On May 11, 2006, Joseph LaRocca testified before the House Judiciary Committee's Subcommittee on Crime, Terrorism and Homeland Security as Vice President of Loss Prevention for the National Retail Federation. The hearing addressed H.R. 5318, the Cyber-Security Enhancement and Consumer Data Protection Act of 2006, introduced by Chairman Sensenbrenner. LaRocca was one of four witnesses, alongside a Deputy Assistant Attorney General from the Department of Justice, the Executive Director of the Identity Theft Assistance Corporation, and a policy analyst from Consumers Union.
LaRocca's testimony represented the retail industry's perspective on a rapidly evolving threat: the shift from physical theft to cyber-crime, including hacking, data breaches, and the use of stolen consumer information to commit fraud. He argued that updated federal law was essential to protect both retailers and consumers from an increasingly sophisticated criminal ecosystem operating largely through the internet.
The full official hearing record is archived by the U.S. Government Publishing Office under Serial No. 109–106.
Written Testimony
Submitted by Joseph LaRocca, Vice President of Loss Prevention, National Retail Federation. Delivered before the Subcommittee on Crime, Terrorism, and Homeland Security, Committee on the Judiciary, House of Representatives, One Hundred Ninth Congress, Second Session.
Good morning Chairman Coble, Ranking Member Scott and members of the Subcommittee. My name is Joe LaRocca. I am the Vice President of Loss Prevention for the National Retail Federation (NRF), in Washington, D.C. I am here to provide the retail community's perspective on H.R. 5318, the Cyber-Security Enhancement and Consumer Data Protection Act of 2006, being considered by this subcommittee.
NRF applauds the subcommittee for initiating this effort to acknowledge and address the growing problem of computer-based, or "cyber" crime. We agree it is appropriate that efforts first be directed at updating current law — Title 18 Section 1030(a)(2) (aka, 18 U.S.C. 1030) — as is the focus of this bill, and NRF believes that the bill before you is a good first step toward punishing and deterring the bad actors while also protecting the interests of business and our customers.
The National Retail Federation is the world's largest retail trade association, with membership that comprises all retail formats and channels of distribution including department, specialty, discount, catalog, Internet, independent stores, chain restaurants and grocery stores as well as the industry's key trading partners of retail goods and services. NRF represents an industry with more than 1.4 million U.S. retail establishments, more than 23 million employees — about one in five American workers — and 2004 sales of $4.1 trillion. As the industry umbrella group, NRF also represents more than 100 state, national and international retail associations.
With over 18 years of experience as a loss prevention professional inside retail companies, I speak from experience about the significant and sweeping change I myself and colleagues of mine in loss prevention have encountered and had to adapt to in order to stay ahead of the bad guys. What used to be a focus of our time and resources on physical crime — property based theft, embezzlement, etc. — has quickly shifted and accelerated into the online world, presenting me and my colleagues with an entirely new, more sophisticated, harder to find, next to impossible to identify or reach culprit: the cyber-criminal.
Cyber-crime is an increasingly destructive form of trespass. The stakes grow higher by the day, as do the costs and measures needed to adequately secure retail websites, payment systems and databases in addition to our biggest asset — namely, our reputation. While loss prevention activities have traditionally centered on losses within the store or our supply chain of goods, LP professionals are taking on greater responsibility for protection of our business brand. In retail, our customers not only want a good deal for a desirable item we sell — our customers need to TRUST us in order for our relationship to flourish. To protect and hold customer information close is a necessity for a competitive retailer; it simply makes no practical or economical sense for retailers to be blasé when it comes to customer trust or data security.
Unauthorized access and use of retailers' customer data is a double hit — first to our customers, but also to retailers themselves. These rare and unfortunate circumstances happen, but we join with our customers as victims of smart and often distant cyber-criminals who are often just seeking out the thrill of the biggest security hack they can perpetrate. However, the minute customers stop trusting a retailer with their personal information, that retailer is doomed to fail. To protect all our assets — property, goods, employees, credit card information and brand — retail loss prevention professionals are aggressively building bridges across our discipline and to law enforcement, and looking for tools to help us in our mission.
The advent of the Web is both a blessing and a curse for retail loss prevention. While our e-commerce divisions have exploded in recent years, retail losses have also grown. Considering that one of the original purposes of 18 U.S.C. 1030 as amended in 1996 was to protect credit card numbers and other financial data, it makes sense that ten years later a number of "updates" are needed in order to keep step with the trends and growth of new avenues of cyber-crime. For retailers to stay profitable and viable and keep our brands from irreparable harm, we need updated laws like H.R. 5318 to help defend our property and ultimately our customers.
