<html>
<title>DATA SECURITY: VULNERABILITIES AND OPPORTUNITIES FOR IMPROVEMENT</title>
<body><pre>[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


                   DATA SECURITY: VULNERABILITIES AND
                     OPPORTUNITIES FOR IMPROVEMENT

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON FINANCIAL INSTITUTIONS
                          AND CONSUMER CREDIT

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            NOVEMBER 1, 2017

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 115-52


                               __________


                     U.S. GOVERNMENT PUBLISHING OFFICE
30-771 PDF                  WASHINGTON : 2018

 -----------------------------------------------------------------------------------
 For sale by the Superintendent of Documents, U.S. Government Publishing Office,
 http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
 U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com.



                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    JEB HENSARLING, Texas, Chairman

PATRICK T. McHENRY, North Carolina,  MAXINE WATERS, California, Ranking
    Vice Chairman                        Member
PETER T. KING, New York              CAROLYN B. MALONEY, New York
EDWARD R. ROYCE, California          NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma             BRAD SHERMAN, California
STEVAN PEARCE, New Mexico            GREGORY W. MEEKS, New York
BILL POSEY, Florida                  MICHAEL E. CAPUANO, Massachusetts
BLAINE LUETKEMEYER, Missouri         WM. LACY CLAY, Missouri
BILL HUIZENGA, Michigan              STEPHEN F. LYNCH, Massachusetts
SEAN P. DUFFY, Wisconsin             DAVID SCOTT, Georgia
STEVE STIVERS, Ohio                  AL GREEN, Texas
RANDY HULTGREN, Illinois             EMANUEL CLEAVER, Missouri
DENNIS A. ROSS, Florida              GWEN MOORE, Wisconsin
ROBERT PITTENGER, North Carolina     KEITH ELLISON, Minnesota
ANN WAGNER, Missouri                 ED PERLMUTTER, Colorado
ANDY BARR, Kentucky                  JAMES A. HIMES, Connecticut
KEITH J. ROTHFUS, Pennsylvania       BILL FOSTER, Illinois
LUKE MESSER, Indiana                 DANIEL T. KILDEE, Michigan
SCOTT TIPTON, Colorado               JOHN K. DELANEY, Maryland
ROGER WILLIAMS, Texas                KYRSTEN SINEMA, Arizona
BRUCE POLIQUIN, Maine                JOYCE BEATTY, Ohio
MIA LOVE, Utah                       DENNY HECK, Washington
FRENCH HILL, Arkansas                JUAN VARGAS, California
TOM EMMER, Minnesota                 JOSH GOTTHEIMER, New Jersey
LEE M. ZELDIN, New York              VICENTE GONZALEZ, Texas
DAVID A. TROTT, Michigan             CHARLIE CRIST, Florida
BARRY LOUDERMILK, Georgia            RUBEN KIHUEN, Nevada
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana

                  Kirsten Sutton Mork, Staff Director
       Subcommittee on Financial Institutions and Consumer Credit

                 BLAINE LUETKEMEYER, Missouri, Chairman

KEITH J. ROTHFUS, Pennsylvania,      WM. LACY CLAY, Missouri, Ranking
    Vice Chairman                        Member
EDWARD R. ROYCE, California          CAROLYN B. MALONEY, New York
FRANK D. LUCAS, Oklahoma             GREGORY W. MEEKS, New York
BILL POSEY, Florida                  DAVID SCOTT, Georgia
DENNIS A. ROSS, Florida              NYDIA M. VELAZQUEZ, New York
ROBERT PITTENGER, North Carolina     AL GREEN, Texas
ANDY BARR, Kentucky                  KEITH ELLISON, Minnesota
SCOTT TIPTON, Colorado               MICHAEL E. CAPUANO, Massachusetts
ROGER WILLIAMS, Texas                DENNY HECK, Washington
MIA LOVE, Utah                       GWEN MOORE, Wisconsin
DAVID A. TROTT, Michigan             CHARLIE CRIST, Florida
BARRY LOUDERMILK, Georgia
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York


                            C O N T E N T S

                              ----------
                                                                   Page
Hearing held on:
    November 1, 2017.............................................     1
Appendix:
    November 1, 2017.............................................    35

                               WITNESSES
                      Wednesday, November 1, 2017

Bentsen, Hon. Kenneth, Jr., President and Chief Executive
  Officer, Securities Industry and Financial Markets Association.     3
Mennenoh, Daniel, ITP, NTP, President, H.B. Wilkinson Title
  Company, on behalf of the American Land Title Association......     5
Mierzwinski, Edmund, Consumer Program Director, U.S. Public
  Interest Research Group........................................     6
Schwartz, Debra, President and Chief Executive Officer, Mission
  Federal Credit Union, on behalf of the National Association of
  Federally-Insured Credit Unions................................     8

                                APPENDIX

Prepared statements:
    Bentsen, Hon. Kenneth, Jr....................................    36
    Mennenoh, Daniel.............................................    50
    Mierzwinski, Edmund..........................................    61
    Schwartz, Debra..............................................    78

              Additional Material Submitted for the Record

Luetkemeyer, Hon. Blaine:
    Written statement of the Food Marketing Institute............   105
    Written statement of the Independent Community Bankers of
      America....................................................   107
    Written statement of the American Bankers Association, the
      Consumer Bankers Association, the Credit Union National
      Association, the Financial Services Roundtable, the
      Independent Community Bankers of America, the National
      Association of Federally-Insured Credit Unions, and The
      Clearing House.............................................   109


                     DATA SECURITY: VULNERABILITIES
                   AND OPPORTUNITIES FOR IMPROVEMENT

                              ----------


                      Wednesday, November 1, 2017

             U.S. House of Representatives,
             Subcommittee on Financial Institutions
                               and Consumer Credit,
                           Committee on Financial Services,
                                                   Washington, D.C.

    The subcommittee met, pursuant to notice, at 2:02 p.m., in
room 2128, Rayburn House Office Building, Hon. Blaine
Luetkemeyer [chairman of the subcommittee] presiding.
    Present: Representatives Luetkemeyer, Rothfus, Royce,
Lucas, Ross, Pittenger, Barr, Tipton, Williams, Love, Trott,
Loudermilk, Kustoff, Tenney, Clay, Maloney, Scott, and Crist.
    Chairman Luetkemeyer. The committee will come to order.
    Without objection, the chair is authorized to declare a
recess of the committee at any time.
    This hearing is entitled ``Data Security: Vulnerabilities
and Opportunities for Improvement.''
    Before we begin, I would like to thank the witnesses for
appearing today. We appreciate your participation and look
forward to a productive discussion.
    I now recognize myself for 3 minutes for purposes of
delivering an opening statement.
    More than 15 million Americans were victims of cyber fraud
or identity theft last year. The number of those impacted in
2017 could be significantly more, depending on the damage
caused by the Equifax breach. While data security has been a
hot topic since that breach, Equifax isn't where the problem
started, and if we don't act, it isn't where the problem will
end.
    Year after year, consumers deal with compromised personally
identifiable information resulting from breaches in financial
companies, retailers, insurance providers, and even the Federal
Government. The list goes on and on.
    This type of fraud can strike at any point, leaving no
consumer immune to its effects. Financial firms face attempted
breaches every single day, sometimes hundreds of attempts a
day. Each attack seems to be more dangerous and more advanced
than the last, and while the good guys have to be right every
time, the bad guys only have to be right once.
    Data security has turned into a crisis, and the American
people deserve better. As in any crisis, every aspect of data
security should be examined. That includes having an honest
conversation about the regulatory regime governing these
breaches. The question is, does it adequately safeguard
consumer data? Does it provide flexibility for companies to
innovate, or do they spend too much time and energy trying to
comply with State and Federal requirements?
    We need to discuss how data security liability is assessed
and which entity has a duty to report a breach to the public
and in what timeframe such a disclosure should be required. We
cannot tolerate a system that is unnecessarily complicated or
offers slow resolution for customers and consumers. We need to
instead work collaboratively to reduce red tape, create a more
prompt notification standard, and foster harmonization among
Federal and State agencies charged with data security
regulation.
    Today's hearing offers an opportunity to look at data
security vulnerabilities through a wider lens. Our witnesses
represent a number of different industries that offer unique
perspectives and ideas on how to improve the system for the
most important people in this conversation: their customers and
our constituents.
    While today's hearing does not focus on a specific bill, I
want to be clear that it is my intention to produce data
security reform legislation. This conversation and many others
our members have had and will continue to have with their
constituents will inform our actions and drive our policy.
    I want to again thank our witnesses for being here today.
We look forward to your testimony.
    The chair now recognizes the gentleman from Missouri, Mr.
Clay, the ranking member of the subcommittee, for 5 minutes for
an opening statement.
    Mr. Clay. Thank you, Mr. Chairman. Thank you for holding
this hearing as well as all of the witnesses who are here
today. I will forego an opening statement in order to hear from
our witnesses. I yield back.
    Chairman Luetkemeyer. The gentleman yields back.
    With that, we go to the gentleman from Pennsylvania, the
vice chair of the subcommittee, Mr. Rothfus, for 2 minutes for
an opening statement.
    Mr. Rothfus. Thank you, Mr. Chairman. I would like to thank
the chairman for holding today's hearing on data security. As
the recent Equifax data breach reminded us, cybercrime is a
constant and growing threat. But the Equifax incident, though
terrible and expansive as it was, was just the latest in a
string of major cybercrimes that have compromised our private
information and put us all at risk.
    I am deeply concerned that bad actors, State-sponsored or
otherwise, continue to relentlessly target our financial
system, retailers, and the physical and digital infrastructure
that allow our society to function. Cybercrime is a national
security threat and a danger to our economy. It hurts millions
of Americans, and it undermines the trust needed to conduct
business in the 21st century.
    This committee has an important role in helping to address
this growing threat. I am looking forward to hearing from our
witnesses about how we can improve our current system for
addressing and preventing cybercrime. Clearly, there is room
for improvement as we seek to ensure that firms take the steps
needed to protect private data, properly and promptly notify
law enforcement and customers, and quickly move to close
vulnerabilities and make victims whole.
    Many of my constituents contacted my office after the
Equifax breach to seek help and express their frustrations.
Families, students, small business owners, and retirees are
concerned about what they are seeing and they want us to take
steps to protect them.
    Again, I look forward to today's discussion, and I hope
that it can form the basis for bipartisan collaboration on this
important issue.
    I yield back.
    Chairman Luetkemeyer. The gentleman yields back.
    With that, today, we welcome the testimony of the Honorable
Ken Bentsen, president and chief executive officer, Securities
Industry and Financial Markets Association; Mr. Daniel
Mennenoh, president, H.B. Wilkinson Title Company, on behalf of
the American Land Title Association; Ms. Debra Schwartz,
president and CEO, Mission Federally-Insured Credit Union, on
behalf of the National Association of Federal Credit Unions;
and Mr. Edmund Mierzwinski, consumer program director, U.S.
Public Interest Research Group.
    Each of the witnesses will now be recognized for 5 minutes
to give an oral presentation of their testimony.
    Without objection, each of your written statements will be
made part of the record.
    Just a brief tutorial on the lighting system for those of
you who haven't been here before. Green means go. The yellow
light lights up, that means you have a minute to wrap up. Red
means that we need to stop and go on to the next question/
answer session.
    With that, Mr. Bentsen, you are recognized for 5 minutes.

