for the 
Commerce, Science & Transportation Committee's hearing, ``Protecting 
Personal Consumer Information from Cyber Attacks and Data Breaches.'' 
By way of background, RILA is the trade association of the world's 
largest and most innovative retail companies. RILA promotes consumer 
choice and economic freedom through public policy and industry 
operational excellence. Its members include more than 200 retailers, 
product manufacturers, and service suppliers, which together account 
for more than $1.5 trillion in annual sales, millions of American jobs 
and operate more than 100,000 stores, manufacturing facilities and 
distribution centers domestically and abroad.
    Retailers take the threat of cyber-attacks extremely seriously and 
work diligently every day to stay ahead of the sophisticated criminals 
behind them. Retail companies individually, and the industry 
collectively, are taking aggressive steps to counter these threats. 
While enhanced security measures help retailers thwart thousands of 
cyber-attacks every day, unfortunately some attacks are successful and 
the resulting incidents can affect millions of our customers. For 
retailers, such a breach can damage the relationship that we have with 
our customers. However, more broadly, a breach can undermine consumers' 
faith in the electronic payments system as stolen information can be 
used to produce fraudulent cards for illicit use or put the customer at 
risk of identity theft.
    Given these facts, retailers take extraordinary steps to strengthen 
overall cybersecurity and prevent attacks. Retailers secure their 
systems with substantial investments in experts and technology. 
Further, they employ many tactics and tools to secure data, such as 
data encryption, tokenization and other redundant internal controls, 
including a separation of duties. While these enhanced security 
measures help to rebuff attacks, retailers are constantly working to 
expand existing cybersecurity efforts.
    Collaboration within the industry and coordination with other 
stakeholders is essential. In January, RILA launched its Cybersecurity 
and Data Privacy Initiative which focuses on strengthening overall 
cybersecurity. As part of this initiative, RILA has formed the Retail 
Cybersecurity Leaders Council (RCLC) and we are additionally calling 
for the development of Federal data breach notification legislation. 
Made up of senior retail executives responsible for cybersecurity, the 
RCLC will aim to improve industry-wide cybersecurity by providing a 
trusted forum for all stakeholders to share threat information and 
discuss effective security solutions.
    Subsequently, RILA formed a partnership with the National Cyber-
Forensics and Training Alliance (NCFTA) to enhance cybersecurity 
information sharing and expand retailers' proactive and vigilant 
approach to cyber threats to protect consumers against criminals. 
Partnering with the NCFTA is one of several approaches RILA is taking 
to enhance collaboration across the entire payments system. This 
partnership will help retailers leverage the NCFTA's vast network of 
cybersecurity threat intelligence and resources, and will advance the 
RCLC's mission of information sharing amongst retailers.
    RILA and the retail industry have taken strides to improve security 
and form strategic partnerships to improve information sharing. RILA 
calls on Congress to enact Federal data breach notification legislation 
that is practical, proportional and sets a single national standard, 
replacing the patchwork of state laws currently in place. A Federal 
standard will help ensure that customers receive timely and accurate 
information following a breach, and any legislation considered by 
Congress should include three essential provisions. First, strong state 
pre-emption language that would create a single national standard 
replacing the current patchwork of 46 state notification laws that add 
unnecessary complexity to the process. Second, legislation should 
consider the practical realities following a breach. Specifically, 
adequate time must be given prior to notification in order to provide 
reasonable time to secure the breached environment, conduct a thorough 
forensics investigation, and then based off this assessment, the 
ability to determine who may have been affected by the cyber-attack and 
what information was compromised. Furthermore, reasonable delay 
provisions should be included at the request of law enforcement for 
investigative purposes or for national security reasons. Third, 
notification requirements should be linked to risk of harm, whether or 
not the compromised information is in usable form to commit financial 
fraud or identity theft.
    While retailers understand and manage their internal systems and 
security, they have little or no influence over the actions taken by 
other players in the payments universe, which may have enormous 
implications on fraud. Instead, retailers must rely on others in the 
payments ecosystem to dictate critical security decisions, including 
card technology, retailer terminals, and when data can be encrypted 
during the transmission between retailers and the card networks. 
Retailers have long argued that the card technology in place today is 
antiquated; the unfortunate reality is that criminals can use stolen 
consumer data to create counterfeit cards with stunning ease. For 
years, retailers have urged banks and card networks to adopt the 
enhanced fraud prevention technology in use around the world here in 
the United States. While their resistance to doing so has been great, 
retailers continue to press all other stakeholders in the payments 
system to make this a priority.
    The RILA plan focused on four major steps that should be taken to 
improve the security of debit and credit cards. First, quickly 
establish a plan to retire antiquated magnetic stripe technology in 
place today. Second, require cardholders to input a PIN on all card 
transactions. Banks require that cardholders enter a PIN number to 
withdraw money from an ATM; the same fraud protection should apply to 
retail transactions. Third, establish a roadmap to migrate to chip-
based smart card technology with PIN security, also known as Chip and 
PIN. Finally, recognizing that card security must outpace criminal 
advancements, the members of the payments ecosystem must work together 
to identify new technologies and long-term, comprehensive solutions to 
the threats.
    We recognize that retailers are only one piece of the payments 
ecosystem, and so our Cybersecurity and Data Privacy Initiative also 
called for collaboration among retailers, banks and card networks to 
advance improved payments security. In February, RILA joined with the 
Financial Services Roundtable (FSR) to form the Merchant and Financial 
Services Industries Cybersecurity Partnership with 16 other trade 
associations representing both merchants and financial services 
companies. The Partnership will enhance system-wide collaboration and 
will explore paths to increased threat information sharing, better card 
security technology, and maintaining the trust of customers. 
Specifically, the partnership is focusing on improving overall security 
across the payments ecosystem, and bolstering consumer confidence in 
the security of their payment data and the systems used to process 
payments. The group has identified five focus areas to help achieve the 
goals: threat information sharing, cybersecurity risk mitigation, 
enhanced security for card present transactions, enhanced security for 
card-not-present and mobile, and data breach notification and 
cybersecurity legislation. We have little doubt that all parties share 
the 
goals of protecting consumers and maintaining confidence in our 
payments systems. In order to accomplish these goals, we must set aside 
our previous disagreements and work together on common solutions. That 
is why RILA is reaching out to representatives across the business 
community, including the card networks and financial institutions of 
all sizes, in an effort to work together to identify near- and long-term 
solutions.
    In closing, by working together with public-private sector 
stakeholders, our ability to develop innovative solutions and 
anticipate threats will grow, enhancing our collective security and 
giving our customers the service and peace of mind they deserve. We 
appreciate the opportunity to submit these comments for the record and 
we look forward to working with you and your staff on these issues 
moving forward.
            Sincerely,
                                                Bill Hughes
                         Senior Vice President, Government Affairs.
                                 ______
                                 
