[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
PROTECTING CONSUMERS: FINANCIAL
DATA SECURITY IN THE AGE OF
COMPUTER HACKERS
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
MAY 14, 2015
__________
Printed for the use of the Committee on Financial Services
Serial No. 114-23
HOUSE COMMITTEE ON FINANCIAL SERVICES
JEB HENSARLING, Texas, Chairman

PATRICK T. McHENRY, North Carolina, Vice Chairman
PETER T. KING, New York
EDWARD R. ROYCE, California
FRANK D. LUCAS, Oklahoma
SCOTT GARRETT, New Jersey
RANDY NEUGEBAUER, Texas
STEVAN PEARCE, New Mexico
BILL POSEY, Florida
MICHAEL G. FITZPATRICK, Pennsylvania
LYNN A. WESTMORELAND, Georgia
BLAINE LUETKEMEYER, Missouri
BILL HUIZENGA, Michigan
SEAN P. DUFFY, Wisconsin
ROBERT HURT, Virginia
STEVE STIVERS, Ohio
STEPHEN LEE FINCHER, Tennessee
MARLIN A. STUTZMAN, Indiana
MICK MULVANEY, South Carolina
RANDY HULTGREN, Illinois
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANN WAGNER, Missouri
ANDY BARR, Kentucky
KEITH J. ROTHFUS, Pennsylvania
LUKE MESSER, Indiana
DAVID SCHWEIKERT, Arizona
FRANK GUINTA, New Hampshire
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
BRUCE POLIQUIN, Maine
MIA LOVE, Utah
FRENCH HILL, Arkansas

MAXINE WATERS, California, Ranking Member
CAROLYN B. MALONEY, New York
NYDIA M. VELAZQUEZ, New York
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
MICHAEL E. CAPUANO, Massachusetts
RUBEN HINOJOSA, Texas
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
DAVID SCOTT, Georgia
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
GWEN MOORE, Wisconsin
KEITH ELLISON, Minnesota
ED PERLMUTTER, Colorado
JAMES A. HIMES, Connecticut
JOHN C. CARNEY, Jr., Delaware
TERRI A. SEWELL, Alabama
BILL FOSTER, Illinois
DANIEL T. KILDEE, Michigan
PATRICK MURPHY, Florida
JOHN K. DELANEY, Maryland
KYRSTEN SINEMA, Arizona
JOYCE BEATTY, Ohio
DENNY HECK, Washington
JUAN VARGAS, California

Shannon McGahn, Staff Director
James H. Clinger, Chief Counsel
C O N T E N T S
----------
Page
Hearing held on:
May 14, 2015................................................. 1
Appendix:
May 14, 2015................................................. 63
WITNESSES
Thursday, May 14, 2015
Dodge, Brian A., Executive Vice President, Communications and
Strategic Initiatives, the Retail Industry Leaders Association
(RILA)......................................................... 8
Moy, Laura, Senior Policy Counsel, New America's Open Technology
Institute...................................................... 13
Orfei, Stephen W., General Manager, PCI Security Standards
Council........................................................ 11
Oxman, Jason, Chief Executive Officer, the Electronic
Transactions Association (ETA)................................. 9
Pawlenty, Hon. Tim, President and Chief Executive Officer, the
Financial Services Roundtable.................................. 6
APPENDIX
Prepared statements:
Hinojosa, Hon. Ruben......................................... 64
Dodge, Brian A............................................... 67
Moy, Laura W................................................. 74
Orfei, Stephen W............................................. 90
Oxman, Jason................................................. 96
Pawlenty, Hon. Tim........................................... 110
Additional Material Submitted for the Record
Hensarling, Hon. Jeb:
Written statement of the American Council of Life Insurers... 120
Written statement of the National Association of Federal
Credit Unions.............................................. 121
Written statement of the National Association of Insurance
Commissioners.............................................. 123
Capuano, Hon. Michael:
Written statement of the Office of the Attorney General of
the Commonwealth of Massachusetts.......................... 132
Fincher, Hon. Stephen:
Comments for the record submitted by the Secure ID Coalition. 138
Foster, Hon. Bill:
Written responses to questions for the record submitted to
Jason Oxman................................................ 141
Written responses to questions for the record submitted to
Hon. Tim Pawlenty.......................................... 142
Luetkemeyer, Hon. Blaine:
Written statement of the Credit Union National Association... 144
Stivers, Hon. Steve:
Written statement of the National Retail Federation.......... 149
PROTECTING CONSUMERS: FINANCIAL
DATA SECURITY IN THE AGE OF
COMPUTER HACKERS
----------
Thursday, May 14, 2015
U.S. House of Representatives,
Committee on Financial Services,
Washington, D.C.
The committee met, pursuant to notice, at 10:01 a.m., in
room 2128, Rayburn House Office Building, Hon. Jeb Hensarling
[chairman of the committee] presiding.
Members present: Representatives Hensarling, Royce, Lucas,
Garrett, Neugebauer, Pearce, Posey, Fitzpatrick, Westmoreland,
Luetkemeyer, Huizenga, Duffy, Hurt, Stivers, Fincher, Stutzman,
Mulvaney, Hultgren, Ross, Pittenger, Barr, Rothfus, Messer,
Schweikert, Guinta, Tipton, Williams, Poliquin, Love, Hill;
Waters, Maloney, Sherman, Meeks, Capuano, Hinojosa, Clay,
Lynch, Scott, Green, Cleaver, Moore, Ellison, Perlmutter,
Himes, Carney, Sewell, Kildee, Murphy, Delaney, Beatty, and
Vargas.
Chairman Hensarling. The Financial Services Committee will
come to order.
Without objection, the Chair is authorized to declare a
recess of the committee at any time.
Today's hearing is entitled, ``Protecting Consumers:
Financial Data Security in the Age of Computer Hackers.''
Members, welcome home. I assume many of our colleagues are
furiously running here from HVC-210 as we speak. For our
witnesses and for the audience, we have been nomads since the
beginning of the year.
So you will notice a few changes in the room. This
renovation was caused by an upgrade of the audiovisual systems.
Although I did not specifically request it, I now notice there
are twice as many microphones in our hearing room as before. I
wish to notify Members that that does not mean they can speak
for twice as long. That doesn't go along with the microphones.
In addition, you will notice that our witnesses are quite a
ways away, and that we have less room for the public. As
hearing rooms are renovated, they must be made and should be
made compliant with the Americans with Disabilities Act (ADA).
This room complies with the ADA statute, which means that every
row has been enlarged. This means that we have lost part of our
gallery, but the overflow room is still alive and well.
In addition, for those who have ever moved into a new home
or new apartment, there is such a thing known as a ``punch
list.'' And so, for some of the subcommittees, you may be
kicked out of this room over the next 5 to 7 days as that punch
list is completed.
Another change in our committee room: If you will look over
my left shoulder, you will see the portrait of our most recent
chairman, Spencer Bachus. For those who have some tenure on the
committee, including myself and the ranking member, to have
Barney over one shoulder and Spencer over the other kind of
seems like old times.
We certainly know of Barney's fierce intellect and
tenacity, but I also hope that Members will remember Spencer's
gentle and kind leadership of this committee. And sometimes
when emotions and passions start to run high, let's remember
the example he set for us with respect and decency and, yes,
humor.
Somehow, at any moment, I expect these two to carry on one
of their classic debates. We will see if that actually happens
or not.
I believe that is all I need to say about the hearing room
at the moment, in which case the Chair now recognizes himself
for 3 minutes for an opening statement.
At today's hearing, we will be focused on protecting
consumers and their private financial information in an age of
computer hackers.
The world has experienced a technology revolution, one that
has brought remarkable benefits to consumers and the broader
economy, but has also increased risks on consumers by making
the theft of personal financial information a profitable
enterprise for cyber criminals and computer hackers.
In the era of big data, large-scale security breaches are
unfortunately all too common. And every breach leaves consumers
exposed and vulnerable to identity theft, fraud, and a host of
other crimes. We have certainly all read about the high-
profile, headline-grabbing breaches at Target and Home Depot.
According to the Identity Theft Resource Center, there were 783
U.S. data breaches in 2014, an increase of more than 27 percent
over the prior year. The Center for Strategic and International
Studies and McAfee Security estimate that such attacks cost the
U.S. economy $100 billion--that is ``billion'' with a ``B''--
annually.
American consumers rightfully expect their personal
information to be protected by their financial institutions,
and by retailers, card networks, payment processors, and, yes,
their Federal Government. Consumers shouldn't be left to simply
hope and pray their personal information will be safe every
time they swipe their debit or credit card or enter their
information online. They deserve protection.
So today the committee will hear from representatives of
organizations whose members constitute the major participants
in the payment system. We welcome their expertise and insight.
My hope is that this hearing affords Members on both sides
of the aisle an opportunity to better understand what security
measures are currently in place to prevent data breaches, how
consumers are notified following a breach, what types of
emerging technologies will help reduce the frequency and
severity of breaches, what steps are being taken by the
merchants and financial services communities to address the
problem, and where additional Federal legislation may be
warranted.
I further hope that the committee will engage in a
thoughtful and constructive dialogue on a bipartisan basis.
And, in that regard, I wish to thank Chairman Neugebauer and
the gentleman from Delaware, Mr. Carney, for starting this
bipartisan dialogue off on the right foot by introducing a
bipartisan bill to address this important problem.
I will now yield back the balance of my time and recognize
the ranking member for 3 minutes.
Ms. Waters. Thank you, Mr. Chairman.
Americans are increasingly reliant on electronic means to
communicate, shop, and manage their finances. While new
technologies bring substantial opportunity, they also bring a
range of new vulnerabilities for consumers. Massive attacks on
some of our Nation's largest retailers and financial
institutions are impacting virtually every sector of our
economy and our national security.
Consumers are not the only ones who pay the price of a
breach. The cost of recovering losses by retailers and card
issuers can be extensive and weigh particularly heavy on small
community banks and credit unions.
We all know companies face a number of challenges in
determining how best to secure customers' financial and
personally identifiable information. In addition, we know that
there are significant costs to complying with various State
laws and providing notice after a breach.
However, as we consider setting national standards for
safeguarding consumers' personal information and ensuring
timely notification, we must again acknowledge the good work of
those States that for years have been at the front lines of
this fight. I believe that any Federal preemption should
complement States' protections and ensure at a minimum that
State attorneys general continue to play an important role in
enforcement and notification standards.
In setting minimum standards, we need to be careful not to
hamstring our State and Federal regulators' ability to continue
adapting and strengthening protections for consumers.
Otherwise, we will limit regulators' ability to keep up with
technological change.
And we must preserve a private right of action for
consumers and for financial institutions to ensure that
affected entities and breach victims have legal recourse.
Further, consumers must be consistently provided with clear
disclosures of the rights and remedies available to them so
that they remain aware of the various ways in which they can
protect themselves from identity theft, fraud, and other cyber
crimes.
Mr. Chairman, efforts to guard against cyber threats are
critically important and shouldn't devolve into the same
partisan fault lines we have seen on far too many other issues
before this committee, such as the baseless attacks on
watchdogs like the CFPB, and blocking efforts to reauthorize
the charter of the Export-Import Bank, which expires in just 22
legislative days.
With that, I look forward to hearing from the witnesses
today, and I yield back the balance of my time.
Chairman Hensarling. The gentlelady yields back.
The Chair now recognizes the gentleman from Texas, Mr.
Neugebauer, chairman of our Financial Institutions
Subcommittee.
Mr. Neugebauer. Thank you, Mr. Chairman.
We live in a world where the global marketplace is
supported by a global payments system. It delivers payment
services to consumers in the blink of an eye. Immense amounts
of sensitive consumer information are transferred and processed
and stored in any one transaction.
The security of the system is only as strong as its weakest
link, and today I look forward to learning more about new
payment technologies that continue to facilitate payment
efficiency, speed, and security. I am hopeful we can have a
robust policy discussion about what new data security standards
are needed to level the playing field.
This month, Congressman Carney and I introduced bipartisan
legislation which builds on the work of Senators Carper and
Blunt. Our starting point was to look at Gramm-Leach-Bliley,
which laid out a robust data security framework for financial
institutions. Almost 16 years later, this framework has worked
very well.
The data security standards in H.R. 2205 are based on
certain core principles.
First, because we have a global payment system, we need a
national data security standard and a national breach
notification standard. This standard must minimize regulatory
requirements but must carry with it a strong Federal
enforcement mechanism.
Second, the data security standard must be technology-
neutral and process-specific. It must reasonably identify
certain core elements in the absence of an FTC rulemaking.
Third, it is absolutely necessary that the data security
standard is scalable based on the size of the business, the
scope of the operation, and the type of information that it
holds. Legislation must recognize that the corner market cannot
and should not have the same standard as the largest retailer
operating in 50 States.
While I am confident in our bipartisan legislation, I am
open to working with any member of the interested groups to
minimize unintended consequences and to continue tailoring this
legislation. We have a shared interest in seeing this
legislation signed into law, giving consumers the safest
payment system possible.
And with that, I want to thank our panel for being here
this morning. Based on my review of the testimony that has been
submitted, I think this is going to be very informative for our
Members. And I think it is good that we have these different
interests at the table today.
And so, Mr. Chairman, I look forward to a very informative
hearing.
Chairman Hensarling. The gentleman yields back.
The Chair now recognizes the gentleman from Delaware, Mr.
Carney, for 2 minutes.
Mr. Carney. Thank you, Mr. Chairman.
Mr. Chairman, over the last decade alone, data breaches
have compromised nearly a billion records containing sensitive
consumer financial information. Experts estimate that when a
data breach occurs in the United States, it directly costs
consumers an average of $290 per victim. Studies show that
cyber criminals are costing U.S. companies approximately $100
billion a year.
One thing is clear: The current patchwork of 47 different
State data breach laws is failing to protect American
consumers. That is why Mr. Neugebauer and I have worked
together on a bipartisan effort to develop a data security and
breach notification framework within which all relevant
stakeholders can operate. We think consumers and the companies
that handle their personal financial data should all know the
rules of the road when it comes to the standard for protecting
this data.
Our bill, H.R. 2205, the Data Security Act, builds off the
efforts by Senators Carper and Blunt across the Capitol. The
bill implements a strong national data breach notification
standard. It requires companies to enact a data security
program that is robust and scalable and with the goal of
protecting consumers' personal information from breaches. And
it sets reasonable standards for accurate and timely notice to
consumers when a breach occurs.
Importantly, the bill's requirements avoid a one-size-fits-
all approach and allow companies of varying sizes and
complexity to find a program that is tailored and effective for
their business.
As with any comprehensive piece of legislation, our bill
can always be improved. The example clarifying that the
preemption provision does not have unintended consequences
outside the issues covered in this bill merits further
attention. I am looking forward to working with my colleagues
on both sides of the aisle to make improvements to this
legislation where necessary.
The fact is, though, that the White House, Congress, and
the private sector and consumers all agree that the status quo
is not acceptable. And I am encouraged that this committee is
having this hearing today and that we are moving forward to
protect consumers, businesses, and the American economy.
I would like to thank Mr. Neugebauer for his leadership on
this issue, and I look forward to hearing the witnesses'
testimony and feedback in this hearing.
Thank you. I yield back.
Chairman Hensarling. The gentleman yields back.
And, indeed, it is time to hear from our witnesses. We
welcome each and every one of them to the panel.
The Honorable Tim Pawlenty is the president and chief
executive officer of The Financial Services Roundtable, and a
former Governor of the State of Minnesota.
Mr. Brian Dodge is the executive vice president of
communications and strategic initiatives at the Retail Industry
Leaders Association.
Mr. Jason Oxman is the chief executive officer of the
Electronic Transactions Association.
Mr. Stephen Orfei is the general manager at PCI Security
Standards Council.
And last but not least, Ms. Laura Moy is a senior policy
counsel at New America's Open Technology Institute.
Several of you have testified before Congress before; I am
not certain about all of you. So we have a rather simple
lighting system. Green means go. Yellow means hurry up because
the red light is soon to follow. And red means stop. The yellow
light comes on with 1 minute to go.
Each of you will be recognized for 5 minutes to give an
oral presentation of your testimony. And without objection,
each of your written statements will be made a part of the
record.
And since we are brand-new in our refurbished space--in the
old hearing room, you had to pull these microphones very close
to you. I think now you can keep them a somewhat comfortable
distance from your mouth.
Governor Pawlenty, you are about to be our guinea pig on
the new sound system. And, Governor Pawlenty, you are now
recognized for your testimony.
STATEMENT OF THE HONORABLE TIM PAWLENTY, PRESIDENT AND CHIEF
EXECUTIVE OFFICER, THE FINANCIAL SERVICES ROUNDTABLE
Mr. Pawlenty. Good morning, Chairman Hensarling, Ranking
Member Waters, and members of the committee. Thank you for the
opportunity to share a few thoughts with you this morning about
one of the most pressing issues facing our country, and that is
the emerging, growing, and exponentially threatening cyber
warfare that is taking place both commercially and otherwise
across the globe and being visited upon American businesses and
consumers in ways that I think deserve the Congress' attention.
Just to give you a sense of a few measures of what we are
up against in this regard, 80 percent of the companies that
were breached in 2014 did not know they were breached until
somebody else told them, a third party told them--sometimes the
government, sometimes a vendor, but a third party. And the
average length of time between the breach actually happening
and the discovery was months after the fact.
In addition, here is another interesting fact. Over half of
the adult American population had their personal data exposed
last year, according to a CNN published report.
And the list goes on, including that we now know through
public and confirmed reports that this is no longer college
kids in their basements having some fun trying to get into some
systems. These are nation-state actors, including--or semi-
state-nation actors, including China, North Korea, Iran,
Russia, and former Soviet Union-sponsored states and
individuals and enterprises associated with them, and very
sophisticated international crime syndicates.
If one of those entities triangulates on a company, it is
likely not going to end well for that company or their
customers. So we need a more robust, more muscular response to
these threats. And we appreciate very much the fact that this
committee is paying attention to these issues.
And, Mr. Chairman, thank you to the House for passing on
more than one occasion threat information legislation, CISA and
CISPA legislation. We hope the Senate does the same. And,
again, we are not talking about sharing personal information,
but that threat-information-sharing bill is very helpful to
this cause and making the country more prepared to defend
against these threats.
As it relates to the financial services sector and the
payment system, our sector, as the chairman mentioned, has been
dealing with these issues in a regulated context for quite some
time. The Gramm-Leach-Bliley Act passed in 1999. Part of that
Act, of course, was to visit upon this industry data security
standards and enforcement mechanisms, including part of the
examination process.
That, I think, has served the industry well. As you look at
the percent of breaches that have taken place in recent years,
our sector has the lowest breach incident rate. We still have a
lot of work to do, but compared to other major sectors, that is
progress. And that is because of some of the good work that has
been done since Gramm-Leach-Bliley and otherwise.
We are about to launch some more secure top-level domains,
dot-bank and dot-insurance, which should help with these
issues. We have been involved in an information sharing and
analysis center, one of the first in the country that is most
robust, the FS-ISAC, and more.
As it relates to the payment system, it is about to get a
lot better. We are going to move, as a next step, to the chip-
enabled cards. It is already happening. The networks have said,
look, if you want to avoid fraud liability, you have to make
this transition towards the end of 2015. There are some saying,
``Look, we are not ready. It is going to take a little
longer.'' But over the course of the next couple of years,
almost all cards are going to be chip cards, and that is going
to help.