         STATEMENT OF THE HONORABLE KENNETH BENTSEN, JR.

    Mr. Bentsen. Thank you, Chairman Luetkemeyer and Ranking
Member Clay and members of the subcommittee, for giving me an
opportunity to testify today on the important topics of
cybersecurity and data protection.
    SIFMA represents hundreds of banks, broker-dealers, and
asset managers who are dedicated to protecting their systems
and, more importantly, their clients' data from cyber attacks.
There is likely no greater threat to financial stability than a
large-scale cyber event. The financial services sector has
invested tremendous monetary and human resources to develop and
implement cyber defense and recovery mechanisms, and we welcome
the opportunity to discuss the progress we have made today.
    Cybercrime is now a bigger criminal enterprise than the
global narcotics trade. While data breaches of customer
information dominate headlines and are rightfully a top
priority for policymakers in the industry, a major cyber attack
on critical financial market infrastructure or one that
destroys records or financial data are also risks with a
potentially far larger impact on the economy.
    It is important to recognize that no single sector, not the
Federal Government nor any individual firm, has the resources
to protect markets from these threats on their own. It is
critical that we establish and maintain a robust partnership
between industry and government to mitigate cyber threats and
their impact. The industry's resiliency will not be fully
effective without the government's help and vice versa.
    The answer cannot exclusively be more regulation. However,
over the past few years, regulators in the U.S. and around the
world have proposed or finalized over 30 new cyber rules
applicable to the financial services industry. While
regulations can help raise expectations and define strong
standards for market participants, the volume of regulations
has resulted in requirements which are sometimes duplicative
and conflicting. Some of our members are subject to as many as
13 different Federal regulatory mandates in addition to State
mandates.
    Turning to the threat we collectively face, I would like to
highlight that every public and private sector institution
which holds sensitive information can and, indeed, will be a
target of malicious actors. Working with our members along with
our sister trade associations, SIFMA has identified a number of
best practices for protection of sensitive data in the
financial services sector. These practices draw on the
experience of our member firms and their own policies and
procedures as well as industry standards, such as the NIST
framework.
    Data protection begins with firms taking a risk-based look
at the information they collect, and deciding if they have a
business or regulatory purpose that requires them to hold this
information. If sensitive information like a social security
number is not directly relevant and necessary, firms should
refrain from holding it. Once firms have collected sensitive
data, they should ensure that they have controls in place to
protect it while it is being used and stored. That includes
ensuring that access to sensitive data is restricted only to
authorized users who need it to perform their jobs. Firms
should also work to reduce the risk by destroying sensitive
data once it is no longer needed.
    As a highly regulated sector, our members also provide a
tremendous amount of sensitive information to regulators in
accord with their supervisory mandates, and given the ever-
increasing risks, our sector is engaged in an important dialog
with our government partners to ensure and enhance protections
across the board.
    I would also like to spend a minute or so to focus on one
particular important data protection challenge currently on the
minds of many. As the Securities and Exchange Commission and
the SROs move forward with the development of a Consolidated
Audit Trail, it is critical that the CAT not introduce new data
protection risk. Once complete, the CAT will be the world's
largest data repository for securities transactions and one of
the largest databases of any type. Each day, the system will
ingest 58 billion records and maintain the data on over 100
million customer accounts.
    The current plan raises serious concerns around data
protection and the ability to confidently secure the critical
information it will contain. The CAT design requires firms to
provide a significant amount of sensitive customer information,
including names, social security numbers, and addresses. All
this information will be held in a single database, creating a
high-value target and bad actors will undoubtedly try to find
the weakest link to gain access.
    While this concern existed well before the recent breaches
at Equifax or EDGAR, many stakeholders have grown even more
skeptical that the CAT, as currently designed, will be able to
protect the massive amount of sensitive PII it will contain.
    Importantly, just as the industry should and does consider
whether sensitive information needs to be collected and
retained for a particular purpose, so too does the case need to
be made that PII is required to be collected and reside in the
CAT for effective surveillance by more than 3,000 users among
22 different SROs in the SEC.
    Along this line, we would urge Congress to consider among
other possible actions amending the Market Data Protection Act
to ensure the SROs who designed and built the CAT have
appropriate risk controls in place before the CAT goes live.
    In conclusion, effective cybersecurity will be in a state
of discussion and improvement for years to come. That security
is a combination of activities that relies on strong defenses,
information sharing, mitigation, and recovery planning. It can
only be accomplished through constructive dialog and engagement
among the private sector, policymakers, and regulators. Much
work has been done, but as my written testimony lays out, there
is much more work to do. SIFMA's members stand ready to do
their part, and I look forward to answering your questions.
    [The prepared statement of Mr. Bentsen can be found on page
36 of the appendix.]
    Chairman Luetkemeyer. Thank you, Mr. Bentsen.
    Mr. Mennenoh, you are recognized for 5 minutes.

                  STATEMENT OF DANIEL MENNENOH

    Mr. Mennenoh. Thank you.
    Chairman Luetkemeyer, Ranking Member Clay, and members of
the subcommittee, I appreciate the opportunity to discuss one
of the largest financial threats facing consumers, title
companies, and our real estate system. My wife and I own H.B.
Wilkinson Title Company in Galena, Illinois. We bought the
company from my dad 20 years ago. We have 28 employees, with
offices in seven counties. We close about 70 real estate
transactions a month. Though we are a small business, by title
industry standards, we are a big company.
    One of my favorite opportunities as president of ALTA was
traveling the country to hear what was happening in local
markets. The largest concerns I heard from title agents were on
data security and the growing threat of criminals trying to
steal our customers' money. Even my small company in Galena
sees a couple of phishing attempts every week. Those attempts
are often sent to multiple email addresses.
    Earlier this year, the FBI reported a 480 percent increase
in criminals attempting to steal consumers' funds, and it is
easy to see why. The average successful bank robber's haul is
$3,816. The average successful wire fraud loss is $129,427.
This is a much better return for a much less expensive and
dangerous crime to commit. Overall, these scams have cost
Americans $5.3 billion.
    Home buyers are the most common targets. Criminals gain
access to the buyer's, seller's, or real estate professional's
email account. They monitor traffic looking for a deal. Their
goal is to convince the buyer to send their earnest money or
downpayment to the criminal. Bloomberg reports that criminals
can obtain verified email accounts, passwords, and security
questions on the dark web for as little as $10.
    In Texas, I heard about a woman who saved nearly $25,000
for the downpayment on her first house. Prior to the lender
finalizing the closing disclosure, the woman's email was
hacked. Using information from her email, the criminal
impersonated the title agency, used the closer's name, and
instructed her to send the $25,000 using fraudulent wire
instructions. Believing it was the title agency, she followed
the instructions and wired the funds to the criminal's account.
The home purchase fell through. The money was gone. The woman
lost her life savings. This is a heartbreaking story, and it
happens often. Title companies in each of your communities have
stories just like these.
    Consumer losses due to a data breach pale in comparison to
the loss of consumers' downpayment or earnest money deposit. I
wish there was a silver bullet to protect our customers, but
there is not. As an industry, we have improved our digital
hygiene and have taken an array of steps to combat this fraud.
This includes using secured email communications, verifying
instructions with buyers using known phone numbers, and asking
banks to match both the recipient's account number and payee
information when we send wires. We issue warnings to our
customers on websites and at the bottom of every email.
    What is so frustrating is there is no amount of money we
can spend to protect our customers from being targeted by these
criminals. Two years ago, we were the target, as title
settlement agents. Now they are targeting our customers even
before we get involved in the transaction, because we are at
the end of the process.
    We believe we should focus on two key areas to stop these
crimes. First, we need to increase awareness of these crimes
for buyers, sellers, and the public. We need to get anyone
involved in the real estate deal, real estate agents, banks,
policymakers, consumer groups, title insurers, settlement
agents and real estate attorneys, to help educate our customers
about how to protect themselves. Think about movers. Think
about surveyors, home inspectors. They are all part of the
process.
    Second, financial institutions should match not only the
account number, but also the payee's name. This simple
authentication step can be the single biggest deterrent. We
also need to better use both suspicious activity reports and
IC3 data to detect trends. Even if more information does not
lead to prosecutions of these criminals, it can help banks
decide to place holds on the account to prevent the criminal
from withdrawing funds.
    ALTA is eager to serve as a resource to the subcommittee,
and I am happy to answer any questions. Thank you.
    [The prepared statement of Mr. Mennenoh can be found on
page 50 of the appendix.]
    Chairman Luetkemeyer. Thank you, Mr. Mennenoh.
    Mr. Mierzwinski, you are recognized for 5 minutes.

                 STATEMENT OF EDMUND MIERZWINSKI

    Mr. Mierzwinski. Thank you, Chairman Luetkemeyer, members
of the committee.
    Last week, you held a minority day hearing on Equifax. I
could talk about Equifax for my entire 5 minutes, but I think
the State enforcement officials and the consumer advocates who
spoke last week, I would simply like to associate my remarks
with theirs last week on Equifax specifically. But I do want to
continue to talk a little bit about how Equifax fits into the
larger big data universe.
    First of all, to be clear, Equifax had one of the worst
breaches ever. They lost our consumer DNA through a pretty
amazing failure to protect it, and then they did a really bad
job of notifying us and telling us what was going to happen
after that. But what people don't understand, a lot of people
may not know, Equifax is in the highly regulated business,
credit reporting, part of the time, but all of the time Equifax
is a data broker. There are thousands of underregulated and
unregulated data brokers out there.
    In my testimony, I represent the views of the Federal Trade
Commission which has said they need more authority over data
brokers. I encourage the committee to read their reports.
    Going forward, people should understand that consumers have
no control over their information, particularly with the credit
bureaus. As was said often in many of the other hearings, we
are not their customers; we are their products. Mr. Cordray
refers to credit reporting as a dead-end market. You can change
your bank if you don't like it. You cannot change your credit
bureau. You cannot vote with your feet.
    With the lack of control, it is very difficult for
consumers to do anything about misuse of their information. We
have very little authority to vote, to determine that companies
can't use our information, very limited under Gramm-Leach-
Bliley. In most cases, companies simply collect information
about us and sell it.
    We worked on the credit freeze as a way to return some
control, starting about 20 years ago. The first credit freeze
law passed in California about 15 years ago. It was
revolutionary at the time, but what would make it more
revolutionary is if the committee were to adopt--and I believe
it has become a bipartisan issue--expand the availability of
the free credit freeze. It is the only way you can at least
exert some control over your consumer DNA. In addition, the
committee should look at Ranking Member Waters' comprehensive
bill to reform the credit bureaus themselves.
    Third, I think the committee should look very closely at
the flaw in Gramm-Leach-Bliley where the Federal Trade
Commission has authority over data security that was not
transferred to the Consumer Bureau. Section 1093 should be
looked at. I think the Consumer Bureau, because it has the
ability to conduct examinations of credit bureaus, because it
has the ability to impose penalties for the first violation of
the law, not only after a company has violated a consent decree
in the FTC's case, and because it has rulemaking authority that
the FTC does not have. If you want to rein in the credit
bureaus, you have to give the Consumer Bureau more power over
them.
    The final point that I want to make in my testimony, and I
make it extensively in my written testimony, is that the States
are privacy innovators. The States are privacy first
responders. The credit freeze, the data breach notification
laws, all were passed by the States when Congress looked on and
didn't do anything.
    We strongly support protecting the right of the States, as
the two attorneys general offices testified last week. Going
forward, we cannot preempt stronger State laws with some narrow
Federal breach law that takes away States' rights not only to
do breach notification, but States' rights to conduct other
privacy examinations, and States' rights to strengthen the data
security of their citizenry.
    I go into great detail on all of these matters in my
testimony. I look forward to your questions. Thank you.
    [The prepared statement of Mr. Mierzwinski can be found on
page 61 of the appendix.]
    Chairman Luetkemeyer. Thank you, Mr. Mierzwinski.
    Ms. Schwartz, you are recognized for 5 minutes.

