[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


                   DATA SECURITY: VULNERABILITIES AND
                     OPPORTUNITIES FOR IMPROVEMENT

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON FINANCIAL INSTITUTIONS
                          AND CONSUMER CREDIT

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            NOVEMBER 1, 2017

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 115-52
                               __________
                                
 
                     U.S. GOVERNMENT PUBLISHING OFFICE                    
30-771 PDF                  WASHINGTON : 2018                     

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    JEB HENSARLING, Texas, Chairman

PATRICK T. McHENRY, North Carolina, Vice Chairman
PETER T. KING, New York
EDWARD R. ROYCE, California
FRANK D. LUCAS, Oklahoma
STEVAN PEARCE, New Mexico
BILL POSEY, Florida
BLAINE LUETKEMEYER, Missouri
BILL HUIZENGA, Michigan
SEAN P. DUFFY, Wisconsin
STEVE STIVERS, Ohio
RANDY HULTGREN, Illinois
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANN WAGNER, Missouri
ANDY BARR, Kentucky
KEITH J. ROTHFUS, Pennsylvania
LUKE MESSER, Indiana
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
BRUCE POLIQUIN, Maine
MIA LOVE, Utah
FRENCH HILL, Arkansas
TOM EMMER, Minnesota
LEE M. ZELDIN, New York
DAVID A. TROTT, Michigan
BARRY LOUDERMILK, Georgia
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana

MAXINE WATERS, California, Ranking Member
CAROLYN B. MALONEY, New York
NYDIA M. VELAZQUEZ, New York
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
MICHAEL E. CAPUANO, Massachusetts
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
DAVID SCOTT, Georgia
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
GWEN MOORE, Wisconsin
KEITH ELLISON, Minnesota
ED PERLMUTTER, Colorado
JAMES A. HIMES, Connecticut
BILL FOSTER, Illinois
DANIEL T. KILDEE, Michigan
JOHN K. DELANEY, Maryland
KYRSTEN SINEMA, Arizona
JOYCE BEATTY, Ohio
DENNY HECK, Washington
JUAN VARGAS, California
JOSH GOTTHEIMER, New Jersey
VICENTE GONZALEZ, Texas
CHARLIE CRIST, Florida
RUBEN KIHUEN, Nevada

                  Kirsten Sutton Mork, Staff Director
       Subcommittee on Financial Institutions and Consumer Credit

                 BLAINE LUETKEMEYER, Missouri, Chairman

KEITH J. ROTHFUS, Pennsylvania, Vice Chairman
EDWARD R. ROYCE, California
FRANK D. LUCAS, Oklahoma
BILL POSEY, Florida
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANDY BARR, Kentucky
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
MIA LOVE, Utah
DAVID A. TROTT, Michigan
BARRY LOUDERMILK, Georgia
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York

WM. LACY CLAY, Missouri, Ranking Member
CAROLYN B. MALONEY, New York
GREGORY W. MEEKS, New York
DAVID SCOTT, Georgia
NYDIA M. VELAZQUEZ, New York
AL GREEN, Texas
KEITH ELLISON, Minnesota
MICHAEL E. CAPUANO, Massachusetts
DENNY HECK, Washington
GWEN MOORE, Wisconsin
CHARLIE CRIST, Florida
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    November 1, 2017.............................................     1
Appendix:
    November 1, 2017.............................................    35

                               WITNESSES
                      Wednesday, November 1, 2017

Bentsen, Hon. Kenneth, Jr., President and Chief Executive 
  Officer, Securities Industry and Financial Markets Association.     3
Mennenoh, Daniel, ITP, NTP, President, H.B. Wilkinson Title 
  Company, on behalf of the American Land Title Association......     5
Mierzwinski, Edmund, Consumer Program Director, U.S. Public 
  Interest Research Group........................................     6
Schwartz, Debra, President and Chief Executive Officer, Mission 
  Federal Credit Union, on behalf of the National Association of 
  Federally-Insured Credit Unions................................     8

                                APPENDIX

Prepared statements:
    Bentsen, Hon. Kenneth, Jr....................................    36
    Mennenoh, Daniel.............................................    50
    Mierzwinski, Edmund..........................................    61
    Schwartz, Debra..............................................    78

              Additional Material Submitted for the Record

Luetkemeyer, Hon. Blaine:
    Written statement of the Food Marketing Institute............   105
    Written statement of the Independent Community Bankers of 
      America....................................................   107
    Written statement of the American Bankers Association, the 
      Consumer Bankers Association, the Credit Union National 
      Association, the Financial Services Roundtable, the 
      Independent Community Bankers of America, the National 
      Association of Federally-Insured Credit Unions, and The 
      Clearing House.............................................   109

 
                     DATA SECURITY: VULNERABILITIES
                   AND OPPORTUNITIES FOR IMPROVEMENT

                              ----------                              


                      Wednesday, November 1, 2017

             U.S. House of Representatives,
             Subcommittee on Financial Institutions
                               and Consumer Credit,
                           Committee on Financial Services,
                                                   Washington, D.C.

    The subcommittee met, pursuant to notice, at 2:02 p.m., in 
room 2128, Rayburn House Office Building, Hon. Blaine 
Luetkemeyer [chairman of the subcommittee] presiding.
    Present: Representatives Luetkemeyer, Rothfus, Royce, 
Lucas, Ross, Pittenger, Barr, Tipton, Williams, Love, Trott, 
Loudermilk, Kustoff, Tenney, Clay, Maloney, Scott, and Crist.
    Chairman Luetkemeyer. The committee will come to order.
    Without objection, the chair is authorized to declare a 
recess of the committee at any time.
    This hearing is entitled ``Data Security: Vulnerabilities 
and Opportunities for Improvement.''
    Before we begin, I would like to thank the witnesses for 
appearing today. We appreciate your participation and look 
forward to a productive discussion.
    I now recognize myself for 3 minutes for purposes of 
delivering an opening statement.
    More than 15 million Americans were victims of cyber fraud 
or identity theft last year. The number of those impacted in 
2017 could be significantly more, depending on the damage 
caused by the Equifax breach. While data security has been a 
hot topic since that breach, Equifax isn't where the problem 
started, and if we don't act, it isn't where the problem will 
end.
    Year after year, consumers deal with compromised personally 
identifiable information resulting from breaches in financial 
companies, retailers, insurance providers, and even the Federal 
Government. The list goes on and on.
    This type of fraud can strike at any point, leaving no 
consumer immune to its effects. Financial firms face attempted 
breaches every single day, sometimes hundreds of attempts a 
day. Each attack seems to be more dangerous and more advanced 
than the last, and while the good guys have to be right every 
time, the bad guys only have to be right once.
    Data security has turned into a crisis, and the American 
people deserve better. As in any crisis, every aspect of data 
security should be examined. That includes having an honest 
conversation about the regulatory regime governing these 
breaches. The question is, does it adequately safeguard 
consumer data? Does it provide flexibility for companies to 
innovate, or do they spend too much time and energy trying to 
comply with State and Federal requirements?
    We need to discuss how data security liability is assessed 
and which entity has a duty to report a breach to the public 
and in what timeframe such a disclosure should be required. We 
cannot tolerate a system that is unnecessarily complicated or 
offers slow resolution for customers and consumers. We need to 
instead work collaboratively to reduce red tape, create a more 
prompt notification standard, and foster harmonization among 
Federal and State agencies charged with data security 
regulation.
    Today's hearing offers an opportunity to look at data 
security vulnerabilities through a wider lens. Our witnesses 
represent a number of different industries that offer unique 
perspectives and ideas on how to improve the system for the 
most important people in this conversation: their customers and 
our constituents.
    While today's hearing does not focus on a specific bill, I 
want to be clear that it is my intention to produce data 
security reform legislation. This conversation and many others 
our members have had and will continue to have with their 
constituents will inform our actions and drive our policy.
    I want to again thank our witnesses for being here today. 
We look forward to your testimony.
    The chair now recognizes the gentleman from Missouri, Mr. 
Clay, the ranking member of the subcommittee, for 5 minutes for 
an opening statement.
    Mr. Clay. Thank you, Mr. Chairman. Thank you for holding 
this hearing as well as all of the witnesses who are here 
today. I will forego an opening statement in order to hear from 
our witnesses. I yield back.
    Chairman Luetkemeyer. The gentleman yields back.
    With that, we go to the gentleman from Pennsylvania, the 
vice chair of the subcommittee, Mr. Rothfus, for 2 minutes for 
an opening statement.
    Mr. Rothfus. Thank you, Mr. Chairman. I would like to thank 
the chairman for holding today's hearing on data security. As 
the recent Equifax data breach reminded us, cybercrime is a 
constant and growing threat. But the Equifax incident, though 
terrible and expansive as it was, was just the latest in a 
string of major cybercrimes that have compromised our private 
information and put us all at risk.
    I am deeply concerned that bad actors, State-sponsored or 
otherwise, continue to relentlessly target our financial 
system, retailers, and the physical and digital infrastructure 
that allow our society to function. Cybercrime is a national 
security threat and a danger to our economy. It hurts millions 
of Americans, and it undermines the trust needed to conduct 
business in the 21st century.
    This committee has an important role in helping to address 
this growing threat. I am looking forward to hearing from our 
witnesses about how we can improve our current system for 
addressing and preventing cybercrime. Clearly, there is room 
for improvement as we seek to ensure that firms take the steps 
needed to protect private data, properly and promptly notify 
law enforcement and customers, and quickly move to close 
vulnerabilities and make victims whole.
    Many of my constituents contacted my office after the 
Equifax breach to seek help and express their frustrations. 
Families, students, small business owners, and retirees are 
concerned about what they are seeing and they want us to take 
steps to protect them.
    Again, I look forward to today's discussion, and I hope 
that it can form the basis for bipartisan collaboration on this 
important issue.
    I yield back.
    Chairman Luetkemeyer. The gentleman yields back.
    With that, today, we welcome the testimony of the Honorable 
Ken Bentsen, president and chief executive officer, Securities 
Industry and Financial Markets Association; Mr. Daniel 
Mennenoh, president, H.B. Wilkinson Title Company, on behalf of 
the American Land Title Association; Ms. Debra Schwartz, 
president and CEO, Mission Federally-Insured Credit Union, on 
behalf of the National Association of Federal Credit Unions; 
and Mr. Edmund Mierzwinski, consumer program director, U.S. 
Public Interest Research Group.
    Each of the witnesses will now be recognized for 5 minutes 
to give an oral presentation of their testimony.
    Without objection, each of your written statements will be 
made part of the record.
    Just a brief tutorial on the lighting system for those of 
you who haven't been here before. Green means go. When the 
yellow light lights up, that means you have a minute to wrap 
up. Red means that we need to stop and go on to the next 
question/answer session.
    With that, Mr. Bentsen, you are recognized for 5 minutes.

         STATEMENT OF THE HONORABLE KENNETH BENTSEN, JR.

