b'<html>\n<title> - DATA SECURITY: THE DISCUSSION DRAFT OF DATA PROTECTION LEGISLATION</title>\n<body><pre>[House Hearing, 109 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n \n   DATA SECURITY: THE DISCUSSION DRAFT OF DATA PROTECTION LEGISLATION\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                            SUBCOMMITTEE ON\n                COMMERCE, TRADE, AND CONSUMER PROTECTION\n\n                                 of the\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED NINTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JULY 28, 2005\n\n                               __________\n\n                           Serial No. 109-48\n\n                               __________\n\n      Printed for the use of the Committee on Energy and Commerce\n\n\n Available via the World Wide Web: http://www.access.gpo.gov/congress/\n                                 house\n\n                               __________\n\n\n                 U.S. GOVERNMENT PRINTING OFFICE\n\n22-989PDF              WASHINGTON : 2005\n_________________________________________________________________\nFor sale by the Superintendent of Documents, U.S. Government \nPrinting  Office Internet: bookstore.gpo.gov  Phone: toll free \n(866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250 Mail:\nStop SSOP, Washington, DC 20402-0001\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                    ------------------------------  \n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                      JOE BARTON, Texas, Chairman\n\nRALPH M. HALL, Texas                 JOHN D. DINGELL, Michigan\nMICHAEL BILIRAKIS, Florida             Ranking Member\n  Vice Chairman                      HENRY A. 
WAXMAN, California\nFRED UPTON, Michigan                 EDWARD J. MARKEY, Massachusetts\nCLIFF STEARNS, Florida               RICK BOUCHER, Virginia\nPAUL E. GILLMOR, Ohio                EDOLPHUS TOWNS, New York\nNATHAN DEAL, Georgia                 FRANK PALLONE, Jr., New Jersey\nED WHITFIELD, Kentucky               SHERROD BROWN, Ohio\nCHARLIE NORWOOD, Georgia             BART GORDON, Tennessee\nBARBARA CUBIN, Wyoming               BOBBY L. RUSH, Illinois\nJOHN SHIMKUS, Illinois               ANNA G. ESHOO, California\nHEATHER WILSON, New Mexico           BART STUPAK, Michigan\nJOHN B. SHADEGG, Arizona             ELIOT L. ENGEL, New York\nCHARLES W. ``CHIP\'\' PICKERING,       ALBERT R. WYNN, Maryland\nMississippi, Vice Chairman           GENE GREEN, Texas\nVITO FOSSELLA, New York              TED STRICKLAND, Ohio\nROY BLUNT, Missouri                  DIANA DeGETTE, Colorado\nSTEVE BUYER, Indiana                 LOIS CAPPS, California\nGEORGE RADANOVICH, California        MIKE DOYLE, Pennsylvania\nCHARLES F. BASS, New Hampshire       TOM ALLEN, Maine\nJOSEPH R. PITTS, Pennsylvania        JIM DAVIS, Florida\nMARY BONO, California                JAN SCHAKOWSKY, Illinois\nGREG WALDEN, Oregon                  HILDA L. SOLIS, California\nLEE TERRY, Nebraska                  CHARLES A. GONZALEZ, Texas\nMIKE FERGUSON, New Jersey            JAY INSLEE, Washington\nMIKE ROGERS, Michigan                TAMMY BALDWIN, Wisconsin\nC.L. ``BUTCH\'\' OTTER, Idaho          MIKE ROSS, Arkansas\nSUE MYRICK, North Carolina\nJOHN SULLIVAN, Oklahoma\nTIM MURPHY, Pennsylvania\nMICHAEL C. BURGESS, Texas\nMARSHA BLACKBURN, Tennessee\n\n                      Bud Albright, Staff Director\n        David Cavicke, Deputy Staff Director and General Counsel\n      Reid P.F. 
Stuntz, Minority Staff Director and Chief Counsel\n\n                                 ______\n\n        Subcommittee on Commerce, Trade, and Consumer Protection\n\n                    CLIFF STEARNS, Florida, Chairman\n\nFRED UPTON, Michigan                 JAN SCHAKOWSKY, Illinois\nNATHAN DEAL, Georgia                   Ranking Member\nBARBARA CUBIN, Wyoming               MIKE ROSS, Arkansas\nGEORGE RADANOVICH, California        EDWARD J. MARKEY, Massachusetts\nCHARLES F. BASS, New Hampshire       EDOLPHUS TOWNS, New York\nJOSEPH R. PITTS, Pennsylvania        SHERROD BROWN, Ohio\nMARY BONO, California                BOBBY L. RUSH, Illinois\nLEE TERRY, Nebraska                  GENE GREEN, Texas\nMIKE FERGUSON, New Jersey            TED STRICKLAND, Ohio\nMIKE ROGERS, Michigan                DIANA DeGETTE, Colorado\nC.L. ``BUTCH\'\' OTTER, Idaho          JIM DAVIS, Florida\nSUE MYRICK, North Carolina           CHARLES A. GONZALEZ, Texas\nTIM MURPHY, Pennsylvania             TAMMY BALDWIN, Wisconsin\nMARSHA BLACKBURN, Tennessee          JOHN D. DINGELL, Michigan,\nJOE BARTON, Texas,                     (Ex Officio)\n  (Ex Officio)\n\n                                  (ii)\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                               __________\n                                                                   Page\n\nTestimony of:\n    Burton, Daniel, Vice President of Government Affairs, \n      Entrust, Inc...............................................    35\n    Hintze, Michael, Senior Attorney, Microsoft Corporation......    19\n    Hoofnagle, Chris, Senior Counsel and Director, Electronic \n      Privacy Information Center, West Coast Office..............    27\n    Maier, Fran, Executive Director and President, TRUSTe........    