                  STATEMENT OF DEBRA SCHWARTZ

    Ms. Schwartz. Chairman Luetkemeyer, Ranking Member Clay,
and members of the--
    Chairman Luetkemeyer. Please turn on your microphone.
    Ms. Schwartz. It should be on.
    Chairman Luetkemeyer. Bring it closer to you then. There
you go.
    Ms. Schwartz. OK, thank you.
    Chairman Luetkemeyer, Ranking Member Clay, and members of
the subcommittee, thank you for the invitation to appear before
you this afternoon. My name is Debra Schwartz, and I am
testifying today on behalf of NAFCU. I currently serve as
president and CEO of Mission Federal Credit Union, Mission Fed,
headquartered in San Diego, California, and also serve on
NAFCU's board of directors as treasurer.
    Data security needs to be everyone's responsibility. More
can and must be done to protect consumers on this important
issue. NAFCU has long supported comprehensive data security
measures to protect consumers' sensitive data. Credit unions
and other depository institutions already protect data,
consistent with the provisions of 1999's Gramm-Leach-Bliley
Act, GLBA.
    Unfortunately, there is no similar regulatory structure for
other entities that may handle sensitive personal and financial
data. Although credit bureaus are considered financial
institutions under GLBA, they do not have the same regulatory
oversight as credit unions and other depository institutions.
    GLBA and its implementing regulations have successfully
limited data breaches among depository institutions. This
standard, outlined in my written testimony, has a proven track
record of success and should be recognized in any future
requirements. Gramm-Leach-Bliley requires financial
institutions to address the risks presented by the complexity
and scope of their business. This allows flexibility and
ensures the regulatory framework is workable for the largest
and smallest financial institutions. GLBA is an example of how
scalability is possible for varying size businesses.
    A data security breach can have a big impact on consumers,
from waiting for new cards to be issued to updating all
accounts connected with a compromised card. Breaches can also
result in fraud losses, damaged credit ratings, and even
identity theft. As the Equifax breach has demonstrated, data
security breaches are not just a retailer problem, but occur
across many industries. This highlights the need for a
comprehensive national data security standard to protect data,
akin to what is already in place for depository institutions
under GLBA.
    A recent survey of NAFCU members found that respondents
were alerted to potential merchant breaches an average of 189
times in 2016. Over 40 percent of the respondents said that
they saw an increase in these alerts from 2015. At Mission Fed,
we have received over 1,400 separate alerts of merchant data
breaches since 2013.
    When credit unions are alerted to breaches, they take
action to respond and protect their members. These actions have
costs, such as card reissuance, fraud losses, and account
monitoring. Ultimately, this takes away from providing other
services to members. Unfortunately, credit unions rarely see
any reimbursement for these costs. Even when there are
recoupment opportunities, such as settlements, it is usually
only pennies on the dollar, in terms of the real cost and
losses incurred.
    Recognizing that finding a legislative solution is a
complex issue, NAFCU has established a set of guiding
principles we would like to see in data security legislation,
including: reimbursement of all costs by the breached entity;
national standards for safekeeping of information; breach
notifications to financial institutions; disclosure of breached
entity to consumers; and enforcement of data retention
prohibitions. I outline all of our principles in detail in my
written testimony.
    The time has come for Congress to enact a national standard
on data protection for consumers' personal financial
information. Additionally, credit bureaus, such as Equifax,
should be subjected to examinations for compliance to data
security standards, just as depository institutions already
are. Consumers whose personal and financial data has been
compromised have a right to be notified in a timely manner.
    NAFCU believes that the best legislative solution so far on
this issue of data security is the bipartisan legislation that
was introduced in the 114th Congress, H.R. 2205, the Data
Security Act of 2015, which would have set a national data
security standard that recognized those who already have one
under the GLBA. We were pleased to see this bill get bipartisan
support in this committee in the last Congress.
    Finally, as the committee is aware, data security is in the
jurisdiction of several congressional committees. We appreciate
the Financial Services Committee taking the lead to work with
leaders in other committees to craft a bipartisan package that
can enact a robust national data security standard into law.
    In conclusion, data security is a top challenge facing the
credit union industry today. Protecting the payment system is
the responsibility of all parties involved. It is time to level
the playing field, establish a national data security standard
for all who handle financial and sensitive personal data. This
includes consumers and impacted parties receiving timely
notification of data breaches.
    The standards for depository institutions under GLBA should
be the model. NAFCU stands ready to work with you. Thank you
for the opportunity to appear before you today. I welcome any
questions you may have.
    [The prepared statement of Ms. Schwartz can be found on
page 78 of the appendix.]
    Chairman Luetkemeyer.
Thank you, Ms. Schwartz. I appreciate \nyour testimony and all of the witnesses today.\n    We will now begin the question-and-answer period of our \nhearing, and the chair recognizes himself for 5 minutes.\n    Mr. Bentsen, you in your testimony talked about \nharmonization of State and Federal data security regulations. \nYou even mentioned global standards. Where in this do you think \nthis committee has a role to be able to help the situation the \nway it is right now?\n    Mr. Bentsen. Thank you for the question, Mr. Chairman. It \nis a problem where the industry and the government are all \ntrying to get to the same place. There is very little \ndisagreement on that, and we believe it is very much a two-way \nstreet.\n    We have a multifaceted regulatory structure for financial \ninstitutions, including both a Federal and State regulatory \nstructure, and self-regulatory organizations, and we have many \nglobal institutions from the U.S. that operate in multiple \njurisdictions. We need to find a way where regulators can come \ntogether, in terms of the type of guidance they are doing, the \nexaminations, the supervision process that they want to do, to \nwork around the same framework. Even in the U.S., U.S. \nregulators are not all using the NIST framework, which we think \nis the best framework for developing cyber resiliency.\n    I think this committee can play a role with your oversight \nfunction of the agencies to start, and the SROs, where you have \nsome indirect jurisdiction, to try and bring them together. 
To \nbe fair, we have spent time with all of our regulators, brought \nthem all together and said: We understand your individual \nmandates, but cyber and cyber protection is really a top-of-\nthe-house-down program within all institutions.\n    There has to be a better way to do this, so we don\'t have a \nsituation where members are spending almost as much time on \nregulatory compliance as they are on cyber defense.\n    Chairman Luetkemeyer. OK. With regards to the NIST \nstandards, do you believe that they are adequate at this time \nand, if not, what concerns do you have, and in particular, with \nregards to notification? I am very concerned about \nnotification. It doesn\'t seem like we have either some \nstandards in place or they are not being adhered to. Can you \nelaborate a little bit on that?\n    Mr. Bentsen. We think the NIST framework is the appropriate \nframework. It has been updated recently by NIST. We think it \nprovides sufficient flexibility to the industry. We have mapped \nit out for our industry, and the capital markets and asset \nmanagement business and other sectors are using it as well.\n    In terms of notification, this is an important issue. I \nthink everyone agrees that there does need to be timely \nnotification. But I think we also have to be careful in setting \ndeadlines that can be artificial, and we have to determine what \nthe materiality is. We have to determine--in many cases, you \ncan have a cyber event going on and you are in the process of \ntrying to figure out how deep it is, what the impact of it is, \nif you have to do a forensic audit, if you have to call in the \nFBI, if it involves--whoever the perpetrator is, and to also be \nup against a deadline of having to notify before you know what \nis really going on adds additional risk factors.\n    It is an important issue. As you know, Chairman Clayton of \nthe SEC has raised this issue under the jurisdiction of this \ncommittee. 
I think it is something that, you all and the \nagencies are going to be spending a lot of time on.\n    Chairman Luetkemeyer. Thank you.\n    Ms. Schwartz, you were talking about the GLBA quite a bit. \nDo you believe that it is still adequate, or do you see some \nthings that need to be changed in it or amended or added to, or \nwhat do you think?\n    Ms. Schwartz. GLBA has been around since 1999, and it has \nbeen dynamic, scalable, and flexible. The nice thing about it \nis it works for institutions, whether you are a $10 million \ncredit union or a multibillion dollar credit union. I think it \nprovides an excellent model to be considered, because of those \nfactors.\n    Chairman Luetkemeyer. OK. With regards to notification, \nthere is not a whole lot in Gramm-Leach-Bliley with regards to \nnotification. Can you expound on what your position would be \nwith regards to where we need to go with this? Do we need to \nput some guidelines in place or leave it alone or--Mr. Bentsen \njust indicated there are a lot of problems with how you go \nabout that, but is there a way we can get through this and find \na middle ground here?\n    Ms. Schwartz. Notification is key. We found out about the \nEquifax breach probably the same time you did, when we read \nabout it in the Wall Street Journal. We subscribe through \nMastercard, who is our credit card partner, and receive ADC \nnotifications from them. We have received 1,400 separate breach \nnotifications since 2013. The faster we are notified, the \nfaster we can work to protect our members, by putting warnings \non their account, by reissuing cards. It is absolutely critical \nthat we get notification as soon as possible.\n    Chairman Luetkemeyer. I have just a few seconds left.\n    Mr. Bentsen, you mentioned the Consolidated Audit Trail and \nthe compounding of all information in there. Do you think that \nis really a good idea?\n    Mr. Bentsen. Well--\n    Chairman Luetkemeyer. Very quickly. 
My time is up.\n    Mr. Bentsen. Yes, the concept behind Consolidated Audit \nTrail is we think an appropriate concept. But we don\'t know \nthat the question has been answered that you have to have all \nthis personal information as part of the Consolidated Audit \nTrail in one place. We have no assurance from the builders and \nthe contractor that they can protect it.\n    Chairman Luetkemeyer. OK, thank you. My time has expired.\n    With that, we go to the gentleman from Missouri, another \ngentleman from Missouri, the ranking member. Mr. Clay, you are \nrecognized for 5 minutes.\n    Mr. Clay. Thank you, Mr. Chairman.\n    This question is for the entire panel, so we would start \nwith Mr. Bentsen and go down the line. Good to see you again, \nMr. Bentsen.\n    Equifax learned of the data breach on July 29th, 2 days \nafter it filed its quarterly report with the SEC. However, it \nwas not until 6 weeks later, on September 7, that Equifax \nnotified the public of the breach through a statement filed \nwith the SEC.\n    Now, in your view, what duties do public financial services \ncompanies owe consumers to provide timely notice of significant \ncybersecurity incidents? Do you believe that disclosure 6 weeks \nafter a material event is timely? Could you elaborate whether \nthis extended period with the Equifax incident, from when the \ncompany learned of it to when the public was made aware of it, \nmay have violated some State breach notification laws, \nparticularly given that some States require immediate \nnotification and most States require notification within the \nmost expedient time possible without reasonable delay?\n    I will start with Mr. Bentsen and would like for each \npanelist to try to answer some of those questions.\n    Mr. Bentsen. Thank you, Mr. Clay, and good to see you again \nas well.\n    First of all, Equifax is not a member of ours. We don\'t \nrepresent the credit bureaus. 