    Mr. Bentsen. Thank you, Chairman Luetkemeyer and Ranking 
Member Clay and members of the subcommittee, for giving me an 
opportunity to testify today on the important topics of 
cybersecurity and data protection.
    SIFMA represents hundreds of banks, broker-dealers, and 
asset managers who are dedicated to protecting their systems 
and, more importantly, their clients' data from cyber attacks. 
There is likely no greater threat to financial stability than a 
large-scale cyber event. The financial services sector has 
invested tremendous monetary and human resources to develop and 
implement cyber defense and recovery mechanisms, and we welcome 
the opportunity to discuss the progress we have made today.
    Cybercrime is now a bigger criminal enterprise than the 
global narcotics trade. While data breaches of customer 
information dominate headlines and are rightfully a top 
priority for policymakers in the industry, a major cyber attack 
on critical financial market infrastructure or one that 
destroys records or financial data is also a risk with a 
potentially far larger impact on the economy.
    It is important to recognize that no single sector, not the 
Federal Government nor any individual firm, has the resources 
to protect markets from these threats on their own. It is 
critical that we establish and maintain a robust partnership 
between industry and government to mitigate cyber threats and 
their impact. The industry's resiliency will not be fully 
effective without the government's help and vice versa.
    The answer cannot exclusively be more regulation. However, 
over the past few years, regulators in the U.S. and around the 
world have proposed or finalized over 30 new cyber rules 
applicable to the financial services industry. While 
regulations can help raise expectations and define strong 
standards for market participants, the volume of regulations 
has resulted in requirements which are sometimes duplicative 
and conflicting. Some of our members are subject to as many as 
13 different Federal regulatory mandates in addition to State 
mandates.
    Turning to the threat we collectively face, I would like to 
highlight that every public and private sector institution 
which holds sensitive information can and, indeed, will be a 
target of malicious actors. Working with our members along with 
our sister trade associations, SIFMA has identified a number of 
best practices for protection of sensitive data in the 
financial services sector. These practices draw on the 
experience of our member firms and their own policies and 
procedures as well as industry standards, such as the NIST 
framework.
    Data protection begins with firms taking a risk-based look 
at the information they collect, and deciding if they have a 
business or regulatory purpose that requires them to hold this 
information. If sensitive information like a social security 
number is not directly relevant and necessary, firms should 
refrain from holding it. Once firms have collected sensitive 
data, they should ensure that they have controls in place to 
protect it while it is being used and stored. That includes 
ensuring that access to sensitive data is restricted only to 
authorized users who need it to perform their jobs. Firms 
should also work to reduce the risk by destroying sensitive 
data once it is no longer needed.
    As a highly regulated sector, our members also provide a 
tremendous amount of sensitive information to regulators in 
accord with their supervisory mandates, and given the ever-
increasing risks, our sector is engaged in an important dialog 
with our government partners to ensure and enhance protections 
across the board.
    I would also like to spend a minute or so to focus on one 
particular important data protection challenge currently on the 
minds of many. As the Securities and Exchange Commission and 
the SROs move forward with the development of a Consolidated 
Audit Trail, it is critical that the CAT not introduce new data 
protection risk. Once complete, the CAT will be the world's 
largest data repository for securities transactions and one of 
the largest databases of any type. Each day, the system will 
ingest 58 billion records and maintain the data on over 100 
million customer accounts.
    The current plan raises serious concerns around data 
protection and the ability to confidently secure the critical 
information it will contain. The CAT design requires firms to 
provide a significant amount of sensitive customer information, 
including names, social security numbers, and addresses. All 
this information will be held in a single database, creating a 
high-value target and bad actors will undoubtedly try to find 
the weakest link to gain access.
    While this concern existed well before the recent breaches 
at Equifax or EDGAR, many stakeholders have grown even more 
skeptical that the CAT, as currently designed, will be able to 
protect the massive amount of sensitive PII it will contain.
    Importantly, just as the industry should and does consider 
whether sensitive information needs to be collected and 
retained for a particular purpose, so too does the case need to 
be made that PII is required to be collected and reside in the 
CAT for effective surveillance by more than 3,000 users among 
22 different SROs in the SEC.
    Along this line, we would urge Congress to consider among 
other possible actions amending the Market Data Protection Act 
to ensure the SROs who designed and built the CAT have 
appropriate risk controls in place before the CAT goes live.
    In conclusion, effective cybersecurity will be in a state 
of discussion and improvement for years to come. That security 
is a combination of activities that relies on strong defenses, 
information sharing, mitigation, and recovery planning. It can 
only be accomplished through constructive dialog and engagement 
among the private sector, policymakers, and regulators. Much 
work has been done, but as my written testimony lays out, there 
is much more work to do. SIFMA's members stand ready to do 
their part, and I look forward to answering your questions.
    [The prepared statement of Mr. Bentsen can be found on page 
36 of the appendix.]
    Chairman Luetkemeyer. Thank you, Mr. Bentsen.
    Mr. Mennenoh, you are recognized for 5 minutes.

                  STATEMENT OF DANIEL MENNENOH

    Mr. Mennenoh. Thank you.
    Chairman Luetkemeyer, Ranking Member Clay, and members of 
the subcommittee, I appreciate the opportunity to discuss one 
of the largest financial threats facing consumers, title 
companies, and our real estate system. My wife and I own H.B. 
Wilkinson Title Company in Galena, Illinois. We bought the 
company from my dad 20 years ago. We have 28 employees, with 
offices in seven counties. We close about 70 real estate 
transactions a month. Though we are a small business, by title 
industry standards, we are a big company.
    One of my favorite opportunities as president of ALTA was 
traveling the country to hear what was happening in local 
markets. The largest concerns I heard from title agents were on 
data security and the growing threat of criminals trying to 
steal our customers' money. Even my small company in Galena 
sees a couple of phishing attempts every week. Those attempts 
are often sent to multiple email addresses.
    Earlier this year, the FBI reported a 480 percent increase 
in criminals attempting to steal consumers' funds, and it is 
easy to see why. The average successful bank robber's haul is 
$3,816. The average successful wire fraud loss is $129,427. 
This is a much better return for a much less expensive and 
dangerous crime to commit. Overall, these scams have cost 
Americans $5.3 billion.
    Home buyers are the most common targets. Criminals gain 
access to the buyer's, seller's, or real estate professional's 
email account. They monitor traffic looking for a deal. Their 
goal is to convince the buyer to send their earnest money or 
downpayment to the criminal. Bloomberg reports that criminals 
can obtain verified email accounts, passwords, and security 
questions on the dark web for as little as $10.
    In Texas, I heard about a woman who saved nearly $25,000 
for the downpayment on her first house. Prior to the lender 
finalizing the closing disclosure, the woman's email was 
hacked. Using information from her email, the criminal 
impersonated the title agency, used the closer's name, and 
instructed her to send the $25,000 using fraudulent wire 
instructions. Believing it was the title agency, she followed 
the instructions and wired the funds to the criminal's account. 
The home purchase fell through. The money was gone. The woman 
lost her life savings. This is a heartbreaking story, and it 
happens often. Title companies in each of your communities have 
stories just like these.
    Consumer losses due to a data breach pale in comparison to 
the loss of consumers' downpayment or earnest money deposit. I 
wish there was a silver bullet to protect our customers, but 
there is not. As an industry, we have improved our digital 
hygiene and have taken an array of steps to combat this fraud. 
This includes using secured email communications, verifying 
instructions with buyers using known phone numbers, and asking 
banks to match both the recipient's account number and payee 
information when we send wires. We issue warnings to our 
customers on websites and at the bottom of every email.
    What is so frustrating is there is no amount of money we 
can spend to protect our customers from being targeted by these 
criminals. Two years ago, we were the target, as title 
settlement agents. Now they are targeting our customers even 
before we get involved in the transaction, because we are at 
the end of the process.
    We believe we should focus on two key areas to stop these 
crimes. First, we need to increase awareness of these crimes 
for buyers, sellers, and the public. We need to get anyone 
involved in the real estate deal, real estate agents, banks, 
policymakers, consumer groups, title insurers, settlement 
agents and real estate attorneys, to help educate our customers 
about how to protect themselves. Think about movers. Think 
about surveyors, home inspectors. They are all part of the 
process.
    Second, financial institutions should match not only the 
account number, but also the payee's name. This simple 
authentication step can be the single biggest deterrent. We 
also need to better use both suspicious activity reports and 
IC3 data to detect trends. Even if more information does not 
lead to prosecutions of these criminals, it can help banks 
decide to place holds on the account to prevent the criminal 
from withdrawing funds.
    ALTA is eager to serve as a resource to the subcommittee, 
and I am happy to answer any questions. Thank you.
    [The prepared statement of Mr. Mennenoh can be found on 
page 50 of the appendix.]
    Chairman Luetkemeyer. Thank you, Mr. Mennenoh.
    Mr. Mierzwinski, you are recognized for 5 minutes.

                 STATEMENT OF EDMUND MIERZWINSKI

    Mr. Mierzwinski. Thank you, Chairman Luetkemeyer, members 
of the committee.
    Last week, you held a minority day hearing on Equifax. I 
could talk about Equifax for my entire 5 minutes, but I think 
the State enforcement officials and the consumer advocates who 
spoke last week, I would simply like to associate my remarks 
with theirs last week on Equifax specifically. But I do want to 
continue to talk a little bit about how Equifax fits into the 
larger big data universe.
    First of all, to be clear, Equifax had one of the worst 
breaches ever. They lost our consumer DNA through a pretty 
amazing failure to protect it, and then they did a really bad 
job of notifying us and telling us what was going to happen 
after that. But what people don't understand, a lot of people 
may not know, Equifax is in the highly regulated business, 
credit reporting, part of the time, but all of the time Equifax 
is a data broker. There are thousands of underregulated and 
unregulated data brokers out there.
    In my testimony, I represent the views of the Federal Trade 
Commission which has said they need more authority over data 
brokers. I encourage the committee to read their reports.
    Going forward, people should understand that consumers have 
no control over their information, particularly with the credit 
bureaus. As was said often in many of the other hearings, we 
are not their customers; we are their products. Mr. Cordray 
refers to credit reporting as a dead-end market. You can change 
your bank if you don't like it. You cannot change your credit 
bureau. You cannot vote with your feet.
    With the lack of control, it is very difficult for 
consumers to do anything about misuse of their information. We 
have very little authority to vote, to determine that companies 
can't use our information, very limited under Gramm-Leach-
Bliley. In most cases, companies simply collect information 
about us and sell it.
    We worked on the credit freeze as a way to return some 
control, starting about 20 years ago. The first credit freeze 
law passed in California about 15 years ago. It was 
revolutionary at the time, but what would make it more 
revolutionary is if the committee were to adopt--and I believe 
it has become a bipartisan issue--expand the availability of 
the free credit freeze. It is the only way you can at least 
exert some control over your consumer DNA. In addition, the 
committee should look at Ranking Member Waters' comprehensive 
bill to reform the credit bureaus themselves.
    Third, I think the committee should look very closely at 
the flaw in Gramm-Leach-Bliley where the Federal Trade 
Commission has authority over data security that was not 
transferred to the Consumer Bureau. Section 1093 should be 
looked at. I think the Consumer Bureau, because it has the 
ability to conduct examinations of credit bureaus, because it 
has the ability to impose penalties for the first violation of 
the law, not only after a company has violated a consent decree 
in the FTC's case, and because it has rulemaking authority that 
the FTC does not have. If you want to rein in the credit 
bureaus, you have to give the Consumer Bureau more power over 
them.
    The final point that I want to make in my testimony, and I 
make it extensively in my written testimony, is that the States 
are privacy innovators. The States are privacy first 
responders. The credit freeze, the data breach notification 
laws, all were passed by the States when Congress looked on and 
didn't do anything.
    We strongly support protecting the right of the States, as 
the two attorneys general offices testified last week. Going 
forward, we cannot preempt stronger State laws with some narrow 
Federal breach law that takes away States' rights not only to 
do breach notification, but States' rights to conduct other 
privacy examinations, and States' rights to strengthen the data 
security of their citizenry.
    I go into great detail on all of these matters in my 
testimony. I look forward to your questions. Thank you.
    [The prepared statement of Mr. Mierzwinski can be found on 
page 61 of the appendix.]
    Chairman Luetkemeyer. Thank you, Mr. Mierzwinski.
    Ms. Schwartz, you are recognized for 5 minutes.

