Transcripts For CSPAN First Ladies Influence Image 20140205

CSPAN First Ladies Influence Image February 5, 2014

And I started there. I start, I thought I would start by following up what Senator Hatch talked about, which is new technology that I understand has been adopted in Europe. Is that true? Yes. And is it true that in Great Britain, they have seen a major decrease in these kind of breaches? They have seen a decrease. They have also seen a shift to the online channel. What is stopping our country when they are doing this in Europe? I think they started using this kind of technology back in 2003. What has stopped it from being rolled out on a major basis, and how can we change that? You know, there are many participants in the payment card world that will ensure that transactions are processed appropriately in the U.S. We put devices in our stores to read chips. Cardtroduced a Target Visa with a chip in it, but without broad adoption, there are not significant advantages for consumers. You mean other retailers? Others having the ability to read the card as well as having cards issued with a chip on them. They need to move together simultaneously. We have been advocates of this. It is a shared responsibility. How does this affect the financial industry? They are the issuers of the cards, so again, in partnership with them, we need to move together collectively so that the whole system is employing this technology. And with the new standard that is in development, how long has it been in development? It has been in development for quite some time. It is due to be released. Like 20 years? More like around a year time frame. OK. It is said to be released next week. That's good timing. Set a standard for these companies or do we need to do something to get the new technology out there?
I think the new standard does provide some guidelines and objectives for the companies to follow, but it is not specific. We are definitely supportive of chip and PIN technology and of any efforts to expedite wide adoption of this technology. I just want to go back quickly to something that was raised at the beginning about the time in between when it was and when the consumers found out about it. Time inu give me the between a was confirmed and the time you notified customers? We were told on December 15 and we notified customers on December 19. And by notified, you mean it was released publicly. Broad public notification, yes. Notified about the malware and spend the next few days containing, disabling and removing the malware. January 10, we started notifying the public and customers directly. Do both companies have policies in place on how you would do this consumer notification? We have several crisis communication plans and we enacted them immediately upon finding the crisis. You know, Senator Leahy has a bill on some of these notification issues. I think some of the issues Senator Feinstein raised are worth discussing. We also have to realize that smaller retailers will have different situations than bigger retailers. We recently found out that hotel chains are being affected by this and we're going to have to put something in place. Senator Hatch has asked to make a small statement before I recognize you. Thank you, Senator. Came up today. It starts out by saying that U.S. intelligence agencies will ask the Obama administration to check the government network for malicious software related to the health care website. The U.S. Affordable Care Act was written in part by Belarus software developers under state control and makes it a potential target for cyber attack. U.S. healthcare data is confounded by what they said was an internet data hijacking involving the Belarusian state-controlled networks.
I just bring that up because this is a very serious discussion that goes far beyond maybe what the retail community is concerned with. Thank you, Senator Lee. Of you for joining us today. It is an important topic. I know it is important to each of you and to America's consumers. I generally trust that the marketplace will create the right kind of incentives for retailers to protect the personal data of their consumer base, but I think the creation of those incentives really the condition precedent that there be adequate notification procedures in place. In other words, consumers have to have received notification in order for any of this to work. They have to receive notification in order to take the steps they need to take to protect their identity. They also need notification so that they can decide where to take their business. Trust a particular business with their data, they are not going to shop there. Considerors do you when deciding at what point to notify consumers or guests? There are some countervailing considerations. You don't necessarily want to notify immediately upon discovering that there is a problem. After 18 years, it almost rolls off my tongue without thinking about it. Our view is that there is a balance to be struck here. Certainly, speed is very important to let consumers know what is going on. Balancing that is looking through the lens of our guests to ensure that we provide accurate information so that we can understand what happened and actionable information so they can understand what to do about it. Balancing those two factors is the lens we look through that ultimately led us to our timeframe. I would also add that for us in , ensuring that we had the appropriate ability to respond to our guests as we knew the questions were going to come, ensuring that our call center staff was prepared and in our stores were able to provide that information.
