[Senate Hearing 113-654]
[From the U.S. Government Publishing Office]
S. Hrg. 113-654
PRIVACY IN THE DIGITAL AGE: PREVENTING DATA BREACHES AND COMBATING
CYBER CRIME
=======================================================================
HEARING
before the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
__________
TUESDAY, FEBRUARY 4, 2014
__________
Serial No. J-113-48
__________
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PUBLISHING OFFICE
94-640 PDF WASHINGTON : 2015
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON THE JUDICIARY
PATRICK J. LEAHY, Vermont, Chairman
DIANNE FEINSTEIN, California          CHUCK GRASSLEY, Iowa, Ranking Member
CHUCK SCHUMER, New York               ORRIN G. HATCH, Utah
DICK DURBIN, Illinois                 JEFF SESSIONS, Alabama
SHELDON WHITEHOUSE, Rhode Island      LINDSEY GRAHAM, South Carolina
AMY KLOBUCHAR, Minnesota              JOHN CORNYN, Texas
AL FRANKEN, Minnesota                 MICHAEL S. LEE, Utah
CHRISTOPHER A. COONS, Delaware        TED CRUZ, Texas
RICHARD BLUMENTHAL, Connecticut       JEFF FLAKE, Arizona
MAZIE HIRONO, Hawaii
Kristine Lucius, Chief Counsel and Staff Director
Kolan Davis, Republican Chief Staff Director
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Page
Leahy, Hon. Patrick, a U.S. Senator from the State of Vermont.... 1
prepared statement........................................... 53
Grassley, Hon. Chuck, a U.S. Senator from the State of Iowa...... 2
prepared statement........................................... 55
WITNESSES
Witness List..................................................... 51
John Mulligan, Executive Vice President and Chief Financial
Officer, Target Corporation, Minneapolis, Minnesota............ 4
prepared statement........................................... 58
Michael R. Kingston, Senior Vice President and Chief Information
Officer, The Neiman Marcus Group, Dallas, Texas................ 6
prepared statement........................................... 64
Delara Derakhshani, Policy Counsel, Consumers Union, Washington,
DC............................................................. 8
prepared statement........................................... 72
Fran Rosch, Senior Vice President, Security Products and
Services, Endpoint and Mobility, Symantec Corporation, Mountain
View, California............................................... 9
prepared statement........................................... 78
The Honorable Edith Ramirez, Chairwoman, Federal Trade
Commission, Washington, DC..................................... 36
prepared statement........................................... 98
William Noonan, Deputy Special Agent in Charge, Criminal
Investigative Division, Cyber Operations Branch, U.S. Secret
Service, Washington, DC........................................ 38
prepared statement........................................... 110
Mythili Raman, Acting Assistant Attorney General, Criminal
Division, United States Department of Justice, Washington, DC.. 39
prepared statement........................................... 121
QUESTIONS
Questions submitted by Senator Patrick Leahy for John J. Mulligan 133
Questions submitted by Senator Chuck Grassley for John J.
Mulligan and Michael R. Kingston............................... 134
Questions submitted by Senator Patrick Leahy for Michael R.
Kingston....................................................... 135
Questions submitted by Senator Patrick Leahy for Delara
Derakhshani.................................................... 136
Questions submitted by Senator Patrick Leahy for Fran Rosch...... 137
Questions submitted by Senator Chuck Grassley for Fran Rosch..... 138
Questions submitted by Senator Patrick Leahy for Edith Ramirez... 139
Questions submitted by Senator Patrick Leahy for William Noonan.. 140
Questions submitted by Senator Patrick Leahy for Mythili Raman... 141
ANSWERS
Responses of John J. Mulligan to questions submitted by Senator
Leahy.......................................................... 142
Responses of John J. Mulligan to questions submitted by Senator
Grassley....................................................... 145
Responses of Michael R. Kingston to questions submitted by
Senators Leahy, Blumenthal, and Grassley....................... 148
Responses of Delara Derakhshani to questions submitted by Senator
Leahy.......................................................... 158
Responses of Fran Rosch to questions submitted by Senator Leahy.. 160
Responses of Fran Rosch to questions submitted by Senator
Grassley....................................................... 162
Responses of Edith Ramirez to questions submitted by Senator
Leahy.......................................................... 164
Responses of William Noonan to questions submitted by Senator
Leahy.......................................................... 167
Responses of Mythili Raman to questions submitted by Senator
Leahy.......................................................... 170
MISCELLANEOUS SUBMISSIONS FOR THE RECORD
Confidentiality Coalition, February 3, 2014, statement........... 177
Credit Union National Association (CUNA), Bill Cheney, President
and CEO, February 4, 2014, letter.............................. 179
American Bankers Association, The Clearing House, Consumers
Bankers Association, Credit Union National Association,
Financial Services Information Sharing and Analysis Center, The
Financial Services Roundtable, Independent Community Bankers of
America, National Association of Federal Credit Unions:
February 3, 2014, joint letter................................. 182
Michaels Stores, Inc., Irving, Texas, Michael J. Veitenheimer,
Secretary and General Counsel, January 31, 2014, letter........ 185
National Business Coalition on E-Commerce and Privacy,
Washington, DC, Thomas M. Boyd, Partner, DLA Piper LLP,
February 4, 2014, statement.................................... 186
National Association of Federal Credit Unions (NAFCU), Arlington,
Virginia, B. Dan Berger, President and CEO, February 3, 2014,
letter......................................................... 190
National Retail Federation, Washington, DC, Mallory Duncan,
General Counsel and Senior Vice President, February 14, 2014,
statement...................................................... 194
Payment Card Industry (PCI) Security Standards Council,
Wakefield, Massachusetts, Bob Russo, General Manager, February
4, 2014, statement............................................. 207
Retail Industry Leaders Association (RILA), Arlington, Virginia,
William Hughes, Senior Vice President, Government Affairs,
February 4, 2014, letter....................................... 212
Dianne Feinstein, a U.S. Senator from the State of California,
February 4, 2014, statement for the record..................... 215
PRIVACY IN THE DIGITAL AGE: PREVENTING DATA BREACHES AND COMBATING
CYBER CRIME
TUESDAY, FEBRUARY 4, 2014
U.S. Senate,
Committee on the Judiciary,
Washington, DC.
The Committee met, pursuant to notice, at 10:23 a.m., in
Room SD-226, Dirksen Senate Office Building, Hon. Patrick J.
Leahy, Chairman of the Committee, presiding.
Present: Senators Leahy, Feinstein, Durbin, Whitehouse,
Klobuchar, Franken, Coons, Blumenthal, Hirono, Grassley, Hatch,
and Lee.
OPENING STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM
THE STATE OF VERMONT
Chairman Leahy. Good morning. Because of the time of the
opening of the Senate, we are starting a little bit late, and I
apologize for that, but I appreciate everybody who is here
today from all over, including now snowy Colorado. I see Mr.
Bronstein here.
We are going to meet to examine how we can protect
Americans from the growing dangers of data breaches and cyber
crime in the digital age. Safeguarding American consumers and
businesses from data breaches and cyber crime has been a
priority of this Committee since 2005. For years, we tried to
make sure that everybody understands this is not a Democratic
or Republican issue. I have worked closely with Members on both
sides of the aisle to advance meaningful data privacy
legislation. In fact, I want to thank Senator Grassley for
working with me very closely on this hearing, and I hope we can
continue working together to advance the Personal Data Privacy
and Security Act that I recently reintroduced to protect
American consumers.
Now, you watch the news, you pick up the papers, you listen
to the news. Most Americans, myself included, have been alarmed
by the recent data breaches at Target, Neiman Marcus, and
Michaels stores. The investigations into those cyber attacks
are ongoing. But they have compromised the privacy and security
of millions of American consumers--potentially putting one in
three Americans at risk of identity theft and other cyber
crimes. I have never had a time when my wife and I have been so
assiduous at checking our credit card bills, but that is the
same with everybody.
But public confidence is crucial to our economy. I
mentioned those three stores. Those are all excellent stores.
They are a major part of our economy. But we have to have faith
in them. If we do not have faith in businesses' ability to
protect their personal information, then our economic recovery
is going to falter. And in the digital age, major data breaches
involving our private information are not uncommon. There have
been significant data breaches involving Sony, Epsilon, and
Coca-Cola, but also in Federal Government agencies--the
Departments of Veterans Affairs and Energy. In the past few
days, we have also learned of data breaches at Yahoo! and White
Lodging, which is the hotel management company for national
hotel chains such as Marriott and Starwood. In fact, so it will
not seem like we are singling out just a few businesses,
according to the Privacy Rights Clearinghouse, more than 662
million records have been involved in data breaches since 2005.
Now, we all agree that businesses need to thoroughly assess
the damage when a cyber attack is discovered. But time is of
the essence for law enforcement seeking to catch the
perpetrators and also for consumers who want to protect
themselves against further exposure. It is not like when
somebody comes in and robs a store. You know where it happened,
and you have some general idea of where the perpetrator is.
Here the perpetrator could be thousands upon thousands of miles
away in another country. American consumers deserve to know
when their private information has been compromised and what a
business is doing in response to a cyber attack, because most
of us rely on being able to do a lot of our business
electronically.
We should also remember that the businesses that suffer
cyber attacks are also often the victims of a cyber crime. A
recent study sponsored by Symantec found that data breaches
involving malicious cyber attacks are the most costly data
breaches around the globe. The per capita cost of such cyber
attacks in the United States was $277 per compromised record in
2013. Times that by millions upon millions upon millions. It is
the highest cost for any nation that has been surveyed. And, of
course, if you are in a fragile economic recovery, this is a
significant hindrance.
So before the Judiciary Committee today are representatives
of Target and Neiman Marcus, as well as Consumers Union and
Symantec. Later we will hear from the U.S. Secret Service, the
Department of Justice, and the Federal Trade Commission.
We are facing threats to our privacy and security unlike
any time before in our Nation's history. We have also had
hearings about questions of the threats to our privacy by our
own government agencies. So I hope in this particular one we
can get some good bipartisan support responding to it and get
some data privacy legislation out here. I think we will all be
better for it.
[The prepared statement of Senator Leahy appears as a
submission for the record.]
Senator Grassley.
OPENING STATEMENT OF HON. CHUCK GRASSLEY, A U.S. SENATOR FROM
THE STATE OF IOWA
Senator Grassley. It is very important that we have this
hearing. We have had well-publicized commercial data breaches.
We are still learning about the details. This hearing will help
bring more details out, I hope. But it is clear that these and
other breaches have potentially impacted tens of millions of
consumers nationwide.
Today is an opportunity to learn about the challenges that
both industry and law enforcement face in combating cyber
attacks from well-organized criminals. The witnesses have a
unique ability to provide us various important perspectives as
we consider the government's role in securing sensitive data
and crafting a breach notification standard.
I hope to learn where the Committee's expertise could be
helpful in combating future attacks. Furthermore, I would like
to use this hearing to explore areas of common ground so that
we can determine what might be accomplished quickly.
It has been a couple of years since our Committee has
considered data security legislation. In that time, we have
learned a lot about this subject, thanks to broader
cybersecurity conversation. The proposals offered by the
administration and discussed in Congress, along with other
government initiatives, can be helpful for us to proceed as we
consider what to do with this legislation.
When considering data security requirements, our approach
should provide flexibility and also account for businesses of
different sizes and different resources. In a world of crafty
criminals, it seems to me that a one-size-fits-all approach
will not work, or at least will not work for everybody.
Instead, let us see how the government can partner with private
business to strengthen data security.
An example may be the National Institute of Standards and
Technology's cybersecurity framework, which has received
bipartisan support. And as far as the Senate is concerned,
unless it is bipartisan, it is not going to go anywhere. That
is not because there is something wrong with Democrats or
Republicans. That is the institution itself.
As we discuss the creation of a federal breach notification
standard, we must avoid the risk of consumer overnotification.
Just as there is a potential for harm when a victim is not
notified of a breach, overnotification can lead to harm and
apathy.
As time permits, I want to explore these and other issues
today and will be available to discuss things beyond the
Committee process, either with colleagues or with other people.
If everyone works together, it seems to me we can tackle these
problems and hopefully limit future attacks.
Thanks again, Mr. Chairman, and I would ask unanimous
consent to include my full statement in the record along with
statements that we received from these groups: the National
Business Coalition on E-Commerce and Privacy, the Payment Card
Industry, the National Association of Federal Credit Unions,
the American Bankers Association, the National Retail
Federation, and the Retail Industry Leaders Association.
Chairman Leahy. Without objection, they will be included in
the record.
[The prepared statement of Senator Grassley appears as a
submission for the record.]
Chairman Leahy. Could I ask the four witnesses to please
stand and raise your right hand? Do you swear that the
testimony you will give in this matter will be the truth, the
whole truth, and nothing but the truth, so help you God?
Mr. Mulligan. I do.
Mr. Kingston. I do.
Ms. Derakhshani. I do.
Mr. Rosch. I do.
Chairman Leahy. Let the record show that the four
witnesses--Mr. Mulligan, Mr. Kingston, Ms. Derakhshani--I hope
I came close--and Mr. Rosch--all took the oath. I thought what
we would do is hear from each of the witnesses first, and then
we will ask questions.
John Mulligan is chief financial officer and executive vice
president for Target, the second largest general merchandise
retailer in the U.S. Mr. Mulligan joined Target in 1996. His
responsibilities include treasury and internal and external
financial reporting, financial planning and analysis, financial
operations, tax assurance, investor relations, flight services.
He graduated from the University of Wisconsin in 1988. In 1996,
he earned a Master's of Business Administration degree from the
University of Minnesota, I would mention to Senator Klobuchar
and Senator Franken.
Mr. Mulligan, please go ahead.
STATEMENT OF JOHN MULLIGAN, EXECUTIVE VICE PRESIDENT AND CHIEF
FINANCIAL OFFICER, TARGET CORPORATION, MINNEAPOLIS, MINNESOTA
Mr. Mulligan. Good morning, Chairman Leahy, Ranking Member
Grassley, and Members of the Committee. My name is John
Mulligan. I am the executive vice president and chief financial
officer of Target. I appreciate the opportunity to be here
today to discuss important issues surrounding data breaches and
cyber crime.
As you know, Target recently experienced a data breach
resulting from a criminal attack on our systems. To begin, I
want to say how deeply sorry we are for the impact this
incident has had on our guests--your constituents. We know this
breach has shaken their confidence in Target, and we are
determined to work very hard to earn it back.
At Target, we take our responsibility to our guests very
seriously, and this attack has only strengthened our resolve.
We will learn from this incident, and as a result, we hope to
make Target and our industry more secure for consumers in the
future.
I would now like to explain the events of the breach as I
currently understand them. Please recognize that I may not be
able to provide specifics on certain matters because the
criminal and forensic investigations remain active and ongoing.
We are working closely with the Secret Service and the
Department of Justice on the investigation--to help them bring
to justice the criminals who committed this widespread attack
on Target, American business, and consumers.
On the evening of December 12th, we were notified by the
Justice Department of suspicious activity involving payment
cards used at Target. We immediately started our internal
investigation.
On December 13th, we met with the Justice Department and
the Secret Service. On December 14th, we hired an independent
team of experts to lead a thorough forensics investigation.
On December 15th, we confirmed that criminals had
infiltrated our system, had installed malware on our point-of-
sale network, and had potentially stolen guest payment card
data. That same day, we removed the malware from virtually all
registers in our U.S. stores.
Over the next two days, we began notifying the payment
processors and card networks, preparing to notify our guests
and equipping our call centers and stores with the necessary
information and resources to address the concerns of our
guests.
Our actions leading up to our public announcement on
December 19th--and since--have been guided by the principle of
serving our guests, and we have been moving as quickly as
possible to share accurate and actionable information with the
public.
What we note today is that the breach affected two types of
data: payment card data, which affected approximately 40
million guests, and certain personal data, which affected up to
70 million guests. We believe the payment card data was
accessed through malware placed on our point-of-sale registers.
