US House Energy and Commerce Committee. Commerce, Manufacturing, and Trade Subcommittee

Transcription

1 US House Energy and Commerce Committee Commerce, Manufacturing, and Trade Subcommittee Protecting Consumer Information: Can Data Braches Be Prevented? February 5, 2014 Congressmen in Attendance: Rep. Lee Terry, Rep. Pete Olson, Rep. Leonard Lance, Rep. Jan Schakowsky, Rep. Fred Upton, Rep. Marsha Blackburn, Rep. Billy Long, Rep. Henry Waxman, Rep. Joe Barton, Rep. John Dingell, Rep. Peter Welch, Rep. Brett Guthrie, Rep. Mike Pompeo, Rep. Gregg Harper, Rep. Gus Bilirakis, Rep. David McKinley, Rep. John Yarmuth, and Rep. Bill Johnson Witnesses: Panel 1: Edith Ramirez, Chairwoman, Federal Trade Commission, Lisa Madigan, Attorney General, State of Illinois, William Noonan, Deputy Special Agent in Charge, Criminal Investigations Division, Cyber Operations, US Secret Service, Lawrence Zelvin, Director of the National Cybersecurity and Communications Integration Center, Department of Homeland Security Panel 2: Michael Kingston, Senior Vice President and Chief Information Officer, The Neiman Marcus Group, John Mulligan, Executive Vice President and CFO, Target Brands Inc., Bob Russo, General Manager, PCI Security Standards Council, Philip Smith, Senior Vice President, Trustwave Holdings Begin Panel 1 Rep. Lee Terry introduces the panel and witnesses. He states that he believes that that more can be done whether that be by government, the private sector or a combination of both. Rep. Pete Olsen makes a similar statement. Rep. Leonard Lance states that data breach notification is where the attention should be focused. He also suggests that attention should also be on prevention and the industry standards put in place by the card brands. Rep. Jan Schakowsky takes the floor recognizing that no regulation can 100% prevent data breaches, which happen every day. She makes it clear that we need a federal law regarding data breach notification and data security standards. She also is open to the idea of a technology neutral bill so that the FTC can work with the payments industry to keep up with new technology as it becomes available. Rep. Fred Upton states that the federal government and regulation is not the only layer of protection. The states and the private sector have important roles to play as well. On the other hand, Rep. Upton questioned whether self regulation was the way to go.

2 In Rep. Marsha Blackburn s opening statement she explained that data breach notification is important but the private sector must work with the federal government on these issues. Rep. Henry Waxman questioned if the industry policing itself was the best course of action. He explained that the federal government definitely has a role in data breach notification and data security standards. He stated that the state laws should be used as models for minimum legislation implemented on the federal level. Ms. Edith Ramirez urged the importance for a data security protection standard and data breach notification legislation. She also encouraged the panel to consider increasing the FTC s power, giving them the power to implement civil actions and liabilities, holding companies responsible for their data security systems. The FTC would also have the power to form security standards. Ms. Lisa Madigan stated that action must be taken on the private sector and in the federal government. She explains that companies are not doing everything they can to prevent breaches and the US in general is behind on its payments networks. This technological gap is the main reason for the US being such a large criminal target according to Madigan. She says that the government must put in place a notification requirement, give the FTC power to investigate, all while not undercutting state laws. Mr. William Noonan made it clear that the Secret Service has the authority and should keep the authority to investigate data breaches. He also explains the five part breach process criminals go through to gain access to consumer information. The process includes, unauthorized access, implementation of malware, selling the acquired data, fraud with the data, and the laundering process of the stolen money. Mr. Lawrence Zelvin echoes many other representatives and witness statements, saying that everyone must work together to combat data breaches; the government and the private sector. Begin Questioning Rep. Terry asks about how this data security breach took place. Mr. Noonan explains that the Target and Neiman Marcus breaches are different in nature, including different malware. He also confirms that these companies were using major security systems at the time of the attacks. Noonan also explains the ISAC program to the board. Mr. Zelvin states that it is up to businesses if they want to participate in ISAC. Rep. Shakowski asks what the Illinois law considers reasonable security and notification. Madigan stated that it is investigated on a case by case basis and no one has been fined yet due to lack of security. Rep. Barton asks if it is at all possible to legislatively eliminate data theft. Ramirez states that congress needs to act regardless. The entire panel is in agreement that there needs to be government action on data security standards and breach notification.

