[captioning performed by national captioning institute] [captions Copyright National cable satellite corp. 2014]
Is it a banking subcommittee heard from the Secret Service agent in charge of cyber investigations. He talked about the problems for shoppers at Target and Neiman Marcus. The hearing is about one hour.

Good morning. We are starting a little bit late. For that. I appreciate everybody who is here today. From all over the state. There going to need to examine how we protect the data breaches in cyber crime in this digital age. Safeguarding American consumers and businesses from data breaches and cyber crimes has been a priority of this committee since 2005. I have worked with members on both sides of the aisle to advance media protection legislation. I want to thank Senator Grassley for working with me very closely on this hearing. I hope we can continue working together to advance the Personal Data Privacy and Security Act I recently introduced to protect American consumers. You watch the news, you pick up the papers, you listen to the news, whatever.
Most Americans, myself included, have been alarmed by the recent data breaches at Target and Neiman Marcus and Michaels stores. The investigations of these cyber attacks are ongoing, but they compromise the privacy and security of millions of American consumers, potentially putting one in three Americans at risk of identity theft and other cyber crimes. I know my wife and I have never been so assiduous in checking our credit card bills, but that is the same with everybody. I mention those three stores, those are all excellent stores. They are major parts of our economy. But we have to have faith in them. If we don't have faith in businesses' ability to protect the personal information, the economic recovery is going to falter. In the digital age, major data breaches involving our private information are not uncommon. There have been significant data breaches involving Sony, Epsilon, Coca-Cola, also some federal government agencies, Department of Veterans Affairs, Energy, data breaches of Yahoo and White Lodging and others. So it won't seem like we are singling out just a few businesses, more than 662 million records have been involved in data breaches since 2005. We all agree, a cyber attack also for consumers who want to protect themselves against further exposure, it is not like someone comes in and robs a store, you know where it happened and you have some general idea of where the perpetrator is. Here, the perpetrator could be thousands of miles away in another country. American consumers deserve to know when their private information has been compromised. Most of us rely on being able to do a lot of our business electronically. But we should also remember that the businesses that suffer cyber attacks are also often the victims of a cyber crime. A recent study found that data breaches involved in malicious cyber attacks are the most costly data breaches around the globe.
The per capita cost of cyber attacks in the United States was 277 per compromised record in 2013. Times that by millions upon millions. The highest cost for any nation, and if you are in a fragile economic recovery, this is a significant hindrance to recovery. So before the Judiciary Committee today, Symantec, and we will hear from the U.S. Secret Service, Department of Justice, Federal Trade Commission. We are facing threats to our privacy and security unlike any time before in our nation's own history. We have also had hearings about threats to our privacy by our own government agencies. I hope in this particular one we can get some good bipartisan support, get some data privacy legislation on here. I think we will all be better for it. Senator Grassley.

Very important that we have this hearing. We have had well-publicized commercial data breaches. We are still learning about the details. This hearing will help bring more details out, I hope. It is clear that these and other breaches have potentially impacted tens of millions of consumers nationwide. Today's opportunity is to learn about the challenges that both industry and law enforcement face in combating cyber attacks from well-organized criminals. The witnesses have the unique ability to provide us various important perspectives as we consider the government's role in securing sensitive data and crafting a breach notification standard. I hope to learn where the committee's expertise could be helpful in combating future attacks. Furthermore, I would like to use this hearing to explore areas of common ground so that we can determine what might be accomplished quickly. It had been a couple of years since our committee has considered data security legislation. In that time we have learned a lot about the subject, thanks to broader cyber security conversations.
The proposals offered by the administration and discussed in Congress along with other government initiatives can be helpful for us to proceed as we consider what to do with this legislation. When considering data security requirements, our approach should provide flexibility and also account for businesses of different sizes and different resources. In a world of crafty criminals, it seems to me that a one-size-fits-all approach will not work or at least will not work for everybody. Instead, let's see how the government can partner with private business to strengthen data security. An example may be the National Institute of Standards and Technology cyber security framework, which has received bipartisan support, and as far as the Senate is concerned, unless it is bipartisan, it isn't going to go anywhere. That's not because there's something wrong with Democrats or Republicans. That is the institution itself. As we discussed the creation of a federal breach notification standard, we must avoid the risk of consumer over-notification, just as there is a potential for harm when a victim isn't notified of a breach, over-notification can lead to harm and apathy. As time permits, I want to explore these and other issues today, and will be available to discuss things beyond the committee process, either with colleagues or with other people. If everyone works together, it seems to me we can tackle these problems and hopefully limit future attacks. Thanks again, Mr. Chairman. I ask unanimous consent to include my full statement in the record along with statements we received from these groups, the National Business Coalition on E-Commerce and Privacy, the payment card industry, the National Association of Federal Credit Unions, the American Bankers Association, National Retail Federation, and the Retail Industry Leaders Association.

Without objection that it be included in the record. Could I ask the four witnesses to please stand and raise your right hand.
Do you swear the testimony you give in this matter will be the truth, the whole truth, and nothing but the truth, so help you God? Let the record show that the four witnesses all took the oath. We will hear from each of the witnesses first and then we will ask questions. John Mulligan is chief financial officer and executive vice president for Target, the second-largest general merchandise retailer in the U.S. He joined Target in 1996. His responsibility includes financial planning and analysis, financial operations, tax assurance, investor relations. He graduated from the University of Wisconsin in 1988. In 1996 he earned a master's of business administration degree from the University of Minnesota.