 Response to Written Question Submitted by Hon. John D. Rockefeller IV 
                         to Hon. Edith Ramirez
    Question. Senators Feinstein, Pryor, Nelson, and I have introduced 
S. 1976, the Data Security and Breach Notification Act of 2014. The 
bill would, among other things, require entities that maintain personal 
information on consumers to establish protocols that secure 
information. The FTC would be tasked with issuing regulations that 
detail the statutory scope of this mandate.
    The FTC has a long history of using its existing authority under 
Section 5 of the FTC Act to pursue companies that fail to adequately 
protect consumers' personal information. The agency has also called for 
data security legislation.
    Given its success with using Section 5, please explain why the 
agency sees the need for data security legislation such as S. 1976.
    Answer. The FTC supports Federal legislation such as S. 1976 that 
would (1) strengthen its existing authority governing data security 
standards on companies and (2) require companies, in appropriate 
circumstances, to provide notification to consumers when there is a 
security breach. While the majority of states have data breach 
notification laws, few have specific laws requiring general data 
security policies and procedures. Breach notification and data security 
standards at the Federal level would extend notifications to all 
citizens nationwide and create a strong and consistent national 
standard that would simplify compliance by businesses while ensuring 
that all American consumers are protected.
    Specifically, the FTC supports legislation that would give the 
Commission the authority to seek civil penalties to help deter unlawful 
conduct, jurisdiction over non-profits, and rulemaking under the 
Administrative Procedure Act. We have urged Congress to allow the FTC 
to seek civil penalties for all data security and breach notice 
violations in appropriate circumstances to help ensure effective 
deterrence. In addition, enabling the FTC to bring cases against non-
profits--such as educational institutions and health facilities, which 
have been the subject of a number of breaches--would help ensure that 
consumer data is adequately protected regardless of what type of entity 
collects or maintains it.
    Finally, rulemaking authority under the Administrative Procedure 
Act would enable the FTC to respond to changes in technology when 
implementing the legislation. For example, whereas a decade ago it 
would be both difficult and expensive for a company to track an 
individual's precise geolocation, the explosion of mobile devices has 
made such information readily available. As technology and business 
models change and new forms of consumer data can be used to perpetrate 
identity theft, fraud, and other types of harm, APA rulemaking 
authority would help ensure that the law is kept up to date.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. John Thune to 
                           Hon. Edith Ramirez
    Question 1. In your testimony, you reference ``geolocation 
information'' as a rapidly emerging technology. The FTC has also 
referred previously to ``precise geolocation data,'' for instance in a 
2012 Commission report, proposing to protect the privacy of sensitive 
data including ``precise geolocation data.''
    In the 2012 report, the FTC recommended that, before any firm could 
collect, store or use such data, it would be required to ``provide 
prominent disclosures and obtain affirmative express consent before 
using data in a manner materially different than claimed at the time of 
collection.'' This sounds reasonable in certain circumstances. However, 
the Commission did not define the term ``precise geolocation data.'' 
The Commission does advise that geolocation data that cannot be 
reasonably linked to a specific consumer would not trigger a need to 
provide a consumer protection mechanism, and further advises that if a 
firm takes steps to de-identify data, it would not need to provide this 
mechanism. However, because the FTC does not define relevant terms, I 
have heard that there is some concern for how practitioners in the 
mapping and surveying fields can comply with the guidance. 
Specifically, some stakeholders are concerned that a private firm would 
need to get a citizen's approval before developing mapping for an E-911 
and emergency response management system. What does the FTC consider to 
be ``precise geolocation data''?
    Answer. Precise geolocation data includes any information that can 
be used to pinpoint a consumer's physical location. For example, many 
mobile applications (``apps'') collect a user's longitude and latitude 
coordinates, which allows them to translate a user's exact location on 
a map. It does not include general location data, such as a consumer's 
zip code, city, or town. In the context of the Children's Online 
Privacy Protection Act (COPPA), the statute and the Commission's COPPA 
Rule require parental consent for the collection of geolocation 
information sufficient to identify street name and name of city or 
town.