For example, in November 2003, three men accessed the computer system of a large, well-known home improvement retailer. They installed programs, or bots, on the computer systems of several stores and ultimately conspired to hack the retailer's central communication system in North Carolina. In 2004, a Boston-based warehouse club was the victim of cyber-thieves; in response, banks sent hundreds of thousands of replacement credit cards to consumers across 16 states. In April 2005, a well-known New York-based specialty retailer reported a systems breach resulting in 180,000 elements of credit card data being compromised. And in March 2005, a large Columbus-based shoe warehouse chain reported the theft of credit card and personal shopping information for 170,000 of its customers.
These were the cases that were widely reported. Most security experts agree that a large number of hacking incidents go unreported due to the negative publicity of doing so or the fear of future attacks.
Even when retailers are not the direct target, there is still a significant risk for our industry. When hacking incidents occur or consumer records are fraudulently obtained from companies like ChoicePoint, Axium, Bank of America, University of Southern California, and LexisNexis, the data obtained by these cyber-criminals is often used to commit other crimes, such as opening credit accounts using true name fraud or assuming the identity of legitimate consumers and making fraudulent purchases — costing consumers and retailers in excess of $50 billion annually.
And while these examples are focused on the financial impact to retailers, we cannot forget that many of these computer intrusions result in lost data, system downtime, and lost hours of work for employees and companies that must then undergo significant review, recovery, and overhaul of their technical infrastructure.
As FBI Director Mueller stated in testimony before the Senate Committee on Intelligence: the cyber-threat to the United States is serious and continues to expand rapidly, with the number of actors with both the ability and the desire to utilize computers for illegal and harmful purposes growing. He went on to note that the growing number of hackers motivated by money is a cause for concern — if this pool of talent is utilized by terrorists, foreign governments, or criminal organizations, the potential for successful cyber-attack on our critical infrastructures is greatly increased.
Cyber-crime is a high-reward, but high-risk business. And while some items are fraudulently purchased for the hacker, their family, or their friends, oftentimes these products are fenced, sold, or swapped through online auction sites and converted to cash — activity we call "e-fencing." These purchases not only have a serious financial impact on businesses; this activity also results in lost sales, as honest consumers are unable to purchase the most desirable goods a retailer can stock.
When last the federal computer crimes law was amended, Internet access and usage was still in its infancy. As the Internet grew, e-retailing with all its related benefits has also grown substantially. Likewise, smart criminals have kept on top of, or many times ahead of, technology trends. Their stealth activity is harder to detect, but not impossible, assuming law enforcement is provided with the right tools and victims of computer crime have additional avenues to identify and prosecute those that perpetrate our loss or harm.
Given the seamlessness of the Web, it is vitally important that Section 3 of the bill seeks to broaden the scope of 18 U.S.C. 1030 to apply to foreign and interstate computer frauds, as we know the crime can be initiated from remote locations and can still have a direct and crippling impact on broad-based businesses that operate across jurisdictions and in the ether known as the Internet.
NRF also applauds the enhanced tools for law enforcement found in H.R. 5318. First, the Section 4 language to add 18 U.S.C. 1030 to the definition of "racketeering activity" as a Racketeer Influenced and Corrupt Organizations (RICO) predicate offense to 18 U.S.C. 1961. Second, the Section 6 creation of a new federal offense of "conspiracy to commit cyber-crimes," as so much of the computer-based crime is both organized and far more sophisticated in its execution. And finally, the increased investigative and prosecutorial funding for federal law enforcement found in Section 10.
As for the penalties found in Section 8, it is laudable to see that the bill increases convictions of cyber-crime from 10 or 20 years to 30 years, as well as providing for stiffer forfeiture provisions. Expansion of these terms of imprisonment and tightening of property forfeiture is not only an incentive to law enforcement, but should prove to be a deterrent to all but the boldest of thieves.
NRF is encouraged by the intent of H.R. 5318 and applauds the expansion of scope of 18 U.S.C. 1030, particularly its RICO predicate, the expanded funding for law enforcement, the establishment of a new conspiracy crime section, and its penalty enhancements. Likewise, on behalf of the National Retail Federation, its member retailers and my colleagues in loss prevention, I look forward to working with members of the subcommittee toward development and passage of updated, substantive and enforceable laws that further protect businesses and consumers from online fraud — particularly the growing trend of e-fencing, a phenomenon booming on auction sites and swap-lists across the Internet.
I appreciate the invitation to come and address you and the subcommittee members on the merits of the draft Cyber-Security Enhancement and Consumer Data Protection Act of 2006, and I welcome any questions or comments you may have. Thank you for your kind attention.