US House Energy and Commerce Committee. Commerce, Manufacturing, and Trade Subcommittee

US House Energy and Commerce Committee
Commerce, Manufacturing, and Trade Subcommittee
Protecting Consumer Information: Can Data Breaches Be Prevented?
February 5, 2014

Congressmen in Attendance: Rep. Lee Terry, Rep. Pete Olson, Rep. Leonard Lance, Rep. Jan Schakowsky, Rep. Fred Upton, Rep. Marsha Blackburn, Rep. Billy Long, Rep. Henry Waxman, Rep. Joe Barton, Rep. John Dingell, Rep. Peter Welch, Rep. Brett Guthrie, Rep. Mike Pompeo, Rep. Gregg Harper, Rep. Gus Bilirakis, Rep. David McKinley, Rep. John Yarmuth, and Rep. Bill Johnson

Witnesses:
Panel 1: Edith Ramirez, Chairwoman, Federal Trade Commission; Lisa Madigan, Attorney General, State of Illinois; William Noonan, Deputy Special Agent in Charge, Criminal Investigations Division, Cyber Operations, US Secret Service; Lawrence Zelvin, Director of the National Cybersecurity and Communications Integration Center, Department of Homeland Security
Panel 2: Michael Kingston, Senior Vice President and Chief Information Officer, The Neiman Marcus Group; John Mulligan, Executive Vice President and CFO, Target Brands Inc.; Bob Russo, General Manager, PCI Security Standards Council; Philip Smith, Senior Vice President, Trustwave Holdings

Begin Panel 1

Rep. Lee Terry introduces the panel and witnesses. He states that he believes more can be done, whether by government, the private sector, or a combination of both. Rep. Pete Olson makes a similar statement. Rep. Leonard Lance states that data breach notification is where the attention should be focused. He also suggests that attention should be on prevention and the industry standards put in place by the card brands. Rep. Jan Schakowsky takes the floor, recognizing that no regulation can 100% prevent data breaches, which happen every day. She makes it clear that we need a federal law regarding data breach notification and data security standards. She is also open to the idea of a technology-neutral bill so that the FTC can work with the payments industry to keep up with new technology as it becomes available. Rep. Fred Upton states that the federal government and regulation are not the only layer of protection; the states and the private sector have important roles to play as well. On the other hand, Rep. Upton questioned whether self-regulation was the way to go.

In Rep. Marsha Blackburn's opening statement she explained that data breach notification is important but the private sector must work with the federal government on these issues. Rep. Henry Waxman questioned whether the industry policing itself was the best course of action. He explained that the federal government definitely has a role in data breach notification and data security standards. He stated that the state laws should be used as models for minimum legislation implemented at the federal level.

Ms. Edith Ramirez urged the importance of a data security protection standard and data breach notification legislation. She also encouraged the panel to consider increasing the FTC's power, giving it the power to pursue civil actions and liabilities, holding companies responsible for their data security systems. The FTC would also have the power to form security standards.

Ms. Lisa Madigan stated that action must be taken by the private sector and by the federal government. She explains that companies are not doing everything they can to prevent breaches and the US in general is behind on its payment networks. This technological gap is the main reason the US is such a large criminal target, according to Madigan. She says that the government must put in place a notification requirement and give the FTC power to investigate, all while not undercutting state laws.

Mr. William Noonan made it clear that the Secret Service has the authority to investigate data breaches and should keep that authority. He also explains the five-part process criminals go through to gain access to consumer information: unauthorized access, implementation of malware, selling the acquired data, fraud with the data, and laundering of the stolen money.

Mr. Lawrence Zelvin echoes many other representatives' and witnesses' statements, saying that everyone, government and private sector alike, must work together to combat data breaches.

Begin Questioning

Rep. Terry asks how this data security breach took place. Mr. Noonan explains that the Target and Neiman Marcus breaches are different in nature, including different malware. He also confirms that these companies were using major security systems at the time of the attacks. Noonan also explains the ISAC program to the committee. Mr. Zelvin states that it is up to businesses whether they want to participate in an ISAC. Rep. Schakowsky asks what the Illinois law considers reasonable security and notification. Madigan stated that it is investigated on a case-by-case basis and no one has been fined yet due to lack of security. Rep. Barton asks whether it is at all possible to legislatively eliminate data theft. Ramirez states that Congress needs to act regardless. The entire panel is in agreement that there needs to be government action on data security standards and breach notification.