The malware was designed to capture payment card data that
resided on the magnetic strip prior to its encryption within
our systems.
From the outset, our response to the breach has been
focused on supporting our guests and strengthening our
security. In addition to the immediate actions I already
described, we are taking the following concrete actions: first,
we are undertaking an end-to-end forensic review of our entire
network and will make security enhancements, as appropriate.
Second, we increased fraud detection for our Target REDcard
guests. To date, we have not seen any fraud on our proprietary
credit and debit cards due to this breach. And we have seen
only a very low amount of additional fraud on our Target Visa
card. Third, we are reissuing new Target credit and debit cards
immediately to any guest who requests one. Fourth, we are
offering one year of free credit monitoring and identity theft
protection to anyone who has ever shopped in our U.S. Target
stores. Fifth, we informed guests that they have zero liability
for any fraudulent charges on the cards arising from this
incident. And, sixth, Target is accelerating our investment in
chip technology for our Target REDcards and stores' point-of-
sale terminals.
For many years, Target has invested significant capital and
resources in security technology, personnel, and processes. We
had in place multiple layers of protection, including
firewalls, malware detection, intrusion detection and
prevention capabilities, and data loss prevention tools.
But the unfortunate reality is that we suffered a breach.
All businesses--and their customers--are facing increasingly
sophisticated threats from cyber criminals. In fact, news
reports have indicated that several other companies have been
subjected to similar attacks.
To prevent this from happening again, none of us can go it
alone. We need to work together.
Updating payment card technology and strengthening
protections for American consumers is a shared responsibility
and requires a collective and coordinated response. On behalf
of Target, I am committing that we will be an active part of
the solution.
Senators, to each of you and all of your constituents and
our guests, I want to once again reiterate how sorry we are
this happened and our ongoing commitment to making this right.
Thank you for your time today.
[The prepared statement of Mr. Mulligan appears as a
submission for the record.]
Chairman Leahy. Well, thank you very much, Mr. Mulligan.
Michael Kingston is senior vice president and chief
information officer for Neiman Marcus. In his role as chief
information officer, he oversees approximately 500
professionals responsible for all aspects of information
technology and security, including technology strategies,
system development, information technology service delivery for
all Neiman Marcus brands, both in stores and its Web site, and
has over 20 years of experience in the field.
Mr. Kingston, thank you for being here. Please go ahead,
sir.
STATEMENT OF MICHAEL R. KINGSTON, SENIOR VICE PRESIDENT AND
CHIEF INFORMATION OFFICER, THE NEIMAN MARCUS GROUP, DALLAS,
TEXAS
Mr. Kingston. Mr. Chairman, Senator Grassley, Members of
the Committee, good morning. My name is Michael Kingston, and I
am chief information officer at Neiman Marcus Group. I want to
thank you for your invitation to appear today to share with you
our experiences regarding the recent criminal cybersecurity
incident at our company. I have submitted a longer written
statement and appreciate the opportunity to make some brief
opening remarks.
We are in the midst of an ongoing forensic investigation
that has revealed a cyber attack using very sophisticated
malware. From the moment I learned that there might be a
compromise of payment card information involving our company, I
have personally led the effort to ensure that we were acting
swiftly, thoroughly, and responsibly to determine whether such
a compromise had occurred, to protect our customers and the
security of our systems, and to assist law enforcement in
capturing the criminals. Because our investigation is ongoing,
I may be limited in my ability to speak definitively or with
specificity on some issues, and there may be some questions to
which I do not have the answers. Nevertheless, it is important
to us as a company to make ourselves available to you to
provide whatever information we can to assist in your important
work.
Our company was founded 107 years ago. One of our founding
principles is based on delivering exceptional service to our
customers and building long-lasting relationships with them
that have spanned generations. We take this commitment to our
customers very seriously. It is part of who we are and what we
do daily to distinguish ourselves from other retailers.
We have never before been subjected to any sort of
significant cybersecurity intrusion, so we have been
particularly disturbed by this incident.
Through our ongoing forensic investigation, we have learned
that the malware which penetrated our system was exceedingly
sophisticated, a conclusion the Secret Service has confirmed. A
recent report prepared by the Secret Service crystallized the
problem when they concluded that a specific type of malware,
comparable and perhaps even less sophisticated than the one in
our case, according to our investigators, had a zero percent
detection rate by anti-virus software.
The malware was evidently able to capture payment card data
in real time, right after a card was swiped, and had
sophisticated features that made it particularly difficult to
detect, including some that were specifically customized to
evade our multilayered security architecture that provided
strong protection for our customers' data and our systems.
Because of the malware's sophisticated anti-detection
devices, we did not learn that we had an actual problem in our
computer system until January 2, and it was not until January 6
when the malware and its outputs had been disassembled and
decrypted enough that we were able to determine that it was
able to operate in our systems. Then, disabling it to ensure it
was not still operating took until January 10. That day we sent
out our first notices to customers potentially affected and
made widely reported public statements describing what we knew
at that point about the incident.
Simply put, prior to January 2, despite our immediate
efforts to have two separate firms of forensic investigators
dig into our systems in an attempt to find any data security
compromise, no data security compromise in our systems had been
identified.
Based on the current state of the evidence in the ongoing
investigation: One, it now appears that the customer
information that was potentially exposed to the malware was
payment card information from transactions in 77 of our 85
stores between July and October 2013, at different time periods
within this date range in each store; two, we have no
indication that transactions on our Web sites or at our
restaurants were compromised; three, PIN data was not
compromised, as we do not have PIN pads and we do not request
PINs; and, four, there is no indication that Social Security
numbers or other personal information was exposed in any way.
We have also offered to any customer who shopped with us in
the last year at either Neiman Marcus Group stores or Web
sites--whether their card was exposed to the malware or not--
one year of free credit monitoring and identity theft
insurance. We will continue to provide the excellent service to
our customers that is our hallmark, and I know that the way we
responded to this situation is consistent with that commitment.
Thank you again for your invitation to testify today, and I
look forward to answering your questions.
[The prepared statement of Mr. Kingston appears as a
submission for the record.]
Chairman Leahy. Thank you very much, Mr. Kingston.
And our next witness is Delara Derakhshani, who serves as
policy counsel in Consumers Union's Washington office. She is
the lead advocate for the organization's telecommunications,
media, and privacy efforts. Consumers Union is the policy and
advocacy division of Consumer Reports. Ms. Derakhshani
graduated from the University of Virginia and earned a law
degree from Catholic University's Columbus School of Law.
We are glad to have you here. Please go ahead.
STATEMENT OF DELARA DERAKHSHANI, POLICY COUNSEL, CONSUMERS
UNION, WASHINGTON, DC
Ms. Derakhshani. Chairman Leahy, Ranking Member Grassley,
and esteemed Members of the Committee, thank you for the
opportunity to testify before you today about data breaches. My
name is Delara Derakhshani, and I serve as policy counsel of
Consumers Union, the policy and advocacy arm of Consumer
Reports.
This past December--at the height of the holiday shopping
season--40 million unsuspecting consumers learned that
criminals may have gained unauthorized access to their credit
card and debit card information. Subsequently, 70 million more
learned that personal information such as names, addresses, and
telephone numbers may have also fallen into the hands of
suspected hackers. Since then we have learned of similar
breaches at other retailers: Neiman Marcus has confirmed
unauthorized access to payment data, and Michaels has stated
that it is investigating whether a similar breach occurred. The
press is reporting that the malware that was reportedly used in
the Neiman Marcus and Target breaches was sold to criminals
overseas. So what we have seen thus far may just be the tip of
the iceberg.
This is truly disturbing. As Consumer Reports and Consumers
Union have reported with regularity in our publications,
consumers who have their data compromised in a large-scale
security breach are more likely to become victims of identity
theft or fraud. And although federal consumer protection
lending laws and voluntary industry standards generally protect
consumers from significant out-of-pocket losses, policymakers
and consumers should take these threats seriously.
Then there are the very practical and time-consuming
concerns for consumers whose data has been breached. Of
particular concern is debit cards, which carry fewer legal
protections. And while consumers might not ultimately be held
responsible if someone steals their debit card data or PIN
number, data thieves can still empty out a consumer's bank
account and set off a cascade of bounced checks and late fees
which victims will have to settle down the road.
What can happen to the data after it is stolen is
disconcerting, to say the least. Sometimes data is resold to
criminals outside of the country. Other times it is used to
create counterfeit cards, debit cards which have direct access
to your checking account. The result is decreased consumer
confidence in the marketplace and uncertainty with the
realization that your private financial information is out
there in the ether for anybody to use for an unauthorized
purpose.
When Consumers Union learned of the breach, we wrote to the
CFPB and urged them to investigate the matter and for increased
public disclosure. And just last week, Attorney General Eric
Holder confirmed that the Department of Justice is also
investigating the matter. We know that lawmakers have urged the
Federal Trade Commission to investigate as well, and we are
grateful for these federal agencies' efforts and State
Attorneys General's efforts so that we can figure out what
happened and get to the bottom of this and figure out how to
come up with a solution together to prevent these breaches from
occurring in the future.
We have also provided consumers with a number of tips,
including checking transaction data, notifying your bank
immediately of any suspicious activity; for extra protection,
replacing credit cards, debit cards, and PIN numbers; placing
fraud alerts and also security freezes so that lenders will be
blocked from access to your credit report. And Target and
affected retailers are also offering consumers credit
monitoring, which we would be happy to speak about and answer
questions about as well.
Many other countries have shifted or are in the process of
shifting to what is known as EMV technology or chip-and-PIN
technology, which uses multiple layers of security, including a
computer chip in each card that stores and transmits encrypted
data, as well as a unique identifier that can change with each
transaction.
What we have reported in the past is that when this
technology has been adopted in Europe, it has significantly
decreased fraud. So we need a strong commitment from all
stakeholders to adopt this technology sooner rather than later.
These incidents reinforce just how timely and relevant
these issues are. We are very appreciative of the Committee's
efforts and the Chairman for introducing the Data Privacy and
Security Act. We think that the sooner consumers know their
data has been compromised, the sooner they can take steps to
protect themselves.
We would also urge the Committee to consider shortening the
timeline for notification from the 60 days to require more
immediate notification.
We do also--we would like to strengthen some provisions,
including those related to preemption. We want to make sure
that any national standard results in strong, meaningful
protections.
In closing, we thank you for the opportunity to speak
before you today. We appreciate your interest in data security,
and we want to ensure that there is consumer confidence in the
marketplace, and we look forward to working with you and all
interested parties.
Thank you very much.
[The prepared statement of Ms. Derakhshani appears as a
submission for the record.]
Chairman Leahy. Well, thank you, and thank you for what you
said about the legislation. I am hoping we can move it quickly.
Fran Rosch is the senior vice president of user protection
productivity, product management, and mobility solutions at
Symantec. He drives the development and execution of Symantec
and Norton's endpoint and mobile management. He was vice
president of identity and authentication services before that.
Obviously he has a background in this field.
Please, sir, go ahead.
STATEMENT OF FRAN ROSCH, SENIOR VICE PRESIDENT, SECURITY
PRODUCTS AND SERVICES, ENDPOINT AND MOBILITY, SYMANTEC
CORPORATION, MOUNTAIN VIEW, CALIFORNIA
Mr. Rosch. Thank you, and good morning. Chairman Leahy,
Ranking Member Grassley, distinguished Members of the
Committee, thank you for the opportunity to testify today on
behalf of Symantec Corporation. We are the world's largest
security software company with over 31 years of experience
developing information security and management technology.
Our Global Intelligence Network is composed of millions of
sensors all over the world and records thousands of events per
second, and we maintain 10 Security Response Centers that
operate 24/7 around the globe. This gives us a view of the
entire Internet threat landscape. At Symantec, we also invest
over $1 billion a year in R&D on advanced security technologies
to help our customers stay ahead of the bad guys.
The hearing today is critically important and will focus
attention on what businesses and consumers can do to protect
themselves from cyber attacks and data breaches. Attacks on
point-of-sale, or POS, devices are not new, but it does appear
the pace is increasing. This increase brings with it media
attention and citizen concern, but this cannot be just about
one or two high-profile crimes. Not just retailers but every
organization with sensitive information is at risk, because
cyber crime is a big business.
In 2013, we estimate that the identities of over 435
million people were exposed, and that number is rising as new
reports surface. The cost of these breaches is very real and is
borne directly by both consumers and organizations.
For example, we estimate that in 2012 the global price tag
of consumer cyber crime was $113 billion. The Ponemon Institute
looked at the impact on companies and found that the average
total cost of a breach in 2012 was $5.4 million. Ponemon also
found that strong security before a breach and good incident
management post-breach can dramatically cut the cost of these
incidents.
These breaches are increasingly caused by targeted attacks,
which were up 42 percent year over year. Some are direct
attacks on a company's servers, where attackers search for
unpatched vulnerabilities or undefended connections to the
Internet.
All attacks have essentially one goal: to gain control of
the user's computer. After infiltrating an organization,
attackers can move laterally until they find what they are
looking for. In the case of a retailer, this can include
compromising point-of-sale systems to obtain valuable consumer
information.
The best way to prevent these attacks starts with the
basics. Though criminals' tactics are continually evolving,
good cyber hygiene is simple and cost-effective. Strong
passwords, two-factor authentication, ubiquitous encryption are
important elements of any good security program.
But suboptimally deployed security can also lead to a
breach, and a modern security suite that is being fully
utilized is essential. Advanced security protection is much
more than anti-virus software. In the past, the same piece of
malware would be delivered to thousands or even millions of
computers and was easily blocked through signature-based
systems. Today cyber criminals can take the same malware and
create unlimited unique variants that can slip past basic AV
software. That is why modern security software does much more
than look for known malware. It monitors your computer or
mobile device, watching for unusual traffic patterns or
processes that could be indicative of malicious behavior.
At Symantec we have developed and provide reputation-based
and behavior-based heuristic security technologies, which can
identify and block more advanced threats. These solutions put
files in context, using their age, frequency, location, and
other characteristics to expose emerging threats that might
otherwise be missed. If a computer is trying to execute a file
that we have never seen anywhere in the world and that comes
from an unknown source, there is a high probability that it is
malicious and it should be blocked.
Security should also be specific to the device being
protected, and in some ways, point-of-sale system devices have
advantages over other systems because the functions they need
to perform can be narrowly defined. Allowing these devices to
only run approved applications will reduce the attack surface
and render many strains of malware ineffective.
Yesterday Symantec released a special report called
``Attacks on Point of Sales Systems'' that provides an overview
of the methods that attackers may use and provides
recommendations on how to protect these systems from attack.
Unfortunately data breaches and cyber threats are part of
our day-to-day lives. We will never be able to prevent every
data breach or cyber attack, but working together, industry and
government can make it increasingly more difficult for cyber
criminals to succeed.
Thank you again for this opportunity to be here today, and
I am happy to take any questions that you may have.
[The prepared statement of Mr. Rosch appears as a
submission for the record.]
Chairman Leahy. Well, thank you very much, Mr. Rosch.
I think we are all united in the same thing. We all want to
stop these attacks, number one. Number two, as you just pointed
out, Mr. Rosch, we are always going to have these attacks. No
matter what we do, there will be more attacks. The question is:
Can we successfully stop them? And are we keeping up to date
with the realities of today as compared to years ago?
Now, Mr. Mulligan, the data breach at Target, of course,
became front-page news. I am not just going after your company,
obviously, but it did have the potential to place one in three
Americans at risk of fraud or identity theft--identity theft
being probably one of the most difficult things somebody has to
deal with.
So what have you found so far? Are you any closer to
finding who did it? And tell us just briefly what are the steps
you are taking to protect privacy.