But don't be focused just on that. That is technology from
the 1960s. Magnetic strips were invented in the 1960s. PINs
were invented in the 1960s; chips, of course, more recently.
But it is moving well beyond that discussion. The new
technologies that are coming forward and being actively
considered include voice recognition, facial recognition,
biometrics, location confirmation, gesture recognition, and a
lot more. So this space is evolving extremely rapidly and is
going to continue to evolve as new technology emerges.
As to the legislation that is before you, Congressman
Neugebauer, Congressman Carney, thank you very much. We
strongly support H.R. 2205. We think it is an excellent piece
of work. May need some modifications, as Congressman Carney
mentioned, but it does some important things.
It creates for all sectors, not just the healthcare sector
or the financial services sector, a data security standard,
which is really important. And it is flexible. We are only as
strong as the weakest link in the chain. If we have strong
standards but one of the other links in the chain doesn't, the
whole system is exposed. So thank you for putting the marker
down on a strong national data security standard. We strongly
support that.
Another important piece of the bill is a uniform data
breach notification law. Many States, including my own, have
strong laws in this regard, but as you think about cyberspace
and how commerce gets conducted now, it doesn't make a lot of
sense to have 50 different standards, 50 different approaches,
50 different responses to a breach and the notification
relating to it.
And, in closing, as you think about this, we are not asking
for any current State initiatives to be diluted. We think, if
you set a standard, set it high. Make it nation-leading.
And I am out of time. Mr. Chairman, again, thank you for
the chance to be here this morning. Thank you to Congressmen
Neugebauer and Carney for their leadership on these issues. We
strongly support what you are trying to do.
[The prepared statement of Mr. Pawlenty can be found on
page 110 of the appendix.]
Chairman Hensarling. Thank you, Governor.
Mr. Dodge, you are now recognized for 5 minutes for your
testimony.
STATEMENT OF BRIAN A. DODGE, EXECUTIVE VICE PRESIDENT,
COMMUNICATIONS AND STRATEGIC INITIATIVES, THE RETAIL INDUSTRY
LEADERS ASSOCIATION (RILA)
Mr. Dodge. Thank you, and good morning.
Chairman Hensarling, Ranking Member Waters, and members of
the committee, my name is Brian Dodge, and I am an executive
vice president with the Retail Industry Leaders Association.
Thank you for the opportunity to testify today about data
security and the steps the retail industry is taking on this
important issue and to protect consumers.
RILA is the trade association of the world's largest and
most innovative retail companies. Retailers embrace innovative
technology to provide American consumers with unparalleled
services and products. While technology presents great
opportunities, nation-states, criminal organizations, and other
bad actors are also using it to attack businesses,
institutions, and governments.
As we have seen, no organization is immune from attacks.
Retailers understand that defense against cyber attacks must be
an ongoing effort. As leaders in the retail community, we are
taking new and significant steps to enhance cybersecurity
throughout the industry.
To that end, last year RILA formed the Retail Cyber
Intelligence Sharing Center, or R-CISC, in partnership with
America's most recognized retailers. The Center has opened a
steady flow of information-sharing between retailers, law
enforcement, and other relevant stakeholders.
Also, the R-CISC has recently established a formal working
relationship with the Financial Services ISAC, a move that
will, among other things, ensure collaboration across the
payments ecosystem on these issues.
RILA applauds the House for passing cyber information-
sharing legislation, and we hope the Senate will quickly take
up and adopt H.R. 1560's flexible approach to electronic
sharing.
While I expect we will discuss many cybersecurity topics
today, one area of security that needs immediate attention is
payment card technology. The woefully outdated magnetic stripe
technology used on cards today is the chief vulnerability in
the payments ecosystem. Retailers are estimated to be investing
more than $8.6 billion to upgrade card terminals to accept chip
cards by later this year. However, the new cards will not be
issued with PINs.
Chip and PIN technology has proven to dramatically reduce
fraud when it has been deployed elsewhere around the world. In
contrast, chip and signature technology falls short of
providing American consumers the best security available today.
Retailers believe that the two-factor authentication
enabled through chip and PIN will prevent criminals from
duplicating cards with ease and devalue the data that retailers
collect at the point of sale. Ultimately, these steps have been
proven to substantially reduce the economic incentive for cyber
criminals to launch these kinds of cyber attacks.
Before I discuss what RILA believes are important data
breach policy considerations, I will briefly highlight the
significant data security and data breach notification laws
with which retailers currently comply.
Forty-seven States, the District of Columbia, Guam, Puerto
Rico, and the U.S. Virgin Islands have adopted data breach
notification laws. In addition, retailers are subject to robust
data security regulatory regimes. The Federal Trade Commission
has prosecuted more than 50 cases against businesses that it
charged with failing to maintain reasonable data security
practices. These actions have created a common law of consent
decrees that clearly spell out the data security standards
expected of businesses.
Additionally, inadequate data security measures for
personal information can lead to violations of express State
data security laws. Also, many States have so-called ``little
FTC acts'' that can be used to enforce against what attorneys
general deem to be unreasonable data security practices.
Finally, retailers voluntarily and by contract follow a
variety of security standards, including those maintained by
PCI, NIST, and ISO.
While retailers diligently comply with this range of data
breach notice and data requirements, a carefully crafted
Federal data breach law can clear up regulatory confusion and
better protect and notify customers. RILA supports Federal data
breach legislation that is practical and proportional and sets
a single national standard.
RILA supports data breach legislation that creates a single
national notification standard that allows businesses to focus
on quickly providing affected individuals with actionable
information; that ensures that targeted notice is required only
when there is an actual risk of identity theft, economic loss,
or harm; that ensures that the responsibility to notice is that
of the entity breached but provides flexibility for entities to
contractually determine the notifying party; that establishes a
precise and targeted definition for ``personal information;''
and that recognizes that retailers already have robust data
security obligations and that security must be able to adapt
over time.
I thank the committee for inviting me today, and I look
forward to answering your questions.
[The prepared statement of Mr. Dodge can be found on page
67 of the appendix.]
Chairman Hensarling. Mr. Oxman, you are now recognized for
5 minutes for your testimony.
STATEMENT OF JASON OXMAN, CHIEF EXECUTIVE OFFICER, THE
ELECTRONIC TRANSACTIONS ASSOCIATION (ETA)
Mr. Oxman. Thank you, Mr. Chairman, Ranking Member Waters,
and members of the committee for the opportunity to be here
today.
I am Jason Oxman, the CEO of the Electronic Transactions
Association. ETA is the trade association of the payments
industry. Our more than 500 member companies are focused on
providing the world's most secure, reliable, and functional
payment systems to American merchants and consumers.
Electronic payments in the United States are largely
invisible to consumers because, simply put, they just work.
U.S. consumers carry 1.2 billion credit, debit, and prepaid
cards in their wallets, and they can use those cards to pay
electronically at more than 8 million merchants in the United
States. Indeed, ETA member companies process more than $5
trillion in U.S. consumer spending every year. That means
thousands of transactions are moving across our network every
second.
Now, consumers enjoy a wide variety of ways to pay
electronically, including in person, with a card or a mobile
device or a watch, or remotely via phone or over the Internet.
And from the moment that a consumer initiates a payment, the
transaction is securely transmitted, authorized, and processed
within a matter of seconds. ETA member companies take very
seriously the obligation to protect the security of their
customers' information.
Consumers in the United States choose electronic payments
because they benefit from zero liability for fraud, making
electronic payments the safest and most secure way to pay.
Today, criminal fraud amounts to less than 6 cents of every
$100 processed in transactions. It is a fraction of a tenth of
1 percent.
Now, even though fraud represents a tiny percentage of
overall transaction volume, we are deploying cutting-edge new
technology and using self-regulatory industry guidelines to
bolster the fight against fraud. I would like to highlight
three concrete steps our industry is taking to protect consumer
information and prevent data breach.
First, ETA members are deploying EMV-enabled chip cards to
fight the number one cause of card fraud: counterfeit cards.
Counterfeit cards represent about two-thirds of card-present
fraud in the United States today. Chip cards prevent cards from
being counterfeited. They don't stop data breaches, but they do
make it harder for criminals to reap the rewards of those data
breaches.
Chip migration happening now in the United States is the
most complicated overhaul of our payments technology system in
the 40 years since the magnetic stripe card was introduced. Our
banks need to replace more than 1 billion cards. Merchants need
to upgrade point-of-sale equipment at more than 10 million
locations. But we are working together, and we are getting it
done.
Second, our industry is deploying new tokenization
technology that replaces card information with a one-time-use
token. Even if intercepted by criminals, these tokens cannot be
used to generate fraudulent transactions. Think of a token as a
mathematical cryptogram that can't be reproduced.
One well-known implementation of tokenization is in mobile
payments, where the customer's phone or watch generates that
token for use. Tokens can also be used in card environments, as
well. And we are working with our merchant partners to deploy
tokenization technology at both brick-and-mortar and online
retail.
Third, ETA members are helping merchants secure the point
of sale by deploying new encryption technologies. Point-to-
point encryption is a way to secure all entry points against an
attack. It denies cyber criminals the access they need to
install malware and other cyber hacking tools.
As our industry deploys all of these layered technologies,
I also want to affirm ETA's strong support for legislation that
creates uniform national data standards and data protection
breach standards as well. Such standards must be industry-
neutral, and they must be preemptive of State law. And this is
the approach set out in H.R. 2205, which ETA strongly supports.
We applaud Chairman Neugebauer and Mr. Carney for engaging in
this important dialogue with this legislation.
ETA also supports legislation to promote information-
sharing. Sharing of information across government and across
technology and manufacturing companies will support prevention
of and investigation of breaches and ensure against cyber
attacks.
Cyber criminals are increasingly sophisticated, they are
global in scope, and we are working proactively to address
every threat. We must not forget that these data breaches of
merchants and consumers make them victims of crime. We share a
desire to stamp out fraud, and we take seriously our
responsibility to all of our customers to do so.
Thank you for the opportunity to be here, and I look
forward to your questions, Mr. Chairman.
[The prepared statement of Mr. Oxman can be found on page
96 of the appendix.]
Chairman Hensarling. Mr. Orfei, you are now recognized for
your testimony.
STATEMENT OF STEPHEN W. ORFEI, GENERAL MANAGER, PCI SECURITY
STANDARDS COUNCIL
Mr. Orfei. Thank you, Mr. Chairman.
Good morning. My name is Steven Orfei. I am the general
manager of the PCI Security Standards Council. I have the
privilege of leading a talented and deeply committed membership
organization that is responsible for the developing and
maintaining of the global data security standards for the
payment card industry.
Our approach combines people, process, and technology.
Continuous effort in applying our standards is the best line of
defense against organized crime, state-funded actors, and
criminals who threaten our way of life and attempt to undermine
our confidence in the financial system. Everyone has been
victimized by these criminals, and we know the very real harm
caused by breaches.
Developing standards to protect payment card data is
something the private sector and specifically PCI is uniquely
qualified to do. Consumers are understandably upset when their
payment card data is put at risk. The Council was created to
proactively protect consumers' payment card data.
Our community of over 1,000 of the world's leading
businesses is tackling data security challenges, from simple
issues--for example, the word ``password'' is still one of the
most commonly used passwords--to complex issues like
encryption.
Our standards are a solid foundation for a multilayered
security approach. We aim to remove payment card data if it is
no longer needed. Simply put, if you don't need it, don't store
it. If it is needed, then protect it, and reduce the incentives
for criminals to steal it.
And here is how we do that. The data security standard is
built on 12 principles, covering everything from logical to
physical security and much more. It is updated regularly
through feedback from our global community. We manage eight
other standards that cover card production, PIN-entry devices,
payment applications, and much, much more. We work on
technologies, best practices, and provide market guidance. We
have laboratories to vet solutions that we list on our Web
site. All of our information is free. Our mission is to
educate, empower, and protect.
Now, our end-game strategy is to devalue the data so that
it is useless in the hands of the bad guys. We have three
technologies that will allow us to do so: EMV at the point of
sale; point-to-point encryption; and tokenization. When bundled
and implemented properly, the data becomes useless; then there
is no reason to break in.
That is why the Council supports adoption of the EMV in the
United States through organizations such as the EMV Migration
Forum, and our standards support EMV today in other worldwide
markets.
But EMV chip is not a silver bullet. Additional controls
are needed to protect the integrity of payments online and in
other channels. This includes encryption, tamper-resistant
devices, malware protection, network monitoring, and more. All
are vital parts of the PCI standards.
Effective security requires more than just standards, for
standards without supporting programs are just tools, not
solutions. The Council's training and certification programs
have educated tens of thousands of security professionals and
make it easier for businesses to choose products that have been
lab-tested, certified as secured.
Finally, we conduct global campaigns to raise awareness of
payment card security.
The committee's leadership on this critical issue is
important, and there are clear ways in which the Federal
Government can help--for example, by leading stronger
cooperative law enforcement efforts worldwide, by encouraging
stiff penalties for these crimes, and recent initiatives on
information-sharing are also proving to be invaluable.
The Council is an active collaborator with government. We
work with NIST, DHS, Treasury, the Secret Service, and many
other government entities, including global law enforcement
such as Interpol and Europol.
In conclusion, payment card security is complex. Silver-
bullet solutions do not exist. Unilateral action is usually a
disappointment. Alliances, partnerships, information-sharing,
and collaboration between the public and private sector is
critical.
The PCI Council stands ready and willing to do more to
combat global cyber crimes that threaten our way of life and
confidence in the financial systems of the world. We thank the
committee for taking a leadership role and seeking solutions to
one of the largest security concerns of our time.
Thank you.
[The prepared statement of Mr. Orfei can be found on page
90 of the appendix.]
Chairman Hensarling. Thank you.
And Ms. Moy, you are now recognized for your testimony.
STATEMENT OF LAURA MOY, SENIOR POLICY COUNSEL, NEW AMERICA'S
OPEN TECHNOLOGY INSTITUTE
Ms. Moy. Thank you. Thank you so much, Chairman Hensarling.
And thank you, Ranking Member Waters, and members of the
committee. Thank you so much for your commitment to addressing
data security and data breaches and for the opportunity to
testify on this important issue.
Consumers today share tremendous amounts of information
about themselves. Consumers benefit from sharing information,
but they can be harmed if that information is compromised.
For the most part, the States are actively dealing with
this issue in ways tailored to address the needs of their own
residents but with a large body of common elements. At least 29
States have introduced or are considering breach notification
bills or resolutions this year alone. Bills in 27 of those
States would amend existing laws to account for changing needs
and changing threats.
Only three States have no breach notification law on the
books, and two of those States have considered bills this year
to change that.
Consumers would therefore be best served by a Federal bill
on this subject that sets a floor for disparate State laws, not
a ceiling. But to the extent Congress seriously considers broad
preemption, any new Federal standards should strengthen or at
least preserve important protections that consumers currently
enjoy at both the State and Federal levels.
Because any broadly preemptive Federal bill would bring an
end to the rich legislative activity on the issue taking place
in State legislatures, it would also need to provide a
similarly agile mechanism for quickly adjusting the law in the
future to match developing technology and new threats.
Unfortunately, a number of recent legislative proposals
would actually diminish consumer protections in a number of
ways by replacing strong and broad State protections with a
weaker Federal standard. In addition, a number of the bills do
not provide the flexibility we need to make sure consumers'
personal information remains protected as the information
landscape changes.
Don't get me wrong. Most of the bills we have seen would
certainly offer some new benefits for consumers, but many
consumer and privacy advocates, myself included, question
whether those new benefits outweigh the potential harm to State
jurisdictions and to consumers' existing protections.
I will therefore focus today on four potential shortcomings
of Federal legislation that would need to be addressed in order
to ensure that any new bill represents a net gain for all
consumers.
First, Federal legislation should not ignore the serious
physical, emotional, and other nonfinancial harms that
consumers could suffer as a result of misuses of their personal
information. A bill that would both preempt State laws and
condition breach notification on demonstrated risk of financial
harm could actually reduce consumer protections in 33 States
and the District of Columbia, where the existing law either has
no harm trigger or has one that is not limited to financial
harm.
Second, Federal legislation should not eliminate data
security and breach notification protections for types of data
that are currently protected under State or Federal law. Some
current legislative proposals feature a narrow class of
protected information along with broad preemption. Such
legislation would eliminate protections consumers currently
rely on at the State and sometimes Federal level. For example,
many bills would eliminate protections in 10 States for health
information or eliminate Federal protections for
telecommunications, cable, and satellite records.
Third, Federal legislation should provide a means to expand
the range of information covered by the bill as technology
develops. The 10 State breach notification laws that now cover
health information represent a clear trend, as States are
currently updating existing consumer protections to respond to
the growing threat of medical identity theft.
We can't always forecast the next big threat years in
advance, but, unfortunately, we know that there will be one.
Federal legislation on this topic must provide flexibility to
meet new threats, whether by continuing to allow States to
protect classes of information that fall outside the four
corners of the bill or by establishing agency rulemaking
authority on the definition of ``personal information.''
Fourth, and finally, Federal legislation should include
enforcement authority for State attorneys general. Thousands of
data breaches are reported each year, many of which affect only
a small number of consumers. Federal agencies are well-equipped
to address large data security and breach notification cases,
but they could be overwhelmed if they lose the complementary
support of State AGs, especially when it comes to handling
smaller cases, providing guidance to small businesses, and
providing resources for local consumers.
I and many of my fellow privacy stakeholders are not
unequivocally opposed to the idea of Federal data security and
breach notification legislation, but any such legislation must
strike a careful balance between preempting existing laws and
providing consumers with new protections. The Open Technology
Institute therefore appreciates your close examination of this
issue, and I am looking forward to your questions.
Thank you.
[The prepared statement of Ms. Moy can be found on page 74
of the appendix.]
Chairman Hensarling. The Chair now yields himself 5 minutes
for questioning.
So, based on my unofficial survey of the good folks in the
Fifth District of Texas, whom I have the privilege of
representing, data breach, although they don't typically use
that phrase, certainly makes their top 20 anxiety list and
probably their top 10 when they think of identity theft, other
forms of theft, or privacy loss.
So it is a very serious matter, but, as Ms. Moy was
positing in her testimony, there is a cost and a benefit
associated with anything we do around here. To state the
obvious, we are lawmakers. And there was a law made about 15
years ago, Gramm-Leach-Bliley, that dictated standards. There
has been a lot of innovation since Gramm-Leach-Bliley was
written into law.
Let's start with you, Governor Pawlenty. What exactly is
broken? What needs fixing here? Where does Gramm-Leach-Bliley
work? Where doesn't it work?
Mr. Pawlenty. Mr. Chairman, thank you. It is a great
question.
If you just step back from how individuals might
characterize it and ask them this question: How is the current
system working? Half of the adult American population has their
personal data exposed in one year. It is not a stretch of the
imagination to think somebody could get into the electrical
grid and shut it down in a big part of the country, not for a
day but for a month or months on end. You do that, and you lose
electricity in your district, lose pressure for natural gas
pipelines, points of sales go down, you can't transact anything
electronically. You have a very--not existential but very
dramatic impact on the country.
So it requires, I think, a sense of urgency and a sense of
understanding regarding the magnitude of the threat.
As to Gramm-Leach-Bliley, it works. It is flexible; it
makes accommodations for the size of the business. But it says,
given the importance of this infrastructure to the country, if
the payment system doesn't work, if it is stalled or people
lose confidence in it, you are going to have a big piece of the
economy grind to a halt.