                  STATEMENT OF DEBRA SCHWARTZ

    Ms. Schwartz. Chairman Luetkemeyer, Ranking Member Clay, 
and members of the--
    Chairman Luetkemeyer. Please turn on your microphone.
    Ms. Schwartz. It should be on.
    Chairman Luetkemeyer. Bring it closer to you then. There 
you go.
    Ms. Schwartz. OK, thank you.
    Chairman Luetkemeyer, Ranking Member Clay, and members of 
the subcommittee, thank you for the invitation to appear before 
you this afternoon. My name is Debra Schwartz, and I am 
testifying today on behalf of NAFCU. I currently serve as 
president and CEO of Mission Federal Credit Union, Mission Fed, 
headquartered in San Diego, California, and also serve on 
NAFCU's board of directors as treasurer.
    Data security needs to be everyone's responsibility. More 
can and must be done to protect consumers on this important 
issue. NAFCU has long supported comprehensive data security 
measures to protect consumers' sensitive data. Credit unions 
and other depository institutions already protect data, 
consistent with the provisions of 1999's Gramm-Leach-Bliley 
Act, GLBA.
    Unfortunately, there is no similar regulatory structure for 
other entities that may handle sensitive personal and financial 
data. Although credit bureaus are considered financial 
institutions under GLBA, they do not have the same regulatory 
oversight as credit unions and other depository institutions.
    GLBA and its implementing regulations have successfully 
limited data breaches among depository institutions. This 
standard, outlined in my written testimony, has a proven track 
record of success and should be recognized in any future 
requirements. Gramm-Leach-Bliley requires financial 
institutions to address the risks presented by the complexity 
and scope of their business. This allows flexibility and 
ensures the regulatory framework is workable for the largest 
and smallest financial institutions. GLBA is an example of how 
scalability is possible for varying size businesses.
    A data security breach can have a big impact on consumers, 
from waiting for new cards to be issued to updating all 
accounts connected with a compromised card. Breaches can also 
result in fraud losses, damaged credit ratings, and even 
identity theft. As the Equifax breach has demonstrated, data 
security breaches are not just a retailer problem, but occur 
across many industries. This highlights the need for a 
comprehensive national data security standard to protect data, 
akin to what is already in place for depository institutions 
under GLBA.
    A recent survey of NAFCU members found that respondents 
were alerted to potential merchant breaches an average of 189 
times in 2016. Over 40 percent of the respondents said that 
they saw an increase in these alerts from 2015. At Mission Fed, 
we have received over 1,400 separate alerts of merchant data 
breaches since 2013.
    When credit unions are alerted to breaches, they take 
action to respond and protect their members. These actions have 
costs, such as card reissuance, fraud losses, and account 
monitoring. Ultimately, this takes away from providing other 
services to members. Unfortunately, credit unions rarely see 
any reimbursement for these costs. Even when there are 
recoupment opportunities, such as settlements, it is usually 
only pennies on the dollar, in terms of the real cost and 
losses incurred.
    Recognizing that finding a legislative solution is a 
complex issue, NAFCU has established a set of guiding 
principles we would like to see in data security legislation, 
including: reimbursement of all costs by the breached entity; 
national standards for safekeeping of information; breach 
notifications to financial institutions; disclosure of breached 
entity to consumers; and enforcement of data retention 
prohibitions. I outline all of our principles in detail in my 
written testimony.
    The time has come for Congress to enact a national standard 
on data protection for consumers' personal financial 
information. Additionally, credit bureaus, such as Equifax, 
should be subjected to examinations for compliance to data 
security standards, just as depository institutions already 
are. Consumers whose personal and financial data has been 
compromised have a right to be notified in a timely manner.
    NAFCU believes that the best legislative solution so far on 
this issue of data security is the bipartisan legislation that 
was introduced in the 114th Congress, H.R. 2205, the Data 
Security Act of 2015, which would have set a national data 
security standard that recognized those who already have one 
under the GLBA. We were pleased to see this bill get bipartisan 
support in this committee in the last Congress.
    Finally, as the committee is aware, data security is in the 
jurisdiction of several congressional committees. We appreciate 
the Financial Services Committee taking the lead to work with 
leaders in other committees to craft a bipartisan package that 
can enact a robust national data security standard into law.
    In conclusion, data security is a top challenge facing the 
credit union industry today. Protecting the payment system is 
the responsibility of all parties involved. It is time to level 
the playing field, establish a national data security standard 
for all who handle financial and sensitive personal data. This 
includes consumers and impacted parties receiving timely 
notification of data breaches.
    The standards for depository institutions under GLBA should 
be the model. NAFCU stands ready to work with you. Thank you 
for the opportunity to appear before you today. I welcome any 
questions you may have.
    [The prepared statement of Ms. Schwartz can be found on 
page 78 of the appendix.]
    Chairman Luetkemeyer. Thank you, Ms. Schwartz. I appreciate 
your testimony and all of the witnesses today.
    We will now begin the question-and-answer period of our 
hearing, and the chair recognizes himself for 5 minutes.
    Mr. Bentsen, you in your testimony talked about 
harmonization of State and Federal data security regulations. 
You even mentioned global standards. Where in this do you think 
this committee has a role to be able to help the situation the 
way it is right now?
    Mr. Bentsen. Thank you for the question, Mr. Chairman. It 
is a problem where the industry and the government are all 
trying to get to the same place. There is very little 
disagreement on that, and we believe it is very much a two-way 
street.
    We have a multifaceted regulatory structure for financial 
institutions, including both a Federal and State regulatory 
structure, and self-regulatory organizations, and we have many 
global institutions from the U.S. that operate in multiple 
jurisdictions. We need to find a way where regulators can come 
together, in terms of the type of guidance they are doing, the 
examinations, the supervision process that they want to do, to 
work around the same framework. Even in the U.S., U.S. 
regulators are not all using the NIST framework, which we think 
is the best framework for developing cyber resiliency.
    I think this committee can play a role with your oversight 
function of the agencies to start, and the SROs, where you have 
some indirect jurisdiction, to try and bring them together. To 
be fair, we have spent time with all of our regulators, brought 
them all together and said: We understand your individual 
mandates, but cyber and cyber protection is really a top-of-
the-house-down program within all institutions.
    There has to be a better way to do this, so we don't have a 
situation where members are spending almost as much time on 
regulatory compliance as they are on cyber defense.
    Chairman Luetkemeyer. OK. With regards to the NIST 
standards, do you believe that they are adequate at this time 
and, if not, what concerns do you have, and in particular, with 
regards to notification? I am very concerned about 
notification. It doesn't seem like we have either some 
standards in place or they are not being adhered to. Can you 
elaborate a little bit on that?
    Mr. Bentsen. We think the NIST framework is the appropriate 
framework. It has been updated recently by NIST. We think it 
provides sufficient flexibility to the industry. We have mapped 
it out for our industry, and the capital markets and asset 
management business and other sectors are using it as well.
    In terms of notification, this is an important issue. I 
think everyone agrees that there does need to be timely 
notification. But I think we also have to be careful in setting 
deadlines that can be artificial, and we have to determine what 
the materiality is. We have to determine--in many cases, you 
can have a cyber event going on and you are in the process of 
trying to figure out how deep it is, what the impact of it is, 
if you have to do a forensic audit, if you have to call in the 
FBI, if it involves--whoever the perpetrator is, and to also be 
up against a deadline of having to notify before you know what 
is really going on adds additional risk factors.
    It is an important issue. As you know, Chairman Clayton of 
the SEC has raised this issue under the jurisdiction of this 
committee. I think it is something that, you all and the 
agencies are going to be spending a lot of time on.
    Chairman Luetkemeyer. Thank you.
    Ms. Schwartz, you were talking about the GLBA quite a bit. 
Do you believe that it is still adequate, or do you see some 
things that need to be changed in it or amended or added to, or 
what do you think?
    Ms. Schwartz. GLBA has been around since 1999, and it has 
been dynamic, scalable, and flexible. The nice thing about it 
is it works for institutions, whether you are a $10 million 
credit union or a multibillion dollar credit union. I think it 
provides an excellent model to be considered, because of those 
factors.
    Chairman Luetkemeyer. OK. With regards to notification, 
there is not a whole lot in Gramm-Leach-Bliley with regards to 
notification. Can you expound on what your position would be 
with regards to where we need to go with this? Do we need to 
put some guidelines in place or leave it alone or--Mr. Bentsen 
just indicated there are a lot of problems with how you go 
about that, but is there a way we can get through this and find 
a middle ground here?
    Ms. Schwartz. Notification is key. We found out about the 
Equifax breach probably the same time you did, when we read 
about it in the Wall Street Journal. We subscribe through 
Mastercard, who is our credit card partner, and receive ADC 
notifications from them. We have received 1,400 separate breach 
notifications since 2013. The faster we are notified, the 
faster we can work to protect our members, by putting warnings 
on their account, by reissuing cards. It is absolutely critical 
that we get notification as soon as possible.
    Chairman Luetkemeyer. I have just a few seconds left.
    Mr. Bentsen, you mentioned the Consolidated Audit Trail and 
the compounding of all information in there. Do you think that 
is really a good idea?
    Mr. Bentsen. Well--
    Chairman Luetkemeyer. Very quickly. My time is up.
    Mr. Bentsen. Yes, the concept behind Consolidated Audit 
Trail is we think an appropriate concept. But we don't know 
that the question has been answered that you have to have all 
this personal information as part of the Consolidated Audit 
Trail in one place. We have no assurance from the builders and 
the contractor that they can protect it.
    Chairman Luetkemeyer. OK, thank you. My time has expired.
    With that, we go to the gentleman from Missouri, another 
gentleman from Missouri, the ranking member. Mr. Clay, you are 
recognized for 5 minutes.
    Mr. Clay. Thank you, Mr. Chairman.
    This question is for the entire panel, so we would start 
with Mr. Bentsen and go down the line. Good to see you again, 
Mr. Bentsen.
    Equifax learned of the data breach on July 29th, 2 days 
after it filed its quarterly report with the SEC. However, it 
was not until 6 weeks later, on September 7, that Equifax 
notified the public of the breach through a statement filed 
with the SEC.
    Now, in your view, what duties do public financial services 
companies owe consumers to provide timely notice of significant 
cybersecurity incidents? Do you believe that disclosure 6 weeks 
after a material event is timely? Could you elaborate whether 
this extended period with the Equifax incident, from when the 
company learned of it to when the public was made aware of it, 
may have violated some State breach notification laws, 
particularly given that some States require immediate 
notification and most States require notification within the 
most expedient time possible without reasonable delay?
    I will start with Mr. Bentsen and would like for each 
panelist to try to answer some of those questions.
    Mr. Bentsen. Thank you, Mr. Clay, and good to see you again 
as well.
    First of all, Equifax is not a member of ours. We don't 
represent the credit bureaus. Most of what I know about the 
Equifax issue is what I have read in the press. I can't really 
comment on what they did, whether it is appropriate or not, and 
I am sure the appropriate regulators are looking at the issue 
as it is.
    Again, I think there is a question of materiality. There is 
a question of your risk factors, when there has been a breach 