3 During Rep. Dingell s questioning he makes it clear that there must be legislation and imposed regulation on the industry. There also must be an FTC power increase and a requirement for companies to provide credit monitoring after a data breach. Rep. Welch was the first to bring up Chip and PIN technology in his questioning. In Ms. Ramirez s answer, she made it clear that the FTC does not support technology in legislation. The Issuers need to stay up to date with emerging technology trends according to Ramirez. She also states that this technology will not eliminate data beaches but would still help. She also encourages the industry to not abandon PIN technology. Mr. Noonan supports the new technology but also realizes that one technology cannot not 100% prevent data breaches. Finally, Rep. Welch agrees that maybe technology should not be incorporated into any data security legislation. During Rep. Lance s questioning Noonan explained that in 2007 criminals started focusing on data processing companies and not POS systems. That has since changed. Rep. Pompeo questioned why the consumers could not choose whether to patronize Target and Neiman Marcus if their systems were not secure. Ramirez explains that consumers inevitably bear the cost and this includes if the industry switches to chip and PIN technology. Rep. Pompeo then explains that Europe is perfectly comfortable using the US s payments system and the situation is not as dire as it may seem. Rep. Harper inquired about how this breach could have been prevented. Noonan responds by noting that this was a highly skilled group of criminals but it could have been handled better if the companies had a response plan consisting of notifying authorities and victims. Rep. Harper went further by asking if a government standard would be setting up the companies to fail. Ramirez emphasized that each case would be handled on a case by case basis. She also explained that there are still simple security flaws that companies make that can be prevented. Rep. Bilirakis asked about how seniors or people without internet could be notified about a breach.. Ramirez responded by saying that they would be willing to use paper mail and work with the committee to come up with better options. Rep. McKinley asked about the Affordable Care Act and data breach notification associated with that. Noonan and Zelvin both agreed that people should be notified if this situation occurred. Begin Panel 2 Mr. Mulligan started the panel by explaining that Target had malware in their systems that led to the data breach. He also stated that Target moved as quickly as possible to notify law enforcement and breach victims. Target also took several steps after discovering the data breach. According to Mulligan they put security enhancements in place, fraud protection, reissuing of cards to those who request it, one year of free credit monitoring, zero liability fraud protection and accelerating Target s chip technology integration in its stores and Target credit cards.

4 Mr. Kingston also explained that the Neiman Marcus data breach is still under investigation and they acted swiftly and responsibility once the breach was discovered. He also stated that the malware that was found within their systems had a zero percent detection rate. Neiman Marcus found out about the breach on January 2 and disabled the malware on January 10 and notified their customers once the malware had been eliminated. Neiman Marcus is also offering identity theft insurance and credit monitoring to its customers. Mr. Russo states that the private sector is qualified to secure itself and does not need outside legislation. There are currently PCI standards for the industry. These standards include destroying unneeded information off servers, software and POS device standards, tokenization and point to point encryption goals, and EMV technology goals. EMV technology, according to Russo, EMV will reduce face to face fraud but it is only a piece of the puzzle. There also needs to be more than just standards, there also needs to be a raised level of awareness. The best way for the government to help would be an increased level of law enforcement and the facilitation of a data sharing network among companies. Mr. Smith stated that companies must go beyond PCI standards although the standards are an excellent guideline for companies to follow. He also states that chip and PIN technology is a good step but a multilayer approach is needed. Incident and response plans should be implemented, web application security, and antimalware gateways allowing for real time protection. Rep. Terry asks if the US is actually being attacked more or if the media is just playing it up to look that way. Smith says that the US is being attacked more because our data is so valuable. Rep. Terry also asks if the unencrypted information involved in the Target breach was a short coming. Mulligan blames the magnetic strips on current credit cards as the problem and notes that Target fully supports the move towards EMV technology. Rep. Terry also asks what the point of access was. Mulligan said it was false vendor credentials and Kingston did not know. Rep. Terry also inquired about the timeliness of notification after the breach occurred. Both men stated that notification is very important to their respective companies and it took four days after the breach to notify the victims and the public. Rep. Schakowsky straight forwardly asks if the committee should act at all. Russo says that the best way for the government to act in this situation is to better equip law enforcement of the criminals involved and encourage data sharing. Rep. Schakowsky asks who discovered the breaches. According to the witnesses, the Neiman Marcus breach was discovered by a forensic investigator hired by the company and Target s breach was discovered by the Justice Department. Mulligan also explained that Target notified the victims of the marketing information breach as well through public exposure and notification. Rep. Schakowsky goes on to question whether or not credit monitoring really does anything for those who were victims. Mulligan states that he cannot comment on the effectiveness of the program but the consumers will have zero liability for any fraudulent charges. Rep. Lance inquired about how business was conducted at Neiman Marcus between the dates of discovery and notification. Kingston said that business was conducted normally but with increased security measures. Rep. Lance also questioned about the difference between chip and PIN and chip and signature cards. Russo stated that both are great security advancements. Russo also did not have a