13\nAdditional material submitted for the record:\n    Retail Industry Leaders Association, statement for the record    53\n\n                                 (iii)\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n   DATA SECURITY: THE DISCUSSION DRAFT OF DATA PROTECTION LEGISLATION\n\n                              ----------                              \n\n\n                        THURSDAY, JULY 28, 2005\n\n              House of Representatives,    \n              Committee on Energy and Commerce,    \n                       Subcommittee on Commerce, Trade,    \n                                   and Consumer Protection,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 10:07 a.m., in \nroom 2123, Rayburn House Office Building, Hon. Cliff Stearns \n(chairman) presiding.\n    Members present: Representatives Stearns, Pitts, Terry, \nBlackburn, Barton (ex officio), Towns, Green, Gonzalez, and \nBaldwin.\n    Staff present: David Cavicke, general counsel; Chris Leahy, \npolicy coordinator; Shannon Jacquot, counsel; Will Carty, \nprofessional staff; Billy Harvard, clerk; Chad Grant, clerk; \nKevin Schweers, communications director; Terry Lane, deputy \ncommunications director; Consuela Washington, senior minority \ncounsel; Jessica McNiece, minority research assistant; and \nEdith Holleman, minority counsel.\n    Mr. Stearns. Good morning. I would like to thank, first of \nall, the witnesses for coming before us today and to offer \ntheir comments and suggestions and helping us to craft a better \nbill and a workable data protection bill that will greatly \nimprove the protection and security for all consumers and their \ndata.\n    Data security breaches are an alarming trend that seems to \nbe increasing hand in hand with the cases of identity theft and \nfinancial fraud in the United States. 
Identity theft and \nfinancial fraud represents the fastest growing criminal \nenterprise in the United States. As we learned from the Federal \nTrade Commission in several previous hearings, a recent survey \nshowed that almost 10 million people in the United States \ndiscovered that they were involved in some sort of identity \ntheft. That figure translates into almost $50 billion in losses \nfor businesses and of course $5 billion for consumers.\n    Consumer data breaches and related identity theft crimes \nthreaten not only the financial and personal security of every \nconsumer in the United States, but also have the potential to \ndisrupt and impede commercial activity in every sector of our \neconomy.\n    Now, not surprisingly, there are now indications that \nconsumer confidence in Internet-based and electronic \ntransactions is starting to wane as reports mount about \nbreaches potentially affecting millions of Americans.\n    Regardless of statistics and trends, I would bet that a \nsignificant percentage of us in the committee room today have \nbeen touched personally by this problem. I also believe that we \ncan not rely solely on law enforcement and existing law for \nprotection against breaches and related criminal activity in \nthis area.\n    The Congress, and this committee in particular, is charged \nwith the responsibility to ensure that the entities possessing \nand dealing in sensitive consumer data keep the doors locked \nand the alarm on. We intend to live up to that responsibility. \nThe health of our modern network system of commerce demands \nthis and all consumers deserve this.\n    Data, especially personal data, is the currency of the \ndigital world. Given the sheer scope and interconnectivity of \nour fast-moving commercial environment, one simple mistake or \noversight can leave all of us vulnerable to the lone criminal \nwith the ability to victimize millions in an instant. 
\nUnfortunately, the crooks have discovered a lucrative new \nenterprise exploiting such vulnerabilities. And it is up to us \nto shut them down before they destroy the integrity of the \ndata-driven commercial system that so many of us rely on.\n    I believe consumers, businesses, and other important \nstakeholders must be empowered with adequate information to \nassess data security risk and provide sufficient incentives to \nencourage the most appropriate means, technical or otherwise, \nto enhance data security.\n    My colleagues, at the most basic level, our bill would \ncreate a uniform national data breach notification regime based \non risk of potential harm from identity theft. The bill also \nincorporates a number of provisions related to my earlier \nprivacy bill that are intended to provide security guidelines \nfor entities that keep personal data. I believe that once these \npractices are embraced, renewed consumer confidence in e-\ncommerce and its multitude of applications will lead to even \nbetter data security in the marketplace. We need to promote the \nnotion that security sells.\n    Specifically, our bill contains three major elements. The \nfirst major element of the bill directs the Federal Trade \nCommission to develop rules for data security, including \nrequirements that entities in possession of personal data have \na security policy, have someone designated as responsible for \nthat policy, and have a process for taking preventive and \ncorrective action to ensure that policy is as robust as \nrequired.\n    Two, the second main element of the bill relates to the \nspecial case of information brokers, which are defined in the \ndraft as ``companies whose primary business is to compile and \nsell consumer data to third parties\'\'. The bill requires these \nentities to submit their security policy to the Federal Trade \nCommission for audit and approval on an annual basis. 
In \naddition, any information broker is required to provide those \nwho ask a free report of what information the entity holds on \nthat individual.\n    And last, the last element establishes a national uniform \nstandard for consumer notification when there is a security \nbreach. A security breach is defined using a risk-based \nstandard that relates to the probability that the security \nbreach results in a reasonable basis to conclude that identity \ntheft may occur. The bill requires timely notification, both \nelectronic and through the mail, of consumers affected.\n    There are also a number of provisions relating to \nsubstitute notices in cases where there is a requirement of \nunduly burdensome to a business given its financial conditions.\n    I look forward to the comments on our draft bill and would \nlike to emphasize that the committee intends to develop this \nlegislation through a bipartisan and open process that allows \nfor constructive debate and discussion. We will solicit at \nleast one or more rounds of comments and work hard to continue \nto refine the bill to best achieve effectiveness with this \nbalance.\n    So I look forward to our testimony by our witnesses today \nand working together with them on this important piece of \nlegislation.\n    [The prepared statement of Hon. Clifford Stearns follows;]\nPrepared Statement of Hon. Clifford Stearns, Chairman, Subcommittee on \n                Commerce, Trade, and Consumer Protection\n    Good morning. I first would like to thank the witnesses before us \ntoday as well as all who have offered comments and suggestions \nassisting our important work in crafting a robust and workable data \nprotection bill that will improve greatly the protection and security \nof consumer data.\n    Data security breaches are an alarming trend that seems to be \nincreasing hand-in-hand with the cases of identity theft and financial \nfraud in the United States. 