and if the person who is breaching is still there and who it is 
and how you are dealing with it. There is no question that 
there should be an effort to notify the affected parties, your 
clients in this case, as soon as it is practical that you can 
do so, weighing all those other factors.
    As it relates to Equifax, they are not a member. I am not 
familiar with the facts of that case.
    Mr. Clay. Sure. But you are saying they did have a duty to 
inform the public.
    Mr. Bentsen. I think if it is a material issue, there are a 
number of requirements, both in terms of public company 
requirements and State--and I can't speak to all the States; Ed 
probably can--of what they have to comply with.
    Mr. Clay. Mr. Mennenoh.
    Mr. Mennenoh. Thank you, sir.
    Yes, I certainly would agree that consumers need to be 
notified promptly. Certainly from our perspective, when we have 
circumstances where consumer funds have been taken, we take 
immediate action to try to recover those funds. But with wire 
transfers, oftentimes, it is a case where if you don't address 
it within 24 hours, it is pretty difficult to get those funds 
back.
    Mr. Clay. 6 weeks was, in your opinion, quite a bit of time 
expired?
    Mr. Mennenoh. For our purposes, the money is gone.
    Chairman Luetkemeyer. Mr. Mierzwinski.
    Mr. Mierzwinski. Mr. Clay, I totally agree. You made a lot 
of the points in your opening remark here. Equifax probably 
violated the strongest State laws on immediate notification. It 
probably violated a number of State laws on attorney general 
notification. Massachusetts has already sued Equifax. Other 
State attorneys general have a multiState investigation going 
on right now. I think you will see additional litigation 
against the company. You will see private lawsuits as well. But 
they failed. They epically failed, and a lot more needs to be 
done.
    Mr. Clay. Thank you.
    Ms. Schwartz.
    Ms. Schwartz. Six weeks is clearly too long. I think, in 
addition to notifying consumers, notifying financial 
institutions is also critical. We are in a position where we 
can really help to mitigate fraud. We can put warnings on 
accounts; we can reissue cards. We can't do that if we are not 
told. A lot of fraud can happen in 6 weeks.
    Mr. Clay. Mr. Mierzwinski, in the event of a breach, what 
information should be provided to consumers to ensure they are 
fully informed of the rights and remedies available to them as 
well as the steps that they consider taking to protect against 
fraud, identity theft, and other crimes?
    Mr. Mierzwinski. I think consumers need to hear everything 
about their rights under Federal law and what the company is 
going to do, and they don't need to hear about all the changing 
kinds of results that Equifax provided them. You need to know 
what your rights are. You need to learn how to put a fraud 
alert. You need to learn how to put a credit freeze on. You 
need to learn all of these things. You need to understand that 
your Social Security number is the key to identity theft. They 
lost that. It is much worse than any merchant breach.
    Mr. Clay. Thank you.
    My time is up.
    Chairman Luetkemeyer. The gentleman's time has expired.
    With that, we go to the gentleman from Texas. Mr. Williams 
is recognized for 5 minutes.
    Mr. Williams. Thank you, Mr. Chairman.
    Thank all of you for being here today, and I appreciate 
your testimony this afternoon on the important subject of data 
security and how we can and must do better to protect private 
information.
    As a small business owner for 45 years, I recognize the 
importance of protecting the information of my customers, and I 
know firsthand the impact that cyber attacks can have on Main 
Street America.
    I am concerned by the increasing trend of breaches that has 
occurred over the past few years, and I hope to learn from all 
of you today how we can ensure that American consumers can rest 
easy, knowing that their personal information is in good hands.
    Mr. Bentsen, one of the things that I do worry about, not 
just when it comes to the industry but in general, is an issue 
with excessive regulations. When President Trump was elected, 
he pledged to fight against expanding the regulatory regime. I 
agree with his goals on that regard. One of the fears I have, 
which you also mentioned in your testimony, is that Congress 
creates regulations which result, I quote, ``in requirements 
which are sometimes overlapping, duplicative, and 
conflicting.''
    How can Congress create effective rules while avoiding the 
problem of overburdensome regulations?
    Mr. Bentsen. I think in the case of cyber protection, 
including protection of sensitive data like PII, I think 
Congress plays a very important oversight role with the 
agencies that you set the authorization for, you fund, you set 
the laws that they execute on.
    In the case of the financial services sector, where you can 
have 5, and up to 13 different regulators, Congress can 
definitely play a role in trying to get better coordination 
among those regulators in how they are going to implement cyber 
rules, cyber defense rules, guidance, or whatever it may be, as 
well as on their examination process.
    We have members who, again, they have up to 13 different 
regulators before you get to the States. We have members who 
are going through multiple examinations because they have a 
bank, a broker-dealer, a futures commodities merchant. In many 
cases, they will have the SEC, the CFTC, the OCC, the Fed 
coming through, but that is before whoever their State 
regulator may be or whoever their SRO may be.
    If we can get some harmonization there, where we are all 
trying to do the same thing, and with Congress' oversight 
function working with those agencies, that could be very 
helpful.
    Mr. Williams. Thank you.
    Mr. Mennenoh, this question is for you. I mentioned earlier 
my background as a small business owner, and I am extremely 
concerned with protecting the nonpublic personal information of 
my customers. I am a car dealer.
    In your testimony, you discuss how the American Land Title 
Association, which represents many small businesses, has 
developed a set of voluntary standards for its members to use 
as part of their compliance programs. Can you expand on these 
standards, and to what extent do your members cooperate with 
law enforcement following a breach, and what steps would you 
recognize to take immediately following a breach?
    Mr. Mennenoh. Thank you. Yes, the standards that we put 
out, the voluntary ALTA best practices, do address very 
specifically how to protect data, how we should be addressing 
that in quite a bit of detail. But the other side of it too is 
that because we handle a lot of money for real estate 
transactions, we also have to protect the money. We have very 
high standards in terms of how we protect the money as the 
transactions are taking place.
    It is a process that we feel has raised the bar, if you 
will. I believe many of our members are doing a very, very good 
job of addressing this, but, as I mentioned in my testimony, 
the biggest issue for us is the money at this point. The small 
companies oftentimes use third-party data centers, that sort of 
thing, that have high security standards for the data security, 
but we have to make sure that we are protecting the money as 
well. That is a big issue for us, and we address this very, 
very aggressively.
    Mr. Williams. Thank you.
    Ms. Schwartz, one of the biggest issues in the wake of the 
Equifax breach was their notification process to consumers. In 
your testimony, you too acknowledge that Equifax failed in the 
area of consumer notification. Additionally, you discuss the 
need for timely notification of members after a breach has 
taken place. In your words, you say that this is important to 
manage an institution's reputation risk.
    What kinds of notification standards should Congress 
consider requiring, if any, and would such standards hamper the 
efforts of law enforcement following a breach?
    Ms. Schwartz. I think the most important thing is trying to 
avoid the breaches in the first place. But absent that, timely 
notification as soon as reasonably applicable. It is very 
difficult to put a certain timeframe on it, because I think 
there are issues, such as law enforcement actions, that could 
possibly delay it. But as soon as possible, financial 
institutions can do a lot to help mitigate any losses that 
could happen. We can reissue cards. We can also notify our 
members that their accounts have been compromised. We have a 
pretty good track record of them opening up the emails that 
they get from us.
    The notification standards as they are right now can be 
somewhat nebulous, particularly in California; I believe you 
can just put something in the newspaper. It puts a lot of 
pressure on the consumer to look up to see if it has been 
compromised. There is a lot of room there for improvement.
    Mr. Williams. Thank you for your testimony.
    I yield back.
    Chairman Luetkemeyer. The gentleman's time has expired.
    With that, we go to the distinguished gentleman from 
Georgia. Mr. Scott is recognized for 5 minutes.
    Mr. Scott. Thank you very much. Mr. Chairman, this issue is 
very important to all of the American people and all of us 
Members here in Congress, but it is expressly important to me 
because I am the representative from the great State of 
Georgia, a State I love. This extraordinarily careless breach 
that was allowed at Equifax is certainly very troublesome to 
me. I am very concerned about that. I have a commitment to help 
Equifax because I want to make sure that we can bring them out 
of this standing tall, standing big, and be able to renew the 
confidence of the American people. However, that is not going 
to happen for any of them, but certainly for Equifax: 145 
million people, and their Social Securities are out there in 
the wind, their birth dates, all this vital information.
    While I want to do that, we on this committee and Members 
of Congress, can't do it without them. I don't know if you all 
know this, but they refused--can you imagine that?--to come 
before this Congress and speak. We cannot solve this problem, 
you and I. I know many of you.
    Mr. Bentsen, I know your great reputation.
    Ms. Schwartz.
    All of you. But neither you nor I can solve this problem if 
the CEOs, the people that run Equifax, that run TransUnion and 
these other companies are not willing to come and sit where you 
are so that we can find that. We have to get the message to 
these credit agencies that they have to get here in Congress, 
partner with all of us. This is a huge issue. I just hope that 
you all will convey that message to them.
    Now, with the time remaining, I just want to--I look at 
this as the American people look at it and want to get your 
responses to this. If Americans can't trust their credit and 
data, that it is going to be protected, let me ask you this, 
Mr. Bentsen, Ms. Schwartz, any of you: Why would they want to 
risk shopping online for their Christmas gifts? Can you see the 
damage that this would do to our economy through that? Or if 
Americans don't think that their local banks can keep their 
personal account numbers protected, why would they want to risk 
it by opening up a checking account?
    In other words, the whole foundation of our fantastic and 
yet complex financial system is registered in credit. If these 
credit agencies, 145 million Americans, Mr. Bentsen, I ask you 
and Ms. Schwartz, how many of these 145 million Americans do 
you believe even have been informed that their data is out 
floating and gone with the wind?
    Mr. Bentsen. Mr. Scott, I don't know the answer to that 
question, but certainly there has been a lot written about it, 
and I have been on the website myself.
    What I will say, I think you are absolutely correct that 
there are two things that are very important. The confidence in 
the system is incredibly important. In the industry at large--
we don't represent the credit bureaus, so I won't speak for 
them. The industry at large has a responsibility to work to 
maintain that confidence, and this industry does that day in 
and day out. No. 1, it is through defense; and No. 2, it is 
through recovery. We are taking efforts in both those areas, 
including understanding what happens if you have a major attack 
wiping out books and records. Can someone at the end of the day 
go back and say: What was my balance of my retail brokerage 
account yesterday? What was my balance in my checking account 
yesterday?
    These are the things we should be working on, which we are.
    Mr. Scott. Ms. Schwartz, let me ask you, because I have 
been concerned about Gramm-Leach-Bliley standards and the 
applicability of them to large as well as the smaller, the 
rural companies. I think you alluded to this in your testimony, 
and I would like for you to clear that up.
    Do you have confidence in that one size will fit all? 
Particularly when you look at our economic system, it is so 
diverse; it is so varied. To have the same standards for a big 
mega bank operating around the world, for a mom-and-pop store 
in my district in Stockbridge, Georgia? Are you saying that we 
don't have to worry about that, that it is applicable?
    Ms. Schwartz. No, I think your point is very well taken. 