A large training element also went on to make sure we could handle their questions and concerns appropriately. All of that came together and balanced our decision-making quite quickly. Because it could cause problems if you notified too soon before you know the nature of the threat and what you are going to do about it? We believe it is important to provide accurate information once notification is made about what has gone on and helping our consumers understand what to do about it. Thank you. Mr. Kingston, one potential legislative response to all of this could involve establishing security of national standard. Perhaps standards that are already accepted within the industry. I'm always a little concerned about creating a new federal regulatory authority in part because sometimes when you establish something like that it quickly becomes ineffective, especially in an area like this where technological advances can render a codified national security standard irrelevant or outdated. There is also, I think, some risk that if we create a national security standard, that would be seen not just as a floor, but as a floor and a ceiling, and you could see some people complying with that and that creates an easy target for would-be thieves. What the security standards are because they are codified in law. Do you see some risks in legislation that codifies a national security standard? I think there is inherently going to be risk for some of the reasons that you stated, Senator. I think the thing we have to keep in mind is that the cyber security threat landscape continues to evolve every day, it becomes more and more complicated. As soon as we establish standards, which are helpful, but as soon as we establish them, as you pointed out, that gives the whole world the opportunity to come up with ways to defeat those standards.
I think it is obviously healthy to be able to communicate to people what some of the standards and practices are, but I agree, I think there is a risk there as well. Nodding. Do you have something to add? I think it is not only that the cyber threats are evolving, our environments are changing so quickly. If we look at what a company infrastructure looked like five years ago, it was pretty much contained in their data centers and devices. Today, it is everywhere. It is in our data centers, in the cloud, on mobile devices. So threats are floating, but are the attack surfaces. We need to be able to adjust because the environments change. Thank you, Senator Lee. Senator Franken. Thank you. First of all, Chairman Leahy has a bill I am cosponsor of that standards thate I think you can write in a flexible manner. I see you nodding. As some of you may know, I am chair of the subcommittee on privacy and the law. I think the people have a fundamental right to privacy and part of that is knowing that your sensitive information is protected and secure, and when millions of consumers have their data stolen, we have a big problem and we need to fix it. Minnesotans shop at Target all the time, as do millions of other Americans. Minnesotans shop at Neiman Marcus, too, and we need to get to the bottom of these breaches. But what is clear to me is that we are not just dealing with a problem at Target and Neiman Marcus. Or Michaels, for that matter. We are dealing with a systemic problem. A big part of the problem, as we discussed, is the security of our credit and debit cards. The U.S. has one fourth of the world's card transactions, and yet we are victims to half of all card fraud. Two weeks ago, I wrote to each of the nation's largest credit and debit card companies and asked what they were doing to make our cards safer. Their responses are due tomorrow. The federal government has a role to play here, too. Congress has passed laws that promote data security.
Right now, there is no federal law setting out clear security standards at merchants and data and there's no federal law requiring companies to tell customers when their data has been stolen. I am glad to say that Chairman Leahy has a bill that would fix this problem. I am glad to be a cosponsor. I think it contains enough flexibility that it is not a signal of how to overcome that to criminals. First, I want to get a handle on how the breaches occurred. I understand Target has spent considerable resources on data security systems. But in January 17, an article in the New York Times states that your systems at Target were astonishingly open and particularly vulnerable to attack. I know you have had independent audits before, couple of them, saying that you had passed muster and were among the best in the industry. Can you respond to these charges? Over the past several years, we have spent hundreds of millions of dollars to improve malware detection, intruder protection and prevention, data loss prevention tools, multiple layers of firewalls, but beyond that, as you said, we have ongoing assessments and third parties coming in doing penetration testings of our systems, benchmarking us against others, assessing if we are in compliance with our own processes and control standards. And we have hundreds of team members responsible for this. Go so far as training 300 thousand team members annually on security. Significantsted resources. It is kind of spy versus spy is what we are talking about. Testimony your oral that you are for and Senator Hatch brought this up im a that. Ou are for the smart chip Mr. Roche, Visa and Mastercard are pushing the rollout smart chip cards in the U.S. in 2015. R of I wish that could be hurried. Understanding is that these cards may not require PINs for every transaction, and this is surprising to me because, as we heard from you, the incidence of fraud is far higher for signature debit transactions than for PIN transactions.