There are trillions of dollars of payments that flow
through the northeastern United States per day. If that gets
shut down or disrupted or interrupted, you have a material, I
would say bordering on existential, threat to the economy of
the country.
So this is an urgent deal. It is growing in terms of its
concern exponentially. Gramm-Leach-Bliley works. However, no
institution is immune. We have some of our biggest institutions
that have been breached. The best in the world, the NSA, by
everybody, 10 out of 10 in terms of world-class capabilities in
this regard, breached by an insider threat.
So there is much more work to be done on all fronts. And we
are the best of class. Financial services gets breached from
time to time. We manage it. People get their money back. It is
convenient. But the other sectors that don't have these kind of
standards and capabilities need to up their game, and you can
help lead that effort.
Chairman Hensarling. Mr. Oxman, you, in your testimony, I
think, were lauding the elements of the legislation by Mr.
Neugebauer and Mr. Carney, about preemption and national
standards. It seems to be an open question in Ms. Moy's mind
regarding preemption and perhaps national standards. So why do
you consider preemption and national standards to be so
important?
Mr. Oxman. Mr. Chairman, as a number of witnesses noted, we
all share an interest in ensuring that consumers and merchants
are protected. But when something does go wrong, we also need
to make sure that we get the word out as quickly and
efficiently as possible and make sure those protections that
are available under law kick in.
The reason consumers use electronic payments is because
they are 100 percent protected against any liability for fraud,
but we still need to get information out to them.
There are 47 different regimes that companies have to
subscribe to. And it is not just the payments industry; it is
every company in the country that has to subscribe to these 47
different regimes. They all appoint different time, place, and
manner for the notification. They all have different triggers
for what kind of notification has to take place.
Some of them are even contradictory. There is one State
that actually requires the breach notification to include
detailed information about the breach itself. There is another
State that makes it illegal to include any information about
the breach itself. So, in some cases, they are contradictory.
If we had a uniform national standard, it would allow
everyone in the ecosystem to work together toward the same
goal, which is to provide that reasonable notice that needs to
be provided as quickly as possible.
Chairman Hensarling. In my remaining time, Governor
Pawlenty, back to you. Our colleagues on the Energy and
Commerce Committee have reported a piece of legislation with
regard to a national breach notification law that only impacts
retailers. Should this committee not act, from your vantage
point, what does the world look like if that Energy and
Commerce bill becomes law?
Mr. Pawlenty. Mr. Chairman, I know time is short. Don't let
the perfect get in the way of the good. We would like to have
these standards apply across-the-board, otherwise, their effect
is diluted.
We can be really good, but if our partner in payments has a
flawed, outdated, weak system at a point of sale or in a back
room at, say, fill-in-the-blank retailer or a different sector,
the whole chain of events gets compromised.
So it is only as good as the whole chain. And if you just
do one piece, you are missing a very important part or
opportunity to up the game of the whole system. It is an
ecosystem. It has to be addressed holistically, or the whole
system is compromised.
Chairman Hensarling. My time has expired.
The Chair now recognizes the ranking member for 5 minutes.
Ms. Waters. Thank you very much, Mr. Chairman.
First, I would like to thank Mr. Carney and Mr. Neugebauer
for the work that they have done on this legislation.
I believe that both sides of the aisle are concerned about
getting a strong piece of legislation that will protect our
consumers. This is a bipartisan issue, and we should not spend
a lot of time fighting about some aspects of this initiative,
but, rather, we should work out whatever the differences may
be.
From what I understand, there are those who believe that
the Federal law should be a floor rather than a ceiling. And
there are those who believe that, where you have States who
have stronger laws, we should not preempt those States.
As I understand it, despite the fact that we have varying
laws in our States now, they all have similarities. And so,
rather than thinking about this as States with such different
laws that would somehow cause great complications, let's think
about this in terms of the fact that we want our State
attorneys general to be involved. We want them to be involved
in enforcement. I think that is very important.
So let us take a look at what I think is the biggest
obstacle to us getting the best legislation and deal with the
preemption question and think about States like California.
Ms. Moy, can you tell us, for example, in my State of
California, what are we doing with the cybersecurity? And is
that stronger than what is being proposed here now?
Ms. Moy. Sure. Yes. Thank you.
That is a good question and a good place to start because
California passed the first breach notification law years ago
and has really been a leader in this area. So thank you for
your work on that.
For one thing, California recently passed a law to include
log-in and password for account authenticators, so not just for
financial accounts but for other types of accounts as well. For
example, my email account, if my log-in and my password were
breached, I would get a notification, which I certainly would
want to, because there is a lot of information in there that,
while it may not lead to financial harm, could lead, certainly,
to emotional harm if that information were breached and if it
were misused.
California also has a reasonable security standard, much
like the Federal standard right now, but California does
enforce that standard and has had a number of cases over the
past few years and, along with that, has some very rich
guidance for businesses attempting to comply with the
reasonable security standard.
So one thing that I think California is also very strong on
is the type of guidance that the State AG's office provides to
the consumers and the way that the State AG's office interacts
with consumers and businesses to provide that important
guidance.
Ms. Waters. Thank you very much.
I am sure that none of us would want to interfere with
States' abilities to have the strongest possible laws for
cybersecurity.
And so, Ms. Moy, don't you think that perhaps the Federal
law should be a floor and that we should certainly allow States
that have tougher laws to be able to enforce those laws? And
that would require the attorneys general to be involved. Do you
think that is the best way to approach this?
Ms. Moy. I do think from the consumers' perspective, that
would provide the strongest protection.
And you had mentioned previously that there is a
discernible pattern among the various States' laws. I think
that is the case. When you look at the various breach
notification laws of the States, most of them cover a core of
common information and have very similar requirements in terms
of what ought to be provided in the notification, when the
State AG and the consumer reporting agencies ought to be
notified.
And then, in addition to that, some States have added on to
that. And so that is where, for example, you see States like
Texas and Wyoming and just this year Hawaii and Montana have
added medical information to the class of protected information
in order to extend protection to categories where they see a
developing threat that must be addressed.
Ms. Waters. So we certainly would not want Texas to be
preempted, with the good law that they have, particularly as it
relates to medical information, would we, Ms. Moy?
Ms. Moy. I do think that it is important not to preempt the
protection for pieces of information like medical information
in, including other States, the very State of the chairman,
Texas.
Ms. Waters. Thank you very much.
And I yield back.
Chairman Hensarling. The Chair understood the subtle point.
The Chair now recognizes another gentleman from Texas, the
chairman of our Financial Institutions Subcommittee, Mr.
Neugebauer, for 5 minutes.
Mr. Neugebauer. Thank you, Mr. Chairman.
I would note that if you let the Federal standard be the
floor and all the States then have an opportunity to start one-
upping each other, then basically we are right back where we
are now, and it defeats the purpose of having a Federal
standard.
Mr. Dodge, in reading your testimony last night on our
proposed data security legislation, there is actually a lot
that I think you and I agree on. I am hoping that maybe today
we can discuss some of the provisions where we maybe have a
little bit of a difference of opinion, in hopes that we could
have a better understanding of where everybody is on this
issue.
On page 7 of your testimony, you state, ``Retailers support
a carefully calibrated, reasonable data security standard.''
Under H.R. 2205, Mr. Carney and I laid out a data security
standard that is process-specific and based on certain key
elements of data security programs that have worked well under
Gramm-Leach-Bliley. To ensure the smaller retailers are not
unduly burdened, we calibrate the standard to match the size,
scope, and type of information that those entities hold. Where
there are some process requirements that don't apply to you,
you don't have to necessarily implement them.
So the question is, can you identify the specific processes
we have laid out that aren't carefully calibrated and
reasonable, in your estimation?
Mr. Dodge. Thank you for the question.
And I think, first, it is important that we are having this
debate about proper national data security standards to help
businesses address this growing and sophisticated threat.
It is the perspective of retailers that the Gramm-Leach-
Bliley Act, which is the baseline for the legislation you
introduced, especially the data security standards within it,
were expressly written for the financial services community.
The industries are very different. Anybody who has ever filled
out a mortgage understands that the information that a bank
holds is very different from that of a retailer.
If we were to pursue legislation that replicated the--or
shoehorned the Gramm-Leach-Bliley Act to apply to the rest of
the business community, we would be applying this law to
industries beyond the retail industry, of course, well beyond
us, into high-tech, Internet, app makers big and small.
And so we think that the history of enforcement through the
Federal Trade Commission provides a good standard that is very
clear and strong for businesses to adapt to, to meet today's
challenges, and it evolves for the future.
We don't think that you can regulate your way to security,
that we need to employ layers of security. We need to start
with the baseline that we believe is a strong standard and
embolden the Federal Trade Commission to enforce these
standards and then look at other ways for us to work together,
including strengthening the payments system by advancing the
security that is in that system today.
Mr. Neugebauer. Now, you mentioned, I think, 50 FTC
enforcement actions since 2001. That would be 3.1 a year. And
so, if you believe that the FTC is your enforcement agency, do
you support giving the FTC rulemaking authority to make a
uniform standard?
Mr. Dodge. The FTC has enforced these cases under the
Unfair and Deceptive Practices Act or Section 5 of the FTC Act.
We think that giving them the express authority from Congress
is the right way to go about it, and it would preserve that
flexibility that they needed in order to adapt to the threats
as they changed over time.
Mr. Neugebauer. Yes. The question is, would you support
them then promulgating standards that make sure that the
playing field is level and that you are doing the things that
are specifically necessary in your industry to have a uniform
standard?
Mr. Dodge. We wouldn't support rulemaking, because we think
that is the purpose of passing a law. We think Congress has the
privilege of defining the law and then leave it to the agency
to adapt it over time. They have the flexibility under current
law--
Mr. Neugebauer. Isn't that what we are trying to do, then?
Congress is trying to pass a uniform standard--
Mr. Dodge. Exactly. And we believe that providing the FTC
the authority to enforce data security laws based on the case
law today, the common law based on the 50 cases, would provide
businesses not only with the clarity that they need on what the
expectations are of government but the flexibility for the
enforcement agency--in this case, the FTC--to evolve over time
to meet new threats.
Mr. Neugebauer. So do your members take steps to protect
consumers' data?
Mr. Dodge. Absolutely. There is no more important
relationship in the retail business than that which they build
and maintain with their customers. And obviously a breach, a
data breach, would be a breach of trust with those consumers.
They work extremely hard to prevent data breaches.
Mr. Neugebauer. So, if they are already doing it, what is
the objection, then, to just codifying that those are standards
and they are reasonable and they should be applied across the
industry?
Mr. Dodge. You are speaking specifically about a law that
was written for the financial services community.
Mr. Neugebauer. I am talking about the law written for--I
am talking about my bill.
Mr. Dodge. Right. So, which you would be expanding under
your legislation, expanding Gramm-Leach-Bliley to the rest of
the business community. What we are saying is that we should
stick within the current regulatory structure that has the
Federal Trade Commission as the regulator for most industries,
and Gramm-Leach-Bliley can remain for the financial services
community.
Mr. Neugebauer. Yes. We took principles from that, but this
isn't a Gramm-Leach-Bliley rewrite. This is a uniform national
Federal standard.
Chairman Hensarling. The time of the gentleman has expired.
The Chair now recognizes the gentleman from Delaware, Mr.
Carney.
Mr. Carney. Thank you, Mr. Chairman, and thank you to the
panelists for coming today.
I would like to talk a little bit about this preemption
issue because I know it is a concern for many of the members,
and we have worked hard to try to address it.
I said in my opening comments that the preemption provision
in our bill should not have unintended consequences outside the
issues covered in the bill. So we don't believe that it affects
the medical debt issue which was raised a moment ago with
respect to California. We would certainly be willing to make
that plain.
Ms. Moy, I thought I heard you say that 50 different
standards is not the answer. Is that what you said, or did I
mishear your comments?
Ms. Moy. What I have said is that I think that the best for
consumers would be to create a floor not a ceiling so that
States can continue to--
Mr. Carney. So set a national standard and then allow
States to--
Ms. Moy. Allow States to protect additional categories of
information. For example--
Mr. Carney. Right. So my understanding is that 13 States
currently have data breach notification and standards like
this, and that our legislation, our Federal legislation, would
be better than all of them, except maybe one, which is
Massachusetts, and I have been talking to some of my colleagues
from Massachusetts.
Would you agree with that?
Ms. Moy. I think that Oregon also has a pretty good
standard, and I also think that there are elements of other
State laws that you might not consider specific data security
lawsuits, but they do have elements--
Mr. Carney. So a pretty high standard.
Ms. Moy. It is a pretty high standard, yes.
Mr. Carney. So that is the starting point for us.
How about the--there has been some discussion about the
standard in Energy and Commerce. Would you say that is a high
standard or a higher standard than what our bill would propose
or--
Ms. Moy. That standard is a reasonableness standard that
looks more like what the Federal Trade Commission is currently
doing. And so I think the difference here is not only might be
there be a difference in what the language says in that bill, I
think also, we would be looking to the common law of the
Federal Trade Commission and others to flesh out what the
specific requirements are. But it is also really important as
we are thinking about how strong the security standard is to
think about who has the enforcement power and who is actually
going to be guiding the parties there because if the Federal
agencies are solely responsible for it, then even a very strong
standard might not provide a strong protection as a general
reasonableness standard that allows State AGs to continue to
work on a piecemeal basis with entities that are trying to
comply.
Mr. Carney. Okay. So you think that the standard in our
bill is a pretty good, pretty high standard in terms of a
Federal standard, but you believe that the States ought to have
the flexibility to go beyond that, notwithstanding some of the
issues that might create in terms of having different
standards.
How about this enforcement question? Have you looked at our
bill in terms of the enforcement provisions in the bill, and
how would you suggest that they be improved, from your point of
view?
Ms. Moy. I have looked at it, but unfortunately, I am not
prepared to provide a detailed response on the enforcement
provision. So I would be happy to respond in writing if you
would prefer that, but I do think that the key issue with
respect to enforcement is that I believe your bill would only
facilitate enforcement by Federal agencies, and, as I said, I
really think--
Mr. Carney. You have said a number of times--I think what I
heard you say is that allowing the State AGs some kind of role
there would be an improvement, again, not having looked at the
details there. Not to put words in your mouth.
Ms. Moy. Yes. I believe that a very critical element here
is that we must have enforcement authority.
Mr. Carney. I explore these issues just because, as I said
in my opening statement, Mr. Neugebauer and I are willing to
try to improve the bill so that we can get a greater consensus
around--we believe, I think as you said, that a national
standard is important to have, and 50 different standards is
not the way to go. It has to be a high bar and one that is
enforceable.
Would any of the other panelists like to comment on the
conversation that we have just had about preemption, about the
standard and the enforceability of that standard?
Mr. Oxman. If I could, Congressman Carney, I think the bill
on a bipartisan basis really takes on this issue in the right
way, and that is to recognize that the act of legislating to
unify 47 disparate State regimes with a Federal regime that is
not preemptive would merely be adding a 48th regime and
wouldn't serve the purposes that the legislation seeks to
undertake, which is to protect consumers' financial
information. And, from ETA's perspective, the bill takes the
right approach to ensure that the Federal regime is operative
and is not interfered with.
Mr. Carney. And everybody agrees that we need a higher
standard and kind of one standard across the country?
Mr. Dodge. We fully agree that there should be a national
standard. We think that the States deserve a tremendous amount
of credit for having acted in a place where the Federal
Government has not yet. And that is why we believe that, as a
broad concept, preemption--a strong law should offer State
preemption and, as a broad concept, State AGs should have the
ability to play a role in the enforcement of it.
Mr. Carney. I see I am out of time.
Thank you, Mr. Chairman.
Chairman Hensarling. The time of the gentleman has expired.
The Chair now recognizes the gentleman from New Jersey, Mr.
Garrett, chairman of our Capital Markets Subcommittee.
Mr. Garrett. Thank you, Mr. Chairman.
Thank you for holding this hearing on an issue that really
hits home for a lot of folks.
Let me just start--I also have a couple of questions--with
the basics, if I can.
And, Governor, I will throw it to you.
When there is a breach or if someone does steal your card
and they go to a retailer and buy a TV, who actually is
responsible for that? Does Target have to pay the bill for
that? Is it the bank or is it the Visa or MasterCard or
Discover that is paying for that?
Mr. Pawlenty. Congressman Garrett, the answer is a little
complicated, but the oversimplified version is that--
Mr. Garrett. That is what I am looking for, the
oversimplified version.
Mr. Pawlenty. The consumer is made whole, and the issuing
bank is the one who makes them whole.
However, there is a secondary process managed and run by
contract between the payment networks and various players in
the payment system that gets resolved through a, shall we say,
contractual process between Visa and MasterCard retailers,
merchant acquirers, the issuer--people take issue with how that
all works from time to time, but that is how it gets sorted out
after the fact.
Mr. Garrett. Oh. Okay. Does anybody else want to give an
over--
Mr. Dodge. I would just add to that, yes, it is obviously--
the merchant ultimately pays for fraud in the wake of a data
breach, should the data breach have occurred at a retailer.
They also pay a variety of fees. There are three real fees that
they pay in total. The first one is on every transaction ever
processed. It is an interchange fee. A component of it is a
prepayment of fraud or prepayment of the data breach should one
ever occur. And then post-breach there is a fee associated with
reissuing the cards and--
Mr. Garrett. Right. So that is where the banks actually end
up having to pay the 15 bucks or whatever it is to actually pay
to send me a new card every so often.
Mr. Dodge. But the merchant reimburses for those fees based
on a--
Mr. Garrett. Really? Because I hear different stories on
that.
Mr. Dodge. Yes. I have included a schedule of that
repayment in my written testimony.
Mr. Garrett. I will look it up.
So, I just got one of these cards that have the little chip
on it. And, also, just to be clear on this, putting this chip
on the card may help to some degree as far as the lost card or
the stolen card and the data breach as far as going to the
retailer, but as someone else on the panel said, and I know it
was in the testimony, this chip does absolutely nothing with
regard to when they steal that information and they use it
online. Is that correct?
Mr. Dodge. I think it is important to note, the chip--the
technology that is available in the United States today,
predominantly the magnetic stripe, is 1960's-era technology.
Europe introduced something called chip and PIN technology more
than a decade ago.
Mr. Garrett. Right. And, in Europe, my understanding is
that you saw an uptick of the data breaches not on--at the
store anymore or the retailer anymore but now online. Is that
correct?
Mr. Dodge. That is true. In fact, fraud moved in two
directions when chip and PIN went into place in Europe. It
moved online, and it moved to the United States because
suddenly the United States had the weakest security in the
world. It still does today.
When chip-only goes into effect later this year, the United
States will still have the weakest card technology in the
world.
Mr. Garrett. Right. And somebody said--and maybe down here.
You said that all--we can't solve all this stuff, and putting--
so the bottom line is, doing the chip is not going to solve it
entirely, but also to the point of what seems to be a lot of
discussion in the bill as well as far as the disclosure
information that--as Ms. Moy is talking about a lot and others
as well--that doesn't do anything to--actually none of this--
that doesn't do anything to do as far as preventing the fraud
in the first place. That just tells me as a consumer: You were
robbed, and now this is who is going to pay for it.
Mr. Oxman. Yes. Congressman, if I could answer your
specific question about the chip, you are absolutely right. The
chip in the card prevents the card from being counterfeited.