Most of what I know about the \nEquifax issue is what I have read in the press. I can\'t really \ncomment on what they did, whether it is appropriate or not, and \nI am sure the appropriate regulators are looking at the issue \nas it is.\n    Again, I think there is a question of materiality. There is \na question of your risk factors, when there has been a breach \nand if the person who is breaching is still there and who it is \nand how you are dealing with it. There is no question that \nthere should be an effort to notify the affected parties, your \nclients in this case, as soon as it is practical that you can \ndo so, weighing all those other factors.\n    As it relates to Equifax they are not a member. I am not \nfamiliar with the facts of that case.\n    Mr. Clay. Sure. But you are saying they did have a duty to \ninform the public.\n    Mr. Bentsen. I think if it is a material issue, there are a \nnumber of requirements, both in terms of public company \nrequirements and State--and I can\'t speak to all the States; Ed \nprobably can--of what they have to comply with.\n    Mr. Clay. Mr. Mennenoh.\n    Mr. Mennenoh. Thank you, sir.\n    Yes, I certainly would agree that consumers need to be \nnotified promptly. Certainly from our perspective, when we have \ncircumstances where consumer funds have been taken, we take \nimmediate action to try to recover those funds. But with wire \ntransfers, oftentimes, it is a case where if you don\'t address \nit within 24 hours, it is pretty difficult to get those funds \nback.\n    Mr. Clay. 6 weeks was, in your opinion, quite a bit of time \nexpired?\n    Mr. Mennenoh. For our purposes, the money is gone.\n    Chairman Luetkemeyer. Mr. Mierzwinski.\n    Mr. Mierzwinski. Mr. Clay, I totally agree. You made a lot \nof the points in your opening remark here. Equifax probably \nviolated the strongest State laws on immediate notification. It \nprobably violated a number of State laws on attorney general \nnotification. 
Massachusetts has already sued Equifax. Other
State attorneys general have a multiState investigation going
on right now. I think you will see additional litigation
against the company. You will see private lawsuits as well. But
they failed. They epically failed, and a lot more needs to be
done.
    Mr. Clay. Thank you.
    Ms. Schwartz.
    Ms. Schwartz. Six weeks is clearly too long. I think, in
addition to notifying consumers, notifying financial
institutions is also critical. We are in a position where we
can really help to mitigate fraud. We can put warnings on
accounts; we can reissue cards. We can't do that if we are not
told. A lot of fraud can happen in 6 weeks.
    Mr. Clay. Mr. Mierzwinski, in the event of a breach, what
information should be provided to consumers to ensure they are
fully informed of the rights and remedies available to them as
well as the steps that they consider taking to protect against
fraud, identity theft, and other crimes?
    Mr. Mierzwinski. I think consumers need to hear everything
about their rights under Federal law and what the company is
going to do, and they don't need to hear about all the changing
kinds of results that Equifax provided them. You need to know
what your rights are. You need to learn how to put a fraud
alert. You need to learn how to put a credit freeze on. You
need to learn all of these things. You need to understand that
your Social Security number is the key to identity theft. They
lost that. It is much worse than any merchant breach.
    Mr. Clay. Thank you.
    My time is up.
    Chairman Luetkemeyer. The gentleman's time has expired.
    With that, we go to the gentleman from Texas. Mr. Williams
is recognized for 5 minutes.
    Mr. Williams. Thank you, Mr. Chairman.
    Thank all of you for being here today, and I appreciate
your testimony this afternoon on the important subject of data
security and how we can and must do better to protect private
information.
    As a small business owner for 45 years, I recognize the
importance of protecting the information of my customers, and I
know firsthand the impact that cyber attacks can have on Main
Street America.
    I am concerned by the increasing trend of breaches that has
occurred over the past few years, and I hope to learn from all
of you today how we can ensure that American consumers can rest
easy, knowing that their personal information is in good hands.
    Mr. Bentsen, one of the things that I do worry about, not
just when it comes to the industry but in general, is an issue
with excessive regulations. When President Trump was elected,
he pledged to fight against expanding the regulatory regime. I
agree with his goals on that regard. One of the fears I have,
which you also mentioned in your testimony, is that Congress
creates regulations which result, I quote, ``in requirements
which are sometimes overlapping, duplicative, and
conflicting.''
    How can Congress create effective rules while avoiding the
problem of overburdensome regulations?
    Mr. Bentsen.
I think in the case of cyber protection, \nincluding protection of sensitive data like PII, I think \nCongress plays a very important oversight role with the \nagencies that you set the authorization for, you fund, you set \nthe laws that they execute on.\n    In the case of the financial services sector, where you can \nhave 5, and up to 13 different regulators, Congress can \ndefinitely play a role in trying to get better coordination \namong those regulators in how they are going to implement cyber \nrules, cyber defense rules, guidance, or whatever it may be, as \nwell as on their examination process.\n    We have members who, again, they have up to 13 different \nregulators before you get to the States. We have members who \nare going through multiple examinations because they have a \nbank, a broker-dealer, a futures commodities merchant. In many \ncases, they will have the SEC, the CFTC, the OCC, the Fed \ncoming through, but that is before whoever their State \nregulator may be or whoever their SRO may be.\n    If we can get some harmonization there, where we are all \ntrying to do the same thing, and with Congress\' oversight \nfunction working with those agencies, that could be very \nhelpful.\n    Mr. Williams. Thank you.\n    Mr. Mennenoh, this question is for you. I mentioned earlier \nmy background as a small business owner, and I am extremely \nconcerned with protecting the nonpublic personal information of \nmy customers. I am a car dealer.\n    In your testimony, you discuss how the American Land Title \nAssociation, which represents many small businesses, has \ndeveloped a set of voluntary standards for its members to use \nas part of their compliance programs. Can you expand on these \nstandards, and to what extent do your members cooperate with \nlaw enforcement following a breach, and what steps would you \nrecognize to take immediately following a breach?\n    Mr. Mennenoh. Thank you. 
Yes, the standards that we put \nout, the voluntary ALTA best practices, do address very \nspecifically how to protect data, how we should be addressing \nthat in quite a bit of detail. But the other side of it too is \nthat because we handle a lot of money for real estate \ntransactions, we also have to protect the money. We have very \nhigh standards in terms of how we protect the money as the \ntransactions are taking place.\n    It is a process that we feel has raised the bar, if you \nwill. I believe many of our members are doing a very, very good \njob of addressing this, but, as I mentioned in my testimony, \nthe biggest issue for us is the money at this point. The small \ncompanies oftentimes use third-party data centers, that sort of \nthing, that have high security standards for the data security, \nbut we have to make sure that we are protecting the money as \nwell. That is a big issue for us, and we address this very, \nvery aggressively.\n    Mr. Williams. Thank you.\n    Ms. Schwartz, one of the biggest issues in the wake of the \nEquifax breach was their notification process to consumers. In \nyour testimony, you too acknowledge that Equifax failed in the \narea of consumer notification. Additionally, you discuss the \nneed for timely notification of members after a breach has \ntaken place. In your words, you say that this is important to \nmanage an institution\'s reputation risk.\n    What kinds of notification standards should Congress \nconsider requiring, if any, and would such standards hamper the \nefforts of law enforcement following a breach?\n    Ms. Schwartz. I think the most important thing is trying to \navoid the breaches in the first place. But absent that, timely \nnotification as soon as reasonably applicable. It is very \ndifficult to put a certain timeframe on it, because I think \nthere are issues, such as law enforcement actions, that could \npossibly delay it. 
But as soon as possible, financial \ninstitutions can do a lot to help mitigate any losses that \ncould happen. We can reissue cards. We can also notify our \nmembers that their accounts have been compromised. We have a \npretty good track record of them opening up the emails that \nthey get from us.\n    The notification standards as they are right now can be \nsomewhat nebulous, particularly in California; I believe you \ncan just put something in the newspaper. It puts a lot of \npressure on the consumer to look up to see if it has been \ncompromised. There is a lot of room there for improvement.\n    Mr. Williams. Thank you for your testimony.\n    I yield back.\n    Chairman Luetkemeyer. The gentleman\'s time has expired.\n    With that, we go to the distinguished gentleman from \nGeorgia. Mr. Scott is recognized for 5 minutes.\n    Mr. Scott. Thank you very much. Mr. Chairman, this issue is \nvery important to all of the American people and all of us \nMembers here in Congress, but it is expressly important to me \nbecause I am the representative from the great State of \nGeorgia, a State I love. This extraordinarily careless breach \nthat was allowed at Equifax is certainly very troublesome to \nme. I am very concerned about that. I have a commitment to help \nEquifax because I want to make sure that we can bring them out \nof this standing tall, standing big, and be able to renew the \nconfidence of the American people. However, that is not going \nto happen for any of them, but certainly for Equifax: 145 \nmillion people, and their Social Securities are out there in \nthe wind, their birth dates, all this vital information.\n    While I want to do that, we on this committee and Members \nof Congress, can\'t do it without them. I don\'t know if you all \nknow this, but they refused--can you imagine that?--to come \nbefore this Congress and speak. We cannot solve this problem, \nyou and I. I know many of you.\n    Mr. 
Bentsen, I know your great reputation.\n    Ms. Schwartz.\n    All of you. But neither you nor I can solve this problem if \nthe CEOs, the people that run Equifax, that run TransUnion and \nthese other companies are not willing to come and sit where you \nare so that we can find that. We have to get the message to \nthese credit agencies that they have to get here in Congress, \npartner with all of us. This is a huge issue. I just hope that \nyou all will convey that message to them.\n    Now, with the time remaining, I just want to--I look at \nthis as the American people look at it and want to get your \nresponses to this. If Americans can\'t trust their credit and \ndata, that it is going to be protected, let me ask you this, \nMr. Bentsen, Ms. Schwartz, any of you: Why would they want to \nrisk shopping online for their Christmas gifts? Can you see the \ndamage that this would do to our economy through that? Or if \nAmericans don\'t think that their local banks can keep their \npersonal account numbers protected, why would they want to risk \nit by opening up a checking account?\n    In other words, the whole foundation of our fantastic and \nyet complex financial system is registered in credit. If these \ncredit agencies, 145 million Americans, Mr. Bentsen, I ask you \nand Ms. Schwartz, how many of these 145 million Americans do \nyou believe even have been informed that their data is out \nfloating and gone with the wind?\n    Mr. Bentsen. Mr. Scott, I don\'t know the answer to that \nquestion, but certainly there has been a lot written about it, \nand I have been on the website myself.\n    What I will say, I think you are absolutely correct that \nthere are two things that are very important. The confidence in \nthe system is incredibly important. In the industry at large--\nwe don\'t represent the credit bureaus, so I won\'t speak for \nthem. 
The industry at large has a responsibility to work to \nmaintain that confidence, and this industry does that day in \nand day out. No. 1, it is through defense; and No. 2, it is \nthrough recovery. We are taking efforts in both those areas, \nincluding understanding what happens if you have a major attack \nwiping out books and records. Can someone at the end of the day \ngo back and say: What was my balance of my retail brokerage \naccount yesterday? What was my balance in my checking account \nyesterday?\n    These are the things we should be working on, which we are.\n    Mr. Scott. Ms. Schwartz, let me ask you, because I have \nbeen concerned about Gramm-Leach-Bliley standards and the \napplicability of them to large as well as the smaller, the \nrural companies. I think you alluded to this in your testimony, \nand I would like for you to clear that up.\n    Do you have confidence in that one size will fit all? \nParticularly when you look at our economic system, it is so \ndiverse; it is so varied. To have the same standards for a big \nmega bank operating around the world, for a mom-and-pop store \nin my district in Stockbridge, Georgia? Are you saying that we \ndon\'t have to worry about that, that it is applicable?\n    Ms. Schwartz. No, I think your point is very well taken. \nOne size fits all is not the answer. But I will say that the \nbeauty of Gramm-Leach-Bliley is it is scalable, and it is \nflexible. It has been around for more than 17 years and is \nstill helpful and provides a framework. I think a level playing \nfield is very important. Some minimum standards that anyone \nalong the payment system rails should follow I think is very \nimportant.\n    Mr. Scott. Thank you.\n    Thank you for the little extra time there, Mr. Chairman. I \nappreciate it.\n    Chairman Luetkemeyer. Thank you, Mr. Scott.\n    The gentleman\'s time has expired.\n    With that, we go to the gentleman from Michigan. Mr. Trott \nis recognized for 5 minutes.\n    Mr. 