One size fits all is not the answer. But I will say that the 
beauty of Gramm-Leach-Bliley is it is scalable, and it is 
flexible. It has been around for more than 17 years and is 
still helpful and provides a framework. I think a level playing 
field is very important. Some minimum standards that anyone 
along the payment system rails should follow I think is very 
important.
    Mr. Scott. Thank you.
    Thank you for the little extra time there, Mr. Chairman. I 
appreciate it.
    Chairman Luetkemeyer. Thank you, Mr. Scott.
    The gentleman's time has expired.
    With that, we go to the gentleman from Michigan. Mr. Trott 
is recognized for 5 minutes.
    Mr. Trott. Thank you, Mr. Chairman.
    I also want to thank the panel for their time this 
afternoon.
    Mr. Bentsen, I want to start with you. You talked in your 
opening comments about the need for partnership between 
industry and government to address this problem. I am just 
curious what is the most significant barrier in your mind to 
the creation of that partnership, and what does that 
partnership look like? Is it just less, more reasonable 
compliance, burdens, or what does the partnership look like, 
and how do we accomplish it?
    Mr. Bentsen. Congressman, thank you for that question. I 
think our partnership with the government on the broad question 
of cyber resiliency is quite good. I credit the Treasury 
Department, Homeland Security, and the various agencies for 
that. This is something where everybody is trying to row in the 
same direction. Frankly, through a lot of industry exercises 
and a lot of tabletop exercises with the government, we have 
learned a lot. They have learned a lot, I think. We have 
learned a lot from them as well, and we want to keep doing 
that. That has led to new initiatives on both sides, I believe.
    Where I think things can break down is agencies operating 
under their own individual mandate, which is established by law 
and all of that. That is understandable, but it seems to us 
that we can do a better job of coordinating among those various 
agencies so there is more interchangeability between how firms 
are complying with requirements. That is really the point.
    Mr. Trott. Maybe 2 or 3 instead of 13 would be a good 
start?
    Mr. Bentsen. Or some substitution, yes.
    Mr. Trott. Thanks so much.
    Mr. Mennenoh, nice to see you again. We met up in Traverse 
City at the Michigan Land Title Association. You were the 
keynote speaker up there this summer.
    Mr. Mennenoh. Yes, we did.
    Mr. Trott. I hope you enjoyed your time in northern 
Michigan.
    Mr. Mennenoh. Absolutely.
    Mr. Trott. You discussed wire fraud and what a huge problem 
it is for the industry. It is a significant problem because, 
unlike some of these issues, really there is no good solution. 
Once it happens, the money is gone. Usually it is a lot of 
money, as you said.
    You discussed education, and it sounds like a good idea, 
but I wanted to get your thoughts on--one thought I had was 
maybe we put some kind of disclaimer or warning in the purchase 
agreement, or maybe the realtor's listing agreement has some 
kind of--or there is some form. But, that is probably not a 
great solution, and I want to get your thoughts on it, because 
you have a buyer who is excited to get their home. Maybe it is 
their first home. They don't even understand what a title 
agency does in the overall transaction, perhaps. Is the 
education going to make a difference, or is it really the 
financial institutions that have to be the solution in terms of 
the wire fraud?
    Mr. Mennenoh. Honestly, I think there is maybe a 
combination of the two. Certainly the financial institutions, 
if we can match the account name, the account owner to the 
account number and the routing number on a wire transfer, that 
would actually be a good deterrent.
    But I also think the education component is very important 
as well, in that all of the professions involved in real estate 
can work together, send the same message. It has to be a 
message that is being conveyed routinely, because, as you say, 
people buy a house and they may not buy another house for 
years. But providing that level of education from all of the 
professions that are involved in this process would be very, 
very helpful.
    As I mentioned before, we are at the end of the process. 
The parties that have first contact with the consumer can help 
with that process as well. For example, in January, I, along 
with the Board of Governors at ALTA, met with Director Cordray, 
and we were asking for a consumer alert to be issued. The 
Director's initial response was, how often does that really 
happen? We were telling him stories about things that have, in 
fact, happened.
    We followed up again in April. Then it wasn't until June 
that we actually had the CFPB issue a consumer alert. That is 
all we wanted to have them do. It is a difficult process.
    Mr. Trott. That is for sure. Thank you.
    Ms. Schwartz, so my friend from Georgia was quite 
articulate in how he described the ramifications to commerce, 
e-commerce in this country, given the Equifax breach. I want to 
ask a question with respect to Mission Federal. Can you say 
with 100 percent confidence that you can build a firewall that 
will protect your members' data?
    Ms. Schwartz. I don't think anybody can say with 100 
percent confidence, but I can tell you we have had 245,752 
attacks on our system through September 30th, none of which 
were successful.
    Mr. Trott. That is extraordinary. But your answer, I was 
hoping you would say that you couldn't say with 100 percent 
confidence that you could protect the data, because I think 
that is an accurate answer.
    My concern is, when we talk about notification and we are 
beating up Equifax for how poorly they handled that whole 
process, to some extent, we were really in damage control at 
that point. When we talk about a solution--and I am out of time 
here--I wonder if really we need to focus on a solution that 
changes the identification process that goes well beyond a 
Social Security number and date of birth and really makes it 
much more cumbersome for these cybercrimes to happen.
    But I will yield back. Thank you for the additional time, 
Chairman.
    Chairman Luetkemeyer. The gentleman's time has expired.
    With that, we go to the gentlelady from New York, Mrs. 
Maloney. She is recognized for 5 minutes.
    Mrs. Maloney. Thank you. I thank the chairman and ranking 
member for calling this important hearing and take this 
opportunity to welcome my former colleague and very good friend 
Ken Bentsen. We miss you. I hope you will run for Congress 
again. But, anyway, it is good to see you again.
    My question to Mr. Bentsen and actually everybody on the 
panel, as you know, last Congress, this committee considered a 
data security bill that would have created a national standard 
for data security and for breach notification procedures. I 
supported that bill because it would have subjected many more 
companies to the strong data security requirements that 
financial institutions already have, subject to the safeguards 
rule.
    But we cannot ignore the fact that Equifax was already 
subject to the safeguards rule, which is what the legislation 
would have done, yet it still suffered a massive data breach 
that affected a startling 145 million Americans. Not just today 
but for the rest of their lives, they are in threat with their 
security, their identification stolen, their Social Security 
number.
    My question to all of you is, in light of the Equifax 
breach, do you believe the safeguards rule needs to be updated 
at all to include things like encryption requirements and the 
two examples of startling mismanagement by Equifax?
    I know Ms. Schwartz was saying that you should have 
training so that you would be looking for these breaches. But 
in an unprecedented action, Equifax was notified by the 
Homeland Security Department that you will be breached: You 
will be breached in this way; take steps to protect your 
customers.
    Now, the other two companies took steps to protect their 
customers. Equifax did not. No matter how many training 
sessions you had, if someone tells you you are going to be 
breached this way and you don't correct it, training is not 
going to help you.
    The other two companies, it is my understanding--because I 
wrote them and they wrote me back and said they had these other 
safeguards--they had a system that once you told their system 
that there could be a breach in a certain way, the whole system 
closed down until you corrected it. Should Equifax be required 
to have the same updated system?
    Also, Equifax had a system that was different from the best 
practices that were put out by the safeguards rule. The best 
practices said that every firm should have an IT manager who is 
in charge of this, who is responsible. The other two firms had 
an IT manager whose sole job was to protect their customers, 
protect the system, make sure it is safe, but Equifax did not. 
They had everybody reporting to a, quote, ``general manager,'' 
who had conflicting responsibilities, such as managing the 
whole company, the general counsel, such as profits, such as 
new technologies or whatever else he was looking at. He wasn't 
focused on IT.
    Should that best practices idea that has been put out there 
be implemented in law so that people are following it? We have 
to take steps to make sure that this happens. Or do you just 
need to enforce the safeguards rule more?
    I would like to really go first to my colleague Mr. Bentsen 
and down the line. I know he has sponsored some data security 
forums that I have been privileged to attend. I would just like 
to hear your comments on what we need to do to protect this 
information. I am astounded that they were notified by the 
Homeland Security Department and they still couldn't figure out 
how to correct a breach that they were told they were going to 
get.
    Mr. Bentsen. How you describe the situation with Equifax 
would not be consistent with how the financial services 
industry approaches the issue of cyber defense, preparedness, 
and resiliency. And the industry is doing a lot on its own, 
through its own self-directed principles, in adhering to the 
NIST framework.
    Furthermore, though, our regulators will regularly look and 
see how we are complying with our cyber defenses and 
resiliency. Our concern is doing it 13 times the same way, but 
that is more of a process question.
    That would not be acceptable within our industry.
    Mrs. Maloney. Any other comments?
    Ms. Schwartz. I think examination is an important part of 
that. In the credit union industry, we receive regular 
examinations. There is not a regulatory body that routinely 
goes into any of the credit bureaus and ensures that they are 
following those best practices.
    We just completed a regulatory exam last Friday where they 
asked us to have a backup firewall to our backup site. We have 
a firewall, a backup firewall, a redundant site, and a backup 
firewall for that. I don't believe that the credit bureaus are 
subject to that same degree of scrutiny and examination.
    Chairman Luetkemeyer. The gentlelady's time--
    Mr. Mierzwinski. Could I make a brief comment?
    Chairman Luetkemeyer. Very brief.
    Mr. Mierzwinski. Very briefly, Congresswoman, the Equifax 
mess is a mess, but the solution is examination authority. I 
think it should go to the Consumer Bureau. They have all the 
rest of the authority over Equifax, but everything they did was 
wrong.
    Chairman Luetkemeyer. OK. The gentlelady's time has 
expired. We go to the gentleman from Colorado, Mr. Tipton, 
recognized for 5 minutes.
    Mr. Tipton. Thank you, Mr. Chairman, and thank the panel 
for taking the time to be able to be here. I would like to 
start with Mr. Bentsen, in your testimony you had noted that 
approximately 40 percent of cybersecurity activities were 
focused on compliance rather than security.
    How is that impacting the ability to actually address what 
I think people are concerned about, and that is actually having 
real security?
    Mr. Bentsen. That is what our member firms report to us, in 
terms of having to deal with various compliance requirements, 
exercises, and all. Again, our point is we understand the need 
for this, but it is having to do it over and over and over 
again when--and having to deploy those resources when they 
could be deployed to frontline defense and resiliency and 
recovery planning.
    Second, I would point out, which is not in my testimony, 
but industry statistics have found that there is actually a 
shortage of cyberdefense personnel in the United States. This 
is something where I think we ought to be careful how we are 
deploying our resources. That we are not overtaxing when we 
don't really need to. We can accomplish the same thing for 
different regulators because of the way the industry approaches 
the question.
    Mr. Tipton. Well and you have spoken a lot to the 
harmonization that needs to happen. Would this actually help in 
terms of harmonizing some of the policies that are going 
through the different agencies so you aren't filing duplicate 
reports to the 13 different agencies to be able to address 
that?
    Mr. Bentsen. We think so. We are talking with our 