    Question 1a. When mapping for an E-911 or emergency response 
management system, what level of de-identification is needed? Does a 
company need to secure everyone's prior approval, or else redact from 
the map every citizen for whom they did not get prior consent, when 
mapping for an E-911 or emergency response management system?
    Answer. In its 2012 Privacy Report, the Commission set forth a 
privacy framework that calls on companies to incorporate privacy by 
design, simplified consumer choice, and increased transparency into 
their business operations. It is important to note that the framework 
is a voluntary set of best practices designed to assist companies as 
they operationalize privacy and data security practices within their 
businesses. It neither imposes new legal obligations, nor is it 
intended as a template for law enforcement.
    The framework calls on companies to offer an effective consumer 
choice mechanism unless the data practice is consistent with the 
``context of the interaction'' between the consumer and the company. 
Under this approach, whether a company should provide choice ``turns on 
the extent to which the practice is consistent with the context of the 
transaction or the consumer's existing relationship with the business, 
or is required or specifically authorized by law.'' \1\ Mapping for an 
E-911 or emergency response management system would generally fall 
within the context of the interaction, and therefore companies that 
collect and use geolocation information for these purposes do not 
need to provide a consumer choice mechanism.
---------------------------------------------------------------------------
    \1\ Federal Trade Commission, Protecting Consumer Privacy in an Era 
of Rapid Change 38-39 (Mar. 2012).