Trott. Thank you, Mr. Chairman.\n    I also want to thank the panel for their time this \nafternoon.\n    Mr. Bentsen, I want to start with you. You talked in your \nopening comments about the need for partnership between \nindustry and government to address this problem. I am just \ncurious what is the most significant barrier in your mind to \nthe creation of that partnership, and what does that \npartnership look like? Is it just less, more reasonable \ncompliance, burdens, or what does the partnership look like, \nand how do we accomplish it?\n    Mr. Bentsen. Congressman, thank you for that question. I \nthink our partnership with the government on the broad question \nof cyber resiliency is quite good. I credit the Treasury \nDepartment, Homeland Security, and the various agencies for \nthat. This is something where everybody is trying to row in the \nsame direction. Frankly, through a lot of industry exercises \nand a lot of tabletop exercises with the government, and we \nhave learned a lot. They have learned a lot, I think. We have \nlearned a lot from them as well, and we want to keep doing \nthat. That has led to new initiatives on both sides, I believe.\n    Where I think things can break down is agencies operating \nunder their own individual mandate, which is established by law \nand all of that. That is understandable, but it seems to us \nthat we can do a better job of coordinating among those various \nagencies so there is more interchangeability between how firms \nare complying with requirements. That is really the point.\n    Mr. Trott. Maybe 2 or 3 instead of 13 would be a good \nstart?\n    Mr. Bentsen. Or some substitution, yes.\n    Mr. Trott. Thanks so much.\n    Mr. Mennenoh, nice to see you again. We met up in Traverse \nCity at the Michigan Land Title Association. You were the \nkeynote speaker up there this summer.\n    Mr. Mennenoh. Yes, we did.\n    Mr. Trott. I hope you enjoyed your time in northern \nMichigan.\n    Mr. Mennenoh. 
Absolutely.\n    Mr. Trott. You discussed wire fraud and what a huge problem \nit is for the industry. It is a significant problem because, \nunlike some of these issues, really there is no good solution. \nOnce it happens, the money is gone. Usually it is a lot of \nmoney, as you said.\n    You discussed education, and it sounds like a good idea, \nbut I wanted to get your thoughts on--one thought I had was \nmaybe we put some kind of disclaimer or warning in the purchase \nagreement, or maybe the realtor\'s listing agreement has some \nkind of--or there is some form. But, that is probably not a \ngreat solution, and I want to get your thoughts on it, because \nyou have a buyer who is excited to get their home. Maybe it is \ntheir first home. They don\'t even understand what a title \nagency does in the overall transaction, perhaps. Is the \neducation going to make a difference, or is it really the \nfinancial institutions that have to be the solution in terms of \nthe wire fraud?\n    Mr. Mennenoh. Honestly, I think there is maybe a \ncombination of the two. Certainly the financial institutions, \nif we can match the account name, the account owner to the \naccount number and the routing number on a wire transfer, that \nwould actually be a good deterrent.\n    But I also think the education component is very important \nas well, in that all of the professions involved in real estate \ncan work together, send the same message. It has to be a \nmessage that is being conveyed routinely, because, as you say, \npeople buy a house and they may not buy another house for \nyears. But providing that level of education from all of the \nprofessions that are involved in this process would be very, \nvery helpful.\n    As I mentioned before, we are at the end of the process. \nThe parties that have first contact with the consumer can help \nwith that process as well. 
For example, in January, I, along
with the Board of Governors at ALTA, met with Director Cordray,
and we were asking for a consumer alert to be issued. The
Director's initial response was, how often does that really
happen? We were telling him stories about things that have, in
fact, happened.
    We followed up again in April. Then it wasn't until June
that we actually had the CFPB issue a consumer alert. That is
all we wanted to have them do. It is a difficult process.
    Mr. Trott. That is for sure. Thank you.
    Ms. Schwartz, so my friend from Georgia was quite
articulate in how he described the ramifications to commerce,
e-commerce in this country, given the Equifax breach. I want to
ask a question with respect to Mission Federal. Can you say
with 100 percent confidence that you can build a firewall that
will protect your members' data?
    Ms. Schwartz. I don't think anybody can say with 100
percent confidence, but I can tell you we have had 245,752
attacks on our system through September 30th, none of which
were successful.
    Mr. Trott. That is extraordinary. But your answer, I was
hoping you would say that you couldn't say with 100 percent
confidence that you could protect the data, because I think
that is an accurate answer.
    My concern is, when we talk about notification and we are
beating up Equifax for how poorly they handled that whole
process, to some extent, we were really in damage control at
that point. When we talk about a solution--and I am out of time
here--I wonder if really we need to focus on a solution that
changes the identification process that goes well beyond a
Social Security number and date of birth and really makes it
much more cumbersome for these cybercrimes to happen.
    But I will yield back. Thank you for the additional time,
Chairman.
    Chairman Luetkemeyer. The gentleman's time has expired.
    With that, we go to the gentlelady from New York, Mrs.
Maloney. She is recognized for 5 minutes.
    Mrs. Maloney. Thank you. I thank the chairman and ranking
member for calling this important hearing and take this
opportunity to welcome my former colleague and very good friend
Ken Bentsen. We miss you. I hope you will run for Congress
again. But, anyway, it is good to see you again.
    My question to Mr. Bentsen and actually everybody on the
panel, as you know, last Congress, this committee considered a
data security bill that would have created a national standard
for data security and for breach notification procedures. I
supported that bill because it would have subjected many more
companies to the strong data security requirements that
financial institutions already have, subject to the safeguards
rule.
    But we cannot ignore the fact that Equifax was already
subject to the safeguards rule, which is what the legislation
would have done, yet it still suffered a massive data breach
that affected a startling 145 million Americans. Not just today
but for the rest of their lives, they are in threat with their
security, their identification stolen, their Social Security
number.
    My question to all of you is, in light of the Equifax
breach, do you believe the safeguards rule needs to be updated
at all to include things like encryption requirements and the
two examples of startling mismanagement by Equifax?
    I know Ms. Schwartz was saying that you should have
training so that you would be looking for these breaches. But
in an unprecedented action, Equifax was notified by the
Homeland Security Department that you will be breached: You
will be breached in this way; take steps to protect your
customers.
    Now, the other two companies took steps to protect their
customers. Equifax did not.
No matter how many training
sessions you had, if someone tells you you are going to be
breached this way and you don't correct it, training is not
going to help you.
    The other two companies, it is my understanding--because I
wrote them and they wrote me back and said they had these other
safeguards--they had a system that once you told their system
that there could be a breach in a certain way, the whole system
closed down until you corrected it. Should Equifax be required
to have the same updated system?
    Also, Equifax had a system that was different from the best
practices that were put out by the safeguards rule. The best
practices said that every firm should have an IT manager who is
in charge of this, who is responsible. The other two firms had
an IT manager whose sole job was to protect their customers,
protect the system, make sure it is safe, but Equifax did not.
They had everybody reporting to a, quote, ``general manager,''
who had conflicting responsibilities, such as managing the
whole company, the general counsel, such as profits, such as
new technologies or whatever else he was looking at. He wasn't
focused on IT.
    Should that best practices idea that has been put out there
be implemented in law so that people are following it? We have
to take steps to make sure that this happens. Or do you just
need to enforce the safeguards rule more?
    I would like to really go first to my colleague Mr. Bentsen
and down the line. I know he has sponsored some data security
forums that I have been privileged to attend. I would just like
to hear your comments on what we need to do to protect this
information. I am astounded that they were notified by the
Homeland Security Department and they still couldn't figure out
how to correct a breach that they were told they were going to
get.
    Mr. Bentsen.
How you describe the situation with Equifax
would not be consistent with how the financial services
industry approaches the issue of cyber defense, preparedness,
and resiliency. And the industry is doing a lot on its own,
through its own self-directed principles, in adhering to the
NIST framework.
    Furthermore, though, our regulators will regularly look and
see how we are complying with our cyber defenses and
resiliency. Our concern is doing it 13 times the same way, but
that is more of a process question.
    That would not be acceptable within our industry.
    Mrs. Maloney. Any other comments?
    Ms. Schwartz. I think examination is an important part of
that. In the credit union industry, we receive regular
examinations. There is not a regulatory body that routinely
goes into any of the credit bureaus and ensures that they are
following those best practices.
    We just completed a regulatory exam last Friday where they
asked us to have a backup firewall to our backup site. We have
a firewall, a backup firewall, a redundant site, and a backup
firewall for that. I don't believe that the credit bureaus are
subject to that same degree of scrutiny and examination.
    Chairman Luetkemeyer. The gentlelady's time--
    Mr. Mierzwinski. Could I make a brief comment?
    Chairman Luetkemeyer. Very brief.
    Mr. Mierzwinski. Very briefly, Congresswoman, the Equifax
mess is a mess, but the solution is examination authority. I
think it should go to the Consumer Bureau. They have all the
rest of the authority over Equifax, but everything they did was
wrong.
    Chairman Luetkemeyer. OK. The gentlelady's time has
expired. We go to the gentleman from Colorado, Mr. Tipton,
recognized for 5 minutes.
    Mr. Tipton. Thank you, Mr. Chairman, and thank the panel
for taking the time to be able to be here. I would like to
start with Mr.
Bentsen, in your testimony you had noted that
approximately 40 percent of cybersecurity activities were
focused on compliance rather than security.
    How is that impacting the ability to actually address what
I think people are concerned about, and that is actually having
real security?
    Mr. Bentsen. That is what our member firms report to us, in
terms of having to deal with various compliance requirements,
exercises, and all. Again, our point is we understand the need
for this, but it is having to do it over and over and over
again when--and having to deploy those resources when they
could be deployed to frontline defense and resiliency and
recovery planning.
    Second, I would point out, which is not in my testimony,
but industry statistics have found that there is actually a
shortage of cyberdefense personnel in the United States. This
is something where I think we ought to be careful how we are
deploying our resources. That we are not overtaxing when we
don't really need to. We can accomplish the same thing for
different regulators because of the way the industry approaches
the question.
    Mr. Tipton. Well, and you have spoken a lot to the
harmonization that needs to happen. Would this actually help in
terms of harmonizing some of the policies that are going
through the different agencies so you aren't filing duplicate
reports to the 13 different agencies to be able to address