regulators about that. Again, we are all trying to do the same 
things. We can use the same nomenclature. We can try and adhere 
to the same framework, which we think it ought to be the NIST 
framework. If you were able to have a good exam with SEC, you 
ought to have a good exam with FINRA, likewise with the OCC, or 
whoever it may be.
    Mr. Tipton. Yes. Ms. Schwartz, is that pretty much your 
experience with the credit unions as well? Are you seeing 
dollars for compliance as opposed to security?
    Ms. Schwartz. It is absolutely true. But as a credit union, 
we are in the trust business a little bit as well, well, a lot 
as well, and our reputation is very, very important. Even 
absent the regulations, absent the compliance requirements, 
most of the things we would be doing anyway, because we would 
absolutely lose our membership if they can't be 100 percent 
confident that we are protecting their secure information, 
their private information.
    Mr. Tipton. Right. A lot of the concern really is about 
having that real confidence within the system. I think, 
probably everybody can agree there will be attacks, there will be 
breaches that are going to take place.
    Mr. Bentsen, through SIFMA, you have developed a program, I 
think through your industry, the Quantum Dawn, to be able to 
identify maybe some responses, to be able to rebuild those 
databases.
    What has been something that you have learned from that?
    Mr. Bentsen. Congressman, the Quantum Dawn is an 
industrywide exercise that we do biannually, in which we simulate 
major attacks on market infrastructure, different sectors of 
the industry, with our government regulators looking over our 
shoulder. From those we learn a number of things, including 
better ways of information sharing, who you should call in the 
Government, depending on what type of account. Testing our 
playbooks and our recovery playbooks, for instance, of whether 
markets should open or close if there is a major attack on an 
infrastructure situation.
    The industry finds this very valuable. Our regulators, I 
think, find it very valuable. We have also done tabletop 
exercises with our regulators and going through different 
scenario planning. In those we have actually also come up with 
things that neither us nor the Government necessarily had 
thought about, and that has led to new initiatives that we 
think improve our resiliency.
    Mr. Tipton. Speaking to that, would you maybe speak a 
little bit to the Sheltered Harbor?
    Mr. Bentsen. The Sheltered Harbor is an initiative that 
came out of what is known as the Hamilton Exercises, which is a 
Treasury-led effort with the industry and the Government. 
Sheltered Harbor is an industry-led effort that SIFMA as well 
as the ABA, the FSR, the Clearinghouse, and a number of other 
industry participants and vendors participate in. It is now 
housed under the FS-ISAC.
    The idea here is if there is a major attack on a banker, 
broker, dealer, and all of their data is wiped out, and they 
are not able to stand back up. Are you able to recreate end of 
day balances from the day prior--and bring that up through a 
vendor or another institution. It is done through establishing 
a protocol that firms would adhere to. We are currently at 
about 70 percent of the bank retail deposits participating in 
the process, and about 50 percent--or 60 percent of broker 
dealer retail accounts.
    The idea is, again, to be able to go back through encrypted 
offline protocol that then could be reestablished. Again, it 
goes back to the question of confidence in the system in trying 
to solve that. That came out of our exercises. We didn't have a 
mechanism in place so now we are trying to create it.
    Mr. Tipton. Great. Well thank you. My time has expired, Mr. 
Chairman.
    Chairman Luetkemeyer. The gentleman's time has expired. 
With that, we go to the gentleman from Tennessee, Mr. Kustoff, 
you are recognized for 5 minutes.
    Mr. Kustoff. Thank you, Mr. Chairman. Thank you to the 
witnesses for being here this afternoon. Mr. Mennenoh, if we 
could, I know in your testimony you discussed the rapid 
increase in criminal attempts, almost--I think you said almost 
500 percent--480 percent.
    Mr. Mennenoh. Yes.
    Mr. Kustoff. To steal customers' closing funds. In response 
to Mr. Trott, you talked about, in your testimony and in 
relation to his questions, education of the consumer. Could you 
also address, from a closer standpoint, a title company's 
standpoint, what best practices a typical closer or title 
company has implemented to protect customers' funds?
    Mr. Mennenoh. Yes. Absolutely. First of all, we use 
encrypted email when we communicate with our consumers. We also 
have secure platforms where we can exchange information with 
our customers on a transaction. In terms of actually protecting 
the funds and what we do, our escrow trust accounts we have 
many security measures in place to make sure that anything that 
goes through there is watched very closely.
    Most of our members do a three-way daily reconciliation of 
the account. We are reconciling our account every single day to 
make sure we see what activity is going through. We use 
Positive Pay for our checks. When we have an outgoing wire, we 
have a two-step authentication process. Once it reaches a 
certain level, there is a three-step process. To make sure that 
everything is being done, the wire instructions are correct, it 
is going to the right place. We take a number of steps like 
that to make sure that we are protecting the funds.
    Mr. Kustoff. Some of the practices you have described, are 
those recommended by the American Land Title Association?
    Mr. Mennenoh. Those are included in the ALTA best 
practices. Yes.
    Mr. Kustoff. Do you have an opinion or would you have any 
knowledge what percentage of ALTA members follow those best 
practices?
    Mr. Mennenoh. Honestly, I don't have a number for you. In 
traveling around the country, I can tell you that a lot of our 
members who are actively engaged in their State association or 
national association have implemented the best practices. But I 
don't have a number for you.
    Mr. Kustoff. Again, I understand you don't have a number. 
For those entities that maybe have not adopted those best 
practices standards, would the issue be cost, that is my first 
question. Can you elaborate on the difference between costs 
associated with cybersecurity for a small company and for a 
medium and large-sized company?
    Mr. Mennenoh. Certainly. Yes. Cost is certainly an issue. 
It is costly to implement these things, particularly for a 
small company. Implementing these types of security measures is 
a good example, for my company, the amount of fees that we pay 
to our bank is in the tens of thousands of dollars per year to 
implement these various procedures and protections that we have 
in place just with the bank. It is a cost issue, and for small 
companies that is a big problem. But many of our members who 
are very responsible and want to do the right thing are very 
inadvertent.
    Mr. Kustoff. Thank you. Ms. Schwartz, if I could. The 
collaborative efforts that have to be undertaken, if you will, 
by the financial sector and by law enforcement is incredibly 
important, I think we would all agree, in preventing and 
mitigating the risk that these cyber attacks pose.
    In the event of a cyber attack, how quickly would your 
institution engage with law enforcement?
    Ms. Schwartz. Happily, my institution has not been the 
victim directly of a cyber attack. We have had--our members 
have been the victim from data breaches that have happened at 
the merchant level. We, would of course, cooperate fully should 
that unfortunate event happen. But we have DDoS protection, and 
we haven't had any direct attacks since 2015.
    Mr. Kustoff. In those institutions, those members that 
would have attacks, are there law enforcement agencies that 
they typically go to, are they Federal, State, local? Who do 
they reach out to first and how do they collaborate?
    Ms. Schwartz. For our members, they would reach out to us, 
to say, What should we do? We would put everything in place we 
could to protect them, whether it is the reissuance of cards, 
putting notification of fraud alerts on their accounts, best 
practices, webinars, telling them how they can put a freeze on 
their account through the credit bureaus.
    Typically, because we cover the losses, as a financial 
institution, they are less concerned with reaching out, 
frankly, to law enforcement because we have covered them from 
those losses.
    Mr. Kustoff. Thank you. My time is expired. Thank you, Mr. 
Chairman.
    Chairman Luetkemeyer. The gentleman's time has expired. Now 
we go to the gentleman from Kentucky, chairman of the Monetary 
Policy Subcommittee, Mr. Barr, recognized for 5 minutes.
    Mr. Barr. Thank you, Mr. Chairman. Thank you for holding 
this very important hearing. I hear very regularly from both 
retailers and the merchant community back in Kentucky, in 
addition to community financial institutions that serve 
consumers in central and eastern Kentucky, about the problem of 
data security, of course, the Equifax breach is a warning to us 
all that this is a very large scope problem.
    As we marked up the legislation last year to attempt to 
address this problem, the Carney/Neugebauer legislation, we got 
different competing stories from the various different actors 
that would be affected by this. I kind of want to unpack all of 
that discussion here.
    A community bank in Kentucky has told me that they have 
increased spending significantly over the last 18 months on 
data security. Why? Because they have seen the number of 
account take-overs triple. Meaning, scammers, through the use 
of personally identifiable information and security questions 
data try to gain access to an account by calling the bank and 
asking for addresses to be changed and new debit cards to be 
ordered. Et cetera.
    These same community banks and credit unions tell me that 
they are spending a whole lot of money dealing with the fraud 
and reissuance of cards. What they talk about is the weakest 
link in the data security system. My first question to Ms. 
Schwartz is where do you view the weakest link to be?
    Ms. Schwartz. In the payment market, they are absolutely 
right. The weakest link is where the criminals are going to go, 
and frankly, it is at the merchant level at this point. Mission 
Fed spent over a million dollars in 2017 for data security. 
Many of the merchants have little or no protocol in place for 
things as simple as getting rid of old data or shredding or 
virus protection. It doesn't have to cost a million dollars. 
There is basic financial hygiene, if you will, that can be 
implemented at a reasonable cost, no matter what your size.
    Again, going back to Gramm-Leach-Bliley, as a scalable and 
flexible rule that does provide a nice framework for protecting 
important consumer privacy data, financial data.
    Mr. Barr. Now, what would you say, Ms. Schwartz, to the 
kind of response from the merchant community that the breach 
notification legislation that we voted for in the last Congress 
would subject retailers to stringent bank-style security rules, 
whereas, banks or credit unions would be subject only to 
discretionary guidance?
    Ms. Schwartz. I don't think it is discretionary for us. It 
is our reputation. We are responsible, on the hook monetarily, 
and we are very, very heavily regulated. I think H.R. 2205, 
which I believe is what you are referring to, did a very nice 
job at providing a level playing field, because again, if you 
don't have the standards throughout the whole payment systems 
infrastructure, the criminals are going to find the weakest 
link.
    Mr. Barr. Yes, I think, so community financial institutions 
in my district also would say that Regulation E forces them to 
pay when their customers are harmed, even though it is not 
their fault, when it is the fault of some other party. That is 
very understandable anxiety for those folks.
    But let me just kind of continue to try to unpack this, 
because the merchant community will say that small businesses 
simply don't pose the same kind of risk because they are only 
dealing with a small category of vulnerabilities, namely, 
credit card information, not a range of other kinds of 
sensitive information.
    What would you say in response to that?
    Ms. Schwartz. I would say in 2017 until the end of 
September, at my credit union alone, we have had 14,500 cases 
of reported fraud, costing us $1.7 million, money that could 
have been better spent serving our members.
    Again, basic financial hygiene of protecting sensitive 
data, updating virus protection, does not seem like an 
unreasonable standard for those merchants to have to follow in 
return for having a good business practice, a good name.
    Mr. Barr. Yes. I am very sympathetic to your point of view, 
at the same time, I want to figure out a way forward, 
especially with those small businesses that are pushing back. 
Any help that you all can give us in terms of working with the 
merchant community to come--to work through these issues would 
be appreciated, because we clearly need a solution. I think all 
parties, to their credit, have supported passage of some kind 
of Federal data breach notification law to replace the existing 