    Question 1b. I understand the Commission received significant 
public comment on this issue from engineers, architects, planners, 
surveyors, mappers and the Federal Geographic Data Committee, which 
represents Federal mapping agencies. Can you tell me what the FTC's 
thinking is on this issue, and what its plans are to address the 
stakeholders' concerns?
    Answer. When members of the geospatial industry collect addresses, 
parcel information, or other geolocation or survey data that is tied to 
public land records, this practice would generally fall within the 
``context of the interaction'' standard. As any consumer who has 
purchased a house knows, public land record data is collected, used, 
and linked to specific consumers as a matter of course in connection 
with real estate transactions as well as property tax assessments and 
similar purposes. Accordingly, companies that collect and use this data 
for these purposes would generally not need to provide a consumer 
choice mechanism.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Kelly Ayotte to 
                           Hon. Edith Ramirez
    Question 1. Earlier this year, the FTC testified before the Senate 
Banking Committee on safeguarding consumers when there is a security 
breach. What precisely triggers notification? There are 46 different 
state laws. In your opinion, what should be the threshold warranting a 
notification? Since the combination of certain types of personal 
information is more sensitive than each piece individually, what type 
of information being breached should warrant a notification to 
consumers?
    Answer. It is important for both consumers and businesses that the 
trigger for breach notification is balanced. We want to ensure that 
consumers learn about breaches that could result in identity theft, 
fraud, or other harm so they can take steps to help protect themselves, 
but we do not want to notify consumers when the risk of harm is 
negligible, as over-notification could cause consumers to become 
confused or to become numb to the notices they receive.
    Consumers should be given notice when information is breached that 
could be misused to harm consumers. At a minimum, companies should 
notify consumers of a breach of Social Security numbers because this 
information can be used to commit identity theft, even if not paired 
with an individual's name and address. Similarly, an account username 
and password can be used to gain access to an account, even if the 
thief does not have the name of the account holder. Additionally, in 
the event of changing technology or business models, the FTC should be 
able to exercise rulemaking authority to modify the definition of 
personal information.
    I am happy to work with the Committee as it considers legislation 
on this important matter.

    Question 2. You testified regarding your important work in civil 
law enforcement against unfair or deceptive acts in data security 
practices. Is it safe to assume that you believe the Commission has 
existing authority to pursue enforcement actions against private 
businesses that fail to adopt reasonable data security practices?
    Answer. Yes. The Commission has authority to challenge companies' 
data security practices that are unfair or deceptive under Section 5 of 
the FTC Act, and we have used this authority to settle 52 data security 
cases to date. In addition, Congress has given the FTC authority to 
bring data security enforcement actions against non-bank financial 
institutions under the Gramm-Leach-Bliley Act, against consumer credit 
reporting agencies under the Fair Credit Reporting Act, and against 
websites and online services directed at children under the Children's 
Online Privacy Protection Act.
    The Commission has called for data security legislation that would 
strengthen its existing authority. For example, we currently lack 
authority under Section 5 to obtain civil penalties, an important 
remedy for deterring violations. Likewise, enabling the FTC to bring 
cases against non-profits, which have been the source of a number of 
breaches, would help ensure that whenever personal information is 
collected from consumers, entities that maintain such data take 
reasonable measures to protect it.

    Question 3. What additional tools do law enforcement need to share 
information about ongoing threats and attacks with the private sector?
    Answer. Information sharing is an important part of the fight 
against those who attempt to exploit consumers' personal information. 
Information exchanges such as Information Sharing and Analysis Centers 
(ISAC) enable companies to pool information about security threats and 
defenses so that they can prepare for new kinds of attacks and quickly 
address potential vulnerabilities. ISACs may also share information 
with law enforcement agencies, and vice versa. The FTC is considering, 
at the request of members of Congress, the formation of an ISAC to 
enable retailers to share information. We have begun consulting with 
other ISACs and industry groups to explore the formation of such a 
group.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Deb Fischer to 
                           Hon. Edith Ramirez
    Question 1. In your testimony, you state that ``having a strong and 
consistent national requirement would simplify compliance by businesses 
while ensuring that all consumers are protected.'' Do you believe 
preempting state laws in favor of a strong national requirement would 
benefit, not harm, consumers?
    Answer. I support a Federal data security and breach notification 
law that would preempt state law, but only if such a standard is 
sufficiently strong and the states are given the ability to enforce the 
law. If a consistent nationwide standard came at the expense of 
weakening existing state legal protections for consumers' information, 
I would not support the law.