that?
    Mr. Bentsen. We think so. We are talking with our
regulators about that. Again, we are all trying to do the same
things. We can use the same nomenclature. We can try and adhere
to the same framework, which we think ought to be the NIST
framework. If you were able to have a good exam with SEC, you
ought to have a good exam with FINRA, likewise with the OCC, or
whoever it may be.
    Mr. Tipton. Yes. Ms. Schwartz, is that pretty much your
experience with the credit unions as well?
Are you seeing
dollars for compliance as opposed to security?
    Ms. Schwartz. It is absolutely true. But as a credit union,
we are in the trust business a little bit as well, well, a lot
as well, and our reputation is very, very important. Even
absent the regulations, absent the compliance requirements,
most of the things we would be doing anyway, because we would
absolutely lose our membership if they can't be 100 percent
confident that we are protecting their secure information,
their private information.
    Mr. Tipton. Right. A lot of the concern really is about
having that real confidence within the system. I think,
probably everybody can agree there will be attacks, there will be
breaches that are going to take place.
    Mr. Bentsen, through SIFMA, you have developed a program, I
think through your industry, the Quantum Dawn, to be able to
identify maybe some responses, to be able to rebuild those
databases.
    What has been something that you have learned from that?
    Mr. Bentsen. Congressman, the Quantum Dawn is an
industrywide exercise that we do biannually, and we simulate
major attacks on market infrastructure, different sectors of
the industry, with our government regulators looking over our
shoulder. From those we learn a number of things, including
better ways of information sharing, who you should call in the
Government, depending on what type of account. Testing our
playbooks and our recovery playbooks, for instance, of whether
markets should open or close if there is a major attack on an
infrastructure situation.
    The industry finds this very valuable. Our regulators, I
think, find it very valuable. We have also done tabletop
exercises with our regulators and going through different
scenario planning.
In those we have actually also come up with
things that neither we nor the Government necessarily had
thought about, and that has led to new initiatives that we
think improve our resiliency.
    Mr. Tipton. Speaking to that, would you maybe speak a
little bit to the Sheltered Harbor?
    Mr. Bentsen. The Sheltered Harbor is an initiative that
came out of what is known as the Hamilton Exercises, which is a
Treasury-led effort with the industry and the Government.
Sheltered Harbor is an industry-led effort that SIFMA as well
as the ABA, the FSR, the Clearinghouse, and a number of other
industry participants and vendors participate in. It is now
housed under the FS-ISAC.
    The idea here is if there is a major attack on a banker,
broker, dealer, and all of their data is wiped out, and they
are not able to stand back up. Are you able to recreate end-of-
day balances from the day prior--and bring that up through a
vendor or another institution. It is done through establishing
a protocol that firms would adhere to. We are currently at
about 70 percent of the bank retail deposits participating in
the process, and about 50 percent--or 60 percent of broker
dealer retail accounts.
    The idea is, again, to be able to go back through encrypted
offline protocol that then could be reestablished. Again, it
goes back to the question of confidence in the system in trying
to solve that. That came out of our exercises. We didn't have a
mechanism in place so now we are trying to create it.
    Mr. Tipton. Great. Well, thank you. My time has expired, Mr.
Chairman.
    Chairman Luetkemeyer. The gentleman's time has expired.
With that, we go to the gentleman from Tennessee, Mr. Kustoff,
you are recognized for 5 minutes.
    Mr. Kustoff. Thank you, Mr. Chairman. Thank you to the
witnesses for being here this afternoon. Mr.
Mennenoh, if we
could, I know in your testimony you discussed the rapid
increase in criminal attempts, almost--I think you said almost
500 percent--480 percent.
    Mr. Mennenoh. Yes.
    Mr. Kustoff. To steal customers' closing funds. In response
to Mr. Trott, you talked about, in your testimony and in
relation to his questions, education of the consumer. Could you
also address, from a closer standpoint, a title company's
standpoint, what best practices a typical closer or title
company has implemented to protect customers' funds?
    Mr. Mennenoh. Yes. Absolutely. First of all, we use
encrypted email when we communicate with our consumers. We also
have secure platforms where we can exchange information with
our customers on a transaction. In terms of actually protecting
the funds and what we do, for our escrow trust accounts we have
many security measures in place to make sure that anything that
goes through there is watched very closely.
    Most of our members do a three-way daily reconciliation of
the account. We are reconciling our account every single day to
make sure we see what activity is going through. We use
Positive Pay for our checks. When we have an outgoing wire, we
have a two-step authentication process. Once it reaches a
certain level, there is a three-step process. To make sure that
everything is being done, the wire instructions are correct, it
is going to the right place. We take a number of steps like
that to make sure that we are protecting the funds.
    Mr. Kustoff. Some of the practices you have described, are
those recommended by the American Land Title Association?
    Mr. Mennenoh. Those are included in the ALTA best
practices. Yes.
    Mr. Kustoff. Do you have an opinion or would you have any
knowledge what percentage of ALTA members follow those best
practices?
    Mr. Mennenoh. Honestly, I don't have a number for you.
In
traveling around the country, I can tell you that a lot of our
members who are actively engaged in their State association or
national association have implemented the best practices. But I
don't have a number for you.
    Mr. Kustoff. Again, I understand you don't have a number.
For those entities that maybe have not adopted those best
practices standards, would the issue be cost? That is my first
question. Can you elaborate on the difference between costs
associated with cybersecurity for a small company and for a
medium and large-sized company?
    Mr. Mennenoh. Certainly. Yes. Cost is certainly an issue.
It is costly to implement these things, particularly for a
small company. Implementing these types of security measures is
a good example, for my company, the amount of fees that we pay
to our bank is in the tens of thousands of dollars per year to
implement these various procedures and protections that we have
in place just with the bank. It is a cost issue, and for small
companies that is a big problem. But many of our members who
are very responsible and want to do the right thing are very
inadvertent.
    Mr. Kustoff. Thank you. Ms. Schwartz, if I could. The
collaborative efforts that have to be undertaken, if you will,
by the financial sector and by law enforcement are incredibly
important, I think we would all agree, in preventing and
mitigating the risk that these cyber attacks pose.
    In the event of a cyber attack, how quickly would your
institution engage with law enforcement?
    Ms. Schwartz. Happily, my institution has not been the
victim directly of a cyber attack. We have had--our members
have been the victim from data breaches that have happened at
the merchant level. We would, of course, cooperate fully should
that unfortunate event happen. But we have DDoS protection, and
we haven't had any direct attacks since 2015.
    Mr. Kustoff.
In those institutions, those members that
would have attacks, are there law enforcement agencies that
they typically go to, are they Federal, State, local? Who do
they reach out to first and how do they collaborate?
    Ms. Schwartz. For our members, they would reach out to us,
to say, What should we do? We would put everything in place we
could to protect them, whether it is the reissuance of cards,
putting notification of fraud alerts on their accounts, best
practices, webinars, telling them how they can put a freeze on
their account through the credit bureaus.
    Typically, because we cover the losses, as a financial
institution, they are less concerned with reaching out,
frankly, to law enforcement because we have covered them from
those losses.
    Mr. Kustoff. Thank you. My time has expired. Thank you, Mr.
Chairman.
    Chairman Luetkemeyer. The gentleman's time has expired. Now
we go to the gentleman from Kentucky, chairman of the Monetary
Policy Subcommittee, Mr. Barr, recognized for 5 minutes.
    Mr. Barr. Thank you, Mr. Chairman. Thank you for holding
this very important hearing. I hear very regularly from both
retailers and the merchant community back in Kentucky, in
addition to community financial institutions that serve
consumers in central and eastern Kentucky, about the problem of
data security. Of course, the Equifax breach is a warning to us
all that this is a very large-scope problem.
    As we marked up the legislation last year to attempt to
address this problem, the Carney/Neugebauer legislation, we got
different competing stories from the various different actors
that would be affected by this. I kind of want to unpack all of
that discussion here.
    A community bank in Kentucky has told me that they have
increased spending significantly over the last 18 months on
data security. Why? Because they have seen the number of
account take-overs triple.
Meaning, scammers, through the use
of personally identifiable information and security question
data try to gain access to an account by calling the bank and
asking for addresses to be changed and new debit cards to be
ordered. Et cetera.
    These same community banks and credit unions tell me that
they are spending a whole lot of money dealing with the fraud
and reissuance of cards. What they talk about is the weakest
link in the data security system. My first question to Ms.
Schwartz is where do you view the weakest link to be?
    Ms. Schwartz. In the payment market, they are absolutely
right. The weakest link is where the criminals are going to go,
and frankly, it is at the merchant level at this point. Mission
Fed spent over a million dollars in 2017 for data security.
Many of the merchants have little or no protocol in place for
things as simple as getting rid of old data or shredding or
virus protection. It doesn't have to cost a million dollars.
There is basic financial hygiene, if you will, that can be
implemented at a reasonable cost, no matter what your size.
    Again, going back to Gramm-Leach-Bliley, as a scalable and
flexible rule that does provide a nice framework for protecting
important consumer privacy data, financial data.
    Mr. Barr. Now, what would you say, Ms. Schwartz, to the
kind of response from the merchant community that the breach
notification legislation that we voted for in the last Congress
would subject retailers to stringent bank-style security rules,
whereas, banks or credit unions would be subject only to
discretionary guidance?
    Ms. Schwartz. I don't think it is discretionary for us. It
is our reputation. We are responsible, on the hook monetarily,
and we are very, very heavily regulated. I think H.R.
2205,
which I believe is what you are referring to, did a very nice
job at providing a level playing field, because again, if you
don't have the standards throughout the whole payment systems
infrastructure, the criminals are going to find the weakest
link.
    Mr. Barr. Yes, I think, so community financial institutions
in my district also would say that Regulation E forces them to
pay when their customers are harmed, even though it is not
their fault, when it is the fault of some other party. That is
a very understandable anxiety for those folks.
    But let me just kind of continue to try to unpack this,
because the merchant community will say that small businesses
simply don't pose the same kind of risk because they are only
dealing with a small category of vulnerabilities, namely,
credit card information, not a range of other kinds of
sensitive information.
    What would you say in response to that?
    Ms. Schwartz. I would say in 2017 until the end of
September, at my credit union alone, we have had 14,500 cases
of reported fraud, costing us $1.7 million, money that could
have been better spent serving our members.
    Again, basic financial hygiene of protecting sensitive
data, updating virus protection, does not seem like an
unreasonable standard for those merchants to have to follow in
return for having a good business practice, a good name.
    Mr. Barr. Yes. I am very sympathetic to your point of view;
at the same time, I want to figure out a way forward,
especially with those small businesses that are pushing back.
Any help that you all can give us in terms of working with the
merchant community to come--to work through these issues would
be appreciated, because we clearly need a solution.
I think all
parties, to their credit, have supported passage of some kind
of Federal data breach notification law to replace the existing
patchwork.
    I have run out of time so I will yield back.
    Chairman Luetkemeyer. The gentleman's time has expired.