Mr. Garrett. Yes.
Mr. Oxman. And that is today the number one source of card
fraud in the United States. It is about two-thirds of card
fraud at retail, but it does not address the online issue.
The online fraud issue is addressed by those other layers--
Mr. Garrett. And really quick on this, because my time is
running out a little faster than I want it to, the data that is
on the card when I use this chip and I put it through has my
number right on it. I hope nobody can see this. Does the
retailer keep that information?
Mr. Dodge. The retailer transacts that information--
Mr. Garrett. Yes. So they have that information. So if
somebody now breaches in--
Mr. Dodge. But retailers are instituting--many have and all
are moving towards it to make sure that information--
Mr. Garrett. So it is still a place that--it is still a
target for, not to use that company, but it is still a target
for the hacker to go into the--or any of them. Not--medical or
whatever. The hospital keeps that information too, I guess as a
data source where they will go, try to breach it, and they
won't be going to the retailer to use it, but they will be
doing it online. So it is still a target and maybe even a
larger target. Is that true now with the chip? Gosh, my time is
going quickly. Is it a larger target because of that well?
Mr. Orfei. I think it is important that we recognize the
chip technology is really designed to button down the point of
sale to defend against counterfeit, lost, and stolen. It is but
one critical layer of security. There are other technologies
that have been referenced in testimony here today, such as
point-to-point encryption and tokenization, that will protect
that data from the cyber breach you are referencing,
Congressman.
Mr. Garrett. Okay.
Ms. Moy. If I may just add a short comment in response to
the point about notification and--
Mr. Garrett. Fine with me.
Chairman Hensarling. Short.
Ms. Moy. Thank you. Thank you so much.
Yes, I just wanted to say I think that notification does
actually provide an important incentive for companies to keep
information more secure. I can't remember actually whose
written testimony it was, but someone's written testimony
pointed out that companies do suffer reputational harm as a
result of reporting breaches. And I also think it is important
because that provides information to consumers who are
considering where to vote with their wallet, so to speak, as
they are determining which service to go with.
Mr. Garrett. I get that. Thanks.
Chairman Hensarling. The time of the gentleman has expired.
The Chair now recognizes the gentlelady from New York, the
ranking member of our Capital Markets Subcommittee, Mrs.
Maloney.
Mrs. Maloney. Thank you, Mr. Chairman, and Ranking Member
Waters, for putting this hearing together. It is an incredibly
important issue because it affects everyone: consumers;
government; retailers; and financial institutions.
And I also want to commend Mr. Carney and Mr. Neugebauer
for putting forward a bill that would create a national data
security standard for all businesses that handle sensitive
financial information for consumers. And this bill would
significantly strengthen the data security procedures for
businesses but in a way that is flexible and can evolve as
cyber threats change and evolve.
I am still concerned about the scope of the state of
preemption in the bill, and I want to keep working on the
preemption and enforcement provisions, but I have signed on to
this bill as a cosponsor because I think it is a serious good-
faith effort to tackle what is a critically important issue to
our economy.
And, again, I would like to commend Mr. Neugebauer and Mr.
Carney for their hard work and leadership on this issue, and I
look forward to working with them, particularly in the
enforcement provisions in it.
My first question is to Governor Pawlenty. I would like to
ask you about the data security standards that Gramm-Leach-
Bliley put in place for the financial institutions. You
mentioned they had worked well in the financial institutions,
but I also want to know, have they proven to be overly
burdensome for smaller banks and credit unions?
Mr. Pawlenty. Congresswoman Maloney, no. The standards have
been flexible, and I think Congressman Neugebauer and
Congressman Carney have done a good job in doing the same thing
in their bill, which is to say: Look, we are going to have
standards, but we are going to allow them to be scaled to the
size and complexity of the enterprise in question. I think that
is a good model.
Mrs. Maloney. In other words, they have worked well and not
been too burdensome for smaller financial institutions, and
they won't be too burdensome for smaller retailers.
And I would also like to know your feelings about having a
minimum or a floor standard. I know that California and Oregon
have a standard that is higher. I think it is important--you
have to have a floor. Do you think it should be a floor, or do
you think it should be a ceiling, and why?
Mr. Pawlenty. Congresswoman, again, another great question,
and if--right now we have nothing--
Mrs. Maloney. Right.
Mr. Pawlenty. --in many sectors. So something is better
than nothing.
Mrs. Maloney. Absolutely.
Mr. Pawlenty. And so the floor would be progress, but a
ceiling if it is set high. I would just encourage you--in
Minnesota, when I was Governor, we passed what we thought were
Nation-leading data protection standards and notification
standards. You wouldn't want a bill that undercuts the 13 or so
States that have done this. If you are going to set it, set it
high. Set it aspirationally, and I think that would be the best
place to be, and it would serve the country best. And think
about the way that people place data centers, where they store
data, how they store data. The fact that there is going to be
wide variance between States doesn't sync with how we know
cyber commerce gets done.
Mrs. Maloney. But as a Governor, you know how valuable the
creativity of the State system is to come out with solutions
that--and are adopted in this area. It seems to evolve every
day with new technologies, new ways to threaten consumers, and
really the security of our information.
I would like to ask Stephen Orfei, given your
organization's experience in establishing data security
protocols and procedures, what would you say are the most
important aspects of a company's data security plan? In other
words, what is the most important thing that a company could do
to protect their customers, to protect their company against
data breaches?
Mr. Orfei. Thank you, Congresswoman, for that question. I
think what is most important is that the PCI standard is, in
our view, the best defense against cybercriminal attacks. It
really becomes a question of vigilance and being methodical and
disciplined in your approach and looking at and paying special
attention to the fundamentals. Doing the blocking and tackling.
Looking at the physical and logical security. It is day in and
day out. It needs to be 24/7. It needs to be built into the DNA
of an organization from the CEO right down to the working
level.
Mrs. Maloney. Okay. Thank you.
And you mentioned in your testimony, Mr. Oxman, that you
thought that sharing information was so important, and can you
just expand on that, on what we need to do additionally in
expanding information in this area?
Mr. Oxman. Thank you, Congresswoman Maloney. The issue is
companies are barred from sharing cyber threat information with
each other and, in some cases, even with the government. The
House fortunately passed a measure that we support that will
eliminate those impediments to that kind of important
information sharing. We support that legislation. We hope the
Senate will move forward on it. And we need to make sure that
companies can, without liability, share information with each
other and the government to prevent future threats.
Mrs. Maloney. Okay. Great. Thank you. My time has expired.
Thank you.
Chairman Hensarling. The Chair now recognizes the gentleman
from Missouri, Mr. Luetkemeyer, chairman of our Housing and
Insurance Subcommittee.
Mr. Luetkemeyer. Thank you, Mr. Chairman.
I am kind of curious--I want to approach this from a little
bit different angle this morning from the standpoint of, when
we have a data breach, whose fault is it? If there is somebody
at all, there is going to be some liability. It would seem to
me--and my experience has been from the--of institutions I have
been aware of, and I appreciate the Governor's description a
minute ago of who winds up paying the bill on this, but
generally the banks wind up--or the financial institution who
issues the cards originally are the ones that wind up footing
most of the bill.
And it would seem to me to be that at some point, as a
regulator, I would think that you would go into a financial
institution and see a number of retailers, a Target line of
credit, for instance, or any other local line of credit--in our
area, we had a supermarket that issued debit cards. The
information was accessed, and suddenly everybody in the whole
area--whole region, actually, their information was broached,
and as a result, there was a tremendous cost to the financial
institutions. And it would seem to me that as a regulator, you
would look at this as a liability exposure for the bank from
the standpoint of what you are going to have to incur by all of
these retailers not having adequate protections.
From Mr. Dodge's perspective, it looks like--I would think
that the regulators would ask the financial institutions to
force the retail folks to have a policy in place, an insurance
policy in place that would protect them against a data breach
so that the banks would not be the fallback position for a data
breach.
Governor, would you like to comment on that thought
process? Am I off on that?
Mr. Pawlenty. I think you have connected the dots exactly
correctly, Congressman, and I think on your last point about
cyber insurance, that is an evolving area. There are some who
think their traditional insurance covers it. There are some
disputes around that. There is some uncertainty about how you
underwrite it when you can't get your arms around the magnitude
of it and what it looks like in the future. So that is an
evolving and developing space, and one that is--
Mr. Luetkemeyer. How do the standards fit into that
situation?
Mr. Pawlenty. The standards fit into that because I think
if you set standards, like the financial services sector has,
on other sectors and we get more resilient better systems as a
result of that, you decrease risk. You de-risk the system. That
is good for financial institutions. It is good for the payment
system. And, frankly, it is good for everybody involved.
I will say to the chairman's point on Energy and Commerce's
bill, that is a bill that says, ``Have reasonable standards.''
We are going to get a standard one way or the other in this
country because everybody is suing everybody. And, over time,
the courts are going to develop a standard, and it is going to
say, ``Be reasonable.'' And that is a 10-year pathway. It is
too slow, and it is too vague. Or you are going to have a bunch
of States doing a hodgepodge of standards, some of which will
be great, and some of which will be not so great. So Congress
can play a really important role here bringing this debate
forward more quickly and at a more--a level of rigor in the
standard, and it will help.
Mr. Luetkemeyer. Mr. Dodge, would you like to comment on my
question?
Mr. Dodge. Yes. First, the suggestion that banks are not
reimbursed in the wake of a data breach is simply not true. As
we talked about earlier, there are three major ways in which
they pay, and there are certainly more than just those three.
But the first is in the fees that they pay on every
transaction. Then, after a breach, through the contracts that
they sign with the card networks, there is a formula for
reimbursement which--
Mr. Luetkemeyer. They still suffer a loss, Mr. Dodge. From
a business, I can tell you--
Mr. Dodge. But the issuing bank--the issue is--if the banks
have an issue with that, it is with their facilitator, which in
this case is Visa and MasterCard. Retailers sign those
contracts, and if there is a suggestion that there has been a
violation of those contracts, then there is certainly the legal
avenue for resolving that.
Mr. Luetkemeyer. Okay. My question, though, is with regards
to the exposure, liability exposure, that a bank would have
with regards to this situation. You have lots of retailers. And
this seems to be almost an epidemic. Every week you have
another entity that has been breached. If that is the case,
pretty soon those institutions are going to have a tremendous
liability sitting there. And if you have lots--if you do a lot
of commercial lending to retailers, I see that as a problem
that is going to have to be fixed. And I would assume that you
would be supportive of the idea of having the retailers
purchase a liability policy of some sort that would protect
them as well as the institution against a breach.
Mr. Dodge. As Governor Pawlenty said, the cybersecurity
insurance market is a new market, but many retailers are buying
that kind of insurance. There is no question about that. But
the level of standard--the suggestion that there are no
standards on retailers is belied by the fact that there were 50
cases, some of which were retailers, but many were not, where
strong enforcement was brought down by the Federal Trade
Commission, enforcement of that includes not only substantial
fines, but the prospects of consent decrees that allow the
Federal Trade Commission to take up residence in the business
for 20 years. So there are very, very strong standards that
retailers are bound by today.
Mr. Luetkemeyer. I just have a few seconds left. Just one
comment: Mr. Orfei, I am disappointed that you gave everybody
my password to my computers.
But with that, I yield back. Thank you, sir.
Chairman Hensarling. The gentleman yields back, and he
better put a fraud alert on all of his credit cards.
The Chair now recognizes the gentleman from California, Mr.
Sherman.
Mr. Sherman. Governor Pawlenty, I do weird things that
cause my credit card company to get very concerned, like I buy
gasoline in Los Angeles, and a day later, I buy gasoline in
Washington. So, of course, their computers flip out. And you
would think what they would do is send me an email. But they
don't. They either call me, usually at the worst possible time,
or if they are too lazy to do that, they freeze the account and
force me to call them.
Is this entirely because they are not handling it right, or
is there something in our statutes that we could do to
facilitate or prod credit card companies to check with their
cardholders by email rather than by telephone?
Mr. Pawlenty. Congressman, great question. I have had some
interesting experience with cards myself personally. So--
Mr. Sherman. You engage in similar unusual activity?
Mr. Pawlenty. I am not admitting to unusual activity, sir,
but anyhow, as to--
Mr. Sherman. Another guy--we have another guy going to
Iowa.
Mr. Pawlenty. I think the concern that you raise is a good
one, but it is being addressed in real time by technology. The
controls that you can now set on many cards--and it is
advancing by the day and the month--are getting really good.
So, for example, on one card that I have, I can get a text or
email alert if it goes over a certain amount, any transaction.
I can get a text or email alert if it goes over a certain
number of transactions per month. I can get a text or email
alert if it goes over a certain amount. And soon, I think, I am
going to be able to get an alert if--
Mr. Sherman. I am not looking for more alerts. I am simply
looking for them to contact me by email rather than by phone,
rather than by freezing my account without telling me about it.
Mr. Pawlenty. The short answer is, I think if you can't,
many cards already do or will soon offer you the chance to be
in the driver's seat as to exactly how you want to get that
message.
Mr. Sherman. I am sure your members are aware of email--we
are here talking about how to upgrade to technology, and I am
hoping that email is--
Mr. Pawlenty. If you can't, I can recommend a card that--we
will get it to you.
Mr. Sherman. Yes, but not with the United Airlines miles.
Basic economic theory is that you apply liability against
the entity that should be investing in safety measures so that
you get that entity to spend the appropriate amount of money on
safety measures.
Retailers ought to be spending more on safety to protect
consumers and to protect the entire business system from the
extraordinary costs that happen every time somebody hacks into
one of these accounts. But retailers face no liability except
the reputational liability, which Ms. Moy referenced.
But then we have these lesser known data breaches where the
media doesn't know or barely reports to the general public some
of the data breaches.
Is it problematic that consumers at some stores may have
their data hacked, but they never hear about it? And does this
mean that the merchant that has mishandled the data faces no
liability and no reputational risk?
Ms. Moy, in order to have that reputational risk, do we
have to do more to make sure that every data breach is known by
the public?
Ms. Moy. Yes, I think we do. And I think that there are a
couple of ways to do that. And one is to make sure, as I
mentioned multiple times, that the bill is written in such a
way that it covers classes of information that entities may
hold that consumers consider personal but they would want to be
notified about but currently might not be notified about. So,
for example, email address and password. That is one that a lot
of retailers hold. It is one that could be breached. If my
email address and my password are breached, I would certainly
like to know about it.
And another thing that could be done is, again--sorry to be
a broken record--but providing State AGs with the authority to
enforce is really important because they will help work to make
sure that these breaches are notified. And, in particular, many
States have a threshold for notification of State AGs and for
consumer reporting agencies that is much lower than what we
have in a lot of Federal legislations. And in a lot of the
Federal bills that we have seen proposed, the threshold would
be 10,000 affected consumers. Many States have a threshold of
1,000, for example.
I believe that just a couple of months ago, the
Massachusetts State AG's office appeared at another hearing on
breach notification and data security and they said that the
average breach--the size of the average breach was about 74
consumers. So it is really important that we have State AGs
working to ensure that consumers are notified.
Mr. Dodge. Congressman, if I could just jump in on that?
Mr. Sherman. Yes, and I will add another question and let
you jump in on both.
We are proposing Federal legislation. Is the work of the
State AGs and the States enough to prod retailers to spend
enough on safety?
Mr. Dodge. So, to your question about liability, retailers
face considerable liability. Obviously, there is reputational
harm. You cited that. But under the enforcement available
through the FTC's current authority and what we have endorsed
for stronger authority and at the State level, there is
enforcement liability and the prospects of consent decrees that
could take--allow the FTC to take up residence in a business
for 20 years.
Mr. Sherman. I will see if the Governor can just chime in.
Do the retailers face enough reputational and financial
liability to spend enough on safety, or do we need to do more?
Mr. Pawlenty. Congressman, I would respond with a
rhetorical question. How is the current system working? Not so
good.
Mr. Dodge. The Verizon report, which is the gold standard
for reporting on data breaches, says there were 2,100 breaches
last year: 277 were financial institutions; 166 were merchants.
There were 1,000 times more merchants. So the standards that
are applied to the financial industry are not perfect.
Chairman Hensarling. The time of the gentleman has expired.
The Chair now recognizes the gentleman from Michigan, Mr.
Huizenga, chairman of our Monetary Policy and Trade
Subcommittee.
Mr. Huizenga. Thank you, Mr. Chairman.
And I appreciate the opportunity to spend a little time
with you all.
Mr. Orfei, while we are on the breaches, I would be remiss
not to say that Mr. Garrett's credit card has now purchased at
least three things online and is available widely on a Russian
Web site.
But, in all seriousness, that is the concern all of us
have. Right? When we are calling in somewhere or buying
something online in the very transient kind of economy that we
have, I think we all have a legitimate and serious concern.
But I am curious, Mr. Orfei, from your perspective, have
you evaluated how many breached companies are in compliance
with your PCI standards at the time of their breach? Or have
they had those standards, and then it has caused them to take
action? Or did they have them already, and they still were
breached?
Mr. Orfei. What I would reference is the Verizon report,
which is an objective third party that looks at the data for
breaches for the past 10 years. And the findings--there are two
significant data points that I would give you, Congressman. One
is that 99.9 percent of the breaches that have occurred were
preventable and covered by the PCI standard.
The second point is that I think that the PCI standard has
done a very effective job, and there hasn't been one single
compromise where the merchant or the entity was found in
compliance.
Mr. Huizenga. Okay. I am a former State legislator as well,
and, Governor, it is good to see you again.
And I, like you, had those situations where we were sitting
in the State capitals saying, ``What in the world is Washington
trying to do to us now?'' Yet, at the same time, I understand
when you have States doing various actions and not
coordinating, and oftentimes that is somebody like the Council
of State Governments and ALEC and other organizations like that
are trying to get States to harmonize oftentimes.
But what I am struggling with on this--and, Ms. Moy, you
had mentioned this earlier, as did my friend, Mr. Neugebauer--
is how is setting a national floor but then allowing States to
maintain a patchwork of other requirements different than what
we have now? And I think maybe it was you, Mr. Oxman, who said
we would go from 47 regimes to 48. So help me out, somebody,
with what we do on this. I would love to hear from Governor
Pawlenty.
Mr. Pawlenty. Congressman, I would think about this--I am a
big fan of the 10th Amendment. I am a big fan of States'
rights. I am a big fan of laboratories of democracy for public
policy at the State level. I believe in all of that profoundly.
But I have come to think of this issue as a threat to the
national security and critical infrastructure of the United
States of America, not just in the payment space but in the
ability to do most of what we do. And so I think it rises to
the level of being worthy of being viewed in that light and
setting the table nationally because it does threaten our
ability to function. It presents, taken to any sort of
reasonable extension, an existential threat to our economy and
to our Nation's security. And I could walk you through the
scenarios, and they don't take a lot of imagination. But I
think if you view it in that light, it rationalizes an
aggressive and muscular Federal involvement.
Mr. Huizenga. And that is where I struggle as well, and we
can have a constitutional debate later, whether this is part of
a commerce clause or how this is affected.
But, Ms. Moy, I don't know--quickly. Briefly.