    Question 2. Would a uniform Federal data breach notification law 
enforced by the Commission, as well as state attorneys general, 
provide a significantly greater level of protection for consumers than 
currently exists?
    Answer. While the majority of states have data breach notification 
laws, few have specific laws requiring general data security policies 
and procedures. Breach notification and data security standards at the 
Federal level would extend notifications to all consumers nationwide 
and create a level playing field so that businesses operating in 
numerous states can apply one standard. A Federal law could create 
uniform protections for all American consumers.

    Question 3. Many different players in the Internet ecosystem 
increasingly collect and store the same or similar information. Should 
they all be subject to the same standards for data security?
    Answer. All companies that collect and handle sensitive consumer 
information should be required to implement reasonable data security 
measures. We believe that reasonableness is the appropriate standard 
because it allows a company flexibility to develop a data security 
program based on factors such as the sensitivity and volume of consumer 
information it holds; the size and complexity of its data operations; 
and the cost of available tools to improve security and reduce 
vulnerabilities. The Commission has emphasized a process-based approach 
to data security that includes designating an individual or individuals 
responsible for data security; conducting risk assessments; designing a 
security program to address risks, including administrative, physical, 
and technical safeguards; and adjusting the program to address changes.

    Question 4. In your written testimony, you express concern about 
data security legislation's ability to keep pace with technology. Would 
a ``reasonableness'' standard help address that concern because what is 
reasonable today may not be reasonable tomorrow as technology evolves?
    Answer. That is correct. The Commission's reasonableness standard 
and emphasis on a process-based approach to data security encourages 
companies to reevaluate and adjust their programs periodically in light 
of changes to the types of information they collect as well as changes 
in the marketplace, including changes in technology.
    Additionally, we support Federal data security and breach 
notification legislation that would, among other things, authorize 
rulemaking under the Administrative Procedure Act to give the 
Commission the flexibility to implement the statute by making changes 
when appropriate. For example, this authority should include the 
authority to modify the definition of personal information in response 
to changes in technology and changing threats.

    Question 5. You mention in your testimony that the data security 
provisions of both the Fair Credit Reporting Act and the Children's 
Online Privacy Protection Act rely on a ``reasonableness'' standard. 
Should comprehensive Federal data security legislation also be subject 
to a reasonableness standard?
    Answer. Yes. A reasonableness standard would ensure that companies 
have strong protections in place to protect consumer information as 
well as flexibility when developing and implementing any data security 
program.
                                 ______
                                 
Response to Written Questions Submitted by Hon. John D. Rockefeller IV 
                          to John J. Mulligan
    Question 1. Target's representatives told us that its point-of-sale 
(POS) devices at U.S. stores use different operating systems and 
software than its devices at Canadian stores. According to published 
reports, U.S. stores run on Target-designed software that is used with 
Windows XP Embedded and Windows Embedded for Point of Service, while 
Canadian locations use POS devices from Retalix, an NCR company.
    Please explain why Target uses different POS operating systems and 
software in the United States and Canada.
    Answer. The U.S. and Canada have different payment card 
technologies in use in the respective countries, resulting in the use 
of different payment systems and software. As of 2013, the overwhelming 
majority of payment cards issued in the U.S. were not chip-enabled. 
This remains the case today.
    In the U.S., Target processes point of sale transactions using a 
Target-built application. We are in the process of completing the 
implementation of Windows Embedded for Point of Sale (POS Ready 7) on 
all of our registers in 2014. In Canada, Target processes point of sale 
transactions using Retalix in order to process chip-enabled cards, 
which are required in Canada.