Identity theft and financial fraud \nrepresent the fastest growing criminal enterprise in America. As we \nlearned from the Federal Trade Commission in several previous hearings, \na recent survey showed that almost 10 million people in the United \nStates discovered that they are involved in some sort of identity \ntheft. That figure translates into almost $50 billion in losses for \nbusiness and $5 billion for consumers. Consumer data breaches and \nrelated identity theft crimes threaten not only the financial and \npersonal security of every consumer in America but also have the \npotential to disrupt and impede commercial activity in every sector of \nthe U.S. economy. Not surprisingly, there are now indications that \nconsumer confidence in Internet-based and other electronic transactions \nis starting to wane as reports mount about breaches potentially \naffecting millions.\n    Regardless of statistics and trends, I\'d bet that a significant \npercentage of us in the committee room today have been touched \npersonally by this menace. I also believe that we cannot rely solely on \nlaw enforcement and existing law for protection against breaches and \nrelated criminal activity in this area. The Congress and this great \nCommittee, in particular, are charged with the responsibility to ensure \nthat the entities possessing and dealing in sensitive consumer data \nkeep the doors locked and the alarm on. We intend to live up to that \nresponsibility. The health of our modern networked system of commerce \ndemands this, and all consumers deserve this. Data, especially personal \ndata, is the currency of the digital world. Given the sheer scope and \ninterconnectivity of our fast-moving commercial environment, one simple \nmistake or oversight can leave all of us vulnerable to the lone \ncriminal with the ability to victimize millions in an instant. 
\nUnfortunately, the crooks have discovered a lucrative new enterprise \nexploiting such vulnerabilities, and it\'s up to us to shut them down \nbefore they destroy the integrity of the data-driven commercial system \nthat so many rely on.\n    I believe consumers, business, and other important stakeholders \nmust be empowered with adequate information to assess data security \nrisk and provided sufficient incentive to encourage the most \nappropriate means, technical or otherwise, to enhance data security. At \nthe most basic level, our bill will create a uniform, national data \nbreach notification regime based on risk of potential harm from \nidentity theft. The bill also incorporates a number of provisions \nrelated to my earlier privacy bill that are intended to provide \nsecurity guidelines for entities that keep personal data. I believe \nthat once these practices are embraced, renewed consumer confidence in \ne-commerce and its multitude of applications will lead to even better \ndata security in the marketplace. We need to promote the notion that \nSECURITY SELLS.\n    Specifically, our bill contains three major elements:\n\n\x01 The first major element of the draft bill directs the Federal Trade \n        Commission to develop rules for data security, including \n        requirements that entities in possession of personal data have \n        a security policy, have someone designated as responsible for \n        that policy, and have a process for taking preventive and \n        corrective action to ensure that policy is as robust as needed.\n\x01 The second main element of the bill relates to the special case of \n        ``information brokers\'\', which are defined in the draft as \n        companies whose primary business is to compile and sell \n        consumer data to third parties. The bill requires these \n        entities to submit their security policy to the Federal Trade \n        Commission for audit and approval on an annual basis. 
In \n        addition, any information broker is required to provide those \n        who ask a free report on what information the entity holds on \n        that individual.\n\x01 The last element establishes a national, uniform standard for \n        consumer notification when there is a security breach. A \n        security breach is defined using a risk-based standard that \n        relates to the probability that the security breach results in \n        ``a reasonable basis to conclude\'\' that identity theft may \n        occur. The bill requires timely notification, both electronic \n        and through the mail, of consumers affected. There also are a \n        number of provisions relating to substitute notice in cases \n        where this requirement may be unduly burdensome to a business \n        given its financial condition.\n    I look forward to the comments on our draft bill and would like to \nemphasize that the Committee intends to develop the legislation through \na bipartisan and open process that allows for constructive debate and \ndiscussion. We will solicit at least one more round of comments and \nwill work hard to continue to refine the bill to best achieve \neffectiveness with balance. I look forward to the testimony of our \nwitnesses and to working together on this very important piece of \nlegislation. Thank you.\n\n    Mr. Stearns. And with that, the distinguished member from \nNew York, Ranking Member Towns.\n    Thank you.\n    Mr. Towns. Thank you very much, Mr. Chairman.\n    Let me begin by first thanking you for holding this \nhearing. And I would like to ask to place the 43 stakeholders\' \ncomments in the record.\n    Mr. Stearns. By unanimous consent, so ordered.\n    [The list of industry comments follow:]\n           data security discussion draft--industry comments\n1. American Bankers Association; 2. Business Software Alliance; 3. \nCenter for Democracy and Technology; 4. Consumers Union; 5. 
Cyber \nSecurity Industry Alliance; 6. Direct Marketing Association; 7. Dun & \nBradstreet; 8. eBay Inc.; 9. Electronic Privacy Information Center; 10. \nEntrust Inc.; 11. Experian; 12. Federal Reserve Board; 13. Federal \nTrade Commission; 14. Financial Services Roundtable; 15. First Data \nCorporation; 16. GC Services Limited Partnership ; 17. ID Analytics; \n18. IdTheftAwareness--``The Real Danny Lents\'\'; 19. Internet Commerce \nCoalition; 20. Internet Security Alliance; 21. Intersections Inc.; 22. \nMIB Group, Inc.; 23. Microsoft Corporation; 24. National Association \nfor Information Destruction, Inc.; 25. National Automobile Dealers \nAssociation; 26. National Business Coalition; 27. National Council of \nInvestigation & Security Services, Inc.; 28. Peter Kiewit Institute; 29 \nThe Progress & Freedom Foundation; 30. Reed Elsevier Inc.; 31. Retail \nIndustry Leaders Association; 32. Software & Information Industry \nAssociation; 33. Prof. Daniel J. Solove/George Washington Univ. Law \nSchool; 34. TALX; 35. Time Warner Inc.; 36. TRUSTe; 37. US Oncology, \nInc.; 38. U.S. PIRG; 39. Viacom; 40. VISA U.S.A.; 41. Vontu Inc.; 42. \nWexler & Walker PPA; and 43. Yahoo! Inc.\n\n    Mr. Towns. Since we last met, the privacy of our \nconstituencies have been compromised further, and their worries \nhave increased tenfold. I was encouraged by the feedback that \nwe received at our previous hearings. But there is much more \nwork that needs to be done.\n    The discussion draft that was recently circulated includes \nimportant requirements relating to information security \nprograms and security breach notices, but recent security \nbreaches have revealed that consumers also care about the lack \nof transparency as to how companies are using and to whom they \nare disclosing their personal information.\n    I was pleased to see that the draft includes a trigger for \nnotification purposes. 