Mr. Mulligan. So, Senator, as I said earlier, the intruder
came in through a set of compromised vendor credentials and
took two sets of data. The first set of data was malware was
placed on our point-of-sale registers, and there they grabbed
payment card information in the time between it being swiped
from the magnetic stripe until we encrypt it within our
systems. They then encrypted that and removed it from our
systems.
Separately, they took information from certain personal
data--name, address, phone number, email address--for up to 70
million records, similarly encrypted that, and removed that
from our systems.
We have had an ongoing forensic investigation and an
end-to-end review of our entire network to understand what went on.
Since that time, we have removed the malware from our system.
We have closed the point of entry. We have narrowed the scope
of who has access to our systems. We have provided the malware
to security firms for their review. And we have the ongoing
end-to-end review where we will have additional learnings, and
we are committed to taking additional actions.
Chairman Leahy. You talk about discovery. As I understand
it, the Justice Department told you about this on--well, you
said this--on December 12 of last year. You found and removed
the malware three days later, December 15. Am I correct on
those dates?
Mr. Mulligan. That is accurate, Mr. Chairman.
Chairman Leahy. Had you had any knowledge that malware was
there before the Department of Justice gave you that
notification?
Mr. Mulligan. We did not, Senator, Mr. Chairman. Despite
the significant investment in multiple layers of detection that
we had within our systems, we did not.
Chairman Leahy. So you had all your systems in place, but
you found out about it from the Department of Justice.
Mr. Mulligan. That is correct, Mr. Chairman.
Chairman Leahy. But the breach did not involve online
purchases or transactions. Is that correct?
Mr. Mulligan. That is correct. That is my understanding,
Mr. Chairman.
Chairman Leahy. And, Mr. Kingston, you testified that the
breach that you saw at your company could affect 1.1 million
American consumers. Is that correct?
Mr. Kingston. What we have learned, Mr. Chairman, in our
investigation is that this malware, which was inserted into our
systems by the criminals, was operating in many of our stores
at certain times between July and October 2013. And the maximum
number of account numbers in our stores at that time that were
exposed to the malware was 1.1 million accounts. But we do
believe, because the malware was only operating at certain
times, that the number is actually less than that.
Chairman Leahy. Well, when did you first find out about it?
As you said, it was operating during the summer. But when did
you first find out about it?
Mr. Kingston. The first time that we found out about the
malware was when our forensic investigation teams discovered it
on January 2, 2014.
Chairman Leahy. When did you first receive information
about it?
Mr. Kingston. The forensic investigation firm first alerted
us that there was some suspicious malware that they had found
as part of the investigation on our systems on January 1.
Chairman Leahy. But didn't you say that you first received
information on December 17?
Mr. Kingston. On December 17, we were notified by our
merchant processor that MasterCard had found in its fraud
systems 122 account numbers that had been fraudulently used
that were used prior to that at Neiman Marcus locations.
Chairman Leahy. Now, in the last month, since January when
you first had this, have you changed any of your malware
protection protocols or equipment?
Mr. Kingston. Yes, we have. We have actually made a number
of different changes. As I mentioned in my testimony, the
malware, unfortunately, was not detected by our anti-virus
systems, which we maintain and keep up to date. Since then, we
have shared the malware both with forensic investigations
teams, the Secret Service, and our anti-virus company, and they
have provided us with updated signatures so that we can remove
it and disable it.
Chairman Leahy. How has the cooperation been with law
enforcement?
Mr. Kingston. We have been working with law enforcement all
along the investigation, and they have actually been very, very
helpful and very cooperative.
Chairman Leahy. Would you say the same, Mr. Mulligan?
Mr. Mulligan. I would, Senator. We have a long relationship
with law enforcement, and they have been--our interactions
throughout this time have been very productive.
Chairman Leahy. Thank you.
Senator Grassley.
Senator Grassley. Yes, I want to associate myself with the
remarks that the Chairman made just before he asked questions,
and that is, I think we are all trying to find the same
solution. This is not a case of a group of business people on
one side and the government on the other side. We have got a
major problem we have to deal with, and it is going to take
cooperation. The Senator did not say it exactly that way, but I
think--I hope I----
Chairman Leahy. I agree with you.
Senator Grassley. Thank you.
As we have heard today, even companies with tremendous
resources and multilayered--by the way, I am going to ask
Mulligan, Kingston, and Rosch this. As we have heard today,
even companies with tremendous resources and multilayered
security systems can be attacked and breached. This means
smaller businesses are more vulnerable to similar attacks. One
thing I have heard repeatedly is that businesses of all sizes
need flexibility in creating and implementing their security
programs. What works for one may not work for another. But
companies must be proactive, and guidelines for what they
should be doing are helpful.
So to you three, how can the government encourage the
private sector to strengthen data security that provides
businesses that flexibility and guidance that they need as
opposed to burdensome government regulation?
Mr. Mulligan. Start with me, Senator?
Senator Grassley. Yes.
Mr. Mulligan. We agree, Senator, that this is an evolving
threat and one that is well beyond retail or Target to all
industry. There were hundreds of breaches last year, and we
think, therefore, the solution needs to be a combination of
efforts across all participants in the space, Senator.
I think for payment card information, similarly, there are
a number of participants in the payment card world, and we need
to work collectively to move to chip-and-PIN technology. That
would have rendered the account numbers that were taken far
less useful. But it is technologies like that that we think are
important, and we are committed to moving forward and
accelerating our efforts in that particular area.
Senator Grassley. Mr. Kingston.
Mr. Kingston. First of all, I think shedding light on this
issue as the Committee is doing today is extremely helpful, and
we appreciate that. I think one of the things that the
government can do--there are a lot of actors in this ecosystem.
There are technology companies. Obviously there is the private
sector. There are law enforcement, government agencies. There
are security experts. I think collectively all of those actors,
all of those stakeholders, who have intelligence and are able
to share it with the community, should be encouraged to do
that. Information sharing can help us try to keep up with this
problem, which is continuing to evolve and continuing to become
more sophisticated.
Senator Grassley. Mr. Rosch.
Mr. Rosch. Yes, I would agree with what Mr. Kingston said.
This is definitely a shared responsibility between companies
and security vendors and consumers themselves to follow good
practices. But we do believe it would be helpful for the
government to recommend, in a very flexible way, some
preventative measures that companies can take to at least give
a guideline to be able to protect their systems.
You mentioned the NIST standard. We believe that is a good
voluntary and flexible framework that companies can use to
guide in developing good security solutions.
Senator Grassley. To the three of you again, you know, and
this gets back to some people, maybe, think this ought to be
completely government driven, and then there are people that
think it is entirely industry, government stay out of it. The
Chairman and I have talked about a partnership. Recently the
National Institute of Standards and Technology was just
mentioned here.
So for you three, if government is going to create federal
data security standards, what role, if any, should the private
sector have in that process? Mr. Mulligan and then Kingston and
then Rosch.
Mr. Mulligan. Senator, I think private industry and
government have to work together here. I agree with what you
have heard. It is a shared responsibility, and communication
between both the private sector and the public sector is
important. We have had ongoing relationships and information
sharing with law enforcement. That needs to happen more broadly
between our organization and private organizations more broadly
and the government to find solutions here.
Senator Grassley. Mr. Kingston.
Mr. Kingston. I think guidelines and standards are always
very helpful, particularly in this case. So I would encourage
that all of the stakeholders provide input into that.
Mr. Rosch. Yes, I would agree, and I think, you know, the
key word here is ``flexibility.'' I think what we have to
recognize is that this is kind of an ongoing war, and the types
of threats are changing all the time, and the new technology
comes on the market to protect all the time. So we are
constantly kind of raising the bar. So whatever gets developed
needs to allow for that to happen versus locking in at any
particular time what might seem acceptable.
Senator Grassley. I am not going to ask a question. I did
have a question, but I kind of want to make a statement that I
hope that we can avoid a situation where the government says
you do something and you do it, and it is abiding by the
regulations and that may come up short of what we need to do.
That is why I think cooperation is so important.
Thank you, Mr. Chairman.
Chairman Leahy. And I had indicated I agree with that,
because we know we are dealing with something that even with
the expertise of the four of you here, you could not tell me
specifically what would be the greatest threat you might face
18 months from now, because these things are evolving, just as
our best intelligence agencies and others cannot either. But we
want to give you a framework. We want to have a framework, one
that protects consumers so they know where their rights are and
being protected, but also protect our businesses, because you
have to maintain the trust between both the businesses and the
consumers for the good of our country. We have a fragile
recovery. We are slowly recovering. But without that
credibility, we cannot do it.
I am going to yield to Senator Feinstein, then Senator
Hatch, and go back and forth. I have to step out for a moment.
Senator Feinstein.
Senator Feinstein [presiding]. Thank you very much, Mr.
Chairman.
I want to begin by thanking Mr. Mulligan and Mr. Kingston
for being here, because up until very recently, companies would
not step forward. Companies would not make it public. I
introduced the first data breach notification bill in 2003, and
I could not get any cooperation in that data breach. And I
pulled the record and would like to introduce the particulars
of what happened in 2002 and 2003 into the record. That will be
the order.
[The information referred to appears as a submission for
the record.]
Senator Feinstein. I am a shopper at your business then,
Mr. Kingston. I do not recall getting any notice that my data
may have been breached. When would I have had notice? And I
would have shopped during the period of time.
Mr. Kingston. Senator, we have actually sent out a number
of different notifications, and I will start with the 10 of
January when we learned----
Senator Feinstein. But you said you did not learn--the
breach took place months before you actually learned then that
there was a breach.
Mr. Kingston. It was not until January 6, actually, that we
learned that this very sophisticated malware that was put in
our systems had the ability to scrape card data in our systems.
And then we quickly put in actions to contain and eradicate
that malware, and then we immediately began notifying
customers.
Senator Feinstein. And you said that 1.1 million customers
had been affected?
Mr. Kingston. During that period of time, that was the
total number of accounts that we transacted in our stores.
Senator Feinstein. Now, can I assume that all 1.1 million
were affected and notified, so somewhere in my record I should
be able to find a record of having been notified?
Mr. Kingston. We have notified all customers who shopped in
our stores or on our Web sites, which is a greater number of
customers than were affected in this 1.1 million number. We
have notified all of those customers.
Senator Feinstein. And when did you do that?
Mr. Kingston. We did that on January 22.
Senator Feinstein. Okay. And, Mr. Mulligan, when did you
notify your customers? And how many did you notify?
Mr. Mulligan. Senator, we notified--sorry, we refer to them
as ``guests''--on December 19, four days after we found the
malware. For those guests which we had email addresses for, we
notified them by email. But given the scope, we thought it
appropriate that broad disclosure was the best path to go, and
so we had very broad disclosure through the media, on our Web
site, through social media, a multitude of channels.
Senator Feinstein. But you did not notify individual
customers?
Mr. Mulligan. We did not have specific contact information
for all----
Senator Feinstein. So you were depending on the public for
your notice. Can you explain to me why--see, I document cases
going back to 2003 and 2002. Nobody would notify. And I had a
bill that was notification, and it was fiercely fought.
Companies did not want to notify their customers. And I have
worked on that bill. It is not going to go anywhere because of
the notice provisions. So here we are, sort of, again with
respect to notices.
I believe that if somebody has an account or uses their
credit at your institution and their data is breached, they
should be notified so they can protect themselves.
Do you want to respond to that? I do not mean to----
Mr. Mulligan. No. We agree with your view completely,
Senator. Our focus has been on having accurate and actionable
information balanced with providing that notice as quickly as
possible and ensuring that we had the capability to respond to
what were going to be millions of requests for information.
We felt, given the scope of our breach, that public
dissemination was appropriate and would let all of our guests
know virtually immediately. And as I am sure you are aware, we
were on the front page of every newspaper in this country.
Senator Feinstein. But here is the problem with that. The
public notification is always vague. It is sort of
non-specific. You really do not know. And then you find out, kind
of brutally, in other ways if you have money missing.
Now, you happen to be retail establishments. In 2003, a
hacker broke into electronic records of the payroll facility
for California State employees, and some 265,000 Social
Security numbers were compromised. Now, you said there was no
compromise of Social Security numbers. But my point is those
people deserve to know that their data was hacked. And this has
been the big resistance out there in the commercial community
in the 11, 12 years that I have worked on this. And so as far
as I am concerned, any bill that is forthcoming from this
institution should provide notification of customers that their
data may have been breached so they can protect themselves.
If anyone has a comment on that, if you disagree, please
tell me. No comment?
Mr. Kingston. We agree, Senator, which is why we did
exactly as you said. Once we knew that we had criminal activity
inside of our systems and who was impacted, we reached out
individually to customers. In fact, we reached out to more
customers just to be cautious, because it is important to us
that our customers understand that this is our primary concern,
their privacy and their information. And so all customers that
shopped the entire year in Neiman Marcus stores and Web sites
were notified.
Senator Feinstein. I will go home and look for my notice.
Thank you very much.
Ms. Derakhshani. We also agree that notification is an
extremely important aspect of this discussion, and as you
indicated, the sooner consumers are made aware, the sooner they
can take actions to protect themselves.
Senator Feinstein. Thank you very much.
Senator Hatch.
Senator Hatch. Well, thank you, Senator.
I know that many retailers are migrating toward secure
point-of-sale terminals capable of processing chip-and-PIN
transactions. Yet I have heard that some credit cards will only
require chip and signature, not chip and PIN. Why would that be
the case, especially when a chip-and-PIN credit card would be
more secure for in-store purchases? Anybody who cares to answer
that, I would just throw it to all of you.
Mr. Mulligan. Senator, it is my understanding today the
standards have been set for chip-enabled card technology. The
chip-and-PIN standards are not set yet. We are advocates, as
you mentioned, of getting to chip-and-PIN technology. We think
that is a safer form. But we think also waiting, we think
making the next step is important, and getting to a place where
we have guest payment devices and retailers that can read chips
and cards are issued with chips so that we can begin to migrate
away from magnetic strips is an important next step.
Senator Hatch. Okay. It is my understanding that
chip-and-PIN technology does not make online purchases more secure. In
fact, the reports confirm that as Europe transitioned to
chip-and-PIN cards, fraud losses from online transactions actually
increased at a greater pace. As chip-and-PIN cards make
in-store transactions more secure in the United States, how will
you make online sales similarly secure, Mr. Mulligan?
Mr. Mulligan. I think that is an excellent question,
Senator, and I think, first, we need to not let the perfect get
in the way of the good, so making progress in stores makes a
lot of sense, and installing chip-and-PIN technology there, we
think, is important.
As you said, the threat continues to evolve, and so there
is a shared responsibility here and continuing to have all
parties that ensure payment transactions are processed
appropriately here in the U.S. be participants in moving that
forward to find solutions to the online transactions. We are
part of the EMV Migration Forum, and that is a topic there
where all interested parties in the payment space come together
and discuss that, so that we can find solutions to online. But
your point is right on.
Senator Hatch. Okay. Thank you.
Mr. Kingston, you said that credit card information was
scraped. What about other information like birthdays and Social
Security numbers? Did the hackers--were they able to get that
information, too?
Mr. Kingston. Senator, our investigation, which is still
ongoing, has shown no evidence that other personal information
outside of card holder information was scraped.
Senator Hatch. Okay. Mr. Rosch, could you please describe
both the advantages and the disadvantages or shortcomings of
chip-and-PIN technology as well as any alternatives that may
exist that are not currently being considered? As you know,
chip-and-PIN technology itself is more than 20 years old. Are
there more secure alternatives that we should be considering?
Mr. Rosch. Well, I think we would agree with the other
panelists and yourself that chip and PIN is definitely a step
in the right direction. While it is not a panacea, it
definitely adds three primary benefits to the ecosystem: One,
it is more encryption. So the credit card information would
stay encrypted longer, and it would make it much more difficult
for the hackers to be able to obtain that information. So that
is a big benefit of chip and PIN. The second is it makes it
more difficult to duplicate the card. So if the information is
stolen, sometimes with the regular magstripe, it is easy enough
to go and create another credit card. The fraudsters can create
another credit card. Because the chip in these cards has a
unique credential, they cannot be copied, so it reduces the
risk of multiple cards being generated. And then I think,
third, with the PIN, that combines what we call two-factor
authentication, when you have something you have and something
you know, the card being something you have and the PIN
something you know. So if someone was to actually steal your
physical card, it would do no good unless they knew your PIN.