patchwork.
    I have run out of time so I will yield back.
    Chairman Luetkemeyer. The gentleman's time has expired. 
With that, we go to the gentleman from Georgia, Mr. Loudermilk, 
he is recognized for 5 minutes.
    Mr. Loudermilk. Thank you, Mr. Chairman. I appreciate the 
panel being here. This is--being in the IT arena for 30 years, 
and 20 of that in the private sector, and prior to that being 
in the intelligence community, security is something that has 
been a grave concern of mine over the years, especially when I 
have been in Congress. It is something that we are going to be 
continually chasing.
    One of the things that I emphasized on the businesses that 
I served in the IT industry, most of them small, medium size 
businesses, is it is impossible to protect yourself from a 
hack, from an intruder. The idea is, you make yourself a harder 
target than the other guy. That is sort of like the story of 
the two Georgians who went hiking in Alaska, one of them took a 
.357 Magnum, the other took a pair of tennis shoes because they 
were afraid of bears. The guy with the gun said, you can't 
outrun a bear, why are you taking those? He said, I don't have 
to outrun the bear, I just have to outrun you.
    That is really the idea that cybersecurity is making 
yourself a harder target than the risk that you propose. The 
other aspect of that is something that we held when I was in 
the intelligence community when it came to security is that you 
don't have to protect what you don't have. It deals with data 
retention, which Ms. Schwartz indicated earlier, especially 
with small businesses, is the amount of data that you are 
keeping. If you don't need it, you need to destroy it, which 
leads to an area that I have begun looking into.
    I think that we, the Government, create a security issue 
ourselves by the regulations that we impose upon, especially 
the financial services industry, making these businesses obtain 
and maintain information for long periods of time that they 
really don't need.
    Ms. Schwartz, can you opine in this? Is there data in 
credit unions, and especially small banks, that we require you 
to get that you wouldn't obtain, except for the Government is 
telling you to keep it?
    Ms. Schwartz. I am not going to argue with the fact that we 
have to maintain and submit an awful lot of data to our 
regulators. When we do a mortgage, in particular, there is more 
and more data points that are being collected and provided. 
That is absolutely true. It has exponentially increased over 
the years as to how much we need to maintain, retain, and 
provide.
    Mr. Loudermilk. OK. Mr. Bentsen?
    Mr. Bentsen. It is a very good question. A lot of data 
collected and held for regulatory mandates and submitted to our 
regulators is with no malintent, it was part of the process. 
But as we moved into this age, it is really something that we 
really need to think about. It is part of our principles as 
well, do you need it in the first place? How long do you need 
it? Who should have access to it? When you don't need it, how 
do you get rid of it so you eliminate the target in that 
response? That is my point with Consolidated Audit Trail, which 
is something that was not designed to capture PII, but does in 
the current design. It is designed to monitor market activity. 
You are creating this massive database with a lot of sensitive 
PII in there. The question needs to be asked, just like the 
industry asks itself, do we need that to accomplish the 
underlying goal?
    Mr. Loudermilk. Exactly. Mr. Mennenoh?
    Mr. Mennenoh. A very simple example is many, many years ago 
the title industry was required by a regulation to collect 
information for the issuance of 1099s on real estate 
transactions. That means that we have to collect Social 
Security numbers so that we are effectively the watch dog for 
this, for the IRS, and this is something we have been forced 
into doing and we have to maintain that to prove that we have 
done what we are supposed to.
    Mr. Loudermilk. I am also a member of the Science, Space 
and Technology Committee, and we have been looking into 
cybersecurity risks for 3 years I have been in Congress. I 
asked the Inspector General, not long after the OPM data 
breach, if you would rate the Federal Government's ability to 
protect data, our cybersecurity preparedness, on a simply 
elementary school rating system, what would you rate the 
Federal Government? His answer was a D minus. He said, it was 
only because of the minimal changes that were made in OPM, I am 
not giving it an F. But, yet, we are continually having to 
provide to the Federal Government massive amounts of data on 
your customers.
    That is why I keep addressing this is--maybe one of the 
theories we need to address that area of--the amount of data 
that you are required to obtain and maintain.
    One last question. I see I am running out of time, Mr. 
Chairman, so I will yield back. Thank you.
    Chairman Luetkemeyer. The gentleman yields back. With that, 
we will go to the gentlelady from New York, Ms. Tenney, is 
recognized for 5 minutes.
    Ms. Tenney. Thank you, Mr. Chairman and thank you panel. 
This is a complex issue, and actually, I am not sure who to 
address these questions to. I was a former member of the New 
York State Assembly, and as we--I don't think it was the wisest 
move, our Governor decided to consolidate our insurance and 
banking industries into one big institution, Government 
institution, and then obligated many of our banks and our 
institutions to provide data, much like Mr. Mennenoh was 
talking about with the 1099 data for real estate closings.
    I attended a cybersecurity event where a cybersecurity 
expert said, the worst place to reserve your data is in a 
Government entity. It is safer and better in banking 
institutions and financial institutions. As Ms. Schwartz cited, 
your reputation is on the line, and the incentive for you to 
protect that and be competitive in the marketplace is certainly 
much greater than Governments.
    I know we are trying to get to the bottom of this. But 
toward that end, and I will address this to Ms. Schwartz 
initially. Can you tell us some way that we can help in 
Congress to minimize your--the requirement that you come up 
with data--extra data turned over to Government with 
confidential information, with some other way that you can 
protect it, and we can know with assurances that without that 
data getting into the stream, how can we protect it in some 
way?
    Ms. Schwartz. I think much of the data is requested with 
the best of intentions.
    Ms. Tenney. Exactly. We know they are good intentions, but 
getting hacked is certainly by somebody without good 
intentions.
    Ms. Schwartz. But we are very heavily regulated, very 
heavily examined. Most of the data would be available at 
examination time, without needing to be transmitted on a loan 
by loan or account by account basis. Other than--
    Ms. Tenney. You are suggesting that instead of turning the 
data over, as is sometimes required by say New York State, it 
would be sampling of data, as opposed to a full turnover of 
data.
    Ms. Schwartz. Or it could be a full turnover of data when 
the examiners are onsite. They can look at anything they 
want while they are onsite without having to electronically 
transmit it.
    Ms. Tenney. That sounds like a great option. I appreciate 
it. Mr. Mennenoh or Mr. Bentsen, would you like to comment or--
    Mr. Bentsen. I agree with that. A situation we have now is 
about what is known as penetration testing, and this is 
something that firms do to test their own defense system, and 
they may do it with their own teams, or they may bring in an 
outside vendor to do it. Certain regulators in the U.S. and 
around the globe have wanted to create a mandate around using 
third party vendors, and the industry has become concerned, 
because in doing this you are kind of giving the keys to the 
castle to an outside party.
    Then in reporting to our regulators, if you have to report 
the whole road map, you are handing the keys over, again, to an 
outside party. We completely agree from the standpoint of, come 
in, sit down, look at the data, we will walk you through it, 
you can tell us what you don't like, or what you want us to 
change, but let's be very careful about spreading that all over 
the place, again, with the best of intent. Let's not create 
targets unnecessarily.
    Ms. Tenney. I appreciate that. Maybe you could comment--I 
agree a hundred percent. I think that, obviously, Government is 
well-intentioned, but it is unpredictable. The people in power 
change, the people in positions change, and so you have--it 
seems to me the data is just drifting across unsafe and 
unsecure regions. But maybe you can comment on that as well, 
Mr. Mennenoh.
    Mr. Mennenoh. I would agree that it is--we are being asked 
for information, certainly more frequently. Many States in our 
industry are regulated, they do have audits and those things 
that are being done. Certainly, an onsite audit of paper is a 
lot easier to secure than a digital audit that is being sent 
all over the place. It is troubling.
    Ms. Tenney. Thank you very much. I appreciate your 
testimony. I yield my time back. Thanks so much.
    Chairman Luetkemeyer. The gentlelady yields back. We will 
now go to the gentleman from California, Mr. Royce.
    Mr. Royce. Chairman, thank you. Thank you very much. I 
thank the panel here. I was looking through my notes, and every 
2 years, like clockwork here, we hold a hearing and it follows 
always a major breach in consumer data by a U.S. company. Here 
we are again, and the massive Equifax breach exposed the 
personal information of 150 million consumers. Before that we 
had Anthem, we had Yahoo, we had Home Depot, and of course, 
Target, and even the Federal Government's Office of Personnel 
Management, as the Chairman of Homeland Security reminds me, 
since his data was stolen.
    These breaches have made the headlines, and then the 
hearings follow, and then, of course, outside of Gramm-Leach-
Bliley, we have failed to pass legislation into law that puts 
in place national standards for data protection and national 
standards for breach notification. We have failed to do that on 
our part here.
    To be very clear, the Committee has acted, this Committee 
has acted repeatedly. We have passed legislation over and over 
again. But it is high time that we put any policy differences 
aside and enact a law that serves the American people. I know 
the chairman--I want you to know, Chairman, I stand ready to 
work with you. I suspect you will be the author of the bill. To 
do this, we have to convince our colleagues as we move it out 
of committee, which certainly you will, to take this seriously 
with respect to getting it over in the Senate, and then things 
will become more complicated. But we have to convince the 
Senators to move this legislation as well.
    I would like to ask Ms. Schwartz a question. Community 
financial institutions are often the face of data breach for 
your customer, although not necessarily the cause. In your 
testimony you cite a July 2017 NAFCU member survey. The 
estimated cost of data breaches in 2016 was $400,000 per credit 
union.
    Credit unions in California have been very hard hit. The 
Target breach cost the Credit Union of Southern California 
$35,000. The Home Depot breach cost Schools First Federal 
Credit Union in my area, they are in Orange County, $700,000, 
with a 65 percent increase in card fraud. Coast Hills Credit 
Union watched $100,000 in fraud hit their system in 5 minutes 
because of that same breach.
    Do these numbers ring true for your credit union in San 
Diego as well?
    Ms. Schwartz. Sadly, absolutely. In 2017, we had 14,500 
separate reported cases of fraud. It has cost my credit union 
$1.7 million so far this year. The holiday season is typically 
also a fraud season, so we expect to see more. Over $6 million 
since 2003 in fraud losses.
    Mr. Royce. Six million for your membership. How much 
reimbursement of your costs is covered by contracts with 
vendors and payments networks?
    Ms. Schwartz. Pennies on the dollar. The fraud losses I 
mentioned are simply the hard costs. There is also staff costs. 
The cost of us implementing security measures. The cost of 
educating our members, educating our employees. There is both 
the hard dollar costs and the soft costs. The remuneration is 
minimal.
    Mr. Royce. Do you think there is a better way to allocate 
financial responsibility for breaches in order to incentivize 
companies to better secure data?
    Ms. Schwartz. Absolutely. We very much support a level 
playing field. H.R. 2205, which was introduced in the 114th 
Congress, provided that. Gramm-Leach-Bliley is a dynamic, 
scalable, flexible tool that should apply to the largest and 
the smallest. It applies to small credit unions; it could apply 
to small merchants.
    Mr. Royce. Let me get a quick question in here for Ken, if 
I could. As I mentioned in my opening, failures in 
cybersecurity systems have occurred in the private sector and 
in the Government--within the Government. Representing an 
industry that shares an enormous amount of sensitive customer 
data with regulators and other agencies, do you feel the 