Good morning, members of the committee. My name is John Mulligan. I'm executive vice president and chief financial officer of Target. I appreciate the opportunity to be here today to discuss important issues surrounding data breaches and cyber crime. As you know, Target recently experienced a data breach from criminal attack on our systems. To begin, I want to say how deeply sorry we are for the impact this incident has had on our guests, your constituents. We know this breach has shaken their confidence in Target and we are determined to work very hard to earn it back. At Target we take our responsibility to our guests very seriously. This attack has only strengthened our resolve. We will learn from this incident and as a result, we hope to make Target and our industry more secure for consumers in the future. I would now like to explain the events of the breach as I currently understand them. Please recognize that I may not be able to provide specifics on certain matters because the criminal and forensic investigation remains active and ongoing.
We are working closely with the Secret Service and the Department of Justice on the investigation to help them bring to justice the criminals who committed this widespread attack on Target, American business, and consumers. On the evening of December 12, we were notified by the Justice Department of suspicious activity involving payment cards used at Target. We immediately started our internal investigation. On December 13, we met with the Justice Department and the Secret Service. On December 14, we had an independent team of experts lead a thorough forensics investigation. On December 15, we confirmed the criminals had infiltrated our system and installed malware and potentially stolen guest payment card data. Over the next two days we began notifying the payment card processors and card networks, preparing to notify our guests and equipping our call centers and stores with the necessary information and resources to address the concerns of our guests. Our actions leading up to our public announcement on December 19 and since have been guided by the principle of serving our guests. We have been moving as quickly as possible to share accurate and actionable information with the public. We know that the breach affected two types of data. Payment card data which affected approximately 40 million guests and certain personal data that affected up to 70 million guests. We believe the payment card data was accessed through malware placed on our point-of-sale registers. It is designed to capture the data that resided on the magnetic strip. Our response has been focused on supporting our guests and strengthening security. In addition to the steps I described, we are taking the following concrete actions. First, we are undertaking a forensic review of our network and will make security enhancements as appropriate. Second, we increased fraud detection for our Target REDcard guests.
To date we have not seen any fraud on a proprietary credit and debit card due to this breach. We have seen only a very low amount of additional fraud on our Target Visa card. We are issuing new Target credit and debit cards to any guest who requests one. Fourth, we are offering one year of free credit monitoring and identity theft protection to anyone who has ever shopped in our U.S. Target stores. We informed guests they have zero liability for any fraudulent charges on the cards arising from this incident. Sixth, Target is accelerating our investment in chip technology for our Target REDcard point-of-sale terminals. Target has invested significant capital and resources in security technology, personnel, and processes. We had in place multiple layers of protection including firewalls, malware detection, intrusion detection and prevention capabilities and data loss prevention tools. Unfortunate reality is that we suffered a breach. All businesses and their customers are facing increasingly sophisticated threats from cyber criminals. In fact, news reports have indicated several other companies have been subjected to similar attacks. To prevent this from happening again, none of us can go it alone. We need to work together. Updating payment card technology and strengthening protections for American consumers is a shared responsibility and requires a collective and coordinated response. On behalf of Target I am committing that we will be an active part of the solution. Senators, to each of you and all of your constituents and our guests, I want to once again reiterate how sorry we are this happened and our ongoing commitment to making this right. Thank you for your time today.

Thank you very much, Mr. Mulligan.
Michael Kingston is senior vice president and chief information officer for Neiman Marcus as well as chief information officer, he oversees approximately 500 professionals responsible for all aspects of information technology and security including technology strategies. Information technology services for all Neiman Marcus brands, both its stores and website. Thank you for being here. Please go ahead, sir.

Mr. Chairman, Senator Grassley, members of the committee, good morning. My name is Michael Kingston and I'm chief information officer at Neiman Marcus Group. I want to thank you for your invitation to appear today to share with you our experiences regarding the recent criminal cyber security incident at our company. I have submitted a longer written statement and appreciate the opportunity to make some brief opening remarks. We are in the midst of an ongoing forensic investigation that has revealed a cyber attack using very sophisticated malware. From the moment I learned there might be a compromise of payment card information involving our company, I have personally led the effort to ensure that we were acting swiftly, thoroughly and responsibly to determine whether such a compromise had occurred, to protect our customers and the security of our systems, and to assist law enforcement in capturing the criminals. Because our investigation is ongoing, I may be limited in my ability to speak definitively or with specificity on some issues. There may be some questions I do not have the answers. Nevertheless, it is important to us as a company to make ourselves available to you to provide whatever information we can to assist in your important work. Our company was founded 107 years ago. One of our founding principles is based on delivering exceptional service to our customers and building long-lasting relationships with them that have spanned generations. We take this commitment to our customers very seriously.
It is part of who we are and what we do daily to distinguish ourselves from other retailers. We have never before been subjected to any sort of significant cyber security intrusion, so we have been particularly disturbed by this incident. Through our ongoing forensic investigation, we have learned that the malware which penetrated our system was exceedingly sophisticated. A conclusion that the Secret Service has confirmed. A recent report prepared by the Secret Service crystallized the problem when they concluded that a specific type of malware, comparable and perhaps even less sophisticated than the one in our case, according to our investigators had a zero percent detection rate by antivirus software. The malware was able to capture payment card data in real time, right after a card was swiped, and had sophisticated features that made it particularly difficult to detect, including some that were specifically customized to evade our multilayered security architecture that provided strong protection of our customers' data in our systems. Because of the malware's sophisticated anti-detection devices, we did not learn that we had an actual problem in our computer system until January 2 and it was not until January 6 when the malware output had been disassembled and decrypted enough that we were able to determine that it was able to operate in our systems. Then, disabling it to ensure it was still not operating took until January 10. That day we sent our first notices to customers potentially affected and made widely reported public statements describing what we knew at that point about the incident. Simply put, prior to January 2, despite our immediate efforts to have two separate firms of forensic investigators dig into our systems in an attempt to define any data security compromise, no data security compromise in our systems had been identified.
Based on the current state of evidence and the ongoing investigation, it now appears that the customer information that was potentially exposed to malware was payment card information and transactions in 77 of our 85 stores between July and October of 2013, at different periods of time within this date range at each store. Two, we have no indication our transactions on our website or in our restaurants were compromised. Three, PIN data was not compromised, as we do not have PIN pads and do not request PINs. Four, there's no indication that Social Security numbers or other personal information were exposed in any way. We have also offered to any customer who shopped with us in the last year at either Neiman Marcus Group stores or websites, whether their card was exposed to the malware or not, one year of free credit monitoring and identity theft insurance. We will continue to provide the excellent service to our customers that is our hallmark. I know that the way we responded to this situation is consistent with that commitment. Thank you again for your invitation to testify today and I look forward to answering your questions.

Thank you very much, Mr. Kingston. Our next witness served as policy counsel in the Consumers Union Washington office and is lead advocate for telecommunications, media and privacy efforts. Consumers Union is a policy action division of Consumer Reports. She graduated from the University of Virginia with a law degree from Columbia School of Law. We are glad to have you here. Please go ahead.