With that, we go to the gentleman from Georgia, Mr. Loudermilk,
who is recognized for 5 minutes.
    Mr. Loudermilk. Thank you, Mr. Chairman. I appreciate the
panel being here. This is--being in the IT arena for 30 years,
and 20 of that in the private sector, and prior to that being
in the intelligence community, security is something that has
been a grave concern of mine over the years, especially when I
have been in Congress. It is something that we are going to be
continually chasing.
    One of the things that I emphasized to the businesses that
I served in the IT industry, most of them small, medium-sized
businesses, is it is impossible to protect yourself from a
hack, from an intruder. The idea is, you make yourself a harder
target than the other guy. That is sort of like the story of
the two Georgians who went hiking in Alaska, one of them took a
.357 Magnum, the other took a pair of tennis shoes because they
were afraid of bears. The guy with the gun said, you can't
outrun a bear, why are you taking those? He said, I don't have
to outrun the bear, I just have to outrun you.
    That is really the idea that cybersecurity is making
yourself a harder target than the risk that you propose. The
other aspect of that is something that we held when I was in
the intelligence community when it came to security is that you
don't have to protect what you don't have. It deals with data
retention, which Ms. Schwartz indicated earlier, especially
with small businesses, is the amount of data that you are
keeping.
If you don't need it, you need to destroy it, which
leads to an area that I have begun looking into.
    I think that we, the Government, create a security issue
ourselves by the regulations that we impose upon, especially
the financial services industry, making these businesses obtain
and maintain information for long periods of time that they
really don't need.
    Ms. Schwartz, can you opine on this? Is there data in
credit unions, and especially small banks, that we require you
to get that you wouldn't obtain, except that the Government is
telling you to keep it?
    Ms. Schwartz. I am not going to argue with the fact that we
have to maintain and submit an awful lot of data to our
regulators. When we do a mortgage, in particular, there are more
and more data points that are being collected and provided.
That is absolutely true. It has exponentially increased over
the years as to how much we need to maintain, retain, and
provide.
    Mr. Loudermilk. OK. Mr. Bentsen?
    Mr. Bentsen. It is a very good question. A lot of data
collected and held for regulatory mandates and submitted to our
regulators is with no malintent; it was part of the process.
But as we moved into this age, it is really something that we
really need to think about. It is part of our principles as
well, do you need it in the first place? How long do you need
it? Who should have access to it? When you don't need it, how
do you get rid of it so you eliminate the target in that
response? That is my point with Consolidated Audit Trail, which
is something that was not designed to capture PII, but does in
the current design. It is designed to monitor market activity.
You are creating this massive database with a lot of sensitive
PII in there. The question needs to be asked, just like the
industry asks itself, do we need that to accomplish the
underlying goal?
    Mr. Loudermilk. Exactly. Mr. Mennenoh?
    Mr. Mennenoh.
A very simple example is many, many years ago
the title industry was required by a regulation to collect
information for the issuance of 1099s on real estate
transactions. That means that we have to collect Social
Security numbers so that we are effectively the watchdog for
this, for the IRS, and this is something we have been forced
into doing and we have to maintain that to prove that we have
done what we are supposed to.
    Mr. Loudermilk. I am also a member of the Science, Space
and Technology Committee, and we have been looking into
cybersecurity risks for the 3 years I have been in Congress. I
asked the Inspector General, not long after the OPM data
breach, if you would rate the Federal Government's ability to
protect data, our cybersecurity preparedness, on a simply
elementary school rating system, what would you rate the
Federal Government? His answer was a D minus. He said, it was
only because of the minimal changes that were made in OPM, I am
not giving it an F. But, yet, we are continually having to
provide to the Federal Government massive amounts of data on
your customers.
    That is why I keep addressing this is--maybe one of the
theories we need to address that area of--the amount of data
that you are required to obtain and maintain.
    One last question. I see I am running out of time, Mr.
Chairman, so I will yield back. Thank you.
    Chairman Luetkemeyer. The gentleman yields back. With that,
we will go to the gentlelady from New York, Ms. Tenney, who is
recognized for 5 minutes.
    Ms. Tenney. Thank you, Mr. Chairman, and thank you, panel.
This is a complex issue, and actually, I am not sure who to
address these questions to.
I was a former member of the New
York State Assembly, and as we--I don't think it was the wisest
move, our Governor decided to consolidate our insurance and
banking industries into one big institution, Government
institution, and then obligated many of our banks and our
institutions to provide data, much like Mr. Mennenoh was
talking about with the 1099 data for real estate closings.
    I attended a cybersecurity event where a cybersecurity
expert said, the worst place to reserve your data is in a
Government entity. It is safer and better in banking
institutions and financial institutions. As Ms. Schwartz cited,
your reputation is on the line, and the incentive for you to
protect that and be competitive in the marketplace is certainly
much greater than Governments.
    I know we are trying to get to the bottom of this. But
toward that end, and I will address this to Ms. Schwartz
initially. Can you tell us some way that we can help in
Congress to minimize your--the requirement that you come up
with data--extra data turned over to Government with
confidential information, with some other way that you can
protect it, and we can know with assurances that without that
data getting into the stream, how can we protect it in some
way?
    Ms. Schwartz. I think much of the data is requested with
the best of intentions.
    Ms. Tenney. Exactly. We know they are good intentions, but
getting hacked is certainly by somebody without good
intentions.
    Ms. Schwartz. But we are very heavily regulated, very
heavily examined. Most of the data would be available at
examination time, without needing to be transmitted on a loan-
by-loan or account-by-account basis. Other than--
    Ms. Tenney. You are suggesting that instead of turning the
data over, as is sometimes required by, say, New York State, it
would be sampling of data, as opposed to a full turnover of
data.
    Ms. Schwartz.
Or it could be a full turnover of data when
the examiners are onsite. They can look at anything they
want while they are onsite without having to electronically
transmit it.
    Ms. Tenney. That sounds like a great option. I appreciate
it. Mr. Mennenoh or Mr. Bentsen, would you like to comment or--
    Mr. Bentsen. I agree with that. A situation we have now is
about what is known as penetration testing, and this is
something that firms do to test their own defense system, and
they may do it with their own teams, or they may bring in an
outside vendor to do it. Certain regulators in the U.S. and
around the globe have wanted to create a mandate around using
third-party vendors, and the industry has become concerned,
because in doing this you are kind of giving the keys to the
castle to an outside party.
    Then in reporting to our regulators, if you have to report
the whole road map, you are handing the keys over, again, to an
outside party. We completely agree from the standpoint of, come
in, sit down, look at the data, we will walk you through it,
you can tell us what you don't like, or what you want us to
change, but let's be very careful about spreading that all over
the place, again, with the best of intent. Let's not create
targets unnecessarily.
    Ms. Tenney. I appreciate that. Maybe you could comment--I
agree a hundred percent. I think that, obviously, Government is
well-intentioned, but it is unpredictable. The people in power
change, the people in positions change, and so you have--it
seems to me the data is just drifting across unsafe and
insecure regions. But maybe you can comment on that as well,
Mr. Mennenoh.
    Mr. Mennenoh. I would agree that it is--we are being asked
for information, certainly more frequently. Many States in our
industry are regulated; they do have audits and those things
that are being done.
Certainly, an onsite audit of paper is a
lot easier to secure than a digital audit that is being sent
all over the place. It is troubling.
    Ms. Tenney. Thank you very much. I appreciate your
testimony. I yield my time back. Thanks so much.
    Chairman Luetkemeyer. The gentlelady yields back. We will
now go to the gentleman from California, Mr. Royce.
    Mr. Royce. Chairman, thank you. Thank you very much. I
thank the panel here. I was looking through my notes, and every
2 years, like clockwork here, we hold a hearing and it follows
always a major breach in consumer data by a U.S. company. Here
we are again, and the massive Equifax breach exposed the
personal information of 150 million consumers. Before that we
had Anthem, we had Yahoo, we had Home Depot, and of course,
Target, and even the Federal Government's Office of Personnel
Management, as the Chairman of Homeland Security reminds me,
since his data was stolen.
    These breaches have made the headlines, and then the
hearings follow, and then, of course, outside of
Gramm-Leach-Bliley, we have failed to pass legislation into law that puts
in place national standards for data protection and national
standards for breach notification. We have failed to do that on
our part here.
    To be very clear, the Committee has acted, this Committee
has acted repeatedly. We have passed legislation over and over
again. But it is high time that we put any policy differences
aside and enact a law that serves the American people. I know
the chairman--I want you to know, Chairman, I stand ready to
work with you. I suspect you will be the author of the bill. To
do this, we have to convince our colleagues as we move it out
of committee, which certainly you will, to take this seriously
with respect to getting it over in the Senate, and then things
will become more complicated.
But we have to convince the \nSenators to move this legislation as well.\n    I would like to ask Ms. Schwartz a question. Community \nfinancial institutions are often the face of data breach for \nyour customer, although not necessarily the cause. In your \ntestimony you cite a July 2017 NAFCU member survey. The \nestimated cost of data breaches in 2016 was $400,000 per credit \nunion.\n    Credit unions in California have been very hard hit. The \ntarget breach cost the Credit Union of Southern California \n$35,000. The Home Depot breach costs Schools First Federal \nCredit Union in my area, they are in Orange County, $700,000, \nwith a 65 percent increase in card fraud. Coast Hills Credit \nUnion watched $100,000 in fraud hit their system in 5 minutes \nbecause of that same breach.\n    Do these numbers ring true for your credit union in San \nDiego as well?\n    Ms. Schwartz. Sadly, absolutely. In 2017, we had 14,500 \nseparate reported cases of fraud. It has cost my credit union \n$1.7 million so far this year. The holiday season is typically \nalso a fraud season, so we expect to see more. Over $6 million \nsince 2003 in fraud losses.\n    Mr. Royce. Six million for your membership. How much \nreimbursement of your costs is covered by contracts with \nvendors and payments networks?\n    Ms. Schwartz. Pennies on the dollar. The fraud losses I \nmentioned are simply the hard costs. There is also staff costs. \nThe cost of us implementing security measures. The cost of \neducating our members, educating our employees. There is both \nthe hard dollar costs and the soft costs. The remuneration is \nminimal.\n    Mr. Royce. Do you think there is a better way to allocate \nfinancial responsibility for breaches in order to incentivize \ncompanies to better secure data?\n    Ms. Schwartz. Absolutely. We very much support a level \nplaying field. H.R. 