Government is doing enough to shore up its own systems to 
protect against cyber attacks?
    Mr. Bentsen. Thank you for the question, Congressman. This 
is an ever-growing threat. I think the Government increasingly 
understands that, and we are engaged in dialog with our 
regulators about how we protect the data when we hold it, and 
the best practices that we use. The Treasury has been leading 
an effort to look at how they protect the data that they 
collect. This is an emerging issue that I think has gotten the 
spotlight with everything going on.
    Mr. Royce. Thank you. Thank you, Mr. Chairman.
    Chairman Luetkemeyer. The gentleman's time has expired. 
With that, we go to the gentlelady from Utah, Mrs. Love, who is 
recognized for 5 minutes.
    Mrs. Love. Thank you. Thank you for being here. I have a 
question that I want to address. Ms. Schwartz, you mentioned in 
your testimony that credit unions are often left cleaning up the 
mess when another institution suffers a data breach, 
institutions such as retailers that aren't subject to a data 
security structure like Gramm-Leach-Bliley. You have 
written this in your testimony.
    Could you summarize for me what that mess looks like for 
credit unions like yours, and what kind of costs are involved 
in that?
    Ms. Schwartz. To scale it--my credit union has issued about 
280,000 credit cards to our members. Over the past few years we 
have reissued 146,000. A significant number of our members have 
been impacted, some more than once, many more than once.
    Mrs. Love. Right.
    Ms. Schwartz. They don't always understand where the breach 
happened, most particularly because often we can't tell them 
where the breach happened. They tend to think that the 
financial institution is the responsible party, when we have 
not been.
    Mrs. Love. When you are reissuing over half, what does that 
cost look like?
    Ms. Schwartz. Just for fraud itself was $1.7 million for us 
so far this year, through September 30. We anticipate it will 
be well over $2 million just for the fraud occurrences. 
Reissuance of the cards depends on the type of card and whether 
the PIN was compromised. It ranges between $2 to $6 per PIN, 
just for the hard cost. Then, of course, there is the soft cost 
of answering all of those member questions.
    Mrs. Love. Right. OK. Are you able to break down those 
numbers by different types of breaches, such as by source?
    Ms. Schwartz. If it is a huge breach, we will typically go 
back and take a look and be able to determine. Oftentimes, 
because there are so many different cases, with 1,400 different 
breaches it is not practical for us to spend staff time to try 
and tie back every single bit. We are financially responsible to 
the members, we reimburse them, and then we move on to the 
next.
    Mrs. Love. OK. You also mentioned that one of the 
vulnerabilities in sectors beyond bank and credit unions is 
lack of examination for compliance with data security 
standards. You specifically mentioned that credit bureaus, like 
Equifax, are not examined for compliance with the GLBA. How big 
of an impact do you think this makes, and how should compliance 
be ensured?
    Ms. Schwartz. I think it clearly makes a huge difference. 
If they had followed the Gramm-Leach-Bliley Act requirements, 
it is very possible the breach wouldn't have happened. The 
patch would have occurred in a more timely manner and the 
opportunity for the fraudsters to gather that data simply would 
not have been there. Absent a regulatory examination to ensure 
compliance, I don't think it happens.
    Mrs. Love. Would it be fair to say that if institutions or 
the credit bureaus, like Equifax, had as much skin in the game, 
in other words, if they were held responsible financially for 
these breaches, that you would see fewer of these things 
happening?
    Ms. Schwartz. No question.
    Mrs. Love. OK. I have a few more minutes. There was a part 
where you pointed out in your testimony that the breach may 
never come to fruition if an entity handles sensitive 
information, limits the amount of data collected on the front-
end and is diligent in not storing sensitive personal data and 
financial data in their own systems.
    Do your consumers even know, for example, if they are 
sitting at their computers shopping online, what happens to 
their data, especially the data that they are being asked to 
supply?
    Ms. Schwartz. I think consumers are becoming more educated 
on this, but I think they are more concerned with the 
transaction than what is happening behind it. I am sure that 
they don't realize that many merchants can store that data for 
an unlimited period of time, even though they might not have 
shopped at a certain merchant, that data is going to linger out 
there forever.
    Mrs. Love. In other words, sitting at their computer, they 
probably feel like there is some vulnerability there, but they 
have no idea that the vulnerability lingers way past the time 
that they are actually sitting on the computer.
    Ms. Schwartz. Exactly.
    Mrs. Love. Over 1.4 million Utahans were affected by the 
Equifax breach, and as information is growing and changing, it 
is something that is incredibly concerning. I think that this 
is an example of how we need to have institutions that are 
holding onto this data have some skin in the game, that they 
know that they are absolutely responsible for those breaches, 
also. I think that where a lot of responsibility is given, you 
have to make sure that you take care of that responsibility 
carefully. Thank you for your testimony.
    Chairman Luetkemeyer. The gentlelady's time has expired. 
With that, we go to the gentleman from North Carolina, Mr. 
Pittenger, who is recognized for 5 minutes.
    Mr. Pittenger. Thank you, Mr. Luetkemeyer, for hosting this 
hearing. I really appreciate each of you all being with us 
today, your input is extremely valuable.
    In North Carolina we have had a significant impact, with 1.1 
million North Carolinians' personal data stolen in various 
security breaches since 2015, up from 300,000 in 2014. The 
Equifax breach had an impact on 5 million North Carolinians. It 
is a clear indication of the concerns that we have with data and 
security concerns, as well as congressional action that needs 
to be provided.
    With that in mind, I would like to ask you, Mr. Bentsen. In 
your own statement you referenced that we need to have a 
combination of activities that relies on strong defenses, 
information sharing, mitigation, and recovery planning.
    To the point of information sharing, Mr. Mierzwinski 
conveyed that you cannot bifurcate data sharing and privacy 
issues. How would we mitigate the privacy concerns with the 
need that we truly do have for greater data sharing?
    Mr. Bentsen. That is a very good question. We are 
interested in information sharing, not only with the industry 
being able to share with the Government, the Government being 
able to share with the industry when there is a certain attack, 
but also to be able to share not data as much as sharing the 
types of attacks that are occurring across the sector.
    Mr. Loudermilk talked about this in the past, one of my 
defenses is having somebody else get attacked so they are not 
coming after me. What we have tried to do in the financial 
services industry is to be able to spread the information 
across the sector quickly if a certain type of attack is 
occurring so that others can recheck their defenses against 
that or their resiliency efforts against it. We think that is 
really important.
    At the same time, the industry feels very strongly, not 
only about our legal obligation with respect to protection of 
privacy, but as Ms. Schwartz says, our reputational obligation 
to our clients. It is a highly competitive industry, and if we 
are viewed as not protecting our clients' data, they are going 
to go somewhere else. It is a spot-on question.
    Mr. Pittenger. Recognizing this need, how would you frame 
legislation? How would you advise us to address this concern?
    Mr. Bentsen. We were not part of the legislation referenced 
from the 114th Congress, and obviously, you have parties on all 
sides who have--or interests on all sides who have legitimate 
concerns about that. Data breaches are just one component of 
this, but it is a huge component. It maybe has the biggest 
retail aspect in some respects, and a huge market failure would 
have a huge retail impact as well.
    This is an emerging issue that is only going to get worse. 
It is not going to get better. It is something where 
policymakers, such as Congress, are really going to have to dig 
in and bring the parties together, and by that, the interests--
political parties perhaps as well, but the interests together 
to really see how can we look into the future, because we are 
also going to see technology use increase. Technology is a good 
thing, it has improved efficiencies in the economy, it is only 
going to do more of that. But it is going to create new risk, 
and we need to be in front of those going forward.
    Mr. Pittenger. Thank you. Mr. Mennenoh, you stated in your 
remarks that policymakers should consider better ways to use 
both the SAR reports and IC3 data to better detect accounts 
used by these criminals.
    Give us some examples of better ways that we should be 
employing?
    Mr. Mennenoh. That is a good question. I don't know that I 
have a clear answer for you on that without having the staff 
help me with that. But, certainly, I would say being able to 
provide information to all of the parties in the real estate 
transaction, the different industries that are involved in 
terms of where these problems occur, how they occur, and the 
warning signs, if you will, to detect them, to try to prevent 
them. I don't know that I can help you further than that.
    Mr. Pittenger. Ms. Schwartz, quickly, you stated that 
Congress needs to modernize data security laws to reflect the 
complexity of the current environment, and insist that entities 
collecting and storing personal financial information adhere to 
a strong Federal standard in this regard.
    How would you modernize those laws?
    Ms. Schwartz. I think Gramm-Leach-Bliley does provide a 
good model because it is scalable and flexible. I think it can 
apply to small and large, and it provides some basic guidelines 
that ensure sound practices.
    Mr. Pittenger. Thank you. My time has expired.
    Chairman Luetkemeyer. The gentleman's time has expired, and 
we are out of questioners. All of you on the panel are freed up 
here at this moment. Thank you for being here today.
    Just a few closing thoughts. We are a very data driven 
society. I am a big baseball fan. Even data drives the baseball 
games. I have been watching the World Series, and they talk 
about this batter can hit this pitch in this area and you have 
shifts on the defense to where you go, and they match up 
pitchers between the batters. It is all back to data, data, 
data, which is great to a certain extent.
    But I think, Mr. Bentsen, your last comment there was very 
succinct when you say, with all this data come new risks, and 
how do we protect ourselves against those risks. I think that 
is what we are concerned about today, as we see these breaches 
continue. The gentleman from California a minute ago, Mr. 
Royce, said, here we are again. Here we are again.
    We have to figure out how to put some solutions on these 
problems, and hopefully your information today will help us. I 
think we need to look at notification. To me, that is a big 
issue. How do you make sure that the public, whose information 
that you as a business--or Government have, how do you notify 
them when you have been breached so that there is a level of 
trust there, so that you can give those folks notice that they 
can get themselves in a position where they can protect 
themselves.
    Who assumes the liability whenever there is a breach? To 
me, that is a big question. I think Mr. Barr asked that 
question a while ago. We need to figure out where that stands, 
because I can tell you there are some businesses, I think, one 
of them, I think maybe it was Andy here a minute ago, made the 
same comment with regard to businesses that, through no fault 
of their own, are paying thousands and thousands of 
dollars as a result of breaches. This has to go back to the 
entities that caused the problem, and they have to be held 
accountable.
    We are looking for help, we are looking for answers. We are 
going to continue to work with you on these issues. We 
certainly appreciate your being here today and all of your 
input, and again, as I said, welcome your input back to us on 
other concerns or questions that may have come up during the 
discussion.
    The Chair notes that some Members may have additional 
questions for this panel, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 5 legislative days for Members to submit written questions 
to these witnesses and to place their responses in the record. 
Also, without objection, Members will have 5 legislative days 
to submit extraneous materials to the Chair for inclusion in 
the record.
    [Whereupon, at 3:45 p.m., the subcommittee was adjourned.]


                            A P P E N D I X



                            November 1, 2017
                            
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]