Ms. Moy. Thank you. Thank you so much. Yes. So just to
repeat again, I think most States certainly with breach
notification, there is a common core of elements that we see
across the various--across the 47 plus, I think, three
territories, laws. And then there are some additional elements
above that. But I do think that it is really important. For
example, I believe in your own State, there is a harm trigger
for the breach notification law that is broader than just
applying to financial harm. It is really important that we take
that into account, as Governor Pawlenty has said. If we are
going to set a preemptive Federal standard, let's set it high.
Let's not reduce protections like those in your own for
consumers who are benefitting from that.
Mr. Huizenga. And I would agree. I think it would have to
be high. And somebody help me out on what--as Mr. Sherman had
said, he doesn't want more notifications. Now, I am a little
confused as to how, if you have an email breach, are they
supposed to notify you through email if that has been breached?
But what of this ``cry wolf'' overnotification, is that a real
concern?
Mr. Dodge. Congressman, we think that it is. We think it is
important and on--I align myself with the most recent points
made by the Governor. We agree entirely on this. We think it is
important that consumers be able to get information quickly and
information that they can take action on in order to protect
themselves from financial harm.
A standard beyond the financial harm would subject
customers to repeat notifications. And the worst case scenario
is the customer would stop paying attention to those
notifications and not take action to protect himself or herself
in the wake of something that could put them at risk.
Ms. Moy. If I may just add a brief point about that, which
is that I think in order to determine the answer to that, we
should really look to the State AGs, who have a ton of contact
with consumers who are suffering from breaches. And in the
words of Illinois attorney general, State AG--I'm sorry--
Illinois Attorney General Lisa Madigan, ``Consumers may be
fatigued over data breaches, but they are not asking to be less
informed about them.''
Chairman Hensarling. The time of the gentleman has expired.
The Chair now recognizes the gentleman from Massachusetts,
Mr. Capuano.
Mr. Capuano. Thank you, Mr. Chairman.
I can barely see you guys. They kind of moved everybody
apart, but we will try to communicate.
Mr. Chairman, I would like to submit a letter from the
Massachusetts Attorney General for the record.
Chairman Hensarling. Without objection, it is so ordered.
Mr. Capuano. Thank you, Mr. Chairman.
Did anybody at this table think that 5 or 10 years from now
the data security--the issues and the challenges you face will
be the exact same that you face today? Does anybody believe
that to be true?
Mr. Oxman. Technology is changing so quickly, Congressman,
I think it is highly unlikely that the issues will be exactly
the same.
Ms. Moy. Yes. I think it is highly unlikely. I mention in
my written testimony the example of several apps that now exist
that allow you to photograph your physical keys to your house
and your car--
Mr. Capuano. That is great. Well, thank you. I don't think
so either, but then, again, I don't know much about technology.
I struggle with a cell phone. And that is life.
But the one thing I do know is that something is going to
be changing, and I guess I raise the issue because to advocate
for a congressional solution with no ability to change a year,
or 2, 3, or 4 years from now when the problems change except to
come back to Congress, you are sitting here today because the
Congress is last to the issue. States are first to the issue,
like in most issues. The Federal Government is oftentimes the
last one to the fight because we are the biggest; we are the
most diverse; and that is the way it has always been. And yet
you are advocating for a situation that we have one great--
let's assume it is a fantastic law that has no ability to be
upgraded through regulation, which is why we have regulatory
bodies, because they can act quicker than us, except to come
back to us and ask us to do this all over again, which in and
of itself, to me, is the main problem here.
But the other issue I ask, do--I don't know where any of
you live, but I am going to presume that since I think you are
all part of associations and like that you must live in the
general Washington area, at least have an apartment here. Do
you think that the Federal Government, the EPA, should tell the
State of Maryland that they have to have only Federal standards
on their drinking water, that the State of Maryland would then
be totally preempted from saying, ``No, no, no, we like a
little less arsenic in our drinking water than the Federal
Government requires, and, therefore, we would like to do it?''
Do you think that the State of Maryland should be told,
``Sorry, you can't do that?''
Mr. Oxman. Congressman, I spent 7 years in the great
Commonwealth of Massachusetts. I had the pleasure of living
there for a long time, and I think you raise a very important
question, and that is, how can we bring uniformity to an issue
that has nationwide implications, and indeed international
implications when we are talking about cybercrime without
interfering with the power of the Commonwealth of
Massachusetts?
Mr. Capuano. Not just the power, the responsibility, as I
look at it. I actually like the idea. I am very happy that we
are talking about Federal standards. I have gotten in trouble
on a regular basis because what the heck, I am a liberal
Democrat. I am all for Federal regulation. My friends over
there, they know it. I would regulate everything. Don't worry
about it. But then again, I didn't know that some of my friends
on the other side apparently want to join the Socialist Party.
They are welcome to; Bernie Sanders has cards and you can sign
up.
That is my problem. I don't have any problems. I love the
idea of creating Federal standards and a Federal floor, but I
like two other things: I like flexibility in that because,
let's be honest, most Members of Congress are not
technologically capable. I know some guys here, but every one
of us fumbles with our cell phones. I call my staff all the
time. I kick the damn things. I drop them. This one was broken
7 times because I threw it. And I know none of you have done
that because you are technologically capable. We need
flexibility. We need the ability to move quickly because
whatever the threat is today is going to change tomorrow. That
is the only thing I know.
Mr. Oxman. That is right. And, Congressman, I would submit
that ETA, on behalf of the payments industry, supports the
approach that Chairman Neugebauer and Mr. Carney have taken in
this bill because it has the exact flexibility you are--
Mr. Capuano. That is critical.
Mr. Oxman. It doesn't dictate any technical standards. And,
in fact, it makes very clear that it is not up to the Federal
Government to dictate how we protect data security, but it is a
requirement of the Federal Government that security be
implemented.
Mr. Capuano. And we also have to have somebody who knows
what they are talking about, not necessarily the United States
Congress, number one. And, number two, I really don't see why
you would want to take away the ability of the States to be
more flexible than anybody else. Holding to a minimum standard?
Absolutely totally agree. And, again, we have the same issue on
everything that we do. Every financial issue we deal with, we
deal with this issue. How much of a Federal standard,
including, we deal with insurance every day. Insurance is
totally regulated at the State level, and every time we come
close to even thinking about the Federal involvement, everybody
gets all worked up because the States do it. And I strongly
suggest the concept is right. The approach needs to be
significantly changed on those two issues, to provide
flexibility, number one, and to maintain the States' ability to
deal with it as they see fit. Thank you.
Mr. Neugebauer [presiding]. I thank the gentleman.
And now the gentleman from Wisconsin, Mr. Duffy, the
chairman of our Oversight Subcommittee, is recognized for 5
minutes.
Mr. Duffy. Thank you, Mr. Chairman, and it is nice to see that
we are making news today with Mr. Capuano endorsing Bernie over
Hillary, my good friend. Also great visuals of you throwing
your flip phone around the Capitol.
As Mr. Huizenga said, he was a State legislator. I was not,
Governor, but I was a former hockey player like yourself.
Do you agree with Mr. Dodge that the banks don't pay any
fees when there is a data breach? I haven't heard you respond
to that claim.
Mr. Pawlenty. Congressman Duffy, the banks--again, the
system of how this all gets sorted out is complicated, but it
is certainly true that the issuing banks pay in all sorts of
ways if there is a breach, including the cost of reissuing the
cards, subject to possible partial reimbursement in the future,
as well as making the consumer whole through a complicated
series of transactions. So--
Mr. Duffy. Okay. And just to be clear, does the whole panel
support Federal preemption? Does anyone disagree with that
concept? I think I have heard everyone say they agree.
Ms. Moy. Only if it is a high standard that preserves
protections for consumers.
Mr. Oxman. We support it.
Mr. Duffy. Okay. So, quickly, just so I understand, talking
about when the card is present, what percentage of the fraud
comes from a fraudster who steals data and reproduces cards and
makes purchases as opposed to the guy who had his wallet
lifted, and someone goes in and uses actually the cards--
Mr. Pawlenty. The majority of it--excuse me, Congressman.
The majority of it is people scraping cards and using
counterfeit cards. And the people who do the lost and stolen,
some of that happens, but that is the minority of the
transactions, not counting the online stuff.
Mr. Duffy. So when we talk of chip versus chip and PIN, if
we just at least get to chip, we are going to address a vast
majority of the fraud that is taking place right now when the
card is present. Is that fair to say?
Mr. Dodge. I would say in a static world, it would have an
effect. But we don't live in a static world. The reality is
that there is a single line of defense between the fraudsters
and their ability to commit fraud. In this case, it would be
chip. And they will focus all of their energy on breaking that.
We have seen examples where they have done it already, and we
have simply argued that one of the baseline tactics of cyber
hygiene is two factor authentication. We should require that at
the point of sale as well.
Mr. Duffy. But by you saying that, are we going to see more
pocket thieves out there?
Mr. Dodge. No, no, no. I am saying that fraudsters will
develop new and innovative ways to crack the chip and commit
fraud.
Mr. Duffy. Is that happening--
Mr. Orfei. Congressman Duffy, if I may--
Mr. Duffy. You may.
Mr. Orfei. --the chip will defend against counterfeit,
lost, and stolen at the point of sale. It will button down the
point of sale in the physical environment. Once that environment is
secured, fraud will then move to the card-not-present
environment. It is what we observed in the Asia-Pacific and
European theaters who have had chip technology. Now, the chip
technology is--you cannot clone it. So what we will see is, it
will migrate.
Mr. Duffy. So how far away are we from tokenization for
online purchases?
Mr. Orfei. Tokenization is a technology that has been
around for 10 years. And now the acquiring community and
technology vendors and the price points have come down. So
point-to-point encryption coupled with tokenization coupled
with EMV at the point of sale is how we get to devaluing the
data so that it is useless.
Mr. Duffy. So if the card-not-present online purchases, the
technology is there but just not implemented yet to secure--
Mr. Pawlenty. Apple Pay has a--what I call an early stage
version of--I don't want to say primitive--but early stage
version of tokenization, and it has had some other breach
issues, but it is kind of the first--one of the first kind of
tokenization platforms to come to market.
Mr. Duffy. I just want to be clear. So, when we have a
chip, does a retailer--are they able to maintain data about the
card in their database if you just have a chip card as opposed
to a magnetic stripe?
Mr. Orfei. Again, Congressman, the chip is just going to
work at the point of sale. How that merchant stores data--
Mr. Duffy. But can they store--so what my question is--
listen. We have heard about all the retailers who have had data
breaches. If we migrate to the exclusive use of chips, does
that mean that retailers are no longer keeping personal
consumer data in their databases, which means--
Mr. Orfei. No. No, sir.
Mr. Duffy. --they are not at risk to have breaches any
longer?
Mr. Orfei. No. Again, it is just taking off the threat at
the point of sale. So it is a critical layer, but it is not a
silver bullet.
Mr. Duffy. But on the back end, retailers still keep
information--
Mr. Orfei. On the back end, the information could be
replaced, though, by tokenization, could be protected by point-
to-point--
Mr. Duffy. Do you have recommendations on how long
retailers are recommended to keep financial information about
consumers? How long should a retailer keep that information?
Mr. Orfei. It is really not necessary to keep that
information.
Mr. Duffy. So--
Mr. Dodge. Congressman, if I could just jump in.
Mr. Duffy. Sure.
Mr. Dodge. A couple of things. First, many retailers have
instituted encryption for that information when it comes in so
that if it ever was acquired, it would be in a format where it
would be useless to a criminal. Further, they have no desire to
keep information they don't need nor to keep information--
Mr. Duffy. But do they need any information, is my
question? Could retailers, after 30 days, wipe those databases
clean so you don't have 6 months of consumer data or a year of
consumer data; you might only have 15 days or 30 days of
consumer data? Isn't that really one of the risks that we have
with so much data being collected and stored, not just from the
government, but from retailers?
Mr. Dodge. The information that retailers collect is
designed to allow them to provide the concierge-type services
that they want. Consumers generally want receipt-less returns.
So there is an element of information that consumers have
voluntarily said: We want to be able to--you have this
information so that we can do these--
Mr. Duffy. I don't know that I have ever been asked to
volunteer to enter into one of the concierge services. I think
they are just offered to me, and that information is kept on my
card. And I do think there is a consumer protection issue here
when we are not asked, it is just given to us, and you keep
that information on--my time--
Chairman Hensarling. The time of the gentleman has expired.
The Chair now recognizes the gentleman from Texas, Mr.
Hinojosa.
Mr. Hinojosa. Thank you, Chairman Hensarling and Ranking
Member Waters, for holding this important hearing today.
And thank you to our panelists for your testimony.
Mr. Chairman, before asking my questions, I request
unanimous consent that my opening statement be made a part of
today's record.
Chairman Hensarling. Without objection, it is so ordered.
Mr. Hinojosa. My first question is to the Honorable Tim
Pawlenty and Ms. Laura Moy.
How can a Federal data security standard that creates a
floor provide for more consumer financial security while at the
same time providing certainty to industries that would need to
implement such a standard across all 50 States?
Mr. Pawlenty. Congressman Hinojosa, thank you for your
question.
For certain sectors, not including financial services and
health care and a couple others, they don't have standards
currently other than in the 13 States or so where they have
them. So, by Congress creating a floor or a ceiling--but we
hope a high standard--that is for the whole country, you will
lift the game and the expectations and the legal
responsibilities for those sectors in those places that don't
have a standard currently. And, again, this has migrated to
international proportions, and I think if the members of this
committee knew that Russia or China or semi-state agents were
about to compromise the payment system, the electrical grid,
you wouldn't say: Yes, let's kick it to the States; let's let
them handle it. I don't think you would do that. So whatever
you do will be helpful, even if directionally, it will be
better than what we have now for those sectors that don't have
any standard in those States.
Mr. Hinojosa. Ms. Moy?
Ms. Moy. I would say a couple of things. One is that
consumers are protected right now by the Federal Trade
Commission Section 5 authority, and the FTC is enforcing that.
As we have heard, they have enforced over 50 cases since 2001.
And consumers in 47 States and 3 jurisdictions are protected by
breach notification laws. So there are protections existing for
consumers. I think setting a floor and not a ceiling, as I have
mentioned before, there is a clear pattern in terms of what is
covered even by the disparate State laws. So, as a practical
matter, most companies that have to comply with the laws of
multiple States are just complying with the strongest standard
and are mostly okay under the other States, including--in fact,
many States have a provision that allows an entity to notify
some consumers who have been affected by a breach under the
standard of another State.
But I would add to that, if we are going to have a Federal
preemptive standard, as I said before, it has to be a high one,
and it has to provide flexibility to adapt to changing
technology, not only in terms of what the security standard is
but also in terms of what information is covered by the bill.
That is a critical element that I think we might be missing
here.
Mr. Hinojosa. Thank you for your response.
My second question is addressed to Mr. Jason Oxman and Mr.
Brian Dodge.
Given the ever-increasing sophistication and sheer number
of cyber attacks on our financial institutions and markets, do
you think a catastrophic attack, which can have severe
repercussions on the financial system as a whole, is imminent,
and what can the Federal Government do to help prevent such an
attack or prepare to respond to such an attack?
Mr. Oxman. Thank you for the question, Congressman
Hinojosa.
The possibility of such an attack is always on the minds of
the payments companies that ETA represents, and preparation for
those attacks is, of course, something that is always included
in all the operational plans of all the companies that we
represent. Our sincere hope is that something like that never
happens, but we do recognize the important role that the
payments infrastructure plays in empowering commerce in this
country. And protecting our customers, be they merchants or
consumers, is always at the top of our minds. So we are focused
on that. We are prepared for it, and it is our sincere hope
that nothing like that ever comes to--
Mr. Hinojosa. Thank you.
Mr. Dodge?
Mr. Dodge. So, in terms of your question about what
Congress can do, I think the focus on data security to avoid
such a catastrophic event is incredibly important. We believe
that the way that you get yourself to a stronger environment is
layers of security. And Congress can help with that by, as the
House did last month, passing information-sharing legislation,
but also as we are talking about today, providing clear and
strong guidance for businesses on how they should maintain
their systems to ensure cybersecurity, and then providing the
flexibility for businesses and for regulators to adapt to that
threat over time. There is no doubt that the threat is
increasing. The level of sophistication is growing extremely
fast. And we need to be able to stay involved in it.
The last point is we need to look to where our greatest
vulnerabilities are, and right now our greatest vulnerability
from the merchant community is the cards that we accept at the
point of sale. They are the weakest security technology enabled
in the world today, and when we move to chip technology without
the PIN like has been instituted in the rest of the
industrialized world, we will still have the lowest level of
security in the world, and fraud will continue to flow towards
us.
Mr. Hinojosa. Thank you.
My time has expired and I yield back, Mr. Chairman.
Chairman Hensarling. The time of the gentleman has expired.
The Chair now recognizes the gentleman from South Carolina,
Mr. Mulvaney.
Mr. Mulvaney. Thank you, Mr. Chairman.
And thank you to everybody on the panel for helping us try
to do something we don't do enough here, which is just try and
collect information, which is what I am going to try and do. I
am not here to try and beat anybody up. I actually have an
honest-to-goodness question. And I think it is directed to Mr.
Pawlenty and Mr. Dodge, but I would welcome everybody to chime
in on this. Okay?
Let's say that Mr. Capuano steals my credit card, which is
possible because he is that kind of guy, even though he is not
here yet, and he goes to my local gas station or his local gas
station, slides it in there, happens to--maybe he knows my ZIP
code and buys the gasoline with my stolen credit card. I catch
it when my statement comes in the next week or maybe I get an
email notification, which I think is a service my bank actually
provides, which I enjoy very much. I catch it. I call my bank
and I say, ``Someone stole my credit card. And they just used
it to buy gas in Massachusetts.'' And they say, ``Okay, Mr.
Mulvaney, thank you very much. We will take it off your bill.''
Who eats that loss? Is it the retailer? Is it the bank that
issued my card? Is it Visa or is it somebody else? Who eats
that loss for that gasoline bought with a stolen credit card?
Mr. Dodge. First, I would say if a PIN was required in that
transaction, the fraud would have never occurred in the first
place. You wouldn't have had that.
Second, there is a difference between data breach fraud
repayment and traditional fraud repayment. And so there would
be, based on the contracts that the retailer signed with the
card networks, an evaluation of where was the weakest link in
the system. So if it was a stolen card and it was reused, then
it would probably--actually, I don't know the answer to that
question as how it would go, but it is determined by--
Mr. Mulvaney. Whoa, whoa, whoa. Is that--
Mr. Dodge. But in many cases, in almost all cases, fraud--
an element of that fraud is charged back to the retailers.
Mr. Mulvaney. Mr. Pawlenty?
Mr. Pawlenty. Initially, somebody has to give the cash back
where it is a debit transaction or the value to--
Mr. Mulvaney. Again, it was a credit transaction.
Mr. Pawlenty. It is the issuing bank, and then they sort it
out afterwards as to who pays what. But, in terms of who eats
most of it initially, in our view, over the long term of the
discussion, it is the banks.
Mr. Mulvaney. All right. Mr. Dodge, and here is why I asked
the question, because I have my banker friends come in, and
they say, ``Look. We have to do something about this because we
eat all of this loss.'' And just last week, I had some of my
convenience store people come in and say, ``Look, we have to do
something about this because we eat all of this loss.''
Are both of them eating a little bit of the loss? Is that what
it comes down to? I see some people in the back row nodding
their heads, which is usually a good sign.
Mr. Dodge. I included in my testimony a schedule of
repayment that shows the fees of the structure of the contracts
that obligates merchants to repay in the wake of a breach.