And maybe this is a question for Ms. Derek shani. Is there a reason that Visa and Mastercard don't want to put the PIN in there? We are aware of the promises that have been made to implement the technology by 2015. The answer comes down to money. It is expensive to update the technology at the point of sale. We would be supportive of efforts to encourage widespread adoption of these technologies and we think more of a push would be a good thing. Can you follow up on that? In particular, do Visa and Mastercard have a reason. Chip and PIN we think is the best and most secure solution. I think the chip on its own still provides more security, running encryption and protection from cloning of the cards. We still think that is the best way to go. Senator Franken, I believe you will chair as I need to leave. And Senator Durbin is next. Senator Durbin, and I will move over to the chair. I believe in the early bird rule. It is not the early bird. Thank you very much. Senator Franken, if I could just follow up on the line of questioning that Senator Franken was on. It is very helpful when you take the time to share the details of these incidents. As we in Congress work hard to strike the right balance between a robust marketplace where we all benefit from the ease and convenience of using credit cards and debit cards, but we also try to make sure we are sufficiently protected in our privacy and against theft. These are delicate choices we have to make, and I think this has been very helpful for us to better understand what is possible, what is desirable, and what the cost and impact would be. , doesould just continue the consumer even believe that the deadline is reasonable? I think we're more supportive of having it being expedited even more quickly. So you think it is possible to be expedited more quickly, it is just a matter of cost? Will cannot speak for everything it would take to be implemented, but we would like to see it happen more quickly.
And if I understand you correctly, chipless PIN is now possible or at least in his PIN is possible in debit card cases. Do you believe that should be enabled for credit cards as well? That is an interesting question. We have spoken about the differences between debit card protections and credit card protections, and I think it would be a good thing you are less protected under a debit card. I think it would be a good thing for debit card technology to come in line with credit card protection. Do you have the option currently to input a PIN? We do not use PIN pads in our stores currently and we do not require PINs. Just tell me understand why not. I think the issue that we are talking about here is that there are a lot of different technologies that are available, and this is something that right now in the industry consumers don't actually have a lot of these cards in their wallet. I am a consumer, I have several cards in my wallet and none of them have chips on them. While it is an option, it is not something that has been widely adopted in the industry at this point. My specific question is about PINs rather than chips, but I understand your point about the trajectory of that adoption. It is not easily predictable. A broader question, if I might. You testified that breach notification standards are not enough. Federal legislation is needed to ensure pre-breach security measures. Can you grade the efficiency of the cyber security measures currently in place and give us some insight into how the compliance factor weighs into cyber security? It is a great question, and I think there are a lot of companies that have put in very effective security solutions and some that have a ways to go. I think the trick is here that we have focused very much on chip and PIN. What companies really need to do is look at a very layered security at every part of their ecosystem. But stronger measures in place so that bad people cannot get into the network.
The more we can encrypt the data, the more it is of no value to them. Antivirus is a great foundational technology, but there are things we can do on top of that to stop the emerging threat. It is really about using a layered security approach and we think any legislation should reflect those layers. My last question, if I might. Help us understand the key impediments that your companies face in trying to achieve this sort of more robust cyber security. We want to make sure that our data is protected and that we are not subject to vast amounts of fraud. Involved in creating stronger cyber security measures? We agreed. Layers of protection are important across the entire enterprise. This is an evolving threat, and we think one of the keys going forward is again, shared responsibility to share information across the industry, not just across retail, but across the industry. We have a long history of doing that. We all want to understand the evolving threat and respond to it as we design security systems and protocols. I talked about the importance of all the actors in the ecosystem being able to share intelligence. Attacks are very sophisticated. Things that have not been seen before or done. That is one thing, and I think the other thing that is really important is that all of the actors be able to adopt these technologies at the same time. Consumers obviously have to be technology,t the companies and private sector institutions as well. Thank you. I do think there is a strong federal role in ensuring privacy and security. Thank you. We actually are using the early bird rule, and you are the late bird. So we go to Senator Blumenthal. Senator Blumenthal. Thank you. Thank you all for being here. Not easy to be the face of the industry which really bears the responsibility here for what I see as a record of failure. Not directedent is at Target or at Neiman Marcus.
It is directed at an industry, and I think you deserve a lot of credit for coming here today and representing that industry, and also for the steps you have t