    Question 1a. The 2013 breach was limited to Target's U.S. stores; 
its Canadian stores were not affected. Do you believe weaknesses in 
Target's POS operating system or software used for U.S. stores allowed 
or contributed to the breach?
    Answer. As of 2013, the overwhelming majority of payment cards 
issued in the U.S. were not chip-enabled. This remains the case today. 
In Canada, credit and debit cards are required to be chip-enabled. The 
malware that was designed to capture card data at Target stores in the 
U.S. would not be able to capture the same information from a chip-
enabled card transaction. Unlike Canada, however, chip-enabled cards 
are not common, let alone standard, in the U.S.
    Target is accelerating our $100 million investment in the adoption 
of chip technology because we believe it is critical to enhancing 
consumer protections. We have already installed approximately 10,000 
chip-enabled payment devices in Target stores and expect to complete 
the installation in all Target stores by this September, six months 
ahead of schedule. We also expect to begin to issue chip-enabled Target 
REDcards and accept all chip-enabled cards by early 2015. As a founding 
member and steering committee member of the EMV Migration Forum, we 
will continue to lead the adoption of these technologies across the 
payment ecosystem.

    Question 1b. Going forward, does Target plan to upgrade its POS 
operating systems and software used in its U.S. locations? If so, how?
    Answer. While it is not a requirement, we believe the adoption of 
chip technology is critical to enhancing consumer protections. As noted 
previously, we have already installed approximately 10,000 chip-enabled 
payment devices in Target stores and expect to complete the 
installation in all Target stores by this September, six months ahead 
of schedule. In the U.S., we are in the process of completing the 
implementation of Windows Embedded for Point of Sale (POS Ready 7) on 
all of our registers in 2014.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Bill Nelson to 
                            John J. Mulligan
    Question 1. Looking beyond just the issue of credit and debit card 
data, it is my understanding that Target--and many other retailers--
collect a substantial amount of personal consumer information for other 
purposes.
    For example, it is my understanding that a number of retailers 
sometimes require customers to present a driver's license--and either 
scan or copy all of the information on that license--when they are 
making a return, even when they have a receipt for the return.
    Does Target collect this type of information from consumers when 
they engage in returns or other related transactions?
    Answer. Target swipes or scans guest government-issued 
identification cards (IDs) in connection with the following limited 
types of transactions:

  1.  For the purchase of age-restricted item transactions such as 
        alcohol and M-rated video games;

  2.  For the purchase of certain medically restricted item 
        transactions, such as pseudoephedrine and dextromethorphan;

  3.  For returns without receipt;

  4.  For transactions in which a guest pays for their merchandise and 
        then leaves the store without the merchandise, but later 
        returns to retrieve the merchandise;

  5.  For certain high-risk check transactions;

  6.  For cash transactions above $10,000 in order to complete the 
        Internal Revenue Service (IRS) Form 8300, Report of Cash 
        Payments over $10,000; and

  7.  For tax-exempt transactions, such as sales to nonprofit 
        organizations in order to complete tax-exemption certificates.

    There are a handful of states in which IDs cannot be swiped because 
of state laws prohibiting swiping or because of the absence of a 
barcode on the state ID. In these states, cashiers manually key 
information from a guest's ID.
    When swiping a guest's ID, Target only collects the data that is 
relevant to the type of transaction. Additionally, information obtained 
during the ID swipe is not used for other purposes.

    Question 1a. If so, how is this information stored and used?
    Answer. When information is collected from a guest's ID, Target 
does not collect more personal information than necessary for the 
particular purpose for which the card is swiped and Target uses the 
information exclusively for that purpose. Guest information is stored 
for a fixed amount of time depending on the type of transaction. The 
information is secured. The information is not used for other purposes.

    Question 1b. Is that information also shared with any third 
parties?
    Answer. Target only shares information collected through ID swipes 
in the following instances: (1) for high risk check transactions Target 
may share information with vendors that assist Target in authorizing 
and processing check payments; (2) in certain states, as required by 
state law, Target provides state authorities information relating to 
pseudoephedrine purchases; (3) for cash transactions over $10,000, 
Target submits Form 8300 to the IRS; and (4) for tax-exempt 
transactions, Target may share tax exemption certificates with state 
tax auditors upon request. However, Target does not use or share 
information collected through ID swipes for marketing purposes.

    Question 1c. Is it ever deleted from your systems?
    Answer. Yes. Guest information is stored for a fixed amount of time 
depending on the type of transaction. The information is secured.