Chairman Stearns and Ranking Member \nSchakowsky and the rest of my colleagues would agree that this \nissue has haunted us for too long. It seems as though a new \ndata security breach happens bimonthly, resulting in destroyed \nbank accounts and financial headaches.\n    As we begin to depend on technology more than ever, we must \nput our citizens\' privacy at the top of our priority list. I \nhope the FTC is ready to help to stem the tide of identity \ntheft and end the financial destruction that has plagued our \nconstituents and web users worldwide.\n    I look forward, Mr. Chairman, to working with you and the \nmembers of this committee to stem this very serious problem, \nbecause the more I travel back and forth into my District on \nthe plane and wherever, you hear these horrible stories. I \nthink the time has come to put an end to it.\n    On that note, I yield back.\n    [The prepared statement of Hon. Edolphus Towns follows:]\nPrepared Statement of Hon. Ed Towns, a Representative in Congress from \n                         the State of New York\n    Thank you Mr. Chairman for holding this important hearing. Since we \nlast met, the privacy of our constituents have been compromised further \nand their worries have increased ten-fold. I was encouraged by the \nfeedback that we received in our previous hearings, but there is much \nmore work to be done.\n    The Discussion Draft that was recently circulated includes \nimportant requirements relating to information security programs and \nsecurity breach notices. But recent security breaches have revealed \nthat consumers also care about the lack of transparency as to how \ncompanies are using and to whom they are disclosing their personal \ninformation in the first place. I was pleased to see that the draft \nincludes a ``trigger\'\' for notification purposes. 
No one likes to be \ninundated with dozens and dozens of risk-related notices, and I agree \nthat warnings should only be sent when there are severe breaches \ncapable of significant consumer burden.\n    I think that Chairman Stearns, Ranking Member Schakowsky and the \nrest of my colleagues would agree that this issue has haunted us for \ntoo long. It seems as though a new data security breach happens bi-\nmonthly, resulting in destroyed bank accounts and financial headaches.\n    As we begin to depend on technology more than ever before, we must \nput our citizens\' privacy at the top of the priority list. In July \n18th\'s Wall Street Journal, Bill Hancock, Chief Security Officer of \nSavis, Inc., a major internet service provider, is quoted as saying, \n``What people can do on computer networks and what they can find has \nincreased ten-fold from a few years ago.\'\' He went on to state that \n``Evil intent is easier than ever.\'\'\n    I hope the FTC is ready to help to stem the tide of identity theft \nand end the financial destruction that has plagued our constituents and \nweb users worldwide. I look forward to monitoring the positive \ndevelopments that are sure to stem from our committee draft.\n    Thank you.\n\n    Mr. Stearns. I thank my colleague.\n    The gentleman, Mr. Pitts, is recognized.\n    [No response.]\n    Mr. Stearns. The gentleman waives.\n    Mr. Gonzalez.\n    Mr. Gonzalez. Thank you very much, Mr. Chairman.\n    Again, I commend your continuous efforts. You have been on \nthis issue for some time, and I appreciate you calling this \nparticular hearing. I will be brief, but I will also request \nthat my written statement be submitted in its entirety by \nunanimous consent.\n    Mr. Stearns. With the record\'s consent, so ordered.\n    Mr. Gonzalez. I guess what we are trying to find out today, \nand I appreciate the presence of the witnesses. 
Many times I \nfeel that you all come here and give us the benefit of your \nknowledge and experience, and then you feel that maybe we are \nnot listening, but the truth is, we have a record, we have your \nstatements, and we do make reference to them as we proceed with \nthis piece of legislation.\n    My only observation is that we deal with this in a \nrealistic framework and that is what is happening out there, \nwhat is it possible that you bring to this. We need your \nsuggestions and recommendations. And that our policies will \naffect the abilities that technology give us today, we can\'t go \nout there and impose on what is going on out there in commerce \nand such, conditions that could never be met, technologically \nor otherwise. But I think that there can be certain compromises \nthat still address the chief concerns as expressed by my \nconstituents when we have town hall meetings.\n    The greatest attendance that I have had in any town hall \nmeeting, I guess second to Social Security, has been ID theft. \nIt is out there. It is tremendous. And working together, \nhopefully we will come up again with a feasible, viable answer. \nThe problem with technology, and I have said this before about \ntechnology, I guess it is the old proverbial key that opens the \ngates to paradise, but it is the same key that can open the \ngates to hell. And so somehow, we avoid that and do the best \nthat we can.\n    And again, thank you very much for your participation, and \nI yield back.\n    [The prepared statement of Hon. Charles A. Gonzalez \nfollows:]\n  Prepared Statement of Hon. Charles A. Gonzalez, a Representative in \n                    Congress from the State of Texas\n    Mr. Chairman, thank you for holding today\'s hearing on the \ndiscussion draft data protection bill that this subcommittee is \ndeveloping. I would particularly like to thank both the majority and \nminority staff for their work on this. 
I know that they have been \ncalled upon in recent days and weeks to put many hours into other \nlegislative items related to the Energy and Commerce Committee, so I \nespecially appreciate their attention to this legislation. This \ndiscussion draft provides us with an excellent starting point for \naddressing the rash of data breaches that have been threatening the \nprivacy and financial standing of consumers across America. I look \nforward to working with you, Mr. Chairman, the Ranking Member, and \nother members of this subcommittee to further build on the draft before \nus today.\n    The problem of data security, and the risk of identity theft that \nit carries, is a serious concern to people. I know that in my own \ndistrict in San Antonio, public attention is strong. I held a town hall \nmeeting in my district in May, which brought together the Federal Trade \nCommission and federal and local law enforcement. The turnout from the \npublic was impressive. And despite being in an auditorium without air-\nconditioning for over two hours, almost the entire audience stayed to \nthe very end and asked many questions. The bottom line is that people \nwant assurances that their private information is handled securely and \nthat breaches in data security are handled swiftly and effectively.\n    As we move forward with this legislation, I hope that we can have \nan end-product that adheres, as much as realistically possible, to the \nprinciple of ``don\'t collect it if you can\'t protect it.\'\' In other \nwords, companies and organizations should not be collecting personal \ninformation from individuals if they are not going to be able to \nreasonably ensure the security of that information.\n    In addition to the provisions already in the discussion draft, I \nwould like to also consider several related issues. First: how we deal \nwith paper records. 