Thank you for the opportunity to testify before you today about these breaches. I serve as policy counsel of Consumers Union. This past December at the height of the holiday shopping season, 40 million unsuspecting customers learned that criminals may have gained unauthorized access to their credit card and debit card information.
Subsequently, 70 million more learned that personal information such as names, addresses, and telephone numbers may have also fallen into the hands of suspected hackers. Since then we have learned of similar breaches at other retailers. Neiman Marcus has confirmed unauthorized access to payment data and Michaels has stated it is investigating whether a similar breach occurred. The press is reporting that the malware that was reportedly used in the Neiman Marcus and Target breaches was sold to criminals overseas. What we have seen thus far may just be the tip of the iceberg. This is truly disturbing. As Consumer Reports and Consumers Union have reported with regularity, consumers who have their data compromised in a large-scale security breach are more likely to become victims of identity theft or fraud. Although federal consumer protection lending laws and voluntary industry standards generally protect consumers from significant out-of-pocket losses, policymakers and consumers should take these threats seriously. There are practical and time-consuming concerns for consumers whose data has been breached. A particular concern is debit cards. While consumers might not ultimately be held responsible if someone steals their debit card data or PIN number, data thieves can still empty out a consumer's bank account and set off a cascade of bounced checks and late fees which victims will have to settle down the road. What can happen to that data after it is stolen is disconcerting to say the least. Sometimes it is resold to criminals outside the country. It is used to make counterfeit cards. The result is decreased consumer confidence in the marketplace and uncertainty with the realization that your private financial information is out there in the ether for anybody to use for an unauthorized purpose. When Consumers Union learned of the breach, we urged the CFPB to investigate the matter and for increased public disclosure.
Just last week Attorney General Eric Holder confirmed that the Department of Justice is also investigating the matter. We know that lawmakers have urged the Federal Trade Commission to investigate as well and we are grateful of the federal agencies' efforts and state attorneys general efforts so that we can figure out what happened and get to the bottom of this and figure out how to come up with a solution together to prevent these breaches from occurring in the future. We have also provided consumers with a number of tips including checking transaction data, notifying your bank immediately of any suspicious activity, replacing credit cards, debit cards and PIN numbers. Placing fraud alerts to block access to your credit report. Target and affected retailers are also offering consumers credit monitoring which we would be happy to speak about and answer questions about as well. New technology uses multiple layers of security including computer chips in each card that stores and transmits encrypted data. What we have reported in the past is that when this technology has been adopted in Europe, it has significantly decreased fraud. So we need a stronger commitment from all stakeholders to adopt this technology sooner rather than later. These incidents reinforce just how timely and relevant these issues are. We are appreciative of the committee's efforts and to the chairman for introducing the Data Privacy and Security Act. We think that the sooner consumers know their data has been compromised, the sooner they can take steps to protect themselves. We would also urge the committee to consider shortening the time line for notification from 60 days to require more immediate notification. We would like to strengthen some provisions including those related to preemption. We want to make sure that any national standards offer strong, meaningful protection. We thank you for the opportunity to speak before you today and appreciate your interest in data security.
We want to ensure that there is consumer confidence in the marketplace and we look forward to working with you and all interested parties. Thank you very much.

Thank you for what you said about our legislation. I'm hoping we can move it quickly. The senior vice president of user protection at Symantec. He drives development at Symantec and Norton mobile management. He was vice president of identity and authentication services before that. He obviously has a background in this field. Please go ahead.

Thank you, and good morning. Thank you for the opportunity to testify today on behalf of Symantec Corporation. We are the world's largest security software company with over 31 years of experience developing information security and management technology. Our Global Intelligence Network is made with millions of sensors all over the world and records thousands of events per second, and we maintain 10 security response centers that operate 24 by seven around the globe. This gives us a view of the entire internet landscape. At Symantec, we also invest over 1 billion a year in research and development to help our customers stay ahead of the bad guys. The hearing today is critically important and will focus attention on what businesses and consumers can do to protect themselves from cyber attacks and data breaches. Attacks on point-of-sale devices are not new. But it does appear the pace is increasing. It brings immediate attention and citizen concern, but it cannot be just about one or two high-profile crimes. Not just retailers but every organization with sensitive information is at risk because cyber crime is a big business. In 2013, we estimate the identities of over 435 million people were exposed. That number is rising as the reports surface. The cost is very real and is borne by both consumers and organizations. We estimate that in 2012, the global price tag of consumer cyber crime was 113 billion. It was found the average total cost per breach in 2012 was 5.4 million.
The study also found that strong security before a breach and good incident management post breach can dramatically cut the cost of these incidents. These breaches are increasingly caused by targeted attacks which are up 42 year over year. Some are direct attacks on the company servers where they search for undefended connections to the internet. All attacks have essentially one goal, to gain control of the user's computer. In the case of a retailer, it can include compromising point-of-sale systems to obtain valuable consumer information. The best way to prevent the attack starts with the basics. Good cyber hygiene is simple and cost-effective. Strong passwords, ubiquitous encryption are important elements of any good security program. A modern security suite that is being fully utilized is essential. Then security protection is much more than antivirus software. In the past, the same piece of malware would be delivered to thousands or even millions of computers and was easily blocked with signature-based systems. Today cyber criminals can take the same malware and create unlimited unique variants that can slip past basic software. That is why modern security software does much more than look for known malware. It monitors your computer or mobile device, watching for unusual traffic patterns or processes that could be indicative of malicious behavior. We provide behavior-based security technologies that can identify more advanced threats. The solutions put files in context using age, frequency, locations and other data. If a computer is trying to execute a file we have never seen anywhere in the world and it comes from an unknown source, there's a high probability that it is malicious and should be blocked. Security should also be specific to the device being protected. In some ways, point-of-sale system devices have advantages over other systems because the functions they need to perform can be narrowly defined.
Allowing these devices to only run approved applications will reduce the attack surface and render many strains of malware ineffective. Yesterday we released a report that provides an overview of the methods that attackers may use and provides recommendations on how to protect the systems from attack. Unfortunately, data breaches and cyber threats are part of our day-to-day lives. We will never be able to prevent every data breach or cyber attack. Working together, industry and government can make it increasingly more difficult for cyber criminals to succeed. Thank you again for this opportunity to be here today and I'm happy to take any questions you may have.

Thank you very much. I think we are all united in the same thing. We all want to stop these attacks, number one. Number two, as you just pointed out, we are always going to have these attacks, no matter what we do. The question is, can we successfully stop them and are we keeping up to date with the realities of today as compared to years ago. Mr. Mulligan, the data breach at Target became front-page news every day on and on. But it wasn't just going after your company, obviously, but it did have the potential to place one in three Americans at risk of fraud or identity theft, identity theft being probably one of the most difficult things one has to deal with. What do you find so far? Are you any closer to finding who did it? Tell us just briefly, what are the steps you are taking to protect privacy?

As I said earlier, the intruder came in through a set of compromised vendor credentials and took two sets of data. The first set of data was malware was placed on our point-of-sale registers and there they grabbed payment card information in the time from it being swiped by magnetic stripe and a time when encrypted it in our system. Separately, they took information from certain personal data, name, address, phone number, email address, for up to 70 million records.
They encrypted that and removed it from our systems. We have an ongoing forensic investigation and end-to-end review of our entire network to understand what went on. Since then we have removed the malware, closed the point of entry, narrowed the scope of who has access to our system. We have provided the malware to a security firm for their review, and we have the ongoing review where we will have additional learning and we are committed to taking additional actions.

As I understand it, the Justice Department told you about this you said this, on December 12. You removed the malware three days later on December 15, is that correct?

That is correct.

Had you had any knowledge the malware was there before the Department of Justice gave you that notification?

We did not. Despite multiple layers of detection we had within our systems, we did not.

So you had all your systems in place, but you found out about it from the Department of Justice.

That is correct, Mr. Chairman.

Did the breach involve online purchases?

That is my understanding.