Those are reissuance costs, the cost to reissue the cards, and
then fraud, fraud that is associated with the breach. But every
single day on every transaction that is processed, a merchant
pays a fee. It is called an interchange fee. Sometimes it is
called the swipe fee. And an element of that fee is a
prepayment of fraud. It goes into the account. Whether fraud
happens or not, they are prepaying it every single day. So how
that is divided up by the banks, is a great question for them.
But we know we pay it on every single transaction.
Mr. Mulvaney. Okay.
Mr. Oxman. Congressman, if I could--
Mr. Mulvaney. Yes.
Mr. Oxman. The hypothetical you asked actually has a pretty
simple answer, and that is the card issuer is responsible for
that fraud. The lost and stolen fraud you described is never
the responsibility of the merchant. Since your card was stolen
out of your pocket, and you hadn't yet reported it stolen when
that card was used and the transaction was authorized by the
issuing bank at the gas station, the issuing bank has a
responsibility for that. You don't and the merchant doesn't.
Mr. Mulvaney. Thank you, Mr. Oxman, because I think that
leads me to the next question, which is, does the analysis
change--I think I got it now for a stolen card out of my
pocket. Mr. Capuano steals my credit card. I get it. And he
would do that too. He is--what if the card is counterfeit? Is
it any different? If someone gets it from Target, gets my
information from Target, and they create a counterfeit card and
then use it, is the outcome any different? Is the distribution
of who bears the loss different? Mr. Oxman?
Mr. Oxman. So, as it stands today, the analysis is exactly
the same. In the case of a counterfeit card, the issuer would
have responsibility for that and the merchant would not.
The migration to EMV chips that we have been talking so
much about this morning actually changes that calculus, and the
responsibility for the fraud, after October of this year, will
actually fall on the party to the transaction, whether it is
the merchant side or the issuing side, that has deployed the
lesser form of security. Not to get too complicated, but if
that card that you are talking about has been counterfeited and
it was a chip card and the issuer has issued chip cards but the
merchant hasn't installed the chip readers, then the merchant
will have responsibility for that fraud. So that is a change to
the current system, which is the issuer takes responsibility.
Mr. Mulvaney. And then, finally, if I can have the
indulgence of the chairman for 15 more seconds, the third
example of the fraud we have talked about today is the online
fraud, which is there is no card present, we are online buying
airplane tickets. Who bears the risk of loss on that one?
Mr. Dodge. Merchant, 100 percent; 100 percent the merchant
is subject to the fraud cost.
Mr. Mulvaney. I thank the witnesses very much. I really
appreciate the information.
Chairman Hensarling. The time of the gentleman has expired.
The Chair now recognizes the gentleman from Missouri, Mr.
Clay, the ranking member of our Financial Institutions
Subcommittee.
Mr. Clay. Thank you, Mr. Chairman, and I wanted to note
that I am so glad to be back in this refurbished hearing room.
Mr. Orfei, you note at the end of your testimony that not a
single company has been found to be compliant at the time of
their breach, but in many cases, firms that have been breached
were at one point PCI-compliant.
How does your compliance framework lend itself, if at all,
to ongoing monitoring of the PCI compliance, and what role does
the PCI play in monitoring compliance?
Mr. Orfei. Thank you for that question. Yes, 99.9 percent
of the compromises were preventable and covered by the
standard. And if you think about our standard, what we are
advocating is a move away from compliance to a risk-based
approach, and we are advocating vigilance and discipline and
being methodical in close adherence to the standard. Security
is a 24/7 responsibility. It is not a matter of compliance.
What we see happens is a company works diligently to bring its
organization into compliance. They high-five each other on
Thursday, and on Friday, the environment starts to deteriorate.
So it is about being disciplined, methodical, and paying
attention to the fundamentals, sir.
Mr. Clay. Thank you for that response.
And, Mr. Oxman, although chip technology is fairly new to
the United States, it has been around for decades and is
ubiquitous in other parts of the world.
Given the rapid pace of technological development, are we
not at the point where other types of security measures are
more appropriate for use in connection with U.S. payment cards
and payments in general?
Mr. Oxman. Thank you for that question, Congressman Clay.
You are absolutely right that the chip is a well-developed
technology, and the good news is the payments industry
recognizes, as you have heard this morning, that the chip
addresses one type of fraud. That happens to be the most
prevalent form of fraud here in the United States today, and
that is counterfeit card fraud. So the chip implementation will
address that type of fraud. But, as you noted, other types of
security are important as well, which is why our industry is
deploying a layered security technology approach, which
includes the chip in cards, but also tokenization, which
replaces account information with a one-time use mathematical
cryptogram that can't be intercepted and reused. It also
includes point-to-point encryption, which secures all entry
points into the payment systems. So that layered approach with
multiple different technologies, as you suggested, is in
recognition of the fact that the chip card addresses one type
of fraud, but we need to do much more because criminals are
much more sophisticated.
Mr. Clay. Thank you.
And for anyone on the panel, how prevalent is fraud in the
case of online checking? Is that pretty secure? Can anyone
respond to that?
Mr. Dodge. Online checking?
Mr. Clay. Yes.
Mr. Dodge. Certainly, e-commerce is an environment where
there are limited security options for merchants to employ
right now. It is a frustration of merchants. The fact that e-
commerce is such a big part of the economy and there is no
strong means of security is a considerable frustration.
Back to your first question a moment ago, though, I want to
note that Jason's point about all the levels of the different
layers of technology is a good one, that we need to be evolving
to the next generation of technology, we need to be finding
ways to make tokenization, encryption, and all these other
things work, specifically for the e-commerce environment.
But today there are 1.2 billion cards circulating in the
United States, most of which have 1960s-era technology in them.
And later this year, when we start to see more chip cards, we
are going to see early-2000s technology issued in the United
States. So we aren't keeping up with the biggest area where
transactions are occurring, and we need to do a better job of
that.
Mr. Clay. All right. Thank you so much for your responses.
And, Mr. Chairman, I yield back.
Chairman Hensarling. The gentleman yields back.
The Chair now recognizes the gentleman from North Carolina,
Mr. Pittenger.
Mr. Pittenger. Thank you, Mr. Chairman. Thank you for
hosting this hearing.
And thank you to each of you for being with us today.
Governor Pawlenty, according to the Identity Theft Resource
Center, financial institutions were responsible for less than 6
percent of all breaches in the United States in 2014.
Some could draw a connection with this fact and the fact
that financial institutions have been subject to the Gramm-
Leach-Bliley Act since 1999. Do you think this is a fair
connection to make?
Mr. Pawlenty. Congressman, I do. I don't think there would
be much dispute that the financial services sector has the best
cyber defenses, cyber capabilities, and most resiliency in this
space. But, as everyone in this room knows, even financial
institutions get breached. But, relative to other sectors, we
are more advanced and get breached less.
So that is not a bragging point; it is just a point of,
well, what caused that? It is caused by investment, hard work,
and technology. And I do believe that Gramm-Leach-Bliley set a
standard and people tried to adhere to the standard. Plus, we
get examined by our regulators to that standard. And I would
say that contributed to the state of the industry's cyber
defenses and the relatively good quality of it.
Mr. Pittenger. Thank you.
Yes, sir, Mr. Dodge?
Mr. Dodge. Congressman Pittenger, I would note that the
Verizon report, the annual Verizon cybersecurity report, is
sort of considered to be the gold standard for cyber reporting.
And it found that last year there were 2,100 data loss
cybersecurity intrusions. Of that, 277--
Mr. Pittenger. You mentioned that.
Mr. Dodge. --were financial institutions, and 167 were
retail businesses. There are 1,000 times more retailers
operating in the United States.
So I don't think we should have the philosophy that a
single regulation can guide us to a successful cybersecurity--
Mr. Pittenger. Mr. Dodge, let me build on that. Building on
Chairman Neugebauer's statement earlier and the reference to
legislation, it says, ``to develop, implement, and maintain a
comprehensive information security program that ensures
security and confidentiality of the sensitive information that
is appropriate to the size, scope, and sensitivity of this
information.''
This was written to create some measure of flexibility so
the standards are modified in ways. Do you think this is a good
approach, in terms of creating these flexibilities of
standards?
Mr. Dodge. We applaud Congress for looking at lots of ways
to address this issue.
I think what is important is that we look at the regulatory
environment as it exists today and recognize that the Gramm-
Leach-Bliley Act was written specifically for the financial
services community and that there is a very strong regulatory
regime that applies to most of the rest of the business
community, and that is enforced through the FTC.
The FTC has moved aggressively on this over the last
decade, and they have established a clear and strong set of
standards that businesses have to comply with. We think that is
the way to go--
Mr. Pittenger. Let's refer to this. The provision of the
bill says, ``A covered entity's information security program
shall be appropriate to the size and complexity of the covered
entity, the nature and scope of the activities of the covered
entity, and the sensitivity of the consumer's financial
information to be protected.''
What other flexibilities do you see would be needed that
would ensure that consumers are protected but not prevent
adaptability for new future threats?
Mr. Dodge. The language that you cite is not dissimilar
from what we have endorsed for authority to the FTC. We think
that businesses need to have a clear understanding of what
their obligations are, and that the enforcement agency, as the
FTC does today, has the ability to evolve their interpretation
of that law over time to meet new threats, and that businesses
of different sizes and businesses that collect different kinds
of data should be treated based on their size and the kind of
information--
Mr. Pittenger. And this legislation seeks to do that; isn't
that right?
Mr. Dodge. Based on what you quoted, that sounds right.
But, as I said, we believe that you need to look at the
regulatory environment as it exists today and work within that.
The debate here today is about how do we pass a law that
could provide businesses with more clarity and the ability to
evolve with the threat. I don't think that the objective should
be to shoehorn a law that was written for one industry to apply
to the entire business community. We should--
Mr. Pittenger. And I don't think that is what this law
does, according to what I just read. I think it clearly states
that the provisions in there would reflect the size,
complexity, the nature and scope. It personalizes it. It
creates that flexibility.
Mr. Dodge. And I appreciate your focus on that, because we
agree with the need for that flexibility. We simply are looking
at the proposal in its entirety, and it is hard to separate
things out without talking about how it would affect it when it
is all merged together.
Mr. Pittenger. Thank you.
I yield back.
Chairman Hensarling. The gentleman yields back.
The Chair now recognizes the gentleman from Massachusetts
who did not steal Mr. Mulvaney's credit card in his
hypothetical, Mr. Lynch, for 5 minutes.
Mr. Lynch. Thank you, Mr. Chairman. I appreciate that.
I want to thank the witnesses for your testimony.
Ms. Moy, on the question of Federal preemption, when we
talk about complete Federal preemption, we are talking about a
Federal standard, and, at least as far as this legislation
goes, we are talking about Federal enforcement, as well, that
is being taken away from the attorneys general of the States.
And, even further, it looks like the notification for
breach will be taken away from the FEC and given to the FTC. So
we are consolidating that, as well.
And, as well, it might involve, if I am--I am not sure if I
am getting this correct. If we have a Federal standard, and a
retailer or a business complies with that Federal standard,
does that imply some type of immunity for that individual
retailer? If they are complying with what the Feds require, is
that also holding them harmless from any liability?
Ms. Moy. I'm sorry. You mean in an environment where this
creates a floor and not a ceiling and States continue to have--
Mr. Lynch. This would be a complete obliteration. This
would be--
Ms. Moy. Right.
Mr. Lynch. --just total preemption so you will have one
standard. You could call it--well, it would be a ceiling. It
would be a ceiling.
So is that implying some type of immunity or protection
from liability for the complying company?
Ms. Moy. Yes, a company would then only be liable as it
would be held liable under the Federal law, and any additional
obligations of the State law that had previously existed would
no longer be actively enforced against them.
Mr. Lynch. Right. And, under this legislation, that would
be problematic, because, as your testimony indicated, it only
recognizes financial harm, right? There is a trigger--actually,
personal--there is a financial harm trigger, and I think there
is also a trigger for a very narrow set of personal
information.
Ms. Moy. Actually, I am not sure if there is. I was under
the impression that the financial harm trigger applies to
everything, but perhaps you are right. I will take a look at
that and--
Mr. Oxman. If I may, Congressman--
Mr. Lynch. Sure.
Mr. Oxman. --the provisions of the bill, of H.R. 2205, also
provide for triggers related to identity theft as well as
financial harm.
Ms. Moy. Right. Yes, although many States, as I noted in my
written testimony, have either no harm trigger at all,
recognizing that consumers want to be notified of the breach of
certain classes of information and want to be able to safeguard
that information regardless of whether or not it could be used
for identity theft or financial harm, and a clear majority of
States have either no trigger or a trigger that is broader than
just financial in nature.
Mr. Lynch. One of the problems I have is that this
introduces a Federal standard and it takes out the States.
Massachusetts happens to have a very robust consumer protection
privacy framework that I think will be harmed.
And we also have--we have been blessed with attorneys
general who have been very active in defending consumers. And
some of those cases, as you pointed out--I think the average
case of breach in Massachusetts--we had 2,400 last year, but
the average size was about 74 consumers. So that is not the
type of thing that the FTC is going to go after, in my opinion.
Ms. Moy. That is right. And that is why we think it is so
critically important--if we want to ensure that all consumers
are protected by a Federal standard, it is really important
that we have as many people keeping an eye on what is happening
with breaches and working with companies to help develop their
security standards and working with consumers to respond after
their information has been breached and to watch out for
potential harm that could be coming down the pike. It is really
important to have the involvement of the State AGs in all of
that.
Mr. Lynch. And if we did introduce--and I am in favor of
introducing a very high floor across-the-board that I think
would subsume maybe close to 40 States. But I would like to
have that flexibility for States that--number one, they are
more flexible. Congress is not known for its speed at all. And
so having the States out there with the ability to provide
additional protections, especially in the face of the
sophistication of some of these hackers, is very, very
important, in my mind.
There is some incongruity in this bill. It talks about a
Federal standard, but then it says every covered entity will be
responsible for adopting a system of security protection that
is commensurate with their size and their complexity. The
gentleman from North Carolina just brought this up in a
different context.
But how do we deal with that, where a pizza shop, a coffee
shop, a bank--well, banks are a different class--but each and
every company is going to be able to right-size the level of
protection, but, in reality, that stream of information that is
breached may not be compartmentalized?
Ms. Moy. I'm sorry. What do you mean by the information may
not be compartmentalized?
Mr. Lynch. If they hack into, as you said, your email and
your password, that opens up a whole other door of information
that they can access that might not be readily evident, based
on where they entered the stream of information.
Ms. Moy. Right.
May I just respond to him?
Chairman Hensarling. A very brief answer.
Ms. Moy. Sure.
Yes, I would just say there are certainly log-in
credentials that, because people recycle passwords, can be used
across accounts. And that is an important reason for--
Mr. Lynch. All right. Thank you.
Chairman Hensarling. The time of the gentleman has expired.
The Chair now recognizes the gentleman from California, Mr.
Royce, chairman of the House Foreign Affairs Committee.
Mr. Royce. Thank you, Mr. Chairman.
There has been a lot of discussion here about the current
liability, what it looks like. I guess one of the questions is
what it should look like.
And if I could ask Governor Pawlenty--I had a question
here. When a data breach occurs, how should we allocate
financial responsibility for that breach?
For example, if a breach of sensitive customer information
occurs at a financial institution and it is shown that the
institution did not protect the customer information, as Gramm-
Leach-Bliley requires, do you agree that the financial
institution should be responsible for the cost of the breach?
Mr. Pawlenty. Congressman Royce, yes. We believe that the
entity that was negligent, or entities, plural, should be
responsible for their negligence.
Mr. Royce. Okay. Then, Governor, should the same be true of
the merchant? If there is a breach with a high likelihood of
harm being done to the consumer, should the merchant be
responsible for the costs associated with that breach to the
extent that the entity has not met minimum security
requirements?
Mr. Pawlenty. Congressman Royce, absolutely.
Mr. Royce. And, Mr. Dodge, do you agree on that point?
Mr. Dodge. I would tell you that we do agree because that
is what happens today. Today, merchants are obligated, if they
have a breach, by contracts signed with the card networks to
reimburse the banks for the fees associated with the costs, in
addition to the fees that they pay every day every time a
transaction--which is obligated to prepayment of fraud, if it
happens or even if it doesn't happen. So those fees are being
paid constantly.
Mr. Royce. So the next question I was going to ask Governor
Pawlenty is: It has been proposed by some that consumers should
receive notification of a data breach directly from the company
that was breached even if they have no relationship with that
company.
Wouldn't a simpler solution be to allow the notice to come
from the company that the consumer gave their financial
information to directly, while also allowing the company to
identify where the breach occurred if it is known?
It is my understanding that there is currently no law, no
contractual obligation that would preclude a financial
institution from identifying the institution where a data
breach occurred when sending out a notification to their
customer. Is that your understanding, as well?
Mr. Pawlenty. Congressman Royce, yes.
And, of course, you might imagine, if there is a breach, it
unfolds in the early hours and days with a great deal of
uncertainty and sense of crisis around it. So, as people think
about what they are going to say publicly in sending out
notices, particularly if it incriminates another company, you
want to make very sure that you are articulating that correctly
and accurately, for fear of liability. And so I think some
companies don't name names in those initial notices over some
of those concerns.
Mr. Royce. As we look at the cyber attacks, and we see this
increasingly as we talk to European and Asian governments, a
lot of these are being conducted now by state-sponsored or
state-sanctioned entities. We actually, for example, see
individuals traveling from a certain bureau in North Korea to
Moscow to be trained, and then we see their conduct with
respect to the banking system in South Korea and the attempt to
implode the financial system in South Korea with those direct
attacks.
What can or should be done, in the view of some of the
panel here, to hold these countries accountable in situations
like this? And how do we do that?
Mr. Pawlenty. Congressman, to the extent this has evolved
into an international dynamic and you have state-sponsored or
semi-state-sponsored activity, the United States is going to
have to respond in kind at a level of country-to-country
discussions and potential consequences.
As you may know, under current law, the only entity that
can fire back, if you will, in cyberspace is the U.S.
Government. Private entities cannot hack back. And so the
deterrent or consequences for this potential behavior can only
come from the U.S. Government.
And then, lastly, there needs to be rules of the road
internationally. We have rogue states, semi-rogue states acting
recklessly, irresponsibly, in a very concerted fashion. And
what you see now in terms of payment disruption is relatively
minor. The consumers get reimbursed. It is inconvenient, it is
menacing, it is concerning, and you should act on that alone.
But compared to some not-too-fanciful scenarios where the
entire payment system is disrupted or another piece of critical
infrastructure is disrupted, that is something you need to be
thinking about.
Mr. Royce. We have seen Iranian attempts here. Have you
seen that in your industry?
Mr. Pawlenty. We are cautioned not to attribute, other than
what has been reported publicly. But it has been reported
publicly that North Korea was involved in an incident, an
attack that was attributed to them. And I think you have seen
public reports of Russian or Russian-sponsored entities, and
Iranian and Iranian-sponsored entities, and on down the list.
Mr. Royce. Thank you very much, Governor. My time has
expired.
Mr. Chairman, thank you.
Chairman Hensarling. The time of the gentleman has expired.
The Chair now recognizes the gentleman from New York, Mr.
Meeks.
Mr. Meeks. Thank you, Mr. Chairman.