``Dumpster diving\'\' is a prevalent practice in \nwhich identity thieves go through dumpsters to find documents with \nindividuals\' personal information. San Antonio local law enforcement \nhas cited this practice as one of the most prevalent forms of identity \ntheft. We should explore the feasibility of including provisions in \nthis bill to require companies to shred or otherwise destroy documents \nwith individuals\' personal information before throwing them away.\n    Second, the draft bill gives the individual the right to get a free \nreport on what data the information broker companies hold on that \nindividual. If individuals feel the information in the broker\'s \ndatabase is inaccurate, they should be able to add supplementary \ninformation to their file to clarify the existing information.\n    Third. Under the draft bill\'s data breach notification \nrequirements, a ``substitute notice\'\' system is established for \ncompanies that cannot afford to send a letter to every individual \naffected by a breach, or if they do not have complete addresses for \nthose individuals. Substitute notification consists of the company \nalerting the media and posting a message on their website. We may want \nto consider whether the bill should also require that these companies \nnotify the FTC and that the FTC maintain a central public website \nlisting all data breaches, along with information for consumers on how \nto contact those companies and determine if their own personal data was \ncompromised. 
I know that private websites with a similar intent have \nbeen established, but it may strengthen consumers\' confidence to have \nsuch a function permanently and reliably carried out by the FTC.\n    Finally, as I represent a district with a sizable population of \nSpanish-speakers, I would like to explore how we can ensure that these \nconsumers and other language minorities, who are heavily targeted by \ncompanies for their business, are able to access notices sent to \nconsumers about data breaches. We need to ensure that these notices are \navailable in a language that these consumers can understand.\n    Thank you Mr. Chairman. I look forward to hearing from our \nwitnesses today, and to working with you on this subject.\n\n    Mr. Stearns. The gentleman yields back.\n    The gentlelady from Tennessee is recognized.\n    Ms. Blackburn. Thank you, Mr. Chairman.\n    I want to thank the chairman for holding this hearing and \nfor the witnesses for taking your time and being here with us \ntoday.\n    Many constituents in my District have expressed to me their \nconcerns about identity theft, and we recently held a workshop, \nan identity theft workshop, in our District. It was \nenlightening. It was well attended. And it was something that \nwe gained some information from, so we are looking forward to \nhearing what you have to say. 
And as this committee examines \nsteps to prevent identity theft, we must ensure that companies \nand individuals are not burdened with unnecessary regulations, \nbut that they have opportunities for privacy protection.\n    Congress should focus on reasonable security measures that \nwill protect personal information and provide enforcement \nmechanisms to penalize companies that readily buy and sell \ninformation on us to unscrupulous entities who will exploit our \nidentities for their personal gain.\n    Today, this committee looks at draft legislation on data \nsecurity, which I believe is a good step, a good first step, in \naddressing the problem. I commend Chairman Barton and our \nsubcommittee chairman for their efforts on this issue.\n    And again, I thank you. We look forward to hearing your \ninput. Thank you.\n    Mr. Stearns. Thank you.\n    The gentlelady from Wisconsin.\n    Ms. Baldwin. Thank you, Mr. Chairman.\n    I am also pleased that we are having this hearing today, \nMr. Chairman, and our witnesses.\n    This is an increasingly important question how we protect \nour sensitive personal information from theft and abuse. And \nthe statistics are staggering. The 10 million Americans who \nwere affected by identity theft in the year 2004, it is pretty \nstaggering. Access to the right data bases and the touch of a \nbutton or two allows access to vast amounts of information \nabout a person, things like date of birth, Social Security \nnumber, credit rating, debts, loans, insurance claims, magazine \nsubscriptions, even DNA.\n    American consumers deserve to have their personal \ninformation protected. And I am pleased that our subcommittee \nwill act soon to address this. 
And I also agree that the \ndiscussion draft before us is a good first step.\n    But as we consider next steps, changes, modifications, \nthere are a number of issues that we need to address and \nquestions we will need to answer, questions such as should we \npreempt State laws, and if so, how broad a preemption is \nappropriate. When should consumers be notified of data breaches \nand who decides? Should the FTC maintain public notices, public \ninformation about data breaches? Do we need to reach beyond our \ncommittee\'s jurisdiction to adequately address this problem? \nShould we exempt encrypted data? What role should States have \nin prevention and enforcement?\n    So today, I hope our witnesses will articulate ways in \nwhich we can protect consumers from identity theft and misuse \nof their personal data and hopefully help us explore the \nanswers to those questions.\n    Thank you, Mr. Chairman, I yield back.\n    Mr. Stearns. I thank the gentlelady.\n    Mr. Green, the gentleman from Texas.\n    Mr. Green. Thank you, Mr. Chairman. I would like to thank \nboth you and our ranking member for taking lead on this issue \nand holding this important hearing.\n    I would like to welcome our witnesses and thank you for \nyour cooperation and being here and sharing your knowledge and \nexperience. It is imperative for us when we begin drafting \nlegislation to combat identity theft and data theft that we \nhave the experience from the business community, so we make \nsure we pass legislation that really will do the job and again \nstill allow us to enjoy the benefits of what we do.\n    The committee has held four hearings since the fall of \n2004, and we have had a lot of discussions on passing a bill on \ndata security, and I believe the bill, as drafted, is a good \nstart.\n    I want to bring up a couple of issues, though, I have some \nconcern on. The preemption issue, special attention to that \nprovision. 
Currently, several States have stronger policies \nwhen it comes to data security than we are proposing, and we \nare proposing, furthermore, 18 States that have passed breach \nnotification laws, all of them, including my home State of \nTexas, offer an encryption safe harbor.\n    And I believe you should look at issues such as encryption \nand mask data to serve as a second form of defense. It is \nfrustrating, because in March we heard testimony from \nChoicePoint and LexisNexis, because both of these companies had a \nrecent experience of breach in their security, and at that \ntime, LexisNexis had almost 32,000 people affected. Well, then \na few weeks later, we really found out it was 300,000 that may \nhave been affected by the breach in security. And identity \ntheft is the No. 1 crime in our country. In fact, it is getting \nworse all of the time.\n    In our District, we have done identity theft workshops for \nour constituents, but you know, it is a very small group. We \nhave to do something more for the mass of people who have that \nfear. And these workshops, even those only work when credit-\nreporting agencies and financial institutions and data brokers \ndo their job to make sure information doesn\'t fall into the \nwrong hands. We are all a number now, and most often, it is our \nSocial Security number, and every financial institution uses \nthat number, including when I had to rent a U-Haul truck, Mr. \nChairman, they wanted my Social Security number. And I said, \n``Why?\'\' And they said, ``Well, we just require it.\'\' And I \nsaid, ``Well, I don\'t want to rent the truck.\'\' And they said I \ndidn\'t have to. And that is what I suggest to my constituents. \nIf it doesn\'t have anything to do with taxes or payroll, then \njust say no, or credit. And you can do that. But I still like \nto get the credit to use some other identifying number. 