Mr. Kingston, you testified that the breach at your company could affect 1.1 million American consumers, is that correct?

What we have learned in our investigation is that this malware which was inserted into our systems by the criminals was operating in many of our stores at certain times between July and October of 2013. The maximum number of account numbers in our stores at that time that were exposed to the malware was 1.1 million accounts. But we do believe because the malware was only operating at certain times that the number is actually less than that.

When did you first find out about it?

The first time we found out about it was when our forensic investigation teams discovered it on January 2, 2014.

When did you first receive information about it?

The forensic investigation firm first alerted us that there was some suspicious malware they had found as part of the investigation on our systems on January 1.
Did you say that you first received information December 17? On December 17, we were notified by our merchant processor that MasterCard had found in their fraud systems 122 account numbers that had been fraudulently used, that were used prior to that at Neiman Marcus locations. Since January 1, have you changed any of your malware protection protocols or equipment? Yes, we have. We have made a number of different changes. As I mentioned in my testimony, the malware unfortunately was not detected by our antivirus systems which we maintain and keep up to date. Since then we have shared the malware both with forensic investigation teams, the Secret Service and our antivirus company and they provided us with updated signatures so we can remove it and disable it. How has the cooperation been within law enforcement? We have been working with law enforcement all along the investigation and they have been very helpful and very cooperative. Would you say the same, Mr. Mulligan? I would, Senator. We have a long relationship with law enforcement and our interactions throughout this time have been very productive. I want to associate myself with the remarks that the chairman made just before he asked questions. That is that I think we are all trying to find the same solution. This is not a case of a group of business people on one side and the government on the other side. We've got a major problem we have to deal with and it's going to take cooperation. The senator did not say it exactly that way, but I hope I... I agree with you. Thank you. As we have heard today, even companies with tremendous resources and multilayered, by the way, I'm going to ask this, as we heard today, even companies with tremendous resources and multilayered security systems can be attacked and breached. This means smaller businesses are more vulnerable to similar attacks.
One thing I have heard repeatedly is that businesses of all sizes need flexibility in creating and implementing their security programs. What works for one may not work for another. But companies must be proactive and guidelines for what they should be doing are helpful. So to you three, how can the government encourage the private sector to strengthen data security that provides businesses that flexibility and guidance that they need as opposed to burdensome government regulations? We agree that this is an evolving threat and one that is well beyond retail or Target to all industry. There were hundreds of breaches last year and we think therefore the solution needs to be a combination of efforts across all participants in the space. For payment card information, there are a number of participants in the payment card world and we need to work collectively to move to chip and PIN technology. That would have rendered the account numbers that were taken far less useful. It is technology like that that is important and we are committed to moving forward and accelerating our efforts in that particular area. I think shedding light on the issue as the committee is doing today is extremely helpful, and we appreciate that. One of the things the government can do, there are a lot of actors in this ecosystem. Technology companies, private sector, law enforcement, government agencies, there are security experts. Collectively all of those actors and stakeholders who have intelligence and are able to share that with the community, if we can encourage more of that information sharing, I think it could help us try to keep up with this problem, which is continuing to evolve and continuing to become more sophisticated. I would agree with what Mr. Kingston said. It is definitely a shared responsibility to follow good practices.
We believe it would be helpful for the government to recommend in a very flexible way some preventative measures that companies can take to at least give a guideline on being able to protect our systems. We believe it is a good, flexible framework companies can use to guide them into developing good security solutions. To the three of you again, and this gets back to some people who think this ought to be government driven, and then there are people who think it is entirely industry, government stay out of it. The chairman and I have talked about a partnership, and recently the National Institute of Standards and Technology was just mentioned here. For you three, if government is going to create federal data security standards, what role, if any, should the private sector have in that process? I think private industry and government have to work together here. I agree with what you have heard, it is a shared responsibility and communication between the private sector and public sector is important. We have had ongoing relationships and information sharing with law enforcement. That needs to happen more broadly between our organization and the government to find solutions here. Mr. Kingston? I think guidelines and standards are always very helpful, particularly in this case. So I would encourage that all the stakeholders provide input into that. I would agree and I think the key word here is flexibility. What we have to recognize is that this is kind of an ongoing war. The type of threats are changing all the time. The new technology, we're constantly raising the bar. Whatever gets developed needs to allow for that to happen rather than locking in at any particular time what might seem to be acceptable. I did have a question but I want to make a statement that I hope we can avoid a situation where the government says you do something and you do it, and it is abiding by the regulations, and that may come up short of what we need to do.
That is why cooperation is so important. I agree with that. Even with the expertise of the four of you here, you couldn't tell me specifically what would be the greatest threat we might face 18 months from now, because these things are evolving, just as our best intelligence agencies and others cannot either. But we want to give you a framework and we want to have our framework that protects consumers so they know their rights are being protected, but also protect our businesses. You have to maintain the trust between both the businesses and the consumers for the good of our country. We have a fragile recovery, we are slowly recovering, but without that credibility, we cannot do it. I have to step out for a moment. Thank you very much, Mr. Chairman. I want to begin by thanking Mr. Mulligan and Mr. Kingston for being here, because up to very recently, companies would not step forward. Companies would not make it public. I introduced the first data breach notification bill in 2003. I could not get any cooperation in that data breach. I have pulled the record and would like to introduce the particulars of what happened in 2002 and 2003 into the record. That will be the order. I am a shopper at your institution, Mr. Kingston. I don't recall getting any notice that my data may have been breached. When would I have had notice? And I would have shopped during that period of time. We have actually sent out a number of different notifications. I will start with the 10th of January, when we learned... You did not learn the breach took place months before you actually learned that there was a breach? It wasn't until January 6, actually, that we learned that this very sophisticated malware that was put in our systems had the ability to scrape card data in our systems, and then we quickly put in actions to contain and eradicate that malware. Then we immediately began notifying customers. And you said that 1.1 million customers had been affected?