First, I guess, Mr. Oxman, let me ask you this question in
the same line. After 9/11, we talked about having all of our
intelligence agencies working closely together, et cetera. And
so here, when you talk about preventing data breaches, there
are a number of entities that are concerned, whether you are a
device manufacturer, whether you are a network operator,
whether you are a financial institution or an app developer. It
seems to me that it would be important that these entities work
together to develop effective mobile data protection solutions.
In your estimation, is industry working in a collaborative
way, all of the interested parties, in doing that? And what, if
anything, do you think that Congress can do to ensure greater
collaboration so that we can make sure that everybody is
working together to try to eliminate this huge problem?
Mr. Oxman. Thank you, Congressman Meeks.
I think the good news is that the short answer to your
question is yes. The industry, the ecosystem is working
enormously smoothly together to deploy the next-generation
security products and services that we need out there in the
market to secure against these increasingly sophisticated cyber
attacks.
The industry is working collectively through standards
bodies, like PCI, to deploy next-generation security
technologies like chip technology in cards, like tokenization
to take account information out of the system, and like
encryption to secure points of entry against intrusion from
cyber attacks.
The industry, as you noted, is enormously complicated. It
does involve a number of different players, from financial
institutions to payment processors, merchants, consumers, and
device manufacturers. And as we move to new technology, like
mobile payments and wearables, it is going to get even more
complicated.
But, again, I think the good news is we are working very
well together to deploy all these next-generation technologies
because we all share an interest across the ecosystem in
ensuring that our customers feel comfortable shopping at our
stores and using electronic payments.
As to the second part of your question, Congressman, what
can Congress do, I think H.R. 2205 represents the ideal vehicle
for addressing what we do need Congress' help with, and that is
unifying a patchwork of State laws that are inconsistent and,
in some cases, incompatible with one another to address how we
let consumers know when something does go wrong. Because
criminals are sophisticated and they are going to keep acting,
and we need to make sure we are all on the same page when we
let our customers know if something happens. And that is where
I think Congress can be helpful.
Mr. Meeks. Thank you.
Let me ask Mr. Pawlenty, I know and you believe--in reading
your testimony, you noted that the EMV chip cards have proven
very effective. And I have a number of my cards now that are
coming, have to switch out on them, make sure you have the
chip.
But one of the questions--and this happens with my
daughters, et cetera, now, that they are doing more and more
shopping online. People are not going to the store as much, and
they are doing shopping online. And it seems as though there is
more fraud that is now taking place when people are doing this
shopping online.
So can you discuss ways in which firms are innovating to
prevent customers or consumers who rely more on the online
shopping so that we can prevent fraud in that regard? And,
again, like I asked Mr. Oxman, ways that Congress can ensure
greater data breach protection as we move away from in-store
purchases? It just seems that with this new generation, it is
just online. My daughters won't go to stores anymore;
everything is online. What can we do, in that regard?
Mr. Pawlenty. Congressman, that is a great question. And as
was mentioned earlier, the chip cards will go a long way
towards eliminating or greatly reducing card-present fraud for
the reasons that were mentioned earlier. So that is progress
and good, and we applaud that and enthusiastically embrace it.
But as we have seen in the other EMV-adopted countries, the
fraud then shifts to the online environment. And what happens,
of course, is, if you make an order online, over the phone, or
otherwise, you enter in your credit card number, you enter in
your three- or four-digit code and your expiration date, and
away you go. And so, if I have that information from you, I can
make that transaction online, and it is--let's just say it is
loose, to put it mildly.
So the future of that in the near term is a technology
platform called tokenization, which will allow that transaction
to occur with a unique set of data that connects needed data to
finalize the transaction, but the personally identifiable
information isn't necessarily transmitted as part of it. It is
a token, one unique signal that goes.
That is coming. It is just around the corner. And it is
already into market, to some extent. But as was mentioned
earlier, the cost of it is coming down, it is becoming more
ubiquitous. So that will be a big part of the solution. It was
invented 10 years ago. So there will be something else that
will come next.
Chairman Hensarling. The time of the gentleman has expired.
The Chair now recognizes the gentleman from Maine, Mr.
Poliquin.
Mr. Poliquin. Thank you, Mr. Chairman. I appreciate it very
much.
And thank you, all you folks, for being here today. I
really appreciate it.
Mr. Oxman, I know you and I are both from Maine, probably
the safest State in America. And we invite all kinds of other
folks to come up there and enjoy our State.
That being said, we are not immune to folks who are
stealing our credit card numbers, or using our debit cards
fraudulently, and what have you. So we know there is a problem.
The problem is across the country, even in our great State of
Maine.
That being said, one of the things that I have heard this
morning that I am delighted about is that there seems to be
some common ground, a lot of common ground, when it comes to
the fact that there is an issue with cybersecurity. We all know
it is there, and you folks all agree to it, even though you are
from different parts of this space, if you will.
And I have also heard, if I am not mistaken, that there is
a consensus that we need, instead of 48 individual laws that we
have to deal with, that one national standard would be very
helpful when it comes to notification.
What I would like to hear from each of you--we will start
with you, Governor, if you don't mind terribly--is what else is
on the top of your list. What else would you like to inform
this committee about that would be very helpful for all the
players in this space to make sure our consumers in Maine's
Second District and throughout the country are well-protected
with their bank accounts and their credit cards and what have
you? What could you advise us today?
Because your members are the folks who are on the ground.
You are much closer to this problem than we could ever be.
Please tell us.
Mr. Pawlenty. That is a great question. And when you think
about notification, it helps notify people that there was a
problem and now we need to clean up the mess.
Mr. Poliquin. Right.
Mr. Pawlenty. That is little consolation for people who
have the mess visited upon them. And so it is helpful.
As to standards, again, it will help as people raise their
game. I think this entire space is going to evolve in a very
interesting and probably disruptive fashion over the next 10
years. The things that we are talking about here today in terms
of technology platforms, as was mentioned earlier, will look
very different 10 years from now. I don't think we are going to
be walking around with pieces of plastic and PINs. The whole
thing is shifting increasingly to mobile and other ways to make
payments.
So I would say it is going to come from the technology
sector, big changes and good changes.
Mr. Poliquin. Mr. Dodge?
Mr. Dodge. I am glad some attention is being paid to
collaboration, because I think that is an important outcrop
from these catastrophes, this focus.
Last year, we collaborated with the Financial Services
Roundtable and the Electronic Transactions Association, with a
whole bunch of merchant and financial services associations, to
talk about these challenges, and to try to find some common
ground.
Collaboration has also found its way into the threat-
information-sharing world, where businesses can share threat
information, sort of a rising tides--for a Maine term, ``rising
tides lift all ships''--the ability to see a threat, deflect
it, and share with others what you saw and how you did it. That
is really important. And we congratulate Congress for passing
legislation on that last month.
I think one of the things that we really look towards is,
how do we enhance security to the 21st Century and beyond? Card
security today is weak. It needs to improve. There is a half-
step on the calendar for later this year, but it is only a
half-step. We need to get beyond that. And we really want to
see Congress focus on that, and we certainly want to see the
business community that is responsible for creating those cards
focus on it, as well.
Mr. Poliquin. Mr. Oxman?
Mr. Oxman. Thank you, Congressman Poliquin.
I am excited about the changes in technology that we are
seeing in our industry. And I think if there were one thing for
the committee to be aware of, it is that there actually is no
need for an inquiry into that technology because the industry
is working together to deploy it.
My first job was as a bank teller, during the summer after
my first year in college, at Mechanics' Savings Bank in the
heart of the Second District of Maine.
Mr. Poliquin. You bet.
Mr. Oxman. And the hot technology back then in the 1980s
was the ATM machine. Today, consumers can buy things with a
watch. It is absolutely amazing what is happening out there.
And I think the good news from Congress' perspective is
that the industry is deploying that technology safely,
securely, and reliably, and we are going to get it done.
Mr. Poliquin. What about Apple Pay, Google Wallet, Square,
these pieces of technology that are being developed much more
quickly than I can understand for how to pay for the goods and
services you buy online or through a mobile device? Do you see
any problems coming down the road with those types of
technology, or is that where it is going to go and where it
should go, in your opinion?
Mr. Oxman. Yes, I think this kind of technology is
incredibly exciting, particularly because it allows us to
deploy more robust security alongside.
The way to think about it is, it is a new means of
implementing a payments transaction, of initiating that
transaction. You are using your watch or your phone instead of
a plastic card. And that watch or phone or whatever device it
is has many more security capabilities to it than the plastic
cards, so it is actually a good thing for consumers.
Mr. Poliquin. Mr. Orfei, unless here in this country we go
down this path where we continue to work on this problem and
find solutions to it, aren't we exposing our consumers and our
families and our businesses to more cyber risk if Europe is
ahead of us and other developed countries or parts of the world
are ahead of us?
Mr. Orfei. May I answer that question?
Mr. Neugebauer [presiding]. Quickly.
Mr. Orfei. I think the technology is going to evolve here,
and we will have good answers. Particularly, mobile will be the
future of payments.
But I think what is really key is this information-sharing
effort that is in progress right now. Being able to collect
that information, translate it so it is actionable
intelligence, and then that will allow us to preempt attacks
from organized crime, rogue states, and state-funded actors.
Mr. Poliquin. All right.
Thank you all very much. I appreciate it.
Thank you, Mr. Chairman. I yield back.
Mr. Neugebauer. I thank the gentleman.
Now the gentleman from Georgia, Mr. Scott, is recognized
for 5 minutes.
Mr. Scott. Yes. Governor Pawlenty, I would like you to
address this, and anybody else can chime in, as well. But with
the challenge for our migration of the EMV chip technology in
the United States basically due by October 15th, why are U.S.
consumers only now receiving the chip cards when consumers in
Europe and Canada have had them for many years? Why are we
behind the eight ball?
Mr. Pawlenty. There is some unique history as it relates to
how Europe got to where it is relating to technology, their
telecommunications system, how they did batch processing, how
that works relative to how we did it in the United States.
I think, to sum it up here, I would say the transition from
what we had to what we need and where we are headed next is a
very big transition. You think about the millions and millions
and millions of point-of-sale terminals that would have to be
chip-ready. Right now, only about 25 percent of retailers can
even take a chip card. So they will have to flip over their
systems, their point-of-sale systems, their backroom systems.
Payment networks have to do the same; the banks have to do the
same. So it is a massive transition.
Would we have benefited from it being done earlier?
Probably. But we are where we are, and now we just need to get
it done as quickly as possible. And all of this is highlighting
the urgency of it.
Mr. Scott. Okay.
Now, since we have such a brain trust of cybersecurity
before us in this distinguished panel, I want to shift gears
for a moment. Are you satisfied and how would you describe the
national security threat to our country as a result of
cybersecurity, as a national security issue? I think it is one
we really, really have to deal with.
And how would you relate that, particularly when we have
had attacks on our cybersecurity from China, from Russia, from
Iran, from North Korea, ISIS, Al Qaeda, other terrorists. Now
our military bases are being put on heightened terrorist attack
alert at a level we haven't seen since 9/11.
What is it that we need to do more? And how do you address
and how do you rate this threat at its present time as a
national security issue?
Governor Pawlenty, or any of you?
Mr. Pawlenty. I will say, Congressman, I would rate it as a
clear and present danger. And that is why I said what I said
earlier. I think, particularly for folks who are on the
Republican side of the aisle, it is not as comfortable to say
we are just going to do something uniform across the country,
but I think this is elevated, not just the card and processing
but many other aspects, to a national security issue.
We have known, identifiable threats to critical
infrastructure of this country that would impair not just the
economy but the health and well-being of our citizens if they
are deployed to any sort of scale. And so it is a clear and
present national security threat that I think needs to be
addressed with that kind of urgency and that kind of
seriousness and that kind of weight behind it.
Mr. Oxman. And, Congressman Scott, it is a question that is
answered largely by technology. And thank you for your
leadership in taking a founding role in the Congressional
Payments Technology Caucus, because technology companies,
including many from the great State of Georgia, are out there
deploying systems to secure networks against intrusion.
And there is no question that the payments industry is
focused relentlessly on this. Because the security of networks
and the reliability of networks and systems is why consumers
choose electronic payments as their preferred method of
engaging in commerce. And we need to make sure that remains a
confident factor for consumers.
Mr. Scott. And, Mr. Oxman, how ready will we be? October is
right around the corner. What are your expectations? Have we
set that date? Is it accomplishable?
Mr. Oxman. Yes, Congressman Scott, the migration in October
to the chip cards is a date that we have set as a milestone,
and it is a lot of work to do: 1.2 billion cards in consumers'
wallets need to be replaced, and more than 8 million merchants
in the United States need to upgrade their systems in order to
accept chip cards. That is going to take some time.
Will we be completely finished by October? The answer,
frankly, is, no, we won't be all done. But we will be largely
there. And, most importantly, the industry is entirely unified
in recognizing the importance of making this infrastructure
upgrade. We are doing it. We are working together--merchants,
financial institutions, payments companies, and consumers. And
we are going to get it done.
Mr. Scott. Thank you, Mr. Chairman. I yield back.
Mr. Neugebauer. I thank the gentleman.
The gentleman from Arkansas, Mr. Hill, is recognized for 5
minutes.
Mr. Hill. Thank you, Mr. Chairman.
And I thank the panel for being with us this morning.
On Mrs. Maloney's comments about Gramm-Leach-Bliley and the
impact on banks, having run a community bank for the entire
history of Gramm-Leach-Bliley's existence, I do think it was
flexible in the standards when it comes to examination and
practice, both in scope of business and not. So I think that is
something that has worked well in the financial services
industry.
One question I have I would like the panel to react to is,
what role does liability insurance coverage play here when you
think about standards?
I know in our company we took out the coverage at the very
modest premium for notification coverage, which was sort of
what was recommended by the underwriters. I didn't find it very
compelling or particularly useful, but in a large breach it
certainly would be helpful to pay the out-of-pocket expenses.
But what is happening in the liability arena on insurance
coverages for our entities beyond that? What standard are they
setting when they come to underwrite a retailer--let's start
with you, Mr. Dodge--about data breach. Because there is
obviously a mathematical loss potential for one of your
members.
Mr. Dodge. Sure. I will acknowledge at the outset that I
don't claim to be an expert on cybersecurity liability
insurance; however, my exposure to it offers me a little bit of
perspective.
First is it is a pretty immature market, pretty new, and it
is rapidly evolving. And I know the Administration is working
on ways to make that a more mature, more competitive market.
Many retailers are looking into, many have purchased
liability insurance as it relates to cybersecurity. I don't
have a number for that, but I suspect that number is growing by
the day. And one of the challenges that they all face is where
exactly to price it. They don't know how much to get, and they
don't know if they are getting a great value for it. But they
know that it is important to have, and they are working on
making sure that improves over time.
But I think your point is a good one, sure.
Mr. Hill. Also, in the Verizon report that has been
mentioned, only about 20 percent of those breaches are as a
result of the retail and the banking industry, which means 80
percent aren't. And we haven't heard one question about that
today.
Just last week, I got a letter from the Arkansas Medical
Society, where over 60 physicians had their identity stolen
when they filed their income tax return. They didn't know it
until they went to hit ``send'' electronically to the IRS, and
they suddenly learned they had already filed their return,
which, of course, they hadn't.
So can you reflect on standards that we have talked about
today for that other 80 percent that is not represented here
today?
Or maybe, Mr. Oxman or Mr. Orfei, you might take that one?
Mr. Oxman. Yes. Thank you, Congressman Hill. And I do think
that is an important issue because the harm that consumers
suffer from identity theft can in some circumstances be as
impactful as the harm suffered from the theft of financial
data.
And I think H.R. 2205 does a good job of making sure that
all entities, not just retailers and financial institutions and
payments companies, but all entities that have the storage or
access to sensitive personal information are required to abide
by the Federal standards that H.R. 2205 would put in place. And
I do think that is a very important component of the bill.
Mr. Hill. Would anybody else like to add to that?
Mr. Orfei. I think the fundamentals of the PCI standard are
applicable across all vertical markets.
I also share your concern in my discussions with law
enforcement that the healthcare systems, in particular, will be
a next big target. Protecting that data and following adherence
to the PCI standard would benefit those industries, as well.
Mr. Hill. I think it is a little odd that HIPAA--we can't
even have a conversation about our aunt's health with the
doctor without everybody jumping through hoops, but we
obviously have healthcare data at risk. It is financial data,
and this IRS situation is financial loss. I think this is a
serious matter, certainly as serious as having your credit card
number compromised.
So I am glad to hear you say that you have some comfort
that the standards in this bill will help in this other 80
percent of the issue that we are not addressing today. Thank
you.
Mr. Dodge?
Mr. Dodge. I would say that we also endorse a strong
reasonableness standard, one that provides businesses with the
strong expectations of what government considers to be a
reasonable standard. We believe that it should be enforced by
the FTC, and we have endorsed the legislation that came out of
the Energy and Commerce Committee to do just that.
We think it is important, as we are addressing this issue,
that we first look at the regulatory landscape as it is today
and design solutions that fit within that, rather than moving a
regulation design for one industry--in this case, the financial
services industry--to apply to the entire rest of the economy.
Mr. Hill. Right. Thank you for that comment.
I yield back. Thank you.
Mr. Neugebauer. I thank the gentleman.
And now the gentlewoman from Wisconsin, the ranking member
of our Monetary Policy Subcommittee, Ms. Moore, is recognized
for 5 minutes.
Ms. Moore. Thank you so much, Mr. Chairman.
I just want to thank all of the witnesses for taking the
time and for being patient with us. And I can tell you that you
guys almost and Ms. Moy almost answered my questions when other
Members were asking, and so I do want to apologize if things
seem redundant.
Let me start with you, Ms. Moy. You talked about having a
Federal standard, a floor standard. And you talked about the
FTC really providing that service at this point. I guess I want
your opinion or knowledge about whether or not you think the
FTC is currently staffed up and resourced up enough to continue
this stewardship.
How much more would it cost to do it? How many more
employees do you anticipate? Or is there a necessity to create
a new agency?
Ms. Moy. I apologize because I don't have those numbers for
you, although I could do some research and try to help you
answer that question.
I do think that the FTC is doing a pretty good job
enforcing data security, specifically with the biggest cases.
And at the State level, the States are active in this area, as
well, also enforcing sometimes their own data security standard
and sometimes a standard that they are drawing from the
authority of their general consumer protection acts, their many
FTC acts.
I think it is really important, though, to preserve the
ability of what the States are doing, to preserve the ability
of State AGs to continue to provide that important service, and
to set our new standards at a level that will continue to
preserve protections for pieces of information that would not
be covered by the legislative proposals we have seen.
For example, in your own State of Wisconsin, the breach
notification standard would extend to DNA and biometric data
that is not necessarily covered by what we have seen in some
legislative proposals.
Ms. Moore. I really would like to know how much this will
cost.
And in keeping with the same theme, Mr. Mulvaney was sort
of going down this road about who pays for the cost of a
breach. And on October 1, 2015, there is going to be a merchant
liability shift.
And so we are at Gwen Moore's custard stand here, and I
have just gotten my little smartphone to be able to swipe my
card. How much is this going to cost me? Or do I just take
risks and say, I will just take chances for a few years until I
get my business up and start franchising my custard store? How
much will it cost me to be compliant?
Mr. Oxman. Congresswoman Moore, the good news is for a
small business that is interested in upgrading their
infrastructure, the costs are actually very low. You can get an
EMV chip device from Square for $30--
Ms. Moore. Oh, okay.