    Question 2. Do you allow customers to request a copy of any 
personal information file that Target maintains on them?
    Answer. In accordance with our privacy policy, Target guests can 
access or update their personal information.

    Question 2a. If so, how do they request it?
    Answer. Our privacy policy is available to our guests on 
Target.com. A guest can click a hyperlink, ``Contact Us'' to complete a 
form and submit their request. A guest can also contact Target by 
phone, e-mail or mail. If a guest has created a Target.com account, 
they can log in and update their account information, including 
contact, billing, and shipping information.

    Question 2b. If not, why not?
    Answer. N/A
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Kelly Ayotte to 
                            John J. Mulligan
    Question 1. As a former Attorney General, I can appreciate how 
crucial information sharing is by law enforcement to both retail stores 
and financial institutions. Can you both discuss your relationship with 
the FBI and the Secret Service (or DHS in general) when it comes to the 
flow of information that would affect a potential cyber-attack or data 
breach? Could this relationship be improved? What do you see as the 
best role for state and local law enforcement in this area?
    Answer. All businesses and their customers are facing frequent and 
increasingly sophisticated attacks by cyber criminals. In order to 
address this threat, none of us can go it alone. Protecting American 
businesses and consumers is a shared responsibility.
    Target deeply values our longstanding and ongoing partnership with 
law enforcement. For more than 20 years, we've established ourselves as 
a valuable partner to law enforcement in their efforts to strengthen 
public safety. We partner with public safety agencies on the local, 
state, and national level.
    Target participates in a number of initiatives to enhance 
information sharing including with the U.S. Department of Homeland 
Security (DHS). This outreach is focused on raising awareness, 
educating and informing these leaders on our vast public safety 
efforts, and educating them on our priorities and capabilities. Through 
this outreach we are able to highlight our unique approach and non-
traditional partnerships to address public safety challenges by 
developing crime solutions and supporting preparedness and resiliency 
initiatives. Target has played the convener role, enabling them to share 
best practices across jurisdictions. Target also shared organizational 
leadership insights that could be applied across groups and hosts 
leadership training programs centered on Target's most effective 
leadership development courses, but revised and geared toward law 
enforcement and emergency managers.
    The Secret Service has been a valuable partner to Target as they 
continue to investigate the breach that occurred at Target in late 
2013. For example, on the evening of December 12, we were notified by 
the Justice Department of suspicious activity involving payment cards 
used at Target stores. We immediately started our internal 
investigation. On December 13, we met with the Justice Department and 
Secret Service.
    Target is a charter member and serves on the board of the FBI's 
Domestic Security Alliance Council (DSAC). DSAC is a strategic 
partnership between the U.S. Government and U.S. Private Industry. Its 
goal is to advance the Federal Bureau of Investigation (FBI)'s mission 
of preventing, detecting, and deterring criminal acts by facilitating 
strong, enduring relationships among its private industry members. In 
March 2014, Target became the first retailer to join the Financial 
Services Information Sharing and Analysis Center (FS-ISAC), a non-profit 
private sector initiative developed by the financial services industry 
to help facilitate the detection, prevention, and response to cyber 
attacks and fraud activity.
    Target works closely with state and local law enforcement through 
our accredited forensic laboratories that specialize in forensics, 
audio and video analysis, and latent fingerprints. In addition, Target 
operates 14 Investigations Centers (ICs) nationwide that focus on 
providing investigative support to our stores and to law enforcement. 
Today, 30 percent of Target's lab caseload provides pro bono services 
to law enforcement agencies for violent felony cases that have nothing 
to do with Target.

    Question 2. What steps did Target take internally before notifying 
your customers that the company had potentially suffered a breach of 
security that may have affected their payment cards? Were you able to 
complete a forensic analysis of the breach before notifying customers? 
If not, why not?
    Answer. Our actions leading up to our public announcement on 
December 19--and since--have been guided by the principle of serving 
our guests. We moved quickly to share accurate and actionable 
information with the public. While the forensic analysis of the breach 
was far from complete, on December 15, we confirmed that criminals had 
infiltrated our system, installed malware on our point-of-sale network 
and potentially stolen guest payment card data. We then began notifying 
the payment processors and card networks, preparing to publicly notify 
our guests, and equipping call centers and stores with the necessary 
information and resources to address our guests' concerns. When we 
announced the intrusion on December 19, we used multiple forms of 
communication, including a mass-scale public announcement, e-mail, 
prominent notices on our website, and social media. The forensic 
analysis is estimated to be completed later in 2014.