So the three primary advantages, it definitely raises the
bar on security.
Senator Hatch. Okay. Now, I have a related question about
so-called mobile wallets. Although companies like Google are
just starting to roll out these types of products, I have no
doubt that this technology that allows you to pay by simply
tapping your smartphone at a register will be widespread in
just a few years. Could you describe the security features of
these payment platforms and whether chip-and-PIN technology is
compatible?
Mr. Rosch. Yes, I think we would agree with you that mobile
payments are certainly going to be the future. It is still yet
to determine exactly which of those different models that are
out there will be the future, but I think it is important to
note that when you use a mobile device, that is basically a new
opportunity for the criminals to be able to attack. That
broadens the attack surface. So there are a lot of good
technologies that can lock down these devices and keep that
information safe, and those things are in progress.
Chip and PIN would not apply in that case. As you
mentioned, it is really for card present when you have a swipe.
But there are other ways using behavioral analysis to be able
to fingerprint some of these devices and recognize a user that
can add security in the mobile payments ecosystem.
Senator Hatch. Thank you. My time is up.
Senator Feinstein. Thank you very much, Senator Hatch.
Senator Klobuchar.
Senator Klobuchar. Thank you very much, Senator Feinstein.
As Chairman Leahy noted, these are good companies. We
certainly know that in Minnesota, the home of Target. And we
also know that if these companies can see these kinds of data
breaches, these companies that employ so many people in our
country, it can happen to anyone.
And as Senator Feinstein expressed, a lot of times when we
have pushed some of these cyber bills, whether it is about
government security, whether it is about private security, we
get a lot of pushback. And I think that, if anything, we have
learned from this major, major breach that we can no longer do
nothing, that we have to take action.
And as a former prosecutor, of course, my first reaction to
this is to find the crooks that did this and punish them, and I
know that that investigation is continuing.
My second reaction is that we have to find the technical
solutions here and that our laws have to be as sophisticated as
the crooks that are breaking them, and I start there.
So I thought I would start with following up with what
Senator Hatch talked about, which was this new technology that,
I understand, is adopted in Europe. Is that true, Mr. Rosch?
Mr. Rosch. Yes, it has been adopted in Europe, and it has
showed some significant benefits.
Senator Klobuchar. And is it true in Great Britain that
they have seen a major decrease in these kinds of breaches?
Mr. Rosch. They have seen a reduction in in-store or
card-present breaches. They have also seen, however, some of that
shift to the online channel where the chip and PIN does not
prevent that. But it has definitely helped in reducing fraud
in-store.
Senator Klobuchar. Okay. And so what is stopping us from
moving to this kind of technology? We have acknowledged, as
Senator Hatch has, that maybe there will be some other new
great thing that comes along. But what is stopping our country
when they are doing this in Europe? I know, Mr. Mulligan, that
Target had attempted using this technology. I think--was it
back in 2003? Is that right? And so what has stopped it from
being rolled out on a major basis? And how can we change that,
Mr. Mulligan?
Mr. Mulligan. As you know, there are many participants in
the payment card world that ensure transactions are processed
appropriately in the U.S. As you said, we tried this in 2003.
We put guest payment devices, as we call them, in our stores to
read chips. We introduced a new payment card, a Target Visa
card, with a chip in it. But without broad adoption, there are
not significant benefits for consumers.
Senator Klobuchar. And by broad adoption, you mean other
retail outlets using the same card?
Mr. Mulligan. Other retailer outlets having the ability to
read that card as well as the cards being issued with chip
technology on them. So it is both pieces of the payment
industry need to move together simultaneously.
We have been advocates of this, and all of us need to move
together simultaneously. It is a shared responsibility.
Senator Klobuchar. And how does this interact with the
financial industry?
Mr. Mulligan. The financial industry, obviously, they are,
in general, the issuers of the cards, and so, again, in
partnership with them, we need to move together collectively so
that the whole system is employing chip-and-PIN technology.
Senator Klobuchar. And would the NIST standard we were
talking about before--that is in development. Is that right?
Mr. Rosch. Yes, the NIST standard----
Senator Klobuchar. How long has it been in development?
Mr. Rosch. It has been in development for quite some time,
but it is due to be released in a week.
Senator Klobuchar. Okay. Like 20 years or----
Mr. Rosch. No. Just more on a year time frame.
Senator Klobuchar. Okay, good.
Mr. Rosch. But it is due to be released next week, so we
are making good progress.
Senator Klobuchar. Okay. Well, that is good timing. And so
would that cover this kind of new technology and it would set a
standard for these companies? Or do we need to do something
more aggressive to get the new technology out there?
Mr. Rosch. I think the NIST standard does provide some
guidelines and objectives for companies to follow. It is not
specific in requiring chip and PIN.
Senator Klobuchar. Okay. Did you want to add anything, Mr.
Kingston or Ms. Derakhshani?
Ms. Derakhshani. We are definitely supportive of chip-and-
PIN technology and of the efforts to--of any efforts to
expedite wide adoption of this technology.
Senator Klobuchar. Okay. And then I just want to go back
quickly to something that was raised at the beginning, about
the time in between when it was confirmed this malware was on
the system and when the consumers found out about it. Mr.
Mulligan, could you give me just the time in between the time
it was confirmed and the time you notified customers?
Mr. Mulligan. We confirmed malware on our systems on
December 15, and we notified customers on December 19, Senator.
Senator Klobuchar. And by ``notified,'' to make clear--this
was Senator Feinstein's question--it was done publicly.
Mr. Mulligan. Broad public disclosure, yes.
Senator Klobuchar. Okay. And then, Mr. Kingston, what was
your timeline?
Mr. Kingston. We were first notified by our forensic
investigators on January 2 that they saw suspicious malware. It
was not until January 6 that they understood how it operated.
And then we spent the next few days containing, disabling, and
removing the malware, and it was on January 10 that we started
notifying the public and customers directly.
Senator Klobuchar. All right. And did both companies have
policies in place on how you would do this consumer
notification before it started?
Mr. Mulligan. We have several crisis communications plans,
and we enacted those immediately upon finding the malware in
our systems.
Senator Klobuchar. Okay. Mr. Kingston.
Mr. Kingston. Yes, we do.
Senator Klobuchar. All right. Very good. Well, I think you
know Senator Leahy has a bill that is focused on some of these
notification issues, but I continue--which I think is very
important, and I think some of the issues Senator Feinstein
raised are worth discussing. I also think that we really have
to push on this technology, understanding some of the smaller
retailers are going to have different situations than the
bigger retailers. But if we want to fix this going forward so
this just does not keep happening and happening--we just
recently found out hotel chains are now being affected by
this--we are really going to have to put something in place. So
thank you very much for being here today.
Senator Feinstein. Thank you very much, Senator Klobuchar.
Senator Lee, Senator Hatch has asked to make just one small
statement before I recognize you, if that is agreeable. Please
go ahead.
Senator Hatch. Well, thank you, and thank you, Senator Lee.
Just an article that came up actually today, it starts off
by saying, ``U.S. intelligence agencies last week urged the
Obama administration to check its new health care network for
malicious software after learning that developers linked to the
Belarus Government helped produce the website.''
I will just read two other sentences. `` `The U.S.
Affordable Care Act software was written in part in Belarus by
software developers under state control, and that makes the
software a potential target for cyber attacks,' one official
said.''
And then, ``Cybersecurity officials said the potential
threat to the U.S. health care data is compounded by what they
said was an Internet data `hijacking' last year involving
Belarussian state-controlled networks.''
I just wanted to bring that up because this is a really
serious set of discussions, and it goes far beyond just maybe
what the retail community is concerned about.
Thank you.
Senator Feinstein. You are right, Senator. Thank you.
Senator Lee.
Senator Lee. Thank you, Senator Feinstein, and thanks to
all of you for joining us today. This is an important topic. I
know it is important to each of you and to America's consumers.
I generally trust that the marketplace will create the
right kinds of incentives for retailers to protect the personal
data of their consumer base. But I think the creation of those
incentives really requires, as a condition precedent, that
there be adequate notification procedures in place. In other
words, consumers, I think, have to have received notification
in order for any of this to work. They have to receive
notification in order to take the steps they need to take to
protect their identity, and they also need notification so that
they can decide where to take their business. If they do not
trust a particular business with their data, they are not going
to shop there.
So I will start with you, Mr. Mulligan. What factors do you
weigh in deciding at what point to notify consumers--
``guests,'' as you put it. I do not want to denigrate the
Target consumer base by calling them just ``consumers.'' We
have to call them ``guests.'' At what point do you decide to do
that? Because there are some countervailing considerations,
aren't there? I mean, you do not necessarily want to notify
immediately upon discovering that there is a problem.
Mr. Mulligan. Our view, Senator--and you are right. After
18 years, it almost rolls off my tongue without thinking about
it. But our view is there is a balance to be struck here.
Certainly speed is very important to let consumers know what is
going on, but balancing that, as we look through the lens of
our guests, is ensuring that we are providing them with
accurate information so they can understand what happened, and
then actionable information so they can understand what to do
about it. And balancing those two factors is the lens we look
through, and that ultimately led us to our time frame.
I would also add, for us in particular, given the magnitude
and the size of our company, ensuring that we had the
appropriate ability to respond to our guests, as we knew the
questions were going to come, ensuring our call centers were
staffed up and prepared with information for our guests, and
that our stores were able to provide that information. So there
was a large training element that also went on to ensure we
were able to handle their questions and concerns appropriately.
But all of that came together and balanced our decision making
on how quickly to provide notification.
Senator Lee. But it could cause problems if you notified
too soon. If you notified before you know the nature and extent
of the threat and before you know what you are going to do
about it, that could cause issues.
Mr. Mulligan. We believe it is important to provide
accurate information once notification is made, Senator, yes,
what has gone on and helping our consumers understand what to
do about it.
Senator Lee. Okay. Thank you.
Mr. Kingston, one potential legislative response to all of
this could involve establishing some kind of national security
standard, to codify certain security standards, perhaps
standards that are already accepted within the industry. I am
always a little bit concerned about creating a new federal
regulatory authority, in part because sometimes once you
establish something like that, it quickly becomes ineffective,
especially if it is in an area like this one where
technological advances can very quickly render a codified
national security standard irrelevant or outdated.
There is also, I think, some risk that if we create a
national security standard, that would be seen not just as a
floor but as a floor and a ceiling, and you could see some
people complying with that, and then that creates an easy
target for would-be thieves to go after, because they know what
the security standards are because they are codified in law. Do
you see some risks associated with adopting federal legislation
that codifies a uniform security standard?
Mr. Kingston. I think there are going to inherently be
risks for some of the reasons that you stated, Senator. I think
the thing that we have to keep in mind is that the
cybersecurity threat landscape continues to evolve. Every day
it becomes more and more complicated. And so as soon as we
establish the standards--and I think standards are helpful but
as soon as we establish those, as you pointed out, the whole
world knows about it and that gives them the ability to try to,
as in our case, come up with ways to defeat those standards.
I think it is obviously healthy to be able to communicate
to people what some of the standards and good practices are.
But I agree with you; I think there are risks there as well.
Senator Lee. Okay. In the two seconds I have remaining, Mr.
Rosch, I saw you nodding. Do you have anything you want to add
to that?
Mr. Rosch. Yes. I think it is not only that the cyber
threats are evolving very quickly so it is difficult to lock
things in; our environments are changing so quickly. If we look
at what a company's infrastructure looked like five years ago,
it was pretty much contained within their data centers and
their devices. Today information is everywhere. It is in our
data centers. It is in the cloud. It is in, you know, software
that sits in the cloud on mobile devices. So the threats are
exploding, but so is the attack surface. So we need to be
flexible to be able to adjust, because both of those
environments change.
Senator Lee. Thank you very much.
Thank you, Chair.
Senator Feinstein. Thanks, Senator Lee.
Senator Franken.
Senator Franken. Thank you, Madam Chair.
First of all, I think on those--Chairman Leahy has a bill
that I am a cosponsor of that talks about having some
standards, but I think you can write them in a flexible manner.
And I see you nodding, Mr. Rosch.
As some of you may know, I am Chair of the Subcommittee on
Privacy, Technology, and the Law. I think the people have a
fundamental right to privacy, and for me, part of that right is
knowing that your sensitive information is protected and
secure. And when millions of consumers have their credit and
debit card data stolen, we have a big problem. We need to fix
it.
Minnesotans shop at Target all the time, as do millions of
other Americans. Minnesotans shop at Neiman Marcus, too. We
need to get to the bottom of these breaches.
But what is clear to me is that we are not just dealing
with the problem of Target and Neiman Marcus, or Michaels, for
that matter. We are dealing with a systemic problem. A big part
of that problem, as we have discussed, is the security of our
credit and debit cards. The U.S. has one-fourth of the world's
card transactions, and yet we are victims to half of all card
fraud.
Two weeks ago, I wrote to each of the Nation's largest
credit and debit card companies to ask them what they were
doing to make our cards safer, and their responses are due
tomorrow.
The Federal Government has a role to play here, too.
Congress needs to pass laws that promote data security. Right
now there is no federal law setting out clear security
standards that merchants and data brokers need to meet, and
there is no federal law requiring companies to tell their
customers when their data has been stolen. And I am glad to say
that Chairman Leahy has a bill that would fix this problem, and
I am glad to be a cosponsor of it. And I think it contains
enough flexibility that it is not a signal to how to overcome
that to criminals.
First I want to get a little better handle on how Target
and Neiman Marcus had their breaches occur. Mr. Mulligan,
retailers are on the front line when it comes to stopping the
breach of their customers' data. I understand Target has spent
considerable resources on data security systems. But a January
17 article in the New York Times states that your systems at
Target were ``astonishingly open'' and ``particularly
vulnerable to attack.''
I know that you had had independent audits before, a couple
of them, saying that you had passed muster and you were among
the best in the industry. Can you respond to these charges?
Mr. Mulligan. Sure. Respectfully, Senator, we would not
share that view. Over the past several years, we have invested
hundreds of millions of dollars in several areas in technology
to prevent data loss. This includes segmentation, malware
detection, intrusion detection and prevention, data loss
prevention tools, multiple layers of firewalls. But beyond
that, as you said, we have ongoing assessments and third
parties coming in doing penetration testing of our systems,
benchmarking us against others, assessing if we are in
compliance with our own processes and control standards. And we
have invested in team. We have hundreds of team members
responsible for this. We go so far as training 370,000 team
members annually on the importance of data security. So we have
taken a holistic view of our approach to data security and
invested significant resources.
Senator Franken. Okay. It is kind of spy versus spy, is
what we are talking about.
Mr. Mulligan. Yes.
Senator Franken. You said in your oral testimony that you
are for--and Senator Hatch brought this up--that you are for
the smart chip plus PIN. And, Mr. Rosch, Visa and MasterCard
are pushing to roll out smart chip cards in the U.S. in October
2015. I wish that could be hurried. It is my understanding
these cards will not require or may not require PINs for every
transaction, and this is surprising to me because, as we have
heard from you, the incidence of fraud is far higher for
signature debit transactions than for PIN debit transactions.
And maybe this is for Ms. Derakhshani. Is there a reason that
Visa and MasterCard do not want to put the PIN in there?
Ms. Derakhshani. So we are aware of the promises that have
been made to implement the technology by 2015. I think the
answer comes down to money. It is expensive to update the
technology at the point of sale. It is expensive to reissue
cards. So we would be supportive of efforts to encourage
widespread adoption of these technologies, and we think that
more of a push would be a good thing.