During that time, that is the total number of accounts that we transacted in our stores. Can I assume that all 1.1 million were affected and noticed? So somewhere in my records I should be able to find a record of having been noticed? We have notified all customers who shopped in our stores or on our websites, which is a greater number of customers that were affected in this 1.1 million number. When did you do that? We did that on January 22. Mr. Mulligan, when did you notify your customers, and how many did you notice? We refer to them as guests. On December 19, four days after we found the malware. For those we had email addresses for, we notify them by email. Given the scope, we thought that broad disclosure was the best path to go, so we had very broad disclosure through multitude of channels. But you did not notify individual customers? We did not have specific contact information. So you were depending on the public for your notice. Can you explain to me why? I document cases going back to 2003 and 2002. Nobody would notify. I had a bill that would notify, and it was fiercely fought. Companies did not want to notify their customers. I worked on that bill, it's not going to go anywhere because of the notice provisions. Here we are again with respect to notices. I believe that if somebody has an account, or uses their credit at your institution and their data is breached, they should be notified so they can protect themselves. Do you want to respond to that? We agree with your view completely, Senator. Our focus has been on having accurate and actionable information, balanced with providing that notice as quickly as possible and ensuring we had the capability to respond to millions of requests for information. We felt that public dissemination was appropriate and would let all of our guests know virtually immediately. We were on the front page of every newspaper in this country. Here is the problem with that. The public notification is always vague.
It is sort of nonspecific. You really don't know, and then you find out kind of brutally in other ways if you have money missing. You happen to be retail establishments. In 2003, a hacker broke into electronic records of the payroll facility for California state employees. Some 265,000 Social Security numbers were compromised. You said there was no compromise of Social Security numbers, but my point is, those people deserved to know that their data was hacked, and this has been the big resistance out there in the commercial community in the 11, 12 years I have worked on this. As far as I'm concerned, any bill that is forthcoming from this institution should provide notification of customers that their data may have been breached, so they can protect themselves. If anyone has a comment on that, if you disagree, please tell me. No comment? We agree, Senator, which is why we did exactly as you said, once we knew that we had criminal activity inside our systems and who the impact was, we reached out individually to customers and in fact reached out to more customers just to be cautious, because it is important to us. Our primary concern is their privacy and information. All customers that shop the entire year at Neiman Marcus stores and websites were notified. I will go home and look for my notice. Thank you very much. We agree that notification is an extremely important aspect of this discussion. The sooner consumers are made aware, the sooner they can take actions to protect themselves. Thank you very much. Senator Hatch. I know that many retailers are migrating toward secure point-of-sale terminals capable of processing chip and PIN transactions. Some will only require chip and signature. Why would that be the case, especially when a chip and PIN credit card would be more secure for in-store purchases? Anybody who cares to answer that? My understanding is today the standards have been set for chip-enabled card technology.
The chip and PIN standards have not been set yet. We are advocates of getting to chip and PIN technology. We think that is the safer form. We also think making the next step in getting to a place where we have guest payment devices in retailers that can read chips and cards are issued with chips so we can begin to migrate away from magnetic strips. It is my understanding that chip and PIN technology does not make online purchases more secure. Reports confirm that as Europe transitioned to chip and PIN card, fraud losses from online transactions actually increased at a greater pace. As chip and PIN cards make in-store transactions more secure in the United States, how will you make online sales similarly secure, Mr. Mulligan? That is an excellent question, Senator. First, we need to not let the perfect get in the way of the good. Making progress in stores makes a lot of sense and installing chip and PIN technology there we think is important. As you said, the threat continues to evolve. There is a shared responsibility here, and continued to have all parties that ensure payment transactions are processed appropriately here in the U.S., be participants in moving that forward to find solutions to the online transactions. It is a topic where all interested parties in the payment space come together and discuss that so we can find solutions to online, but your point is right on. Mr. Kingston, you said the credit card information was scraped. What about information like birthdays and Social Security numbers? Were the hackers able to get that information too? Our investigation has shown no evidence that other personal information was obtained. Could you please describe both the advantages and disadvantages or shortcomings of chip and PIN technology, as well as any alternatives that may exist that are not currently being considered? Chip and PIN technology itself is more than 20 years old. Are there more secure alternatives that we should be considering?
I think we would agree with the other panelists that chip and PIN is definitely a step in the right direction. It definitely adds three primary benefits to the ecosystem. One is more encryption. The credit card information would stay encrypted longer and it would make it more difficult for hackers to be able to obtain that information. That is a big benefit of chip and PIN. It makes it more difficult to duplicate the card. If the information is stolen, sometimes with the regular magstripe it is easy enough to go and create another card. Because the chip in the card has a unique credential, it cannot be copied. It reduces the risk of multiple cards being generated. Third, it combines what is called two-factor identification. The card is something you have and the PIN is something you know. If someone was to steal your physical card, it would do no good unless they knew your PIN. It raises the bar on security. I have a related question about the so-called mobile wallet. Companies like Google are just starting to roll out these type products. It allows you to pay by simply tapping your smartphone and it will be widespread in a few years. Can you describe the security features of these payment platforms and whether chip and PIN technology is compatible? We agree that mobile payments are certainly going to be the future. It is yet to determine which of those models that are out there will be the future. It is important to note that when you use a mobile device, basically there is a new opportunity for criminals to use that. There are a lot of technologies that can lock down those devices and keep that information safe. Chip and PIN would not apply in that case. It is really for cards when you have a swipe. There are other ways using behavioral analysis to fingerprint some of these devices and recognize the user that can add security in the mobile payments ecosystem. Thank you very much.
We certainly know that in Minnesota, the home of Target, and we also know that if these companies can see these kinds of data breaches, it can happen to anyone. A lot of times when we have pushed these cyber bills, we get a lot of pushback. If anything, we've learned from this major breach, we can no longer do nothing. We have to take action. As a former prosecutor, my first reaction is to find the crooks that did this and punish them. I know that investigation is continuing. My second reaction is we have to find the technical solutions here, and our laws have to be as sophisticated as the crooks that are breaking them. I start there. I thought I would start with calling up what Senator Hatch talked about, this new technology which I understand is adopted in Europe. Is that true? Yes. It has shown significant benefits. Is it true that in Great Britain they have seen a major decrease in these types of breaches? They have seen a reduction of in-store breaches. They have also seen some of that shift to the online channel, where the chip and PIN does not prevent that. But it has helped reducing fraud in-store. What is stopping us from moving to this kind of technology? We have acknowledged that, Senator Hatch, there may be some great new thing that comes along, but what is stopping our country when they are doing this in Europe? I know Target had attempted using this technology. Was it back in 2003? What has stopped it from being rolled out on a major basis, and how can we change that, Mr. Mulligan? Are many participants in the payment card world that ensure transactions are processed appropriately in the U.S. In 2003. This we put guest payment devices in our stores to read chips and introduced a new payment card with a chip in it. You mean other retail outlets using the same one? X having the ability to read that card as well as though being issued with chip technology. We have been advocates of this. It is a shared reality. In general, they are the issuers.