    Question 3. What steps do you believe are reasonable, if not 
necessary, for breached companies to take before notifying potentially 
affected customers of a breach? In Target's breach over the holidays, 
for example, did you have all of the customer contact information you 
needed to individually contact your customers to let them know that 
they might be affected by the breach?
    Answer. Our actions leading up to our public announcement on 
December 19--and since--have been guided by the principle of serving 
our guests. We moved quickly to share accurate and actionable 
information with the public. On December 15, we confirmed that 
criminals had infiltrated our system, installed malware on our point-
of-sale network and potentially stolen guest payment card data. We then 
began notifying the payment processors and card networks, preparing to 
publicly notify our guests, and equipping call centers and stores with 
the necessary information and resources to address our guests' 
concerns. When we announced the intrusion on December 19, we used 
multiple forms of communication, including a mass-scale public 
announcement, e-mail, prominent notices on our website, and social 
media.

    Question 3a. For customers who simply made purchases in your store 
with payment cards and where you had no other contact information, did 
you subsequently obtain that information in order to notify these 
customers individually? If so, how did you do so?
    Answer. Target sent e-mails to guests for whom we had e-mail 
addresses. Target did not seek to obtain personal contact information 
for those for whom we did not already have personal contact 
information, but we did take steps to notify individuals by following 
state statutes that allowed for substitute notice. State substitution 
notice methods include: (1) posting notice on our website; (2) 
providing notice by e-mail to each relevant guest for whom Target had 
an e-mail address; and (3) providing notice to national and state 
media.
                                 ______
                                 
    Response to Written Question Submitted by Hon. Kelly Ayotte to 
                              Ellen Richey
    Question. As a former Attorney General, I can appreciate how 
crucial information sharing is by law enforcement to both retail stores 
and financial institutions. Can you both discuss your relationship with 
the FBI and the Secret Service (or DHS in general) when it comes to the 
flow of information that would affect a potential cyber-attack or data 
breach? Could this relationship be improved? What do you see as the 
best role for state and local law enforcement in this area?
    Answer. Law enforcement plays a critical role in the response to 
any cyber-attack, and Visa works closely with state and Federal law 
enforcement agencies to identify, impede, and stop cyber criminals. We 
feel that broad and regular communication with law enforcement is 
imperative to an effective cyber-security response policy.
    Visa has relationships with a range of law enforcement agencies in 
the U.S., including the United States Secret Service and the Federal 
Bureau of Investigation. In addition, we maintain strong contacts with 
law enforcement in many countries around the world and work 
cooperatively on fraud and compromise investigations. While Visa 
engages regularly with law enforcement, we do not share any personal 
customer or merchant information without a subpoena or its equivalent.
    Visa has varied systems for sharing information with industry 
stakeholders as well as law enforcement, including through our website, 
data security alerts, client communications, webinars, newsletters and 
more. Visa has been actively involved in training and education 
programs with law enforcement and lending our expertise on payment 
system security issues.
    Visa sees a key role for both state and Federal law enforcement to 
address cyber-attacks, and in particular we regularly work with the 
United States Secret Service and the FBI offices around the country to 
address specific situations as they occur. Law enforcement gathers 
information through criminal investigations that can assist in 
deconstructing attacks which lend valuable insight into the prevention 
of future breaches. We also partner with Electronic Crime Task Force 
entities that have relationships with forensic investigation companies 
to gather and analyze breach data. These entities are a rich source of 
information to issuers and payment networks alike. Visa looks forward 
to continuing to work with a broad spectrum of cybersecurity and data 
breach specialists, both public and private, to further our efforts to 
prevent and contain future breaches. We welcome all efforts to 
strengthen and promote the involvement of state, local, and Federal law 
enforcement in breach response activities.