Senator Franken. Mr. Rosch, could you follow up on that? In
particular, do Visa and MasterCard have a reason?
Mr. Rosch. Sure. I think that, you know, chip and PIN, we
think, is the best and most secure solution.
Senator Franken. Sure.
Mr. Rosch. I think the chip on its own still does provide
more advanced security around encrypting and preventing the
cloning of the cards. The PIN is just an additional thing, and
we think that is the way to go.
Senator Franken. Okay. Thank you.
Thank you, Madam Chair.
Senator Feinstein. Senator Franken, it is my understanding
it has been arranged that you chair. I must leave now.
Senator Franken. Yes.
Senator Feinstein. And I believe Senator Durbin is next.
Senator Franken [presiding]. Yes. So go ahead, Senator
Durbin. And I will move over to the chair. Senator Durbin.
Senator Durbin. I believe under the early bird rule that
Senator Coons is next.
Senator Feinstein. It is not early bird. It was by
seniority.
Senator Durbin. Oh. Well, I am going to defer to Senator
Coons.
Senator Franken. As Chair, Senator Coons.
Senator Coons. Thank you very much, Senator Durbin and
Senator Franken.
If I could just follow up on the line of questioning
Senator Franken was on, first, I just want to thank all the
witnesses because it is very helpful when you take the time to
share with us the details of these incidents. And as we in
Congress work hard to try and strike the right balance between
a robust and a vibrant marketplace where we all benefit from
the ease and the convenience of using credit cards and debit
cards, but we also try to make sure we are sufficiently
protected in our privacy and against theft and fraud. These are
delicate balancing choices we have to make, and I think this
has been very helpful for us to better understand standards,
what is possible, what is desirable, and what it would cost and
what the impact is.
So if I could just continue, Ms. Derakhshani, does the
Consumers Union believe that October 2015 is a reasonable
deadline for the implementation of this chip technology?
Ms. Derakhshani. I think we are supportive of efforts to
expedite it even more quickly.
Senator Coons. So you think it is possible for it to be
done even more quickly, it is just a matter of cost?
Ms. Derakhshani. Well, I would not be able to speak to the
exact--you know, everything that it takes for it to be
implemented. But we would like to see it be implemented more
quickly.
Senator Coons. And if I understand correctly, chip plus
PIN, which is now possible, a PIN is possible in many debit
card cases, and there is a sevenfold increase in fraud when you
use debit cards without a PIN than when you use them with a
PIN. Do you believe PIN technology ought to be enabled for
credit cards as well?
Ms. Derakhshani. That is an interesting question. We have
spoken about the differences between debit card protections and
credit card protections, and I think it would be a good thing
for debit card--you know, you are less protected under debit
cards, and it would be a good thing for debit card technology
to come in line with credit card protection.
Senator Coons. Mr. Kingston, do you have the option
currently requiring customers who present a debit card at point
of sale to input a PIN?
Mr. Kingston. We do not use PIN pads in our stores
currently, and we do not require PINs.
Senator Coons. And just help me understand why not.
Mr. Kingston. I think the issue that we are talking about
here is that there are a lot of different technologies that are
available, and this is something that right now in the industry
consumers actually do not really have a lot of these cards in
their wallet. I am a consumer. I have several credit cards in
my wallet. None of them have chips on them. So while it is an
option, it is something that just has not been widely adopted
by the industry at this point.
Senator Coons. But my specific question was about PINs on
debit cards rather than chips, but I understand your point that
the trajectory of cards with chips in them, the trajectory of
that adoption is not easily predictable.
A broad question, Mr. Rosch, if I might. You testified
breach notification standards are not enough. Federal
legislation is needed to ensure pre-breach security measures.
Can you grade the sufficiency of the cybersecurity efforts
currently in place by retailers? We have talked about data
security and cybersecurity. If you could give us some insight
into how the PCI compliance factor weighs in to cybersecurity.
Mr. Rosch. Yes, it is a great question, and I think, you
know, there are a lot of companies that have put in very
effective security solutions and some that have a ways to go. I
think the trick here is--we focus very much on chip and PIN,
which is just one kind of potential breach point. What
companies really need to do is look at very layered securities
at every part of their ecosystems and ensuring good basics,
like putting stronger authentication in place so bad people
cannot get into the networks, into their companies and start
laying the foundation for this threat. The more we can encrypt
the data throughout its entire--as it traverses around, then if
the bad guys do get it, they cannot decrypt it and it is of no
value to them.
We talk about anti-virus missing some of these things, and
it does. Anti-virus is a great foundational technology, but
there are things that we can do on top of that to recognize and
stop some of these emerging threats.
So it is really about putting this layered security
approach, and we think any legislation should reflect those
layers.
Senator Coons. Thank you. My last question, if I might, to
Mr. Mulligan and Mr. Kingston. Just if you would help us
understand what are the key impediments that your companies
face in trying to achieve this sort of more robust
cybersecurity. Obviously it is expensive. But as you try to
strike the right balance, whether it is guests or customers,
those of us who enjoy shopping at your stores and enjoy the
flexibility and freedom of having cards we can use anywhere
also want to make sure that our data is protected and that we
are not, as a country, subject to vast amounts of fraud.
What are the major impediments to your companies actually
implementing stronger cybersecurity measures?
Mr. Mulligan. I can start. For us, we agree, layers of
protection are important broadly across the entire enterprise.
As we think about it, this is an evolving threat, and we think
one of the keys going forward is, again, shared responsibility,
to share information across the industry, not just retail but
broadly across industry, and, you know, we have a history of
doing that with law enforcement, but with other parts of the
government, so that we can all understand the evolving threat
and respond to it as we design our data security systems and
protocols.
Mr. Kingston. I talked earlier about the importance of all
the actors in this ecosystem being able to share intelligence.
As we have learned, these recent cyber attacks are very, very
sophisticated. Things that have not been seen before are done.
So I think that is one thing.
I think the other thing that is really important is that
all of the actors be able to adopt these technologies at the
same time. So consumers obviously have to be able to adopt it,
technology companies, financial institutions, and private
sector as well.
Senator Coons. Well, thank you. I do think there is a
strong federal role here in ensuring strengthening
cybersecurity and privacy.
Thank you both to Senator Durbin and to Senator Franken.
Thank you.
Senator Franken. We actually are using the early bird rule,
so you are the late bird. So we go to Senator Blumenthal.
Senator Blumenthal. Thank you. Thank you all for being
here. It is not easy to be the face of the industry which
really bears a responsibility here for what I see as a record
of failure. And this comment is not directed at Target or
Neiman Marcus. It is directed at an industry, and I think you
deserve a lot of credit for coming here today and representing
that industry, and also for the steps that you have taken in
the wake of breaches that certainly victimized you, and those
measures include credit monitoring, insurance, measures that I
sought for others in this industry and in other worlds to adopt
voluntarily while I was Attorney General of the State of
Connecticut and literally had to bludgeon and pummel them into
doing--not physically but legally. And I just want to commend
you for appearing here and for the proactive steps that you
have taken.
But I have introduced a bill that I think builds on the
very good measures that Senator Leahy and Senator Rockefeller
have introduced to establish standards so that there will be,
in effect, a bar--a bar that everybody has to follow, a
standard of care--because this information is not yours. It is
entrusted to you. It belongs to the consumers. And that kind of
basic principle is the bedrock of this legislation, a standard
of care applied industrywide, and enforcement, because rights
are not real unless they are enforceable--so enforcement by the
FTC but also by consumers themselves, a private right of action
for consumers to take when they are victimized, as your stores
may be victimized, by those hackers, a standard of care
enforceable by an individual right of action, and a
clearinghouse so that you can share the kind of information
everybody has said here this morning that is so important for
you to be able to exchange among yourselves and help to be
flexible and raise that bar. And I do agree that the standard
has to be flexible. Right now we are talking about chip and
PIN, but the threats are emerging and evolving, and so does the
standard in its specifics.
But, you know, I sit here with the attitude of most of your
consumers, which is half the fraud occurs in the United States,
but only a quarter of the credit card use. Something is wrong
with this picture. Isn't that fact and the continuing series of
significant, even sensational, breaches an indictment of the
American retailing industry in its failure to protect consumer
information? We are talking here, after all, not about some
exotic, novel science fiction technology in chip and PIN? We
are talking about something that is widely used in Europe and
could easily have been imposed here much earlier.
So my question to you, Mr. Rosch, in light of your very
welcome and important recommendations--and you have had the
good sense to make them somewhat simple in a graph that is
understandable to us rudimentary laymen--would your
recommendations have helped to prevent this kind of massive
breach at Neiman Marcus and Target?
Mr. Rosch. Yes, well, to start out, I am unable to speak
about any specifics of the incidents. You know, all the
evidence based on public information is that these were very
sophisticated attackers and they were very well resourced.
However, in general, we do believe that, you know, if companies
put in this good layered security approach while leveraging the
strong authentication, the encryption, the heuristics on top of
AV, the chip and PIN, all these things would contribute to a
safe ecosystem.
Senator Blumenthal. That is basically a yes, it would have
helped prevent--I am not asking you to go into the details, but
network segmentation, two-factor authentication--and you also
recommend the chip and PIN or something like it--would have at
least helped to prevent this kind of massive breach.
Let me ask you, gentlemen, Mr. Kingston and Mr. Mulligan,
were you then in the process of adopting some of these
recommendations or not knowing they were recommendations of
Symantec but recommendations in substance like them? And if not
then, are you now?
Mr. Kingston. Senator, as I said in my written statement,
we actually do have a multilayered security architecture and
had prior to these attacks at Neiman Marcus. Many of the
technologies----
Senator Blumenthal. Was this information encrypted?
Mr. Kingston. The information was encrypted during
processing. Many of the technologies that are being discussed
here today by the Committee--two-factor authentication,
segmentation, network monitoring for suspicious traffic--these
are all technologies that we have deployed and utilized at
Neiman Marcus.
Unfortunately, the sophistication of this particular attack
was able to evade detection of all of those best practices, and
I think what we have learned and what is important here is that
just having tools and technology is not enough in this day and
age. These attackers, again, are very, very sophisticated, and
they have figured out ways around that.
It is often how you are deploying those technologies and
what else are you doing, which comes back to making sure that
we are sharing intelligence as much as we can so that we can
try to stay as close to or ahead of the attacks.
Senator Blumenthal. Thank you. My time has expired, so you
may be spared, Mr. Mulligan, an answer to that question. But I
would like to ask both of you to provide perhaps some detailed
answers in writing to the question about whether you are going
beyond your present practices and procedures to adopt these
steps that Symantec has recommended. I am not saying they are
the only solutions, but just a kind of benchmark. And if you
could provide that in writing, I would appreciate it.
[The information referred to appears as a submission for
the record.]
Senator Blumenthal. I also want to say that my bill would
provide for mandatory notification, and I also want to thank
you for the notification steps that you did take, both of your
companies took to notify consumers.
Thank you very much, Mr. Chairman. Thank you, Senator
Durbin.
Senator Franken. Yes, just one. I know Mr. Mulligan did not
answer on this, but Target, as Senator Klobuchar pointed out,
10 years ago tried to implement the EMV technology and found
that so few others were doing that that they abandoned that.
But that is something I want to find out from the banks and the
credit card issuers and debit card issuers about how fast they
can go to this technology, because right now it is October
2015.
But let us go to Senator Hirono.
Senator Hirono. Thank you. Following what appears to be the
protocol on this side of the table, I would certainly be happy
to defer to Senator Durbin if he would like to ask his
questions.
Senator Durbin. Mr. Chairman, I would like to defer to
everyone except Senator Whitehouse.
[Laughter.]
Senator Hirono. Thank you.
Senator Franken. I am the Chair of this Committee, and I
will determine----
[Laughter.]
Senator Franken. But that is about right, okay. Senator
Hirono.
Senator Hirono. I would like to thank Target and Neiman
Marcus for coming here today because I think all of us--most of
us shop at both of these establishments. And there has been
discussion about by 2015 Visa and MasterCard are required--
basically using the power of the--their power, to require that
the merchants and banks agree to issue cards and you all have
readers that will read cards with chips in them. So I take it
that, Mr. Kingston and Mr. Mulligan, both of you are prepared
to meet that deadline with the chip technology.
Mr. Mulligan. Senator, we have been proponents of chip and
PIN, as you just heard, for a very long time. We are in the
process of rolling this out in our stores. Over 300 of our
stores already have, we call them, ``guest payment devices,''
and we are accelerating that $100 million investment to get
those in our stores by the fourth quarter of this year, and
then the products we offer will have the chips in them early
next year.
Senator Hirono. Are you also prepared to adopt the PIN
portion of what is being suggested?
Mr. Mulligan. We are advocates for the PIN. As the industry
in total becomes capable of handling that for credit
transactions, we will be ready for that as well, as we are
advocates of that as a double authentication.
Senator Hirono. What about you, Mr. Kingston?
Mr. Kingston. Senator, Neiman Marcus is certainly willing
and will consider anything that is going to make this process
and consumer information safer, including chip and PIN. As I
pointed out earlier, at Neiman Marcus we do not use PIN pads
today, and as a practical matter, I think it is important for
the Committee to understand that while I think the industry
would be safer with that, there is lots of work to do in order
to make that happen. Obviously there are PIN pads that have to
be able to process this. There are software changes that will
have to happen. And, of course, all of the integration with the
other actors, such as the banks and the merchant processors has
to occur, and then finally, of course, getting all the cards
with the chips in consumers' hands.
I think we are very supportive of considering those and
other technologies and capabilities that will make us safer,
but I think we all need to understand that there is a lot of
work involved in doing that.
Senator Hirono. Well, what I heard is that Target is
prepared to establish or go with both a chip-and-PIN
technology, but you are raising some concerns. So does that
mean that at Neiman Marcus you would not be able to meet a 2015
deadline with both of these factors?
Mr. Kingston. I am not saying that we are not prepared to
do it. What I am saying is that we would definitely want to
evaluate that as a safer measure for our customers and move as
quickly as we possibly can to do that.
Senator Hirono. Would federal legislation help if we were
to say--because right now it is just Visa and MasterCard saying
here is what is going to happen in the arena. Would federal
legislation that says here is what we would like to see?
Mr. Kingston. I think we would have to consider that. If we
have to do it under the law, obviously we will follow the law.
Senator Hirono. It may be coming down the pike. But, of
course, we would want to have all the parties at the table so
that we can proceed in a reasonable way. And, also, the cost
was mentioned, and I do not know whether in the non-federal
arena this cost was going to be borne by Target and Neiman
Marcus and all the other retailers and financial institutions
to comport with what MasterCard and Visa----
Mr. Mulligan. It is a shared responsibility and a shared
interest in payment processing, and the costs will be borne
by--a portion of the costs will be borne by all participants.
Senator Hirono. Including the consumers?
Mr. Mulligan. No. It would be the companies involved in
payment processing, Senator.
Senator Hirono. So what would be the cost to implement this
kind of technology? And perhaps Ms. Derakhshani can enlighten
us on that.
Ms. Derakhshani. Well, we think that it is very important
for costs not to be borne by the consumer. Consumers have lost
this information through no fault of their own. I think it is
really important to remember that.
Senator Hirono. So do you have any idea what the cost of
putting in place a chip-and-PIN system would be?
Ms. Derakhshani. I would be happy to maybe look into and
get back to you all, but I do not have figures at this time.
Senator Hirono. I know I am running out of time, but one of
the areas that I was very interested in is the prevention side
of things. Mr. Rosch, you mentioned that one of the first lines
of defense is for the consumers to use different kinds of--that
they should use certain kinds of PINs and all of that. How do
we get this information out to consumers so that, as you say,
they are the first line of defense in terms of prevention? What
can we do to enable consumers to know that they can take some
of these prevention elements into their own hands and protect
themselves?