During Rep. Dingell's questioning he makes it clear that there must be legislation and imposed regulation on the industry. There must also be an increase in FTC power and a requirement for companies to provide credit monitoring after a data breach. Rep. Welch was the first to bring up chip-and-PIN technology in his questioning. In Ms. Ramirez's answer, she made it clear that the FTC does not support specifying technology in legislation. Issuers need to stay up to date with emerging technology trends, according to Ramirez. She also states that this technology will not eliminate data breaches but would still help. She also encourages the industry not to abandon PIN technology. Mr. Noonan supports the new technology but also realizes that one technology cannot 100% prevent data breaches. Finally, Rep. Welch agrees that maybe technology should not be incorporated into any data security legislation.

During Rep. Lance's questioning Noonan explained that in 2007 criminals started focusing on data processing companies and not POS systems. That has since changed. Rep. Pompeo questioned why consumers could not choose whether to patronize Target and Neiman Marcus if their systems were not secure. Ramirez explains that consumers inevitably bear the cost, and this includes if the industry switches to chip-and-PIN technology. Rep. Pompeo then explains that Europe is perfectly comfortable using the US's payment system and the situation is not as dire as it may seem. Rep. Harper inquired about how this breach could have been prevented. Noonan responds by noting that this was a highly skilled group of criminals but it could have been handled better if the companies had a response plan consisting of notifying authorities and victims. Rep. Harper went further by asking whether a government standard would be setting up the companies to fail. Ramirez emphasized that each case would be handled on a case-by-case basis. She also explained that there are still simple security flaws that companies make that can be prevented. Rep. Bilirakis asked how seniors or people without internet access could be notified about a breach. Ramirez responded by saying that they would be willing to use paper mail and work with the committee to come up with better options. Rep. McKinley asked about the Affordable Care Act and data breach notification associated with it. Noonan and Zelvin both agreed that people should be notified if this situation occurred.

Begin Panel 2

Mr. Mulligan started the panel by explaining that Target had malware in its systems that led to the data breach. He also stated that Target moved as quickly as possible to notify law enforcement and breach victims. Target also took several steps after discovering the data breach. According to Mulligan, they put security enhancements in place: fraud protection, reissuing of cards to those who request it, one year of free credit monitoring, zero-liability fraud protection, and accelerating Target's chip technology integration in its stores and Target credit cards.

Mr. Kingston also explained that the Neiman Marcus data breach is still under investigation and that they acted swiftly and responsibly once the breach was discovered. He also stated that the malware found within their systems had a zero percent detection rate. Neiman Marcus found out about the breach on January 2, disabled the malware on January 10, and notified their customers once the malware had been eliminated. Neiman Marcus is also offering identity theft insurance and credit monitoring to its customers.

Mr. Russo states that the private sector is qualified to secure itself and does not need outside legislation. There are currently PCI standards for the industry. These standards include destroying unneeded information on servers, software and POS device standards, tokenization and point-to-point encryption goals, and EMV technology goals. According to Russo, EMV will reduce face-to-face fraud but it is only a piece of the puzzle. More than standards is needed; there must also be a raised level of awareness. The best way for the government to help would be an increased level of law enforcement and the facilitation of a data sharing network among companies.