We need to move together one isively so the whole do it. And with the new standard . . Talent is a have been in development . For quite some time. More on a year time frame. It is going to be released next year. That is good timing. Standard for the companies are doing need to do something more aggressive to get any technology out there . It does provide some guidelines and objectives for companies to follow. It is not specific. Did you want to add anything? We are definitely supportive of the technology and the this. S to expedite I want to go back to something that was raised about the time and be time when it was confirmed this was on the system and when the consumers found out about it. Could you give me just the time in between? It on December 16. This was done publicly. And broad public disclosure, yes. What was your timeline? We were first notified on January 2 that they saw suspicious malware. It was not to generate 26 that they saw how it operated. Few dayst the next removing the malware. It was on January 10 that we started notifying the public and customers directly. Do both companies have policies in place on how you would do the consumer notification? We have several communication plans. We enacted those immediately on founding the malware . We do. Are good. Bill thatahy has a focus on some of these notification issues. Some of the issues are worth that are worth discussion. We have to understand some of the smaller retailers are going to have different situations than the bigger retailers. If we want to fix this going forward we just recently found out hotel chains are now being affected by this. We're going to have to put something in place. Thank you very much for being here today. Thank you. A smallsked to make statement before I recognize you. Thank you. Just an article that came up today. Saying theyf by urge the Obama administration to check the health care network from malicious software after thening they were linked to ulurus government.
The U.S. Affordable Care Act software was written in Belarus by software developed first under state control. That makes the software a potential target for cyber attacks. Officials said the potential by at is compounded hijacking last year involving the state-controlled networks. Thank you. All of you for joining us. This is an important topic and I know it is important to each of you. And to America's consumers. I generally trust that the marketplace will create the right kind of incentives for retailers to protect the personal data of their consumer base. In other words, consumers have to have received notification in order for any of this to work. They have to receive notification in order to take the steps they need to take to protect their identity. They also need notification so that they can decide where to take their business. They don't trust a particular business with their data, they are not going to shop there. What factors do you consider when deciding at what point to notify consumers or guests? There are some countervailing considerations. You don't necessarily want to notify immediately upon discovering that there is a problem. After 18 years, it almost rolls off my tongue without thinking about it. Our view is that there is a balance to be struck here. Certainly, speed is very important to let consumers know what is going on. Balancing that is looking through the lens of our guests to ensure that we provide accurate information so that we can understand what happened and actionable information so they can understand what to do about it. Balancing those two factors is the lens we look through that ultimately led us to our timeframe. I would also add that for us in particular, ensuring that we had the appropriate ability to respond to our guests as we knew the questions were going to come, ensuring that our call center staff was prepared and in our stores were able to provide that information.
A large training element also went on to make sure we could handle their questions and concerns appropriately. All of that came together and balanced our decision-making quite quickly. But it should cause, it could cause problems if you notified too soon before you know the nature of the threat and what you are going to do about it? We believe it is important to provide accurate information once notification is made about what has gone on and helping our consumers understand what to do about it. Thank you. Mr. Kingston, one potential legislative response to all of this could involve establishing some kind of national security standard. Perhaps standards that are already accepted within the industry. I'm always a little concerned about creating a new federal regulatory authority in part because sometimes when you establish something like that it quickly becomes ineffective, especially in an area like this where technological advances can very quickly render a codified national security standard irrelevant or outdated. There is also, I think, some risk that if we create a national security standard, that would be seen not just as a floor, but as a floor and a ceiling, and you could see some people complying with that and that creates an easy target for would-be thieves. They know what the security standards are because they are codified in law. Do you see some risks in adopting federal legislation that codifies a national security standard? I think there is inherently going to be risk for some of the reasons that you stated, Senator. I think the thing we have to keep in mind is that the cybersecurity threat landscape continues to evolve every day as it becomes more and more complicated. As soon as we establish the standards, which are helpful, but as soon as we establish them, as you pointed out, that gives the whole world the opportunity to come up with ways to defeat those standards.
I think it is obviously healthy to be able to communicate to people what some of the standards and practices are, but I agree, I think there is a risk there as well. I see you nodding. Do you have something to add? I think it is not only that the cyber threats are evolving, our environments are changing so quickly. If we look at what a company infrastructure looked like five years ago, it was pretty much contained in their data centers and devices. Today, it is everywhere. It is in our data centers, in the cloud, on mobile devices. The threats are floating, but so are the attack surfaces. We need to be able to adjust because the environments change. Thank you, Senator Lee. Senator Franken? Thank you. First of all, Chairman Leahy has a bill I am cosponsor of that talks about some standards that I think you can write in a flexible manner. I see you nodding. As some of you may know, I am chair of the subcommittee on privacy and the law. I think the people have a fundamental right to privacy and part of that is knowing that your sensitive information is protected and secure, and when millions of consumers have their data stolen, we have a big problem and we need to fix it. Minnesotans shop at Target all the time, as do millions of other Americans. Minnesotans shop at Neiman Marcus, too, and we need to get to the bottom of these breaches. But what is clear to me is that we are not just dealing with a problem at Target and Neiman Marcus. Or Michaels, for that matter. We are dealing with a systemic problem. A big part of the problem, as we discussed, is the security of our credit and debit cards. The U.S. has one fourth of the world's card transactions, and yet we are victims to half of all card fraud. Two weeks ago, I wrote to each of the nation's largest credit and debit card companies and asked what they were doing to make our cards safer. Their responses are due tomorrow. The federal government has a role to play here, too.
Congress has passed laws that promote data security. Right now, there is no federal law setting out clear security standards at merchants and data brokers, and there's no federal law requiring companies to tell customers when their data has been stolen. I am glad to say that Chairman Leahy has a bill that would fix this problem. I am glad to be a cosponsor. I think it contains enough flexibility that it is not a signal of how to overcome that to criminals. First, I want to get a handle on how the breaches occurred. I understand Target has spent considerable resources on data security systems. But in January 17, an article in the New York Times states that your systems at Target were astonishingly open and particularly vulnerable to attack. I know you have had independent audits before, couple of them, saying that you had passed muster and were among the best in the industry. Can you respond to these charges? Over the past several years, we have spent hundreds of millions of dollars to improve malware detection, intruder protection and prevention, data loss prevention tools, multiple layers of firewalls, but beyond that, as you said we have ongoing assessments and third parties coming in doing penetration testings of our systems, benchmarking us against others, assessing if we are in compliance with our own processes and control standards. And we have hundreds of team members responsible for this. We go so far as training 300 thousand team members annually on security. We have invested significant resources. It is kind of spy versus spy is what we are talking about. You say in your oral testimony that you are for and Senator Hatch brought this up im a that you are for the smart chip. Mr. Roche, Visa and MasterCard are pushing the rollout smart chip cards in the U.S. in October of 2015. I wish that could be hurried.