Mr. Rosch. It is a great question. I do think that there
are things that consumers can do around stronger passwords,
changing them frequently, getting their credit reports,
watching their bills. So I think we all have that shared
responsibility to try to get that communication out. I know
Consumer Reports is an excellent--makes excellent
recommendations directly to consumers. We do that as part of
our business. The Better Business Bureau has good
recommendations, so I think it is just kind of that shared
getting the news out there that these basic hygiene things can
help keep them protected.
Senator Hirono. I think that is a very important aspect
because, for a lot of consumers--and I am one of them. I am
trying to simplify my life by just using very few passwords.
You are suggesting the exact opposite, so I think that kind of
information needs to get out and have consumers adopt the kind
of suggestions you are giving.
Thank you.
Senator Franken. Senator Durbin.
Senator Durbin. Thank you very much, Mr. Chairman.
I want to return to those thrilling days of yesteryear,
2010 and the Durbin interchange fee amendment on debit cards,
where we basically finally asked publicly a question about
something that was known to retailers across the United States,
and not very well known to anyone else, and that was the amount
that was being charged on each transaction by the card issuers
and banks when a retailer used the card. And what the Federal
Reserve reported to us was that the average was 44 cents on
transactions; the actual cost to the card issuer and the bank,
seven cents. So we asked them to find some reasonable fee,
interchange fee, for debit cards, and the Federal Reserve came
up with about 24 cents. I do not know exactly how they made
that calculation. It is currently being litigated.
Within that 24 cents, though, was one penny or one cent for
fraud prevention, and it is ironic, or at least coincidental,
that just weeks after this law was passed and signed by the
President and implemented, we had an announcement by Visa that
they were finally adopting a road map for chip card technology
in the United States. They had a dedicated source coming off
the interchange fee that they represented to the Federal
Reserve was going to be an anti-fraud effort. So we are moving
in that direction, albeit slowly, considering the circumstances
we are talking about today.
It is ironic--my staff had me cover the numbers, but it is
ironic that I have had a chip card in my wallet with American
Express for years, and I do not know that it has ever been used
for any purpose other than this, but it is clear that it is
there and it has been around for a while.
So let me go to a study that came out recently in 2012.
There was about $5.3 billion in credit and debit card fraud
loss in the United States in 2012--$5.3 billion. One-fifth of the
payment card fraud loss has occurred with debit cards. The
Federal Reserve found that in 2011 there were $1.38 billion in
debit card fraud losses. The Fed said that card issuers bore 60
percent of these debit card fraud losses, merchants 38 percent,
card holders two percent.
So, Mr. Mulligan, in light of that fact that fraud losses
are divided among banks, merchants, and card holders, do you
agree it is a shared responsibility to support this move toward
new technology such as chip and PIN?
Mr. Mulligan. We absolutely agree it is a shared
responsibility among all participants in ensuring payment
transactions happen that are facilitated in the U.S. today. All
of us have an interest in ensuring that consumers or our guests
have trust in the system that they are using every day. That is
why we have been proponents of moving to chip and PIN over a
very long period of time, and we are currently looking to
accelerate our investment to bring those devices into our
stores more quickly.
Senator Durbin. You and I had a brief conversation when we
met yesterday, and one of the aspects of this is the card
reader, which retailers are responsible for paying for, right?
Mr. Mulligan. Yes.
Senator Durbin. So what is the--can you give me an idea of
what the cost is of a card reader today versus chip and PIN?
Mr. Mulligan. I do not know the incremental cost, Senator.
What I can tell you is that the total investment for us is
about $100 million. That is split about equally between putting
card readers in our point-of-sale system and reissuing the
cards with the chips in them, so about 50/50 percent.
Senator Durbin. So let me get back to the original point.
Retailers, and customers in many cases, are paying an
additional one cent on every transaction for anti-fraud
measures, so they are, in fact, giving the issuing banks and
card companies basically a subsidy to have anti-fraud
technology. So it is not as if we are not paying already to
move this technology forward.
Mr. Mulligan. The contractual arrangements provide for
retailers to provide revenue into the system for the processors
and the banks issuing those cards.
Senator Durbin. And I am sure the recurring concern among
members is the impact of new technology and cost of card
readers on smaller retail establishments, which is something
that we need to be sensitive to. But, in fact, the card issuers
and banks are receiving money currently, if they are alleging
to the Fed that they are using this money for anti-fraud
purposes, they can be.
Now, Ms. Derakhshani--did I pronounce that correctly?
Ms. Derakhshani. Perfectly, yes.
Senator Durbin. Thank you. There are lots of legislative
proposals designed to address data breach. There are fewer
proposals, however, that address the underlying issue: the
collection of personally identifiable information and practices
governing their retention by large brokerages and corporations.
That is largely unregulated.
We had a hearing a week or two ago here about the National
Security Agency collecting our telephone information, literally
phone numbers and what they are used for, and whether that was
a breach of privacy. So the question I ask you: In an
environment where sensitive consumer data is aggressively
sought after by both good guys and bad guys, do you believe
Congress should consider proposals that govern the collection
and retention of personally identifiable information by private
entities?
Ms. Derakhshani. So we think of this as a separate issue,
but you have touched on a lot of important things, among them
the fact that there are a lot of threats out there, and we are
really glad that there is attention brought to this important
issue, and the issue of privacy and data security in general.
Senator Durbin. Well, let us start with Mr. Rosch. I will
bring you into the conversation.
Mr. Rosch. Sure.
Senator Durbin. So we are talking about how much regulation
should there be on my personal information collected by a
private sector entity.
Mr. Rosch. I think that, you know, any data breach
legislation should include proactive measures that companies
can take to protect this information. That information should
be any sensitive information, including personal about myself,
my credit card information, about my financials. And, you know,
having that good security approach end to end is important.
I think it is also important that we are very transparent
with users, that if we are going to collect their information
for a particular business, legitimate business reason, that
they are aware of that and they are fully aware of how we are
going to use it, how any company would use it, and then when it
is no longer needed, it is eliminated.
So I think it is all these different layers, but it is
definitely about, you know, giving guidelines on proactive
measures to keep this information safe.
Senator Durbin. So I guess I am trying to sort out, as I
close here, who do we trust when it comes to our privacy.
Clearly there is some skepticism if the government is
collecting information about us, that it has more power than
most to misuse it. But we are finding on the private side the
collection of personal information can also be abused as well
if we are dealing with malware and hackers and the like that
can get into the system. And I think it is incumbent on us to
really try to establish a standard so that Americans feel
confident that their personal information is being protected in
a reasonable fashion.
Thank you.
Senator Franken. Thank you, Senator Durbin.
Senator Whitehouse.
Senator Whitehouse. Thank you, Chairman, and thank you to
all the witnesses.
Let me ask Mr. Mulligan from Target, clearly you have a
robust IT department. Correct?
Mr. Mulligan. Yes, Senator.
Senator Whitehouse. And clearly had robust Internet
security?
Mr. Mulligan. Yes.
Senator Whitehouse. And yet you were unaware of this breach
and were informed of it by the United States Secret Service.
Correct?
Mr. Mulligan. The Attorney General was the first notice,
but yes, Senator, that is correct.
Senator Whitehouse. I hope that for folks who are watching
this is really seen as an object lesson as to the vulnerability
that we all have to a whole variety of Internet penetrations. I
think that Target is an extraordinarily well-respected retailer
and does a very efficient business. And when a company like
that can be hacked without knowing it, the wrong reaction is to
say, ``Oh, well, Target must have done something wrong.'' The
right reaction is to say, ``Oh, my gosh, are we being hacked
and do we not know it, too?'' And I think we need to pay a lot
more attention in that regard.
As dangerous as this privacy breach was, as much as it is
likely to lead to criminal activity in the form of identity
fraud and other forms of fraud, we can thank God that you
provided a vital service but you are not running the electric
grid, and you are not running the servers behind all of our
banks and our financial systems. There are pieces of our
American critical infrastructure that are run by the private
sector that are facing very much these same threats, and we
need to be much more attentive to it. And if you are not doing
intellectual property but if you have a--sorry, if you are not
doing critical infrastructure but if you have significant
intellectual property that is an important part of your
business model, you better be watching out for that, too,
because there are folks across the Pacific who are probably in
your data already and who have a national policy of trying to
break into American computers, steal our intellectual property,
and give it to competitor companies in order to seek
competitive advantage.
So this is a window in a much larger problem, and I just
wanted to make that point. I am sorry that it was you, but I
think I am very gratified that you have had the courage and the
sense of what is going on around you to come here and make this
more transparent. And I will close with my appreciation to
Symantec. We came very close to getting a very comprehensive
piece of cyber legislation through the Senate not too long ago,
and some of the U.S. Internet security providers, particularly
Symantec and McAfee and Mandiant, were very, very helpful in
classified private briefings, walking Senators through the
scale of the problem and the scope of the problem, so that a
momentum could be developed toward legislation. Unfortunately
the U.S. Chamber of Commerce saw things otherwise and found
ways to defeat the progress that we had made. But I hope that
we can, nevertheless, continue to go forward because this is a
continuing threat. And I think I just--I am seeing a nod from
Mr. Rosch from Symantec. Yes, this is a continuing threat?
Mr. Rosch. Yes, continuing and growing, and we are happy to
work with you and others on making the ecosystem safer.
Senator Whitehouse. Your effort was very important and much
appreciated.
Mr. Rosch. Thank you.
Senator Whitehouse. Thank you, Chairman.
Senator Franken. Thank you, Senator Whitehouse.
I would like to thank this panel of witnesses. Thank you
for your testimony and your answers. You are dismissed.
Senator Franken. I would now like to call our second panel
of witnesses.
I am going to ask you to stand, so you might as well not
sit down.
I would like to ask the witnesses to raise their right
hands. Do you swear that your testimony will be the truth, the
whole truth, and nothing but the truth?
Ms. Ramirez. I do.
Mr. Noonan. I do.
Ms. Raman. I do.
Senator Franken. Thank you. You may be seated.
Chairwoman Ramirez, a Commissioner of the Federal Trade
Commission since 2010, was appointed Chairwoman of the FTC in
March 2013. Prior to this, Ms. Ramirez was a partner in the
office of Quinn, Emanuel, Urquhart & Sullivan, LLP, in Los
Angeles, where she focused her work on matters of intellectual
property, antitrust, and trademark issues.
Mr. Noonan is the Deputy Special Agent in Charge for the
Secret Service's Criminal Investigative Division, Cyber
Operations. He has over 20 years of Federal Government
experience. Throughout his career he has initiated and managed
a number of high-profile fraud investigations.
Ms. Raman is the Acting Assistant Attorney General for the
Criminal Division of the Department of Justice. She has worked
in the Criminal Division since 2008, where she previously
served as the chief of staff. Formerly, Ms. Raman served as an
Assistant United States Attorney in the U.S. Attorney's Office
for the District of Maryland.
Thank you all for joining us. You each have five minutes
for any opening remarks you would like to make. Chairman
Ramirez, would you like to begin?
Oh, I am sorry. Excuse me. I would like to recognize the
Ranking Member who has something he would like to say.
Senator Grassley. This will not take more than 45 seconds.
I am going to submit questions for answer in writing, but also
I wanted to point out two very significant things that I want
to discuss. One is unrelated to this hearing, but to Chairwoman
Ramirez, I sent you a letter on the LP gas shortage in the
Midwest. I just want to call to your attention I have not
gotten an answer yet. If you could answer that, I would
appreciate it.
And then, related to this question, for Mr. Noonan, I will
have a question on the fact that the morning Washington Times
said that there was a Belarus company involved in writing some
of the software for the health care reform act, and the extent
to which that could be indicative of somebody having access to
our records over here in the same vein that we have asked
Target to respond to it.
[The questions of Senator Grassley appear as submissions
for the record.]
Senator Grassley. Thank you very much.
Senator Franken. Sorry I did not go right to you.
Again, thank you all for joining us. Chairman Ramirez,
would you like to begin?
STATEMENT OF HON. EDITH RAMIREZ, CHAIRWOMAN, FEDERAL TRADE
COMMISSION, WASHINGTON, DC
Ms. Ramirez. Mr. Chairman, Ranking Member Grassley, and
Members of the Committee, thank you for the opportunity to
appear before you to discuss the Federal Trade Commission's
data security enforcement program. I am pleased to be
testifying here this morning with my colleagues from the
Justice Department and the Secret Service.
We live in an increasingly connected world in which vast
amounts of consumer data are collected. As recent breaches at
Target and other retailers remind us, this data is susceptible
to compromise by those who seek to exploit security
vulnerabilities.
This takes place against the background of the threat of
identity theft, which has been the FTC's top consumer complaint
for the last 13 years.
According to estimates of the Bureau of Justice Statistics,
in 2012 this crime affected a staggering seven percent of all
people in the U.S. age 16 and older.
The Commission is here today to reiterate its bipartisan
and unanimous call for federal data security legislation. Never
has the need for such legislation been greater. With reports of
data breaches on the rise, Congress needs to act. We support
legislation that would strengthen existing data security
standards and require companies, in appropriate circumstances,
to notify consumers when there has been a breach.
Legislation should give the FTC authority to seek civil
penalties where warranted to help ensure that FTC actions have
an appropriate deterrent effect. It should also provide
rulemaking authority under the APA and jurisdiction over
nonprofits which have been the source of a large number of
breaches. Such provisions would create a strong, consistent
standard and enable the FTC to protect consumers more
effectively.
Using its existing authority, the FTC has devoted
substantial resources to encourage companies to make data
security a priority. The FTC has brought 50 civil actions
against companies that we alleged put consumer data at risk. We
have brought these cases under our authority to combat
deceptive and unfair commercial practices as well as more
targeted laws such as the Gramm-Leach-Bliley Act and the Fair
Credit Reporting Act.
In all these cases, the touchstone of the Commission's
approach has been reasonableness. A company's data security
measures must be reasonable in light of the sensitivity and
volume of consumer information it holds, the size and
complexity of its data operations, and the cost of available
tools to improve security and reduce vulnerabilities.
The Commission has made clear that it does not require
perfect security, and the fact that a breach occurred does not
mean that a company has violated the law.
Significantly, a number of FTC enforcement actions have
involved large breaches of payment card information. For
example, in 2008, the FTC settled allegations that security
deficiencies of retailer TJ Maxx permitted hackers to obtain
information about tens of millions of credit and debit cards.
To resolve these allegations, the retailer agreed to institute
a comprehensive security program and to submit to a series of
security audits. At the same time, the Justice Department
successfully prosecuted a hacker behind the TJ Maxx and other
breaches.
As this case illustrates well, the FTC and criminal
authorities share complementary goals. FTC actions help ensure
on the front end that businesses do not put their customers'
data at unnecessary risk, while criminal enforcement helps
ensure that cyber criminals are caught and punished. This dual
approach to data security leverages government resources and
best serves the interests of consumers, and to that end, the
FTC, the Justice Department, and the Secret Service have worked
together to coordinate our respective data security
investigations.
In addition to the Commission's enforcement work, the FTC
offers guidance to consumers and businesses. For those
consumers affected by recent breaches, the FTC has posted
information online about steps they should take to protect
themselves. These materials are in addition to the large stable
of other FTC resources we have for ID victims, including an ID
theft hotline. We also engage in extensive policy initiatives
on privacy and data security issues. For example, we have
recently conducted workshops on mobile security and emerging
forms of ID theft, such as child ID theft and senior ID theft.
In closing, I want to thank the Committee for holding this
hearing and for the opportunity to provide the Commission's
views. Data security is among the Commission's highest
priorities, and we look forward to working with Congress on
this critical issue.
Thank you.
[The prepared statement of Ms. Ramirez appears as a
submission for the record.]
Senator Franken. Thank you, Madam Chairwoman.
Mr. Noonan.
STATEMENT OF WILLIAM NOONAN, DEPUTY SPECIAL AGENT IN CHARGE,
CRIMINAL INVESTIGATIVE DIVISION, CYBER OPERATIONS BRANCH, U.S.