And I \nknow a lot of States are working on that.\n    Our current systems of laws addressing the problem are \npiece meal. We have the Fair Credit Reporting Act. We have the \nFederal Trade Commission that addresses unfair and deceptive \npractices. We have separate laws and driver\'s license data. So \nwhat we need to do, Mr. Chairman, I am glad you are taking the \nlead in putting this together. And I would hope we would still \nlook at empowering the States and just an example, when \nCongresswoman Heather Wilson and I worked on the stand for so \nmany years, we ended up the compromises that we wanted uniform \nstandards around the country, but we also still empowered the \nState Attorney Generals to be able to do their job as consumer \nrepresentatives, but they had to use Federal law to do it. And \nas long as we pass a strong law and still empower the States in \naddition to whatever the FTC or whatever agency we give this \nauthority to.\n    But I look forward to participating and working on not only \nthe hearing today but also in the drafting of legislation.\n    Thank you.\n    Mr. Stearns. I thank the gentleman. And I thank him for \nconsidering ways to do this in a bipartisan fashion.\n    I don\'t think there are any more members, so let me \nwelcome----\n    Mr. Towns. Mr. Chairman, will you yield for one moment?\n    Mr. Stearns. Yes. Yes.\n    Mr. Towns. I ask unanimous consent that we place the \nstatement of Ranking Member Jan Schakowsky in the record. She \nhas a family emergency.\n    Mr. Stearns. I heard that, and I am sorry to hear that. So \nwith unanimous consent, so ordered. I appreciate you doing \nthat.\n    [Additional statements submitted for the record follow:]\n Prepared Statement of Hon. Joe Barton, Chairman, Committee on Energy \n                              and Commerce\n    Thank you, Chairman Stearns, for holding this hearing today and for \nyour good leadership on data security issues. 
Millions of records in \nother people\'s computers define and describe our lives. The recent rash \nof security breaches has made us keenly aware of just how vulnerable \nour records are to release through inept data security practices or, \nworse, intentional theft. Past hearings at this Subcommittee have \nexplored those breaches and exposed the gaps in protection. Today, the \nCommittee puts forth a bipartisan draft that aims to fill the gaps in \nprotection. I want to thank Chairman Stearns, Ranking Member Schakowsky \nof the subcommittee, Ranking Member Dingell of the full committee, and \nall of the staffs for their work on this bipartisan discussion draft.\n    I am pleased with the careful consideration this Committee is \ngiving to this important issue. Our goal is to work with industry and \nconsumer groups in developing this legislation to encourage a culture \nof strong data security. Data security has not been the priority it \nought to be and must become. I hope that the testimony we receive here \ntoday will help us to perfect the draft bill.\n    There are two critical components to the draft bill:\n\n• One, a legal requirement for establishing and implementing \n        information security practices; and\n• Two, notification requirements in the event of a security breach.\n    In mandating information security policies, we hope to strike the \nright balance between ensuring real protection for consumers without \nhalting the evolution of technology and best practices. We would be \nremiss not to mandate robust security for personal information, but \nwe\'ll do it in a way that allows companies to implement the security \nmeasures most effective for the types of information they maintain.\n    I would like to point out that the draft bill does not yet include \nguidelines for what companies must include in their information \nsecurity policies. 
I believe guidelines similar to those of the FTC\'s \nGramm-Leach-Bliley Safeguards Rule are a good place to start. I request \nthat our panel of experts provide the Committee with some guidance on \nthis issue. Over the August recess, we will be perfecting the draft and \nreadying it for introduction, and your guidance will be an important \npart of that preparation.\n    We have also been careful in crafting the notification requirements \nof the bill. While consumers ought to be notified when a breach of \ntheir information puts them at risk for identity theft, they should not \nbe showered with warnings when there is no risk. The notification \nrequirement of the bill has a trigger to avoid both ``over-\nnotification\'\' and ``under-notification\'\'. The bill provides that \nnotice should be prompt and meaningful so that consumers can best \nshield themselves from identity theft.\n    The draft bill also places additional requirements on information \nbrokers, those who trade in non-customer data. Because the normal \nmarket incentives for protecting customer information are absent or \ndiminished with this business model, the draft imposes federally \nsupervised security audit requirements for these entities.\n    I plan to move data security legislation though this Committee in \nSeptember, and I hope that we can get a bill signed into law this \nCongress. I would also like to mention that I support Congressman Clay \nShaw\'s bill protecting individual Social Security numbers. I will do my \npart to quickly move the portions of the bill that are within our \nCommittee\'s jurisdiction, once we get a referral of the bill.\n    I thank the witnesses for participating in the hearing today and \nlook forward to your testimony on the draft legislation. Thank you Mr. \nChairman, I yield back the balance of my time.\n                                 ______\n                                 \nPrepared Statement of Hon. 
Jan Schakowsky, a Representative in Congress \n                       from the State of Illinois\n    Thank you, Chairman Stearns, for holding today\'s hearing on our \ndraft legislation to address the recent spate of security breaches of \npersonal information. I would also like to thank Chairman Barton and \nRanking Member Dingell for working with us to protect consumers\' \npersonal information where current business practices and data security \nlaws have failed to do so. The time has come for us to ensure that \npersonally-identifiable information is protected and that consumers are \nnotified when their information has been compromised.\n    In the last five months alone, over 50 million consumers have had \ntheir personal information lost, stolen, hacked into, exposed online, \nor sold by corrupt insiders--and through no fault of their own. \nPersonal information is being collected, transferred, and sold \neveryday. Consumers are told that if they want to rent an apartment, \nbuy a pair of shoes, or contribute to a university, they have to \ndivulge their name, address, Social Security number, credit card \nnumber, mother\'s maiden name--and more--just to do so.\n    So many consumers are willing to provide the key facts of their \nlives because they believe that since they are dealing with a well-\nknown retailer, their alma mater, or an established bank, their \npersonal information will be treated as just that--personal--and that \nit will be secure. Until recently, most people had no idea that the \nteenage hacker looking for some kicks and the most sophisticated crime \nrings alike were raiding the virtual treasure troves of personal \ninformation at businesses, universities, and information brokers. 