Mr. Smith stated that companies must go beyond PCI standards, although the standards are an excellent guideline for companies to follow. He also states that chip-and-PIN technology is a good step but a multilayer approach is needed: incident response plans, web application security, and anti-malware gateways allowing for real-time protection should be implemented. Rep. Terry asks whether the US is actually being attacked more or whether the media is just playing it up to look that way. Smith says that the US is being attacked more because our data is so valuable. Rep. Terry also asks whether the unencrypted information involved in the Target breach was a shortcoming.
Mulligan blames the magnetic stripes on current credit cards as the problem and notes that Target fully supports the move towards EMV technology. Rep. Terry also asks what the point of access was. Mulligan said it was false vendor credentials, and Kingston did not know. Rep. Terry also inquired about the timeliness of notification after the breach occurred. Both men stated that notification is very important to their respective companies and that it took four days after the breach to notify the victims and the public. Rep. Schakowsky straightforwardly asks whether the committee should act at all. Russo says that the best way for the government to act in this situation is to better equip law enforcement against the criminals involved and to encourage data sharing. Rep. Schakowsky asks who discovered the breaches. According to the witnesses, the Neiman Marcus breach was discovered by a forensic investigator hired by the company and Target's breach was discovered by the Justice Department. Mulligan also explained that Target notified the victims of the marketing information breach as well, through public exposure and email notification. Rep. Schakowsky goes on to question whether credit monitoring really does anything for those who were victims. Mulligan states that he cannot comment on the effectiveness of the program but that consumers will have zero liability for any fraudulent charges. Rep. Lance inquired about how business was conducted at Neiman Marcus between the dates of discovery and notification. Kingston said that business was conducted normally but with increased security measures. Rep. Lance also asked about the difference between chip-and-PIN and chip-and-signature cards. Russo stated that both are great security advancements. Russo also did not have a preference as to whether the government should require a chip-and-PIN/signature implementation. Smith, however, explained the importance of leaving room for the industry to innovate new technologies past EMV to boost security.

Rep. Yarmuth asked about communication within the industry about attacks. Mulligan expressed that Target has a good relationship with law enforcement and security technology companies, and that they are now working to communicate directly with other companies as well. Rep. Blackburn asked whether law enforcement had ever seen this malware prior to these breaches. Kingston stated that the malware had a zero percent detection rate and had never been seen before. Rep. Blackburn also asked what the panel's guidance for lawmakers was when it comes to this situation. Russo emphasized the effectiveness and importance of the PCI standards and that most companies are compliant. He did, however, agree that the standards may need some updating. Rep. Blackburn also asked how much the companies were spending on data security. Both Mulligan and Kingston replied that millions of dollars are spent on security. Rep. Guthrie asked whether Neiman Marcus and Target were PCI compliant, whether the breaches were basic, and what the cost of the breaches was. The answers to these questions were all still under investigation. Rep. Johnson asked why Target had not joined an ISAC, and Mulligan stated that he did not know much about it but that they share information with law enforcement and would consider joining a data sharing group. Rep. Johnson also asked about the current systems that the companies have in place and why they failed. Kingston stated that Neiman Marcus uses a multi-layer security system consisting of firewalls, intrusion detection, encryption, and tokenization. The malware, according to Kingston, was extremely sophisticated and unique and was able to delete itself from the system after doing the damage.

Rep. Bilirakis asked whether Target had notified the payment processors first and whether there was a notification standard for that. Mulligan stated that Target notified the processors and they, in turn, fired up their fraud detection security systems. Rep. Bilirakis also asked whether it was hard to follow all the different state laws. Mulligan said that with broad public exposure and emails, all state laws were followed. Rep. Bilirakis also asked whether there should be a federal law on notification. Mulligan said yes; Kingston did not have an opinion on the law but noted the need for flexibility and case-by-case examination. Rep. Bilirakis also brought up the 2015 shift of liability to retailers and asked whether EMV technology will save the retailers money. Mulligan expressed Target's advocacy of EMV and its further investment in the technology. Kingston stated that Neiman Marcus is still evaluating chip-and-PIN technology but they will be ready to support the technology by 2015. Smith stated that any technological advancement, including EMV, is good for security. Russo also agreed that EMV will be a good additional layer of data security. Rep. Terry asked about the last time security audits took place at each company. Mulligan explained that there are annual security checks and PCI standards checks, but he did not know when the last audit was done. Target was, however, PCI compliant as recently as September. Kingston also shared that Neiman Marcus does periodic security checks and PCI compliance checks.

Rep. Schakowsky asked whether the companies agree that the FTC lacks authority. Mulligan expressed that Target would be open to engaging in talks. Kingston stated that he was not familiar with the FTC's powers but supports data security standards.