My understanding is that these cards may not require PINs for every transaction, and this is surprising to me because, as we heard from you, the incidence of fraud is far higher for signature debit transactions than for PIN transactions. And maybe this is a question for Ms. Derek shani. Is there a reason that Visa and MasterCard don't want to put the PIN in there? We are aware of the promises that have been made to implement the technology by 2015. The answer comes down to money. It is expensive to update the technology at the point-of-sale. We would be supportive of efforts to encourage widespread adoption of these technologies and we think more of a push would be a good thing. Can you follow up on that? In particular, do Visa and MasterCard have a reason. Chip and PIN we think is the best and most secure solution. I think the chip on its own still provides more security, running encryption and protection from cloning of the cards. We still think that is the best way to go. Senator Frank in Senator Franken, I believe you will chair as I need to leave. And Senator Durbin is next. Senator Durbin, and I will move over to the chair. I believe in the early bird rule. It is not the early bird. Thank you very much. Senator Franken, if I could just follow up on the line of questioning that Senator Franken was on. It is very helpful when you take the time to share the details of these incidents. As we in Congress work hard to strike the right balance between a robust marketplace where we all benefit from the ease and convenience of using credit cards and debit cards, but we also try to make sure we are sufficiently protected in our privacy and against theft. These are delicate choices we have to make, and I think this has been very helpful for us to better understand what is possible, what is desirable, and what the cost and impact would be. If I could just continue, does the consumer even believe that the deadline is reasonable?
I think we're more supportive of having it being expedited even more quickly. So you think it is possible to be expedited more quickly, it is just a matter of cost? I cannot speak for everything it would take to be implemented, but we would like to see it happen more quickly. And if I understand you correctly, chipless PIN is now possible or at least in his possible in PIN is possible in debit card cases. Do you believe that should be enabled for credit cards as well? That is an interesting question. We have spoken about the differences between debit card protections and credit card elections, and I think it would be a good thing, you are less protected under a debit card. I think it would be a good thing for debit card technology to come in line with credit card protection. Do you have the option currently to input a PIN? We do not use PIN pads in our stores currently and we do not require PINs. Just help me understand why not. I think the issue that we are talking about here is that there are a lot of different technologies that are available, and this is something that right now in the industry consumers don't actually have a lot of these cards in their wallet. I am a consumer, I have several cards in my wallet and none of them have chips on them. While it is an option, it is not something that has been widely adopted in the industry at this point. My specific question is about PINs rather than chips, but I understand your point about the trajectory of that adoption. It is not easily predictable. A broader question, if I might. You testified that breach notification standards are not enough. Federal legislation is needed to ensure pre-breach security measures. Can you grade the efficiency of the cybersecurity measures currently in place and give us some insight into how the compliance factor weighs into cybersecurity?
It is a great question, and I think there are a lot of companies that have put in very effective security solutions and some that have a ways to go. I think the trick is here that we have focused very much on chip and PIN. What companies really need to do is look at a very layered security at every part of their ecosystem. Put stronger measures in place so that bad people cannot get into the network. The more we can encrypt the data, the more it is of no value to them. Antivirus is a great foundational technology, but there are things we can do on top of that to stop the emerging threat. It is really about using a layered security approach and we think any legislation should reflect those layers. My last question, if I might. Help us understand the key impediments that your companies face in trying to achieve this sort of more robust cybersecurity. We want to make sure that our data is protected and that we are not subject to vast amounts of fraud. What is involved in creating stronger cybersecurity measures? We agreed. Layers of protection are important across the entire enterprise. This is an evolving threat, and we think one of the keys going forward is again, shared responsibility to share information across the industry, not just across retail, but across the industry. We have a long history of doing that. We all want to understand the evolving threat and respond to it as we design security systems and protocols. I talked about the importance of all the actors in the ecosystem being able to share intelligence. These cyber attacks are very sophisticated. Things that have not been seen before or done. That is one thing, and I think the other thing that is really important is that all of the actors be able to adopt these technologies at the same time. Consumers obviously have to be able to adopt the technology, companies and private sector institutions as well. Thank you. I do think there is a strong federal role in ensuring privacy and security. Thank you.
We actually are using the early bird rule, and you are the late bird. So we go to Senator Blumenthal. Senator Blumenthal. Thank you. Thank you all for being here. Not easy to be the face of the industry which really bears the responsibility here for what I see as a record of failure. And this comment is not directed at Target or at Neiman Marcus. It is directed at an industry, and I think you deserve a lot of credit for coming here today and representing that industry, and also for the steps you have taken in the wake of breaches that certainly victimized you, and those measures include credit monitoring, insurance, measures that I sought for others in this industry and in other worlds to adopt voluntarily while I was attorney general in the state of Connecticut and literally had to bludgeon and pummel them into doing, not physically, but legally. I just want to commend you for appearing here and for the proactive steps you have taken. But, I have introduced a bill that I think builds on the very good measures that Senator Leahy and Senator Rockefeller have introduced to establish standards so that there will be in effect a bar that everybody has to follow, a standard of care, because this information is not yours. It is entrusted to you. It belongs to the consumers, and that kind of basic principle is the bedrock of this legislation, a standard of care applied industrywide and enforcement. Because rights are not real unless they are enforceable, so enforcement by the FTC but also by consumers themselves, the steps for consumers to take if they are victimized as your stores might be victimized by hackers, a standard of care enforceable by a right of action, and a clearinghouse so that you can share the kind of information everyone has shared here this morning that is so important for you to be able to exchange amongst yourselves to be flexible and raise that bar. And I agree that the standard has to be flexible.
Right now, we are talking about chip and PIN, but the threats are emerging and evolving, and so does the standard, and it is specific. But, you know, I sit here with the attitude of most of your consumers, which is that half the fraud occurs in the United States, but only a quarter of the credit card use. Something is wrong with this picture. In the continuing series of significant, even sensational breaches, an indictment of the American retailing industry in its failure to protect consumer information. We are talking here, after all, not about some sort of science-fiction technology. We are talking about something that is widely used in Europe and could easily have been imposed here earlier. So my question to you, in light of your very welcome and important recommendation, and you have had the good sense to make it simple and a graph that is understandable to rudimentary laymen, would your recommendations have helped to prevent this kind of massive information breach at Neiman Marcus and Target? To start, I am unable to speak to specifics of the incident. These were very sophisticated hackers and they were very well resourced. However, we do believe that the chip and PIN, layered security approaches, all of these things would contribute to more safety. That is basically a yes. It would have helped prevent. I am not asking you to go into details, but you also recommend the chip and PIN or something like it. Would it have been any kind of help to prevent this massive breach? Let me ask you gentlemen, were you in the process of adopting some of these recommendations, and if not then, are you now? Senator, as I said in my opening statement, we actually do have a multilayered security architecture and had it prior to these attacks at Neiman Marcus. Many of the ... Was this information encrypted? During processing, the information was encrypted, during processing.