Mr. Oxman. --if you want to go that route, or you can get
it from a payments processor for not much more. So the cost is
actually very low for the merchant.
And the good news is that October liability shift date that
you are talking about, if the merchant makes that small
investment in the upgrade to accept chip cards, and if the card
issuer has issued chip cards, then the liability for a
fraudulent transaction and counterfeit card actually rests with
the issuer. So the merchant is exactly the same as they would
be today. As long as they have made that investment in the
infrastructure, they don't have liability for a counterfeit
card transaction in that scenario. So it is good news for the
merchant.
Ms. Moore. That was the answer that was escaping me this
entire hearing; how much is it going to cost Gwen's custard
stand to be able to do it.
Obviously, there will be a lot of costs for ATMs, and I
guess that is a little bit more costly. How much will it cost
to update all the ATMs?
Mr. Oxman. Yes, the ATMs and, actually, fuel dispensaries,
so gas stations--
Ms. Moore. Right.
Mr. Oxman. --actually have an extra 2 years to upgrade
their infrastructure simply because it is pretty complicated to
actually take the credit card equipment out of an ATM or out of
a gas pump. So they don't have to worry about upgrading their
infrastructure until October of 2017 for those two industries.
Ms. Moore. Okay.
In my remaining time, for Governor Pawlenty, as the head of
the Financial Services Roundtable, I guess I am just curious
about why it has taken us so long to do this, why we are behind
Europe and Canada? And you guys have testified that we are
going to stay behind.
Mr. Pawlenty. Yes. Some of the countries that went to EMV
didn't have much legacy technology to begin with, so they could
just jump to it as first adopters. Other countries have other
histories, like the U.K., for example. In an era where telecom
was really expensive, they loaded up all their transactions and
processed them at the end of the day, called batch processing.
So the ability to do, kind of, realtime communication via
telecom had something to do with how and when things evolved.
All that being said, I think the United States has been
slow to this issue, but the fact of the matter is we do see the
need, obviously--everybody does--and we are moving as quickly
now as possible to implement it and for good cause.
Ms. Moore. Mr. Chairman, I realize my time has expired, but
I just want to ask Governor Pawlenty, are the Vikings going to
be as bad as they were last season?
Mr. Pawlenty. Did you say the Packers? The Vikings. Well--
Mr. Neugebauer. I think the big question is, how do we get
some of that custard?
Mr. Pawlenty. The Vikings are going to be better this year,
Congresswoman.
Mr. Neugebauer. The gentleman from Florida, Mr. Ross, is
recognized for 5 minutes.
Mr. Ross. Thank you, Mr. Chairman.
And thank you, panelists.
I can only preface my remarks by thinking back to the early
1980s when I was installing computer systems, little 16-bit
processors in pharmacies across the eastern United States, and
we would use a dial-up modem to update their drug prices and to
process data. And then, at that time, the movie ``WarGames''
came out, starring Matthew Broderick, that showed how we can
hack into the WOPR, the intelligence computer that started an
international war game. And we have evolved today to where you
go to Walt Disney World and you get a magic band you wear that
has all your data, shows Disney exactly where you are, what you
are doing, what ride you want to be on, all your billing
information.
The evolution of technology has been a tremendous benefit
to us. It has given us a path of expanding our commerce and our
economy tremendously. And, obviously, it has given
opportunities to give those who seek ill will against us, and
that is why we are here.
One of the institutions of higher education, the University
of South Florida, rests in my district. And 2 years ago they
were designated by the Florida legislature to be the center of
cybersecurity, an academic program. Now, they have over 100
students seeking masters in this particular arena.
My question is, is there a great deal of cooperation
between the private sector and the academic sector in trying to
innovate ways to continue to fight cybersecurity? If anybody
can address that?
Mr. Dodge. I would just speak up and say, I know that the
retailers who have sought such partnerships have found welcome
partnerships in it.
Last year, we established something called the Retail Cyber
Intelligence Sharing Center. And at the core of that is a
retail ISAC, but wrapped around that is an opportunity for
educational opportunities. And I know that group has found
great partners already in the academic community looking for
ways to identify ways to bring future chief information
security officers up through the ranks but also to share
information so that everybody has the best skills available
today.
Mr. Ross. It would seem to me that would be a good
partnership, even though I would say that well over 80 percent
of our commerce in the cyber world is through the private
sector.
Mr. Dodge, let me ask you this particular question, because
as my colleague, Mr. Mulvaney, was asking you about who bears
the cost of a fraudulent transaction, is it between the banks
and the retailers? Is there not in existence any particular
either expressed or implied right of indemnification between
the parties that would allow that to be resolved absent
statutory or legislative involvement?
Mr. Dodge. The fraud payment requirements, who pays after a
breach or in the instance of fraud, is spelled out in the
contracts. So the retailers are bound by those contracts, and
their unwillingness to--if they violate those contracts, they
risk losing the right to accept cards.
Mr. Ross. So there is a limited negotiation, I guess, is
what you are telling me in order for a retailer--if a retailer
wants to accept a MasterCard, they accept all the terms and
conditions without, really, negotiation.
Mr. Dodge. It is not a negotiation. You sign the contract
presented to you.
Mr. Ross. Okay.
And, Mr. Oxman, one of the things that we have talked
about--you talked about very well and in depth is the EMV, the
electronic MasterCard/Visa chip. Now, for some time this has
been in practice in the European markets, has it not?
Mr. Oxman. It has.
Mr. Ross. And, just recently, had it not been for, I guess,
an Executive Order, we would not be pursuing it as fast as we
are in the United States.
What has been the reason for the delay of the
implementation of the chip technology here?
Mr. Oxman. The reason that chip technology is being
deployed today in the United States and has been deployed
already in Europe is the following: In Europe, they don't have
the ability that we have here to authorize a transaction
online.
When you swipe your card at the point of sale, what happens
is that transaction is transmitted through a payment network to
the card issuer for a ``yes'' or ``no'' answer. And when the
receipt is spit out 1.4 seconds later with a ``yes'' answer, it
is because that transaction was authorized and approved online.
Mr. Ross. I see.
Mr. Oxman. In Europe, they don't have the infrastructure to
do that. The card authorizes the transaction--
Mr. Ross. I see.
Mr. Oxman. --which means that chip with the swipe machine
isn't going anywhere--
Mr. Ross. It is making the decision right there.
Mr. Oxman. It is making the decision right there.
Mr. Ross. I see.
Mr. Oxman. And that is why the chip infrastructure is
necessary in Europe and hasn't been necessary--
Mr. Ross. And now we move into tokenization, which is
essentially protecting the database of all the private
information, and it is encoding or encrypting that particular
transaction with a one-time identification, and then that
allows anybody who captures that to have really nothing.
Mr. Oxman. That is exactly right. The way the system works
today, in many cases, your actual account number is
transmitted.
Mr. Ross. Right.
Mr. Oxman. So what are cyber thieves looking for? They are
looking for credit card numbers. Why do they breach retailers?
Because there are tens of millions of them there.
In a tokenized environment, it takes the actual account
number out of the equation, so there is nothing to steal and--
Mr. Ross. How fast are we moving in that direction? Are
we--
Mr. Oxman. We are moving in that direction very quickly.
Mr. Ross. So it is going to become the predominant barrier,
if you will?
Mr. Oxman. It is being ubiquitously deployed across all
retail segments. Again, we have an existing infrastructure that
needs to be replaced. It will take some time to get there, but
we will get there. It is a great technology, and everyone is
working together to make it happen.
Mr. Ross. Good.
One last thing. I know we have talked about point-of-sale
defenses predominantly today, but, after the data has been
breached and then the consumer's identity is stolen, how
effective are some of these companies out there that allegedly
protect consumers from having their identity stolen? Is that
good, or is it bad, or is it just somebody else's opportunity?
Mr. Dodge. I can't speak to any one of those companies. I
think, again, everybody needs to be vigilant. You need to
monitor yourself in addition to services you may provide.
But I want to go back to a point you made a second ago,
which is about advancing to the technology in cards to get to
where we are in Europe and have been in Europe for a decade.
The migration that is happening in the United States is only a
half-step. We are only instituting a chip; we are not requiring
a PIN.
Mr. Ross. Right.
Mr. Dodge. A PIN authenticates the cardholder, and we
believe that there is a redundancy. It is a belt-and-suspenders
approach to security that is needed in the card. It has worked
in Europe. It has worked in Canada. It has brought fraud down.
And so we should have it here.
Mr. Ross. So PIN and the chip eliminated almost--
Mr. Dodge. You need to have it together. And we are not
moving to that here in the United States because of decisions
made by the card networks.
Mr. Ross. Thank you.
I yield back.
Mr. Neugebauer. I thank the gentleman.
And now the gentleman from Arizona, Mr. Schweikert, is
recognized for 5 minutes.
Mr. Schweikert. Thank you, Mr. Chairman.
Okay. This may be a little way from the legislation that is
being vetted. Mr. Oxman, from my listening, you seem to be the
most technical member of the panel. Is that a fair--
Mr. Pawlenty. Yes.
Mr. Schweikert. Yes. He says yes.
Mr. Oxman. I guess I have been voted most technical.
Mr. Schweikert. As the Governor says, ``Yes, give it to
him.''
Okay. Can we walk through a couple of mechanics? And,
first, the philosophical box I want to work from is, if you and
I wanted to design as robust a system as possible--I am not
asking practical, but possible today, where I still have the
use of my financial instruments, my credit cards, online, at
the retailer, in any fashion it may be, what would I be doing?
Because when we sat through something in this regard a
couple of years ago, we had such high hopes for the
tokenization handoffs and the randomization of the designs of
those tokens.
Is it token-plus? If you and I were designing a system here
and making sure that, as we work on the legislation, it has
enough openness to grab tomorrow's technology, what should we
be doing?
Mr. Oxman. A system designed from scratch would ensure that
actual information that can be tied back to you or your account
cannot be intercepted. Put another way, you would make sure
that you didn't transmit actual information in a way that could
be taken by somebody else and used in the same form.
That is the real goal of all of the layered security
technologies that you see deployed today. It is dynamic, and it
makes sure that intercepted information cannot be useful.
We haven't really talked about how the chip works in the
chip card, for example. But the real difference between the
chip and the mag stripe is it generates a unique dynamic
security code--
Mr. Schweikert. Yes.
Mr. Oxman. --with each transaction. So even if you
intercepted the chip information or tried to create a
counterfeit chip, you wouldn't know the code for the next
transaction, so it would be useless to you.
So, again, does that--
Mr. Schweikert. It is the handoff.
Mr. Oxman. Yes, designing a system from scratch would make
sure that the information was dynamic and couldn't be tied back
to anything, even if it were intercepted.
Mr. Schweikert. Now, is it a blend of, okay, here is my
tokenization, handoff mechanics, and a biomechanic? If I am
doing online, an IP algorithm behind saying, is this an IP that
matches--what am I doing to make these things work?
Mr. Oxman. Right. That is kind of the interesting thing
about mobile payments, for example, which a lot of ETA-member
companies, great technology companies, are moving to deploy--
Mr. Schweikert. You beat me to our last minute of
conversation, but we might as well move on to that. As we all
move to the mobile pay and sort of catching up with the rest of
the world, is the technology in my payment systems on this, is
that my future of transaction security?
Mr. Oxman. It is a great future of transaction security,
because what that mobile device has on there is the token that
we were talking about earlier--
Mr. Schweikert. It could have all three. It could have the
tokenization. It could have my bio data with my fingerprint.
Mr. Oxman. Exactly.
Mr. Schweikert. And it obviously has its version of--it is,
as you know, not technically an IP, but it has--
Mr. Oxman. It is encrypted.
Mr. Schweikert. --the ability to hand over, saying, here is
the device that goes with this.
Mr. Oxman. That is right. So the future of technology that
we are all working together to deploy has all of those elements
to it. So it is almost as if we have an opportunity, thanks to
the advances in technology, to devise that utopian system from
scratch.
Mr. Schweikert. Okay.
Now, for everyone else on the panel, how do I incentivize
that?
Mr. Dodge. The one point that I would make at the outset
is, Jason is absolutely right, the future of payments is in
mobile technology, and we are going there, but we are not there
yet. There are 1.2 billion cards circulating in the United
States, and we need to make sure we are locking down that
before we move to the next generation or while we are moving to
the next generation.
But I think I won't try to wade into the deep technological
comments, but we believe that tokenization is a great
opportunity and a great, great potential. And, certainly,
mobile technology and the encryption that is in place today I
think will work for a long period of time.
Mr. Orfei. So the end game, really, is you devalue the data
so that it is useless in the hands of criminals. And the three
technologies that we have talked about today do exactly that:
EMV at the point of sale; point-to-point encryption; and
tokenization. If you bundle those correctly, and you implement
it properly, the value is useless. There is no reason to break
in. And even if you did, whatever you stole, you can't use
anywhere else.
Mr. Schweikert. Okay.
Much of today's conversation was, who holds the liability,
who pays. And my fear, at one level, is that is an absurd
conversation to have. We should be having the conversation of,
how do we build the robust technology so we don't have the
problem?
Mr. Pawlenty. Congressman, I know we are out of time. The
good news is, it is happening. While mobile payments and some
of the things you mentioned are a small part of the picture,
the rate at which they are growing is rapid, and the adoption
rate, particularly for younger people, is very high. So the
future that you are foreshadowing is unfolding.
Mr. Schweikert. I yield back, Mr. Chairman. Thank you.
Mr. Neugebauer. I thank the chairman.
And now the gentleman from Indiana, the chairman of the
Republican Policy Committee, Mr. Messer, is recognized for 5
minutes.
Mr. Messer. I thank the panel for being here. Thank you for
your stamina. I think we are getting close to wrapping up.
I wanted to talk a little bit further about breach
notification, and I think, Mr. Dodge, a couple of times you got
pretty close to this, but I just want to make sure I better
understand your position and your organization's position.
You stated earlier that you wanted clarity for the business
community, and I know you support the one sentence standard
that was based on reasonableness found in the Energy and
Commerce Committee bill.
Now, I think if you look at Section 4 of H.R. 2205, it has
a set--a process that is laid out that, frankly, is much
clearer and I think more scalable. It is based and modeled off
of what banks have been doing for 16 years under Gramm-Leach-
Bliley.
Can you explain from your perspective why you believe H.R.
2205's clarity isn't sufficient?
Mr. Dodge. The Gramm-Leach-Bliley Act, and certainly the
legislation you are referencing, were designed primarily for
the financial services industry. It was passed in 1990, 2000,
and enforced over the last 15 years.
What we have argued is that you have to look at the
regulatory landscape as it is today and look at what has been
done for regulations that apply to other industries. And there
has been a substantial body of work done by the Federal Trade
Commission in enforcing cybersecurity expectations of
businesses. That has established a decades-worth of case law
that merchants or businesses all under the authority of the FTC
understand what the expectations are of them.
Mr. Messer. So am I hearing you say that while the Energy
and Commerce bill has a one-sentence standard, you believe that
one sentence incorporates the FTC standards that have been--
Mr. Dodge. I do. And I think any business that would be
forced to comply with it--and most businesses today are--don't
look at the sentence that would be in the legislation, but they
would look at what the body of work is and the requirements
that would be--
Mr. Messer. Okay. And so that I make sure I understand your
objection, is your objection to who the regulator would be?
That you believe under the Energy and Commerce bill, it would
be a different regulator?
Mr. Dodge. We think the way that the Energy and Commerce
bill is structured and how it builds upon the work that has
been undertaken by the FTC to date, it makes sense, and we
believe that is the best way to move the ball forward in terms
of cybersecurity.
Mr. Messer. Okay. Other members of the panel, I don't know
if anybody would like to comment on the specificity and clarity
of the language in the--
Mr. Pawlenty. Congressman, I would say while we recognize
the brevity of it, to simply say, ``Hey, go act reasonably,''
that is just a negligence standard that is built into common
law for everything. We are all under a duty to go act
reasonably in our daily lives and not be negligent. So it
doesn't--when you are facing a threat of this magnitude, this
nature, which is exponentially accelerating, to have the
Congress say, ``Hey, act reasonably,'' I think is underwhelming
as a standard and expectation as we enter the age of cyber
battles.
Mr. Messer. Yes. I would agree, Governor, particularly when
you have a road map that has worked for 16 years in another
industry that you can lean on.
But, moving on to another topic, I would like to talk a
little bit about how unreasonable delay works in the real
world. There is talk about whether a notice should be
immediate. Could you put some specific timeframe on when a
reasonable notice would occur? Could anyone on the panel
comment on whether it is realistic to require a company to
notify consumers within a specific number of days?
Mr. Oxman. I think that the challenge of the existing State
laws is that different States have different requirements for
what ``reasonableness'' means. And, obviously, all of us in the
industry across the payments ecosystem and retail share an
interest in making sure our customers know what happened as
quickly as possible, but in some circumstances, there are
issues that arise. For example, law enforcement may ask that we
delay notification because they are pursuing the criminals, and
they don't want to interfere with the investigation or the
possibility of apprehension. So I do think that kind of
flexibility is important, Congressman, because there are
circumstances in which what one may think is reasonable someone
else may decide--
Mr. Messer. And is that relatively unanimous on the panel?
Ms. Moy. I would just add that I think one of the problems
with having a harm trigger and having a risk analysis between
the discovery of the breach and notification of the consumers
is that it can delay notification to the consumers. One of the
reasons that many States have no trigger at all is to
ensure that consumers get notification as quickly as possible.
Mr. Messer. And in my very limited time, could anybody talk
about over-reporting? It seems to me one of the challenges of
what happens in the practical world when you have this big
patchwork of standards is companies go out and over-report and
there are consequences to consumers of that as well.
Ms. Moy. Once again, I would just turn to what the State
AGs are saying on this topic, which is that in their
conversations with consumers, they are not hearing that
consumers want to hear less about breaches of their personal
information. Consumers are upset about the fact that they are
hearing about so many breaches because they are upset that so
many breaches are taking place. But they don't want to forego
the possibility of protecting themselves in the event of a
breach.
Mr. Messer. They want to be notified when they should be
notified if there is a real problem.
Mr. Oxman. I think that is right. That is fair.
Mr. Messer. Okay. Thank you very much.
Mr. Pawlenty. Congressman, on that last point, we do see in
the auto-manufacturing recall space dealers and others noticing
people paying less attention, unfortunately, to recall notices
because they think they get too many of them or they are not
serious enough. So they are just something to at least keep an
eye on.
Mr. Messer. Okay. Thanks, Governor.
Mr. Neugebauer. I thank the gentleman.
I would like to thank our witnesses for their testimony
today. It has been a little 3-hour exercise here. We appreciate
your patience, but also I think the panel has been very
informative. This is a very important issue to our country. It
is a very important issue to the Americans that use the system
on a daily basis, that we give them the confidence that they
can continue to use one of the most aggressive and progressive
payment systems in the world.
The Chair notes that some Members may have additional
questions for this panel, which they may wish to submit in
writing. Without objection, the hearing record will remain open
for 5 legislative days for Members to submit written questions
to these witnesses and to place their responses in the record.
Also, without objection, Members will have 5 legislative days
to submit extraneous materials to the Chair for inclusion in
the record.
With that, this hearing is adjourned.
[Whereupon, at 1:05 p.m., the hearing was adjourned.]
A P P E N D I X
May 14, 2015
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]