2205, which was introduced in the 114th \nCongress, provided that, Gramm-Leach-Bliley is a dynamic, \nscaleable, flexible tool that should apply to largest and \nsmallest. It applies to small credit unions, it could apply to \nsmall merchants.\n    Mr. Royce. Let me get a quick question in here for Ken, if \nI could. As I mentioned in my opening, failures in \ncybersecurity systems have occurred in the private sector and \nin the Government--within the Government. Representing an \nindustry that shares an enormous amount of sensitive customer \ndata with regulators and other agencies, do you feel the \nGovernment is doing enough to shore-up its own systems to \nprotect against cyber attacks?\n    Mr. Bentsen. Thank you for the question, Congressman. This \nis an ever growing threat. I think the Government increasingly \nunderstands that, and we are engaged in dialog with our \nregulators about how we protect the data when we hold it, and \nthe best practices that we use. The Treasury has been leading \nan effort to look at how they protect the data that they \ncollect. This is an emerging issue that I think has gotten the \nspotlight with everything going on.\n    Mr. Royce. Thank you. Thank you, Mr. Chairman.\n    Chairman Luetkemeyer. The gentleman\'s time has expired. \nWith that, we go to the gentlelady from Utah, Mrs. Love, who is \nrecognized for 5 minutes.\n    Mrs. Love. Thank you. Thank you for being here. I have a \nquestion that I want to address, Ms. Schwartz, you mentioned in \nyour testimony that credit unions left often cleaning up the \nmess when another institution suffers from data breach. \nInstitutions such as retailers that aren\'t subject to a data \nsecurity structure like the Gramm-Leach-Bliley, you have \nwritten this in your testimony.\n    Could you summarize for me what that mess looks like for \ncredit unions like yours, and what kind of costs are involved \nin that?\n    Ms. Schwartz. 
To scale it--my credit union has issued about \n280,000 credit cards to our members. Over the past few years we \nhave reissued 146,000. A significant number of our members have \nbeen impacted, some more than once, many more than once.\n    Mrs. Love. Right.\n    Ms. Schwartz. They don\'t always understand where the breach \nhappened, most particularly because often we can\'t tell them \nwhere the breach happened. They tend to think that the \nfinancial institution is the responsible party, when we have \nnot been.\n    Mrs. Love. When you are reissuing over half, what does that \ncost look like?\n    Ms. Schwartz. Just for fraud itself was $1.7 million for us \nso far this year, through September 30. We anticipate it will \nbe well over $2 million just for the fraud occurrences. \nReissuance of the cards depends on the type of card and whether \nthe PIN was compromised. It ranges between $2 to $6 per PIN, \njust for the hard cost. Then, of course, there is the soft cost \nof answering all of those member questions.\n    Mrs. Love. Right. OK. Are you able to break down those \nnumbers by different types of breaches, such as by source?\n    Ms. Schwartz. If it is a huge breach, we will typically go \nback and take a look and be able to determine. Oftentimes, \nbecause there are so many different cases, 1,400 different \nbreaches is not practical for us to spend staff time to try and \ntie back every single bit. We are financially responsible to \nthe members, we reimburse them, and then we move on to the \nnext.\n    Mrs. Love. OK. You also mentioned that one of the \nvulnerabilities in sectors beyond bank and credit unions is \nlack of examination for compliance with data security \nstandards. You specifically mentioned that credit bureaus, like \nEquifax, are not examined for compliance with the GLBA. How big \nof an impact do you think this makes, and how should compliance \nbe insured?\n    Ms. Schwartz. I think it clearly makes a huge difference. 
\nIf they had followed the Gramm-Leach-Bliley Act requirements, \nit is very possible the breach wouldn\'t have happened. The \npatch would have occurred in a more timely manner and the \nopportunity for the fraudsters to gather that data simply would \nnot have been there. Absent a regulatory examination to ensure \ncompliance, I don\'t think it happens.\n    Mrs. Love. Would it be fair to say that if institutions or \nthe credit bureaus, like Equifax, had as much skin in the game, \nin other words, if they were held responsible financially for \nthese breaches, that you would see fewer of these things \nhappening?\n    Ms. Schwartz. No question.\n    Mrs. Love. OK. I have a few more minutes. There was a part \nwhere you pointed out in your testimony that the breach may \nnever come to fruition if an entity handles sensitive \ninformation, limits the amount of data collected on the front-\nend and is diligent in not storing sensitive personal data and \nfinancial data in their own systems.\n    Do your consumers even know, for example, if they are \nsitting at their computers shopping online, what happens to \ntheir data, especially the data that they are being asked to \nsupply?\n    Ms. Schwartz. I think consumers are becoming more educated \non this, but I think they are more concerned with the \ntransaction than what is happening behind it. I am sure that \nthey don\'t realize that many merchants can store that data for \nan unlimited period of time, even though they might not have \nshopped at a certain merchant, that data is going to linger out \nthere forever.\n    Mrs. Love. In other words, sitting at their computer, they \nprobably feel like there is some vulnerability there, but they \nhave no idea that the vulnerability lingers way past the time \nthat they are actually sitting on the computer.\n    Ms. Schwartz. Exactly.\n    Mrs. Love. 
Over 1.4 million Utahans were affected by the \nEquifax breach, and as information is growing and changing, it \nis something that is incredibly concerning. I think that this \nis an example of how we need to have institutions that are \nholding onto this data have some skin in the game, that they \nknow that they are absolutely responsible for those breaches, \nalso. I think that where a lot of responsibility is given, you \nhave to make sure that you take care of that responsibility \ncarefully. Thank you for your testimony.\n    Chairman Luetkemeyer. The gentlelady\'s time has expired. \nWith that, we go to the gentleman from North Carolina, Mr. \nPittenger, is recognized for 5 minutes.\n    Mr. Pittenger. Thank you, Mr. Luetkemeyer, for hosting this \nhearing. I really appreciate each of you all being with us \ntoday, your input is extremely valuable.\n    In North Carolina we have had a significant impact with 1.1 \nmillion North Carolinians\' personal data stolen in various \nsecurity breaches since 2015, up from 300,000 in 2014. The \nEquifax had an impact of 5 million North Carolinians. It is a \nclear indication of the concerns that we have with data and \nsecurity concerns, as well as congressional action that needs \nto be provided.\n    With that in mind, I would like to ask you, Mr. Bentsen. In \nyour own statement you referenced that we need to have a \ncombination of activities that relies on strong defenses, \ninformation sharing, mitigation, and recovery planning.\n    To the point of information sharing, Mr. Mierzwinski \nconveyed that you cannot bifurcate data sharing and privacy \nissues. How would we mitigate the privacy concerns with the \nneed that we truly do have for greater data sharing?\n    Mr. Bentsen. That is a very good question. 
We are \ninterested in information sharing, not only with the industry \nbeing able to share with the Government, the Government being \nable to share with the industry when there is a certain attack, \nbut also to be able to share not data as much as sharing the \ntypes of attacks that are occurring across the sector.\n    Mr. Loudermilk talked about this in the past, one of my \ndefenses is having somebody else get attacked so they are not \ncoming after me. What we have tried to do in the financial \nservices industry is to be able to spread the information \nacross the sector quickly if a certain type of attack is \noccurring so that others can recheck their defenses against \nthat or their resiliency efforts against it. We think that is \nreally important.\n    At the same time, the industry feels very strongly, not \nonly about our legal obligation with respect to protection of \nprivacy, but as Ms. Schwartz says, our reputational obligation \nto our clients. It is a highly competitive industry, and if we \nare viewed as not protecting our clients\' data, they are going \nto go somewhere else. It is a spot-on question.\n    Mr. Pittenger. Recognizing this need, how would you frame \nlegislation? How would you advise us to address this concern?\n    Mr. Bentsen. We were not part of the legislation referenced \nfrom the 114th Congress, and obviously, you have parties on all \nsides who have--or interests on all sides who have legitimate \nconcerns about that. Data breaches are just one component of \nthis, but it is a huge component. It maybe has the biggest \nretail aspect in some respects, and a huge market failure would \nhave a huge retail impact as well.\n    This is an emerging issue that is only going to get worse. \nIt is not going to get better. 
It is something where \npolicymakers, such as Congress, are really going to have to dig \nin and bring the parties together, and by that, the interests--\npolitical parties perhaps as well, but the interests together \nto really see how can we look into the future, because we are \nalso going to see technology use increase. Technology is a good \nthing, it has improved efficiencies in the economy, it is only \ngoing to do more of that. But it is going to create new risk, \nand we need to be in front of those going forward.\n    Mr. Pittenger. Thank you. Mr. Mennenoh, you stated in your \nremarks that policymakers should consider better ways to use \nboth the SARS reports, and IC3 data to better detect accounts \nused by these criminals.\n    Give us some examples of better ways that we should be \nemploying?\n    Mr. Mennenoh. That is a good question. I don\'t know that I \nhave a clear answer for you on that without having the staff \nhelp me with that. But, certainly, I would say being able to \nprovide information to all of the parties in the real estate \ntransaction, the different industries that are involved in \nterms of where these problems occur, how they occur, and the \nwarning signs, if you will, to detect them, to try to prevent \nthem. I don\'t know that I can help you further than that.\n    Mr. Pittenger. Ms. Schwartz, quickly, you stated that \nCongress needs to modernize data security laws to reflect the \ncomplexity of the current environment, insist that entities \ncollecting and storing personal financial information adhere to \nstrong Federal standard in this regard.\n    How would you modernize those laws?\n    Ms. Schwartz. I think Gramm-Leach-Bliley does provide a \ngood model because it is scalable and flexible. I think it can \napply to small and large, and it provides some basic guidelines \nthat ensure sound practices.\n    Mr. Pittenger. Thank you. My time is expired.\n    Chairman Luetkemeyer. 
The gentleman\'s time has expired, and \nwe are out of questioners. All of you on the panel are freed up \nhere at this moment. Thank you for being here today.\n    Just a few closing thoughts. We are a very data driven \nsociety. I am a big baseball fan. Even data drives the baseball \ngames. I have been watching the World Series, and they talk \nabout this batter can hit this pitch in this area and you have \nshifts on the defense to where you go, and they match up \npitchers between the batters. It is all back to data, data, \ndata, which is great to a certain extent.\n    But I think, Mr. Bentsen, your last comment there was very \nsuccinct when you say, with all this data comes new risks, and \nhow do we protect ourselves against those risks. I think that \nis what we are concerned about today, as we see these breaches \ncontinue. The gentleman from California a minute ago, Mr. \nRoyce, said, here we are again. Here we are again.\n    We have to figure out how to put some solutions on these \nproblems, and hopefully your information today will help us. I \nthink we need to look at notification. To me, that is a big \nissue. How do you make sure that the public, whose information \nthat you as a business--or Government have, how do you notify \nthem when you have been breached so that there is a level of \ntrust there, so that you can give those folks notice that they \ncan get themselves in a position where they can protect \nthemselves.\n    Who assumes the liability whenever there is a breach? To \nme, that is a big question. I think Mr. Barr asked that \nquestion a while ago. We need to figure out where that stands, \nbecause I can tell you there are some businesses, I think, one \nof them, I think maybe it was Andy here a minute ago, made the \nsame comment with regards to businesses, who through no fault \nof their own, it is costing them thousands and thousands of \ndollars as a result of breaches. 
This has to go back to \nentities that caused the problem and they have to be held \naccountable.\n    We are looking for help, we are looking for answers. We are \ngoing to continue to work with you on these issues. We \ncertainly appreciate your being here today and all of your \ninput, and again, as I said, welcome your input back to us on \nother concerns or questions that may have come up during the \ndiscussion.\n    The Chair notes that some Members may have additional \nquestions for this panel, which they may wish to submit in \nwriting. Without objection, the hearing record will remain open \nfor 5 legislative days for Members to submit written questions \nto these witnesses and to place their responses in the record. \nAlso, without objection, Members will have 5 legislative days \nto submit extraneous materials to the Chair for inclusion in \nthe record.\n    [Whereupon, at 3:45 p.m., the subcommittee was adjourned.]\n\n\n                            A P P E N D I X\n\n\n\n                            November 1, 2017\n                            \n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'