Many of the technologies being discussed here today by the committee, network monitoring for suspicious traffic, these are all technologies we have deployed and utilized at Neiman Marcus. Unfortunately, the sophistication of this particular attack was able to evade detection of all those best practices, and I think what we have learned, or what is important here, is that just having tools and technology is not enough in this day and age. These attackers are very sophisticated and they have figured out ways around that. It is often how you are deploying those technologies and what else are you doing, which goes back to making sure that we are sharing intelligence as much as we can so we can try to stay up ahead of these attacks. Thank you. My time has expired, so you may be spared, Mr. Mulligan, an answer to that question, but I would like to ask both of you to provide perhaps some detailed answer in writing to the question about whether you are going beyond your present practices and procedures to adopt these steps that Symantec has represented, not saying they are the only solutions, but just a kind of benchmark, and if you could provide that in writing, I would appreciate it. I also want to say that my bill would provide for mandatory notification, and I want to thank you for the notification steps you did take. Both of your companies took. Thank you very much, Mr. Chairman and Senator Durbin. Just one ... I know Mr. Mulligan did not answer this, but Target 10 years ago implemented the technology, and found that so few others were doing that. They abandoned that, but that is something I want to find out from the banks and the credit card issuers and debit card issuers about how fast they can go to this technology, because right now it is October 2015. But let's go to Senator Parada. Thank you. Following what appears to be the protocol on this side of the table, I would certainly be happy to defer to Senator Durbin.
I would like to defer to everyone except Senator Whitehouse. I am the chair of this committee, and I will determine ... but that is about right. I would like to thank Target and Neiman Marcus for coming here today because I think all of us shop at both of these establishments. There has been a discussion about by 2015 Visa and Mastercard using their power to require that merchants and banks agree to issue cards, and you all have readers that will read cards with chips in them. I take it that Mr. Kingston and Mr. Mulligan, both of you were prepared to meet that deadline with the chip technology? Senator, we have been proponents of chip and PIN, as you just heard, for a very long time. Over 300 of our stores have guest payment devices and we are accelerating to get those in our stores by the fourth quarter this year, and the products we offer will have the chips in them early next year. Are you also prepared to adopt the PIN portion? We are advocates for the PIN as the industry in total becomes capable of handling that for credit card transactions. We are advocates of that as a double authentication. What about you? Neiman Marcus is certainly willing and will consider anything that is going to make this process and consumer information safer, including chip and PIN. As I pointed out earlier, at Neiman Marcus, we do not use PIN pads today. As a practical matter, it is important to understand that while I think the industry would be safer with that, there is a lot of work to do to make that happen. The PIN pads have to be able to process this. There are software changes that will have to happen, and of course, all of the integration with the other actors such as banks and merchant processors, and finally, getting all the cards with chips in consumer hands.
I think we are very supportive of considering those and other technology capabilities that will make us safer, but I think we all need to understand that there is a lot of work involved in doing that. What I heard is that Target is prepared to establish chip and PIN technology but you are raising some concerns. Does that mean that at Neiman Marcus you would not be able to meet a 2015 deadline with both of these factors? We want to develop a safer partnership and move as quickly as we can to do that. Would federal legislation help if we were to say ... because right now, it is just Visa and Mastercard saying here's what's going to happen in the arena. Would federal legislation that says here is what we would like to see? I mean, again, I think we have to consider that. It is something that is a law we have to do. Obviously, we will follow the law. It may be coming down the pike, but of course we would have to have all the parties at the table so we can proceed in a reasonable way. Also, cost was mentioned, and I don't know within the nonfederal arena this cost was going to be borne by Target, Neiman Marcus, and all the other retailers and financial institutions? Shared responsibility and a shared interest in payment processing, and a portion of the costs will be borne by all parties. Including consumers? No, including all companies involved in payment processing. So what would be involved in this technology? Perhaps you can enlighten us on that? We think it is very important for cost not to be borne by the consumer. Consumers have lost this information through no fault of their own. I think it is important to remember that. Do you have any idea what the cost of putting in place chip and PIN ... I would be happy to look into it and get back to you. I don't have figures at this time. I know I am running out of time, but one of the areas I was very interested in was the prevention side of things.
You mentioned that one of the first lines of defenses for the consumers to use is for consumers to use certain kinds of PINs and all of that. How do we get this information out to consumers so that, as you say, they are the first line of defense in terms of prevention? What can we do to enable consumers to know that they can take some of these prevention elements into their own hands and protect themselves now? I think there are things consumers can do around stronger passwords, watching their bills. I think we all share the responsibility to try to get that communication out. I think Consumer Reports makes excellent recommendations directly to consumers. The Better Business Bureau has good recommendations. I think it is basically getting the news out there to keep them protected. I think that is a very important aspect. For a lot of consumers, and I am one of them, I am trying to simplify my life by using very few passwords. You are suggesting the opposite. I think that information needs to get out and have consumers adopt the kind of suggestions you are putting forth. Thank you. Senator Durbin? Thank you very much, Mr. Chairman. I want to thank you very much, Mr. Chairman. I want you to think back to the time we publicly asked about something known to retailers across the United States, and that was the amount being charged on each transaction by the card issuers and banks when retailers used the card. What the Federal Reserve reported to us was the average was .44 on transactions. The actual cost to the card issuer and the bank was seven cents. We asked for them to come up with a reasonable fee, and the Federal Reserve came up with .24. Within that .24 was one penny for fraud protection. It is ironic or at least coincidental that just weeks after this law was passed and signed by the president that we had an announcement by Visa that they were finally adopting a roadmap for chip card technology in the United States.
They had a dedicated source that they represented to the Federal Reserve was going to be an antifraud effort. We are moving in that direction, albeit slowly. It is ironic that we have had ... I have had a chip card in my wallet with American Express for years. It is clear that it is fair. It has been around for a while. Let me go to a study that came out recently in 2012. There were about 5.3 billion dollars in credit and debit card fraud loss in the United States in 2012. 1 5 of the payment card fraud losses occurred with debit cards. The Fed said card issuers for 60 percent of the debit card fraud losses. Merchants 38 percent. Cardholders two percent. Mr. Mulligan, in light of the fact that fraud losses were divided among merchants, banks and cardholders, do you agree it is a shared responsibility to support this move toward new technology? We absolutely agree it is a shared responsibility. All of us have an interest in ensuring that consumers have trust in the system we have been using every day. We are currently looking to accelerate our investment to bring devices into our stores more quickly. You and I had a brief conversation yesterday. We discussed the card reader that retailers are responsible for paying for. Can you give me an idea of what the cost is of a card reader today versus chip and PIN? I don't know the incremental costs. I can tell you that the total investment for us is about 100 million. That is split equally between our point-of-sale system and reissuing the cards with the chips in them, so about 50-50. Let's get back to the original point. Retailers and customers in many cases are paying an additional one cent on every transaction for antifraud measures. They are, in fact, issuing a subsidy to have antifraud technology. So it isn't as if we aren't paying already to move this technology forward. The contractual arrangements create processes for the banks and those cards.
And there is consideration for the impact of new card technology on smaller retail hubs that listens retailers and establishments, which is something we need to be sensitive to. But we also need to be aware of the current money if they are alleging to the Fed that they are using this money for antifraud purposes. Did I describe that well? Perfectly, yes. There are lots of legislative proposals designed to address data breach. I would also address the underlying issue, the collection of personally identifiable information and practices guarding their retention by