But, \nnews of the breaches at DSW, Bank of America, and Boston College, to \nname a few, has made consumers and Congress alike realize that more \nneeds to be done to protect consumers\' personal information.\n    The bill we have been working on seeks to stop the pillaging of \npersonal information by raising the bar for the handling and security \nof consumers\' data. It seeks to make information brokers--those whose \nbusiness is to turn your name into a commodity--more accountable to \nconsumers. The bill would also take California\'s groundbreaking idea--\nthat consumers have a right to know when their information has been \ncompromised--and turn it into the standard for our country.\n    The draft at hand is a good start, but we have to do more to make \nsure that we provide the best protection for consumers that we can. \nWhen we consider the scope of the information our bill covers, we need \nto remember that it does not matter to the victim of identity theft \nwhere their information was stolen from--a small business or a massive \ndata broker, and it does not matter what form it was in--paper or \nelectronic. It does not matter if access was gained by an outsider who \nwas not authorized to do so or an insider who had the key to the \nencryption code. It does not matter if their file was the only one \ncompromised or if it was one of thousands. We also must keep in mind \nthat identity theft is not the only threat with which we should be \nconcerned. Information in the wrong hands could put domestic violence \nand stalkers\' victims\' lives at risk.\n    Additionally, consumers need to know more than that their \ninformation is secure. 
Since data brokers sell personal information to \nthose who will decide whether consumers will get jobs, roofs over their \nheads, and even whether they have the legal right to vote, consumers \nmust have the right to make sure that the information that is meant to \nrepresent what kind of risk they are to employers, landlords, and the \nlocal government is correct.\n    We have heard claims from information brokers that allowing \nconsumers to correct their files would be difficult to do because much \nof the data they have is from public records and the brokers do not \nhave the legal authority to correct them. However, I believe we should \nnot throw up our hands and say that nothing can be done. I believe that \nif consumers question the accuracy of their files, data brokers could--\nat a minimum--``flag\'\' that information to let those using the files \nknow that there is a question of the accuracy of the file. And, a \ncommon problem with inaccurate reports is not that the original record \nis incorrect, but that one person\'s file has been mixed with another\'s. \nFor instance, my file may be mixed with a Jean Schakowsky\'s or Jan \nStockowski--or both. I believe that data brokers should be compelled to \nfix those ``mixed files.\'\' Consumers must have every opportunity \npossible to set the record straight because of the impact incorrect \ninformation can have on their lives.\n    Finally, I believe it is important that we establish a strong \nfederal standard so that we do not have to worry about preempting 50 \nstate laws. While I can understand the desire to see one federal \nstandard, I believe that if we set the floor high enough, states will \nnot have to go beyond our requirements. Because so many states have \nbeat us to protecting consumers--including Illinois, Florida, and \nTexas-- I believe we must exercise great caution when we consider how \nwe will contend with state laws on data security and breach \nnotification.\n    Once again, Mr. 
Chairman, I look forward to working with you on our \ncommon goal of protecting consumers. Although there are many issues \nthat are still on the table, I think that using consumers\' rights and \nsafety as our guiding principles, we will be in good shape. Thank you.\n                                 ______\n                                 \n   Prepared Statement of Hon. Edward J. Markey, a Representative in \n                Congress from the State of Massachusetts\n    Mr. Chairman, thank you for holding this important hearing today.\n    Mr. Chairman, on March 15th, following massive breaches of personal \ninformation at ChoicePoint, Bank of America and LexisNexis, you wisely \nconvened a hearing in this Subcommittee to question executives from \nmajor data profiling firms. This hearing provided important momentum \nfor ongoing efforts to strengthen privacy protections for the millions \nof Americans whose private information is gathered by data merchants \nwho view our Social Security numbers, credit records and other \nsensitive personal information as commodities to be bought and sold for \na profit.\n    Since the Subcommittee hearing, a tidal wave of personal data has \ngushed from a long list of data brokers, public companies, \nuniversities, financial institutions, high schools, hospitals and other \norganizations. The Privacy Rights Clearinghouse has reported that more \nthan 48 million personal records have been lost or stolen over the past \nfour months alone.\n    Mr. Chairman, today\'s hearing on draft legislation you are \npreparing in collaboration with the Democrats on the Committee is \nanother step towards providing Americans with increased control over \ntheir most precious and private personal information. I commend you for \nyour efforts to date. As you know, Mr. 
Chairman, the draft bill defines \npersonal information as ``an individual\'s first and last name in \ncombination with any 1 or more of the following data elements for that \nindividual: Social Security account number, driver\'s license number or \nother State identification number, financial account number, or credit \nor debit card number\'\' that would enable access to an individual\'s \nfinancial account. [Sec. 5. Definitions, Page 9]. The bill also permits \nthe Federal Trade Commission to modify this definition. [Sec. 5. \nDefinitions, Page 11].\n    Last week, the full Energy and Commerce Committee marked up H.R. \n1132, legislation to provide grants to states for building or enhancing \nstate-run prescription drug databases. These databases will contain \npersonal information about patients--their name, address and phone \nnumber--along with the type of prescription, quantity dispensed, the \nnumber of refills and related data about the drugs they are prescribed \nthat are subject to the bill\'s reporting requirement.\n    I appreciate the Chairman\'s comments during last week\'s mark-up \nabout the importance of securing this health information and notifying \npatients in the event that their electronic medical records are lost, \nstolen or used for an unauthorized purpose. As the data security bill \nbefore this Subcommittee evolves, I look forward to working with the \nChairman to ensure that consumers\' medical information is covered by \nthe protections contained in this bill.\n    I would also like to point out a few other areas of this draft \nlegislation that deserve further review and adjustment.\n    1. The scope of the bill: As noted in the testimony provided by \nFran Maier of TRUSTe, it appears that the bill, in its \ncurrent form, does not cover personal information held by banks, \nunions, thrifts and government entities like the state-run databases \nthat maintain records on patients and the prescription drugs they take. 