SECRET SERVICE, WASHINGTON, DC
Mr. Noonan. Good afternoon, Mr. Chairman and distinguished
Members of the Committee. Thank you for the opportunity to
testify on behalf of the Department of Homeland Security
regarding the ongoing trends of criminals exploiting cyberspace
to obtain financial and identity information as part of a
complex criminal scheme to defraud our Nation's payment
systems.
Our modern financial system depends heavily on information
technology for convenience and efficiency. Accordingly,
criminals, motivated by greed, have adapted their methods and
are increasingly using cyberspace to exploit our Nation's
financial payment systems to engage in fraud and other illicit
activities. The widely reported data breaches of Target and
Neiman Marcus are just recent examples of this trend. The
Secret Service is investigating these recent data breaches, and
we are confident that we will bring the criminals responsible
to justice.
However, data breaches like these recent events are part of
a long trend. In 1984, Congress recognized the risks posed by
the increased use of information technology and established 18
U.S.C. Sections 1029 and 1030 through the Comprehensive Crime
Control Act. These statutes defined access device fraud and
misuse of computers as federal crimes and explicitly assigned
the Secret Service authority to investigate these crimes.
It is a part of the Department of Homeland Security's
mission to safeguard cyberspace. The Secret Service
investigates cyber crime through the efforts of our highly
trained special agents and the work of our growing network of
33 Electronic Crimes Task Forces, which Congress assigned the
mission of preventing, detecting, and investigating various
forms of electronic crimes.
As a result of our cyber crime investigations, over the
past four years the Secret Service has arrested nearly 5,000
cyber criminals. In total, these criminals were responsible for
over $1 billion in fraud losses, and we estimate our
investigations prevented over $11 billion in fraud losses.
Data breaches like the recently reported occurrences are
just one part of a complex criminal scheme executed by
organized cyber crime. These criminal groups are using
increasingly sophisticated technology to conduct a conspiracy
consisting of five parts: One, gaining unauthorized access to
computer systems carrying valuable protected information; two,
deploying specialized malware to capture and exfiltrate this
data; three, distributing or selling this sensitive data to the
criminal associates; four, engaging in sophisticated and
distributed frauds using the sensitive information obtained;
and five, laundering the proceeds of this illicit activity.
All five of these activities are criminal violations in and
of themselves. And when conducted by sophisticated
transnational networks of cyber criminals, this scheme has
yielded hundreds of millions of dollars in illicit proceeds.
The Secret Service is committed to protecting our Nation
from this threat. We disrupt every step of their five-part
criminal scheme through proactive criminal investigations and
defeat these transnational cyber criminals through coordinated
arrests and seizure of assets.
Foundational to these efforts are our private industry
partners as well as our close partnerships with State, local,
federal, and international law enforcement. As a result of
these partnerships, we were able to prevent many cyber crimes
by sharing criminal intelligence regarding the plans of cyber
criminals and minimizing financial losses by stopping their
criminal scheme.
Through our Department's National Cybersecurity and
Communications Integration Center, the NCCIC, the Secret
Service also quickly shares technical cybersecurity information
while protecting civil rights and civil liberties in order to
allow organizations to reduce their cyber risks by mitigating
technical vulnerabilities. We also partner with the private
sector and academia to research cyber threats and publish
information on cyber crime trends through reports like the
Carnegie Mellon CERT Insider Threat Study, the Verizon Data
Breach Investigations Report, and the Trustwave Global Security
Report.
The Secret Service has a long history of protecting the
Nation's financial system from threats. In 1865, the threat we
were founded to address was that of counterfeit currency. As
our financial payments system has evolved from paper to
plastic, now digital information, so too has the investigative
mission. The Secret Service is committed to protecting our
Nation's financial system even as criminals increasingly
exploit it through cyberspace.
Through the dedicated efforts of the Electronic Crimes Task
Forces and by working in close partnership with the Department
of Justice, in particular the Criminal Division and local U.S.
Attorney's Offices, the Secret Service will continue to bring
cyber criminals that perpetrate major data breaches to justice.
Thank you for the opportunity to testify on this important
topic, and we look forward to your questions.
[The prepared statement of Mr. Noonan appears as a
submission for the record.]
Senator Franken. Thank you, Mr. Noonan.
Ms. Raman.
STATEMENT OF MYTHILI RAMAN, ACTING ASSISTANT ATTORNEY GENERAL,
CRIMINAL DIVISION, UNITED STATES DEPARTMENT OF JUSTICE,
WASHINGTON, DC
Ms. Raman. Good afternoon, Mr. Chairman and Members of the
Committee. Thank you for the opportunity to appear before the
Committee today to discuss the Department of Justice's fight
against cyber crime.
Cyber crime has increased dramatically over the last
decade, and our financial infrastructure has suffered repeated
cyber intrusions.
The recent reports about the massive data breaches at
Target, which the Justice Department is investigating alongside
the Secret Service, have underscored that cyber crime is a
real, present threat and one that is growing. Cyber criminals
create botnets to systematically steal the personal and
financial information of Americans, they carry out Distributed
Denial of Service attacks on networks, and they steal sensitive
corporate and military data.
The Justice Department is vigorously responding to this
threat through the work of the Criminal Division's Computer
Crime and Intellectual Property Section, or CCIPS, which
partners with U.S. Attorney's Offices across the country as
part of a network of almost 300 Justice Department cyber crime
prosecutors.
In addition, the FBI has made combating cyber threats one
of its top priorities, working through cyber task forces in its
56 field offices, and continuing to strengthen the National
Cyber Investigative Joint Task Force. Every day our prosecutors
and agents strive to hold to account cyber criminals who
victimize Americans using all the tools available to us to
identify these criminals wherever in the world they are
located, break up their networks, and bring them to justice.
We are developing meaningful partnerships with foreign law
enforcement and with industry to strengthen our collective
capacity to fight and protect against cyber crime. And we use
our tools responsibly and consistent with the important long-
established legal safeguards that protect against abuse.
As just one example of our work in this area, just last
week CCIPS, the U.S. Attorney's Office in Atlanta, and the FBI
announced the guilty plea of a Russian citizen named Aleksandr
Panin, who admitted to developing and distributing
sophisticated malware called ``SpyEye.'' The SpyEye malware
created botnets, or networks of secretly hacked computers, by
surreptitiously infecting victims' computers, enabling cyber
criminals to remotely control the computers through command and
control servers. In that way, the criminals were able to steal
personal and financial information such as credit card
information, banking credentials, user names, and passwords.
Panin offered and sold this botnet software, including
specially tailor-made versions of the malware, to at least 154
of his criminal clients, who in turn used it to infect an
estimated 1.4 million computers around the world. Panin will be
sentenced in April.
The Panin case is only the latest of our recent successes
against cyber criminals. Others include, for example, a 15-year
sentence handed down in September to a Romanian cyber criminal
who led a multimillion-dollar scheme to hack into U.S.
merchants' payment card data; an 88-month sentence handed down
last April to a Russian hacker who used online forums to sell
stolen credit and debit card information to purchasers around
the world; and the indictment last year of a China-based
manufacturer of wind turbines, which is alleged to have stolen
trade secrets from an American company, causing over $800
million in losses.
But without the tools that we have been provided, we would
not be able to bring such offenders to justice, and we must
ensure that the statutes we enforce keep up with technology so
that we can keep pace with the cyber criminals who are
constantly developing new tactics and methods.
The Administration is proposing several statutory
provisions to keep federal criminal laws up to date.
First, we recommend the establishment of a strong, uniform
federal standard requiring certain types of businesses to
report data breaches. Businesses should be required to provide
prompt notice to consumers in the wake of a breach and to
notify the Federal Government of breaches so that law
enforcement can pursue and catch the perpetrators.
Our prosecutors also rely on substantive criminal statutes
to bring cyber criminals to justice. One of the most important
of these is the Computer Fraud and Abuse Act, also known as the
CFAA. The Administration proposed several revisions to the CFAA
in May 2011, and we continue to support changes like those to
keep federal criminal law up to date. We also look forward to
working with Congress to address the CFAA's application to
insiders, such as bank employees or government employees, who
access computers in violation of their authorization and then
steal or misuse the information contained in the computers.
Finally, we recommend several statutory amendments,
including a proposal to address the proliferation of botnets,
which are described at greater length in my written testimony.
I very much appreciate the opportunity to discuss the
Justice Department's efforts to protect American citizens by
aggressively investigating and prosecuting hackers. We are
committed to using the full range of investigative tools and
laws available to us to fight these crimes and to do so
vigorously and responsibly.
Thank you for the opportunity to discuss the Department's
work, and I look forward to answering your questions.
[The prepared statement of Ms. Raman appears as a
submission to the record.]
Senator Franken. Thank you all.
I think we will go to Senator Klobuchar. Since I am
chairing this, I will be here to the end, so I can ask my
questions at the end. Senator.
Senator Klobuchar. Okay. Very good. Thank you very much.
Thank you all for coming today.
I think while we all know why we are here with the breaches
that we have seen and we just heard about with the last panel
at Target, Neiman Marcus, and Michaels, now hotel chains, are
there any other similar breaches that have occurred? Do you see
industries that are more targeted than others? And, Ms.
Ramirez, how successful has your agency been in getting
criminal hackers extradited from foreign countries? And what
challenges do you see when dealing with extradition issues?
Ms. Ramirez. Let me start by answering your initial
question. I cannot speak about any particular companies or
breaches. We cannot disclose information relating to non-public
investigations. But what I can tell you is that the FTC has
been very active in this area, having just announced last week
our 50th data security case.
We believe that the FTC's action has had an important and
sent an important signal to the marketplace, but based on the
information that we have available to us, including the Verizon
Data Breach Report, which Mr. Noonan referenced in his opening
remarks, by those indications it is clear that companies need
to do a lot more, that they continue to make very basic
mistakes when it comes to data security, so this is an area
where the Federal Trade Commission unanimously believes there
needs to be congressional action and, in particular, a strong
federal law that imposes robust standards for data security and
also for breach notification.
Senator Klobuchar. So this is what we have been talking
about earlier with the NIST standards and then taking this out
with the chip and PIN and those kinds of things. Is that what
you are talking about?
Ms. Ramirez. At the FTC we do not advocate for particular
technologies. We rather take a process-based approach in light
of the fact that the threats, as were identified in the prior
panel, are constantly changing and evolving. So we recommend a
process-based approach to attacking this problem.
Senator Klobuchar. Okay. The extradition question, the
reason I asked that is I think we already have learned that a
young Russian already claimed to be co-author of the malware
used in the attack with Target, and I think we know there is no
shortage of these crimes internationally. I wonder if the U.S.
should be asking that.
Ms. Ramirez. I will defer on that question to my colleagues
and the criminal authorities who are dealing with those issues.
Senator Klobuchar. Okay.
Ms. Raman. You point out one of our extraordinary
challenges in cyber crime cases, and that is that some of the
most notorious hackers are living halfway across the world, and
sometimes in countries with which we do not have extradition
relationships. And so that is a challenge that we have in a
number of these cases. We try to be as creative as we can to
ensure that we are able to catch the wrongdoers, and we have
had significant success. The Panin case that I just mentioned
in my opening statement is an example of a success, a Russian
hacker who had developed the SpyEye malware, and he pleaded
guilty just last week. And we have had numerous such successes.
Sometimes it just takes patience.
Senator Klobuchar. Okay. Mr. Noonan.
Mr. Noonan. Yes, ma'am, the Secret Service has had a unique
success in this field. We have been able to arrest and
extradite a number of significant cyber criminals abroad with
the help of the Department of Justice, the Office of
International Affairs, and the State Department. Just to name a
few: the Dave and Buster's intrusion happened in 2007; we were
successful in arresting Maksym Yastremskiy, and in that
intrusion we also actually arrested and extradited Aleksandr
Suvorov. In the Carder.su case that we had in 2007, we were
successful in extraditing Sergei Litvinenko. There are a number
of other successes that we have had of high-value targets, of
high-value hackers that have been attacking our financial
infrastructure that, with the assistance of international law
enforcement and relationships, we have been able to arrest
those people and bring them to justice here domestically.
Senator Klobuchar. You know, one of the things we talked
about earlier was the time between the companies confirming the
breaches and then letting customers know and how quickly they
can find out what their policies are. And I assume, Ms.
Ramirez, that you would want that to happen as soon as
possible. But one of the questions I want to know, having been
in this law enforcement before, there is also this thing where
you want to catch people. And I would think when a data breach
is this big, you come down on the side of letting the public
know immediately. But how do you strike that balance with
putting information out there but then also trying to find the
perpetrators and not tipping them off? Anyone can answer.
Ms. Ramirez. Let me, if I may, start off the discussion on
this point. ``Balancing'' is exactly the right word. In our
view, a company should notify affected consumers as reasonably
practicable as possible. In other words, there should be enough
time for the company to assess the relevant breach, examine
exactly what took place, which customers were affected. But we
think that it is important that customers be notified
reasonably promptly, and we believe that the outside limit for
that ought to be 60 days.
At the same time, I will also note that when the FTC is
looking at these issues, we do coordinate very closely with
colleagues at the Department of Justice and Secret Service and
also at the FBI. And so if there is a need for there to be
certain delay due to the needs of these criminal
investigations, we think that that is also appropriate.
Senator Klobuchar. Okay.
Mr. Noonan. Yes, ma'am, it is a coordinated effort actually
between the Secret Service, our law enforcement, and the U.S.
Attorney's Office as well. But it is very important for us in a
timely manner to take what we know from an investigation as far
as the cybersecurity pieces of that, and then to get that and
share it out to greater infrastructure. We use the Department
of Homeland Security's NCCIC, which is the National
Cybersecurity Communications and Integration Center. We take
information that we learn from the malware and hacking tools
and such. We share that with the NCCIC, who then does some
reverse engineering, and they are able to push that out to the
greater infrastructure.
We also partner through our Electronic Crimes Task Forces--
we have 33 of those--in which we are able to take that same
type of information and put it out to our trusted partners that
are out in the community, out in the infrastructure, as well
and we also partner with various ISACs. Specifically in the
lane of financial services, we partner with the FS-ISAC to get
that information out to the industry, to be able to assist them
in finding and mitigating what other attacks may be happening to
themselves.
Senator Klobuchar. Okay.
Ms. Raman. Going back to your original question, we do
believe that the Administration's data breach notification
proposal allows the flexibility that would allow us to delay
consumer notification in small increments if there is a law
enforcement reason for that. There may be an undercover
operation that is necessary or other covert investigative steps
that can be taken immediately after a breach, and there may be
certain circumstances where delayed notification is
appropriate.
But that being said, we do believe that prompt notification
to consumers is important and prompt notification to law
enforcement is important.
Senator Klobuchar. Thank you very much.
Senator Franken. Thank you, Senator Klobuchar.
Senator Whitehouse.
Senator Whitehouse. Thank you again, Chairman.
Let me address myself briefly to the two law enforcement
witnesses who we have here. The theft of intellectual property
from American corporations purely across cyber networks by
hacking into corporate networks and exfiltrating their data has
been described on multiple occasions as ``the greatest illicit
transfer of wealth in history.'' Has any indictment yet
resulted from that conduct, foreign hackers purely through
cyber networks hacking into an American corporation's
intellectual property and exfiltrating it for competitive
purposes?
Ms. Raman. Well, I will say, Senator, that the threat that
you described is one that we are very aware of and we are
focused on. Last year, there was an----
Senator Whitehouse. Has there been an indictment of anyone
in such a case?
Ms. Raman. Last year, in a similar case, there was an
indictment of Sinovel Corporation and about five of its
executives--that is a Chinese corporation and five of its
executives--for stealing the proprietary information of an
American company.
Senator Whitehouse. How had they stolen it?
Ms. Raman. I am sorry?