5 preference as to whether the government should require a chip and PIN/signature implementation. Smith, however, explained the importance of leaving room for the industry to innovate new technologies past EMV to boost security. Rep. Yarmuth asked about the communication within the industry about attacks. Mulligan expressed that Target has a good relationship with law enforcement and security tech companies. Now they are working to communicate directly with other companies as well. Rep. Blackburn asked if law enforcement had ever seen this malware prior to these breaches. Kingston stated that the malware had a zero percent detection rate and had never been seen before. Rep. Blackburn also asked what the panel s guidance for law makers was when it comes to this situation. Russo emphasized the effectiveness and importance of the PCI standards and that most companies are complaint. He did however agree that the standards may need some updating. Rep. Blackburn also asked how much the companies were spending on data security. Both Mulligan and Kingston replied with millions of dollars spent on security. Rep. Guthrie asked if Neiman Marcus and Target were PCI compliant and if the breaches were basic and the cost of the breaches. The answer to these questions were all still under investigation. Rep. Johnson asked why Target had not joined ISAC and Mulligan stated that he did not know much about it but they share information with law enforcement and would consider joining a data sharing group. Rep. Johnson also asked about the current systems that the companies have in place and why they failed. Kingston stated that Neiman Marcus uses a multi layer security system consisting on firewalls, intrusion detection, encryption and tokenization. The malware, according to Kingston, was extremely sophisticated and unique and was able to delete itself from the system after doing the damage. Rep. Bilirakis asked if Target had notified the payment processors first and if there was a notification standard for that. Mulligan stated that Target notified the processors and they, in turn, fired up their fraud detection security systems. Rep. Bilirakis also asked if it was hard to follow all the different state laws. Mulligan said that with broad public exposure and s, all state laws were followed. Rep. Bilirakis also asked if there should be a federal law on notification. Mulligan said yes and Kingston did not have an opinion on the law but noted the need for flexibility and case by case examination. Rep. Bilirakis also brought up the 2015 shift of liability to retailers and if EMV technology will save the retailers money. Mulligan expressed Target s advocacy of EMV and its further investment in the technology. Kingston stated that Neiman Marcus is still evaluating chip and PIN technology but they will be ready to support the technology by Smith stated that any technological advancement, including EMV, is good for security. Russo also agreed that EMV will be a good additional layer to data security. Rep. Terry asked about the last time security audits took place at each company. Mulligan explained that there are annual security checks and PCI standards checks, but he did not know when the last audit was done. Target was however PCI compliant as recently as September. Kingston also shared that Neiman Marcus also does periodic security checks and PCI compliant checks.

6 Rep. Schakowsky if the companies agree that the FTC lacks authority. Mulligan expressed that Target would be open to engaging in talks. Kingston stated that he was not familiar with the FTC s powers but supports data security standards.