\nI agree with Ms. Maier that when a consumer\'s personal \ninformation is leaked from a database, it matters not whether the \ninformation was leaked from a bank or a university or a state\'s \ndepartment of health. This bill\'s privacy protections should be brought \nto bear whenever a consumer\'s personally-identifiable information is \nlost, stolen or divulged for an unauthorized purpose.\n    2. Pre-emption of state law: I am concerned that this bill would \npre-empt stronger state laws. For example, because California has a law \nthat requires consumer notification in the event of data breaches at \nfinancial firms and government institutions, consumers in California \nwould be denied this protection if this bill were to become law, since \nit contains no such coverage and would pre-empt the California statute.\n    3. The trigger for notification: While the method and content of \nthe consumer notification requirement in the bill is specific and \ndetailed [Page 5], the conditions that trigger this notification are \nmurky. For consumers to be notified of a breach that affects their \npersonal information there must be a compromise of security that \nresults in ``the acquisition of personal information by an unauthorized \nperson that may result in identity theft.\'\' [Page 5] I would suggest \nthat this trigger be expanded so that notification would occur if the \ninformation were lost, stolen or used for an unauthorized purpose. The \n``identity theft test\'\' is too difficult to determine, particularly in \nthe immediate aftermath of a breach, and there is other damage--beyond \nidentity theft--that can be inflicted upon consumers by the misuse of \ntheir personal information. 
Consumers should be notified in these \ninstances too, even if the breach may not result in someone stealing \ntheir entire identity.\n    I commend the gentleman from Florida, Chairman Stearns, for holding \ntoday\'s hearing, and I look forward to working with you to refine this \nbill. I appreciate the witnesses appearing before us this morning and \nlook forward to their testimony.\n    Thank you.\n\n    Mr. Stearns. We will ask the witnesses to come forward. We \nhave Ms. Fran Maier, Executive Director and President of \nTRUSTe, San Francisco, California; Mr. Michael Hintze, Senior \nAttorney, Microsoft Corporation, Redmond, Washington; Mr. Chris \nHoofnagle, Electronic Privacy Information Center, Senior \nCounsel and Director, West Coast office in San Francisco; and \nMr. Daniel Burton, Vice President of Government Affairs, \nEntrust, Inc., McLean, Virginia.\n    Ms. Maier, we welcome your opening statement.\n\n  STATEMENTS OF FRAN MAIER, EXECUTIVE DIRECTOR AND PRESIDENT, \nTRUSTe; MICHAEL HINTZE, SENIOR ATTORNEY, MICROSOFT CORPORATION; \n   CHRIS HOOFNAGLE, SENIOR COUNSEL AND DIRECTOR, ELECTRONIC \n   PRIVACY INFORMATION CENTER, WEST COAST OFFICE; AND DANIEL \n  BURTON, VICE PRESIDENT OF GOVERNMENT AFFAIRS, ENTRUST, INC.\n\n    Ms. Maier. Mr. Chairman----\n    Mr. Stearns. Yes, there is a little switch there.\n    Ms. Maier. Hello.\n    Mr. Stearns. Yes.\n    Ms. Maier. Thank you.\n    Mr. Stearns. Yes, that is good.\n    Ms. Maier. Mr. Chairman, and members of the subcommittee, \nRanking Member Towns, I want to thank you for the opportunity \nto address you today on this important proposed legislation and \nto tell you about TRUSTe\'s security guidelines, which we \nreleased earlier this year.\n    TRUSTe is an online privacy leader. We have been around \nsince 1997 as an independent, non-profit organization. 
As you \nmentioned, we come from San Francisco, adjacent to Silicon \nValley, and we have been very close to the issues related to \nCalifornia\'s State Bill 1386.\n    Our mission is to enable individuals and organizations to \nestablish trusting relationships based on respect for their \npersonal identity and information in the ever-evolving \nnetworked world. We are very concerned about the Internet, and we \nare very concerned about trust and e-commerce.\n    We have over 1,500 companies, their websites, who have been \ncertified by TRUSTe\'s process and carry the TRUSTe trustmark, \nthe green and black symbol you have seen. We are also approved \nas a safe harbor for the Children\'s Online Privacy Protection Act \nwith the FTC and by the U.S. Department of Commerce for the EU \nSafe Harbor.\n    We are also deeply involved in e-mail practices. For \nexample, we just launched a new e-mail privacy seal for \nwebsites, which is based on permission from consumers and \nallows a company to post a seal that says, ``We don\'t spam,\'\' \nif they meet the strict standards that we require. We also \nserve as an e-mail accreditation authority for Bonded Sender, \none of the leading legitimate e-mail sender programs. Again, \nthis is to address another issue that faces consumers in terms \nof spam.\n    My remarks today will be brief and will focus first on \nTRUSTe\'s security guidelines and then specific thoughts on the \nproposed legislation.\n    Our security guidelines were released in March of this year \nin consultation with many of our shareholders and others in \nindustry. As you well know, privacy is closely intertwined with \nsecurity. You can\'t really deliver privacy unless you have \nsecurity. Security is necessary but not sufficient to deliver \nacceptable privacy to consumers. 
So we felt that it was very \nimportant for us to address security and to provide some \nguidelines for our members who are obviously engaged in and \nvalue privacy.\n    The guidelines, of course, are expected to evolve, much as \nwe expect this legislation to evolve, to address new \ntechnologies, new threats, and new consumer concerns. The \nguidelines are drafted in checklist form, and the reason why \nthat is important is because small companies and large \ncompanies, depending on the size, depending on the kind of \ninformation they collect, might have different reasons or \ndifferent expectations for the kind of security that they \nshould abide by. Larger, more complex companies which handle \ndata with the highest level of sensitivity will likely find it \nappropriate to adopt all of the recommended practices. However, \nsmaller companies collecting less sensitive information may \nconclude that adopting only some set of these controls will \nstill enable them to have a security program appropriate to the \nnature of data they collect and their consumers.\n    The guidelines, like the FTC\'s guidelines and others, echo \nthe structure that you could find in those other pieces of \nrules. For example, we have administrative rules. This includes \ndrafting an internal security policy and appointing someone to \nbe the executive in charge of security, which is similar to \nwhat you have proposed in the legislation before us. \nAdministrative controls also include training of employees and \nother items such as procedures internally. Of course, a big \npart of security guidelines includes technical measures. 
This \nincludes password practices, controlling employee access to \nsensitive information, ongoing monitoring, firewalls, \nvulnerability testing, and the like, and then finally physical \ncontrols which include monitoring access to data, securing \none\'s data facilities, and those kinds of physical things, \ncovering not only electronic data but also paper-based data.\n    All of these guidelines can be found within TRUSTe\'s