Senator Whitehouse. How had they stolen it? Was it through
a cyber hack? Or did it involve human----
Ms. Raman. A combination, but also an insider at the
American company.
Senator Whitehouse. Yes.
Ms. Raman. But I think that kind of case, where it would
show that we are willing to indict a Chinese company and
Chinese nationals, including the insider here, shows our
resolve to get to the bottom of these issues.
Senator Whitehouse. Actually the numbers involved show
anything but resolve, and I hope that there will be more
attention paid to this. And I say this with full appreciation
of how very, very challenging and difficult these cases are,
from a forensic point of view, from locating the foreign
defendant point of view, from an interference with intelligence
and diplomatic relations point of view, from a security point
of view. I mean, there is a whole array of reasons that these
are immensely difficult and complicated cases. But when we are
on the losing end of what has been on multiple occasions
described as ``the greatest illicit transfer of wealth in
history,'' I think one case that actually was not that, because
it involved a human exchange as well, just is not an adequate
response. So I urge you guys to improve your game on that, and
if you are getting pushback from the intelligence communities
and from the State Department and other people, push back
harder, because I think an indictment has a clarifying effect.
The other thing that has come up recently has been that
Chairwoman Mikulski of the Appropriations Committee, who is
also the Chairman in charge of your appropriations at the
Subcommittee level, has put into the omnibus spending bill that
we just passed a requirement that the Department of Justice
provide a multiyear strategic plan for cyber within 120 days.
That is not a long window. It is going to require the DOJ, the
FBI, the Secret Service, probably folks within FEMA and
Homeland Security, and certainly OMB, without whom no budget-
related discussion is possible, to get together and start to
figure out what we look like three, four, five years out, 10
years out, in terms of the structure.
We have the FBI deeply involved in this, and we have the
Secret Service deeply involved in this. We have two different
sections of the Department of Justice separately involved in
this. The different programs that we enforce and the different
strategies seem to be changing every six months or so as I have
pursued this. I think a lot of that is necessary and reflects a
sensible and good adaptation to an emerging threat.
But I think that we are a long way from having a clear
sense of what our cyber law enforcement structure should look
like. We are still, I think, evolving, and it has been hard for
me to find any place in which the thinking about what it should
look like three or four or five years out is taking place.
So could you give me a moment on what you are doing right
now to respond to the 120-day requirement for a multiyear
strategic plan?
Ms. Raman. Well, we are very aware, Senator Whitehouse, of
the 120-day requirement, and thankfully, even before that
requirement was put into place, we had been endeavoring for
several months to go through the exercise of putting on paper a
strategy for the Justice Department's cyber program. That
involves some of the issues that you have already touched on,
which is how we integrate all of our various capabilities.
I think that the way that the responsibilities are divided
now, which is the Criminal Division, the National Security
Division, and the FBI, works well together, and the reason that
we are able to work well together is that we communicate
literally on a daily basis, sometimes an hourly basis, about
how to respond to particular threats.
But, together, I am certain that we will be able to comply
with the 120-day requirement. We have been working on it, and
we will continue to work to meet that deadline.
Senator Whitehouse. Good. Well, I am very glad that you
work well together. I would hazard the thought that working
well together and having the proper administrative structure
are two different questions. And I would offer as an example
the challenge of trying to get the civil botnet takedown
capability, which the Department has demonstrated on several
occasions, properly integrated into the criminal and national
security and intelligence elements of this. I think it is a
bigger challenge than just having people work well together.
Ms. Raman. I agree with you, Senator. On the botnet
capabilities that we used in the Coreflood takedown, that was
civil authority, but the Criminal Division, along with the U.S.
Attorney's Office in Connecticut, used those civil authorities,
and we were able to do so because of the specific way that
botnet was structured. But botnets are high on our list of
priorities. We know that every botnet is different, and we know
that behind every botnet is an individual or individuals. And
so we are focused both on getting those individuals and finding
ways, creative ways, to dismantle botnets.
Senator Whitehouse. Good. My concern was that it is my
understanding that after the Coreflood botnet takedown, the
group, the kind of ad hoc group from different organizations
and the U.S. Attorney's Office and Main Justice that had gotten
together to accomplish the Coreflood botnet more or less
disintegrated back into their original positions, and that
there is not a robust and integrated ongoing administrative
structure for integrating those botnet takedowns. They seem to
be more episodic and to grab people from out of the Department
for that one event, and then they got a big award from the
Attorney General--which they merited. I was delighted that that
happened. But then I think the structure of it evaporated or
disintegrated.
So the structure question, I think, is one we can continue
to work on. Thank you.
Senator Franken. Thank you, Senator Whitehouse, for your
continued focus on cybersecurity.
I have a question for either Mr. Noonan or Ms. Raman. Can
you walk me through how a criminal could go about harvesting
the data on a magnetic stripe card and how they go about using
and selling that data once it is stolen?
Mr. Noonan. Yes, sir. If we are talking about the
intrusions that we are here today to discuss, it is generally--
it is not one criminal we are talking about. We are talking
about a sophisticated network of cyber criminals. I use the
analogy sometimes the movie ``Ocean's Eleven.'' This is an
organization that has specific skills when brought together, so
they will have their person that is looking for access in the
systems. They will have their people that are controlling the
bulletproof hosting system. They will have people that are
working on extracting the information from the network. They
will have wholesalers and vendors of that data. And then
ultimately there will be end users that take the data, use it
on a street level through either making counterfeit credit
cards and going into retail stores, buying goods and fencing
that. And then there is a money-laundering system as well in
this.
I think it is also important to understand that we are not
talking about currencies here. We are talking about virtual
currencies in which a lot of this money is moved, so in the
criminal underground, they are moving their money back and
forth through virtual currency, which is hard for U.S. law
enforcement and for others in the government to be able to
trace and track those finances.
Ms. Raman. I agree with that description. I think the
additional element I would add is that oftentimes after there
is this kind of harvesting of personal information through the
use of malware, often through botnets, the stolen information
is then sold in carding sites around the world and to other
criminals who may use it for their own financial profit,
sometimes for other purposes. And so that is also another chain
in the threats that we are seeing.
Senator Franken. It sounds like there is real justification
for putting the RICO piece in Chairman Leahy's bill, that this
is coordinated organized crime.
Right now the information on most cards in the United
States is static. It stays the same until the card is canceled.
What does that mean for criminals wanting to make counterfeit
cards? It will make it easier and more effective.
Mr. Noonan. Sure, so your question is that it is static
data that is coming across?
Senator Franken. Yes.
Mr. Noonan. Right. You have got to understand that the
magstripe data is roughly 30-year-old technology, so I would
agree with the fact that a 30-year-old technology is perhaps a
little bit more easy for them to utilize and put on to readily
available magnetic cards or magnetic stripe cards that are
available in industry today.
Senator Franken. We have been talking today about going to
the EMV technology and going to the EMV with a PIN. Do you all
agree here that that would be extremely helpful?
Mr. Noonan. We believe that anything that would assist in
the security of our Nation's payment systems would be a benefit
to the industry, of course.
Senator Franken. Okay. Thank you.
Chairwoman Ramirez, when a company has really poor digital
security practices, the FTC can initiate an enforcement action
against the company for committing what is called an ``unfair
trade practice,'' and the Commission has used this authority
admirably in the past. At the same time, there is no
comprehensive federal law that sets up a data security standard
for companies that store data, the data of tens of thousands of
customers.
Do you think that the Commission's existing authority in
this space precludes the need for a federal data security and
data breach law?
Ms. Ramirez. No, I do not. We have used our authority under
Section 5 of the FTC Act barring deceptive or unfair commercial
practices, and we think we have used that authority
effectively. But I think we could be even more effective in
this area if there were a federal data security law that the
FTC could enforce. And, in particular, we think there are three
areas where we could use additional authority. We would like to
see legislation that would give the FTC civil penalty
authority. We think this would enable us to deter more
effectively. We also believe that we need jurisdiction over
nonprofits. We have found that a number of breaches occur at
nonprofits, and currently we lack authority over nonprofits, so
that is a gap that we would like to see filled. And, in
addition, in order to implement a data security law
effectively, we believe that it would be appropriate to give
the FTC APA rulemaking authority to enable us to deal with the
evolving risks and harms that one sees in this area.
Senator Franken. Well, thank you. This is why it is so
important that we get to data privacy legislation. I look
forward to doing that.
I want to ask one--and then I see Senator Blumenthal has
arrived, is back. This is a little unrelated, but it is
something I have been interested in. Ms. Raman, in your written
testimony you said that the Department could use better tools
to go after the operators of cell phone spy software. This
software is a huge problem. Every year tens of thousands of
women are stalked through the use of what are called ``stalking
apps.'' These are apps specifically designed to facilitate
stalking. An abuser will install one of these apps on a
victim's phone and be able to track her whereabouts at all
times. We have received testimony, my Subcommittee, on this
time and again.
These apps can be found within minutes through a Web
search. One is called ``FlexiSPY.'' It brags, ``FlexiSPY gives
you total control over your partner's phone without them
knowing it. See exactly where they are, or were at any given
date in time. Buy now and start spying on a cell phone in
minutes.''
Another is called ``SpyEra.'' It says, ``The target user is
never interrupted from what they're doing and won't notice a
thing . . . . You'll not only know what is being said and done,
but you'll also know exactly when and where.''
I have a privacy bill specifically aimed at shutting these
apps down, and so I want to work with you to give you all the
tools that we need to do that. So can you and I work together
on this?
Ms. Raman. Absolutely. We appreciate any support that you
can give us in this area. As you describe, it is an incredibly
frightening capability. We are focused on the criminal threat,
but one of the tools that we think could be helpful in our
fight against this kind of software is civil authority to
forfeit proceeds of the crime, and we would be happy to speak
further with you and your staff about those particulars.
Senator Franken. Thank you.
Senator Blumenthal.
Senator Blumenthal. Thank you, Senator Franken.
Thank you all for your great work in this area, and thank
you, Chairman Ramirez, for your focus and your interest in
additional authority, which I agree is important. I think the
FTC has broad authority now to impose some rules and take some
enforcement action when there has been a failure to impose
sufficiently stringent safeguards to protect consumer
information, but certainly clarifying that authority and
expanding it in the ways you have suggested makes a lot of
sense. And, in fact, I have just introduced a bill that would
provide for rulemaking authority, but also stiff penalties, and
possibly even stringent penalties if the Congress would go
along with them, because I think that the potential damage to
consumers is so horrific from identity theft and associated
wrongs that emanate from these hacking and abusive activities.
It also provides for mandatory notification, a
clearinghouse, and, in my view, very importantly, a private
right of action as well as jurisdiction for Attorneys General
to enforce these rules.
What do you think about a private right of action and the
authority of Attorneys General to impose these rules?
Ms. Ramirez. The Commission has not taken a position on the
issue of a private right of action, but as regards concurrent
State enforcement, we believe that that is absolutely critical.
The States have done very important work in this arena, and we
think it is vital for them to continue to be involved.
Senator Blumenthal. What has been the reaction of
nonprofits? Have they been ahead of the for-profit sector or
behind?
Ms. Ramirez. Well, I think we see problems amongst all
companies, including nonprofits, and that is an area where we
currently lack jurisdiction, and we think it is a gap that
needs to be rectified so that we do have jurisdiction. But as I
mentioned earlier, the data that we have available today--and I
specifically referenced the Verizon Data Breach Investigation
Report that is issued annually. It continues to indicate that
companies need to do a lot more in this area, that very
fundamental mistakes are being made when it comes to data
security. And so that signals to me that action, further
action, needs to be taken. And, of course, this is a very
complex problem, multifaceted problem that requires a
multifaceted solution.
Senator Blumenthal. Am I right in thinking that the United
States is behind a lot of the rest of the world in its data
security safeguards? We heard testimony earlier about the lack
of use of chip-and-PIN methodologies, which is now prevalent in
Europe, and maybe the lack of use of it here is a reason not
only for the Neiman Marcus and Target breaches, but also for
the fact that almost half the world's credit card fraud occurs
here but only a quarter of credit card use. So there seems a
disparity that indicates we are behind the rest of the world.
Ms. Ramirez. Let me say that while at the FTC we do not
prescribe or recommend particular technologies, it is of
concern to me that our payment card systems really do need
improvement. So in my view, more work can be done in that area.
It is absolutely critical from my perspective that payment card
systems be secure and protect consumer information, and I
really think it is important that all of the players in the
ecosystem--retailers, banks, payment card networks--all work
together to find solutions.
Senator Blumenthal. Any of the other witnesses have
perspectives on these questions?
Mr. Noonan. Yes, sir, I have a perspective in the fact that
you can come up with devices that will secure credit card data,
but it does not alleviate the fact that we are talking about it
is still criminals that are doing it. These criminals are
motivated by money. They are financially motivated. They are
going to use whatever they have at their disposal to still go
after the pot of gold which is held in the payment card systems
piece.
So it does not take away the criminal element, but it does
add a layer, potentially could add a layer of security. So I
just wanted to make the point that, again, when we are talking
about the criminal element, it is law enforcement and the work
that is being done between the Department of Justice and law
enforcement that is going at the criminal to try to take them
and put them behind bars, taking the virtual world and making
it reality with handcuffs, if you will.
Ms. Raman. I agree that securing data is obviously
incredibly important for all American consumers. From a law
enforcement point of view, anything that strengthens our
ability to secure that data is a good thing. It makes our--
frankly, it makes us less necessary if there are fewer breaches
and if there are fewer attempts to try to get at sensitive
data. But that having been said, Mr. Noonan is absolutely
right. Malware adapts every day. Botnets adapt every day.
Criminals are early adopters of almost every kind of
technology, and our challenge is to stay ahead of them.
Senator Blumenthal. Well, there is an arms race. There
always has been, not only in this area but in so many others.
Having done a bit of law enforcement work myself, both federal
and State, I am well aware that there will never be the
foolproof safeguard or the impenetrable lock on the door. But
if you leave the door completely unlocked, it is almost an
invitation to the bad guys. And I do not want to say we have
left the door unlocked in the retail industry, but certainly
the locks are a lot less sophisticated than the technology
available would provide. And you may not have been here
earlier, but I think that the industry--or maybe I should say
industries--have some real soul searching to do about whether
they have been sufficiently protective of consumer information,
because as we know, you can apprehend, investigate, prosecute
criminals, but rarely does that compensate them when they are
victims of identity theft. And that is just the stark, tragic
fact of the matter, that preventing these crimes is often the
only way to really protect consumers, because you can prosecute
them, if you can apprehend them and investigate them. We are
talking about global criminal activity here. But the victims of
identity theft are often really marred and scarred for life.
So, you know, I respect your point of view, but I do think
that stronger preventive action that would come with rulemaking
authority, stiffer penalties on the retailers which provide an
incentive to do the right thing, I think are very much needed.
Thank you all. Thank you, Mr. Chairman.
Senator Franken. Thank you, and thank you all. I think
following up on what Senator Blumenthal just said, today's
hearing has made it clear that we are dealing with a systemic
data security problem in this country, and we received
testimony in the first panel that our credit and debit cards
just are not secure enough, and we have no federal standard for
data security and breach notification. We have to update our
card technology and our laws to address these 21st century
threats to our data security. When millions of American
consumers have their data breached, we really cannot afford not
to.
That is why I have been pressing credit and debit card
companies on their plans to enhance card security through
improvements like smart chip technology and chip and PIN, and
that is why I was proud to join Chairman Leahy on his Data
Privacy and Security Act. I think it is just common sense that
the consumers should be told when their data has been stolen
and that we do everything we can to secure it before that
happens.
I want to thank the witnesses for their testimony today.
You have helped us understand not only how these breaches
occurred but how we can move forward from this point to better
protect consumers and better enforce our laws.
The record will be held open until February 11th for
questions and any further materials. You are now dismissed, and
this hearing is adjourned.
[Whereupon, at 1:07 p.m., the Committee was adjourned.]
A P P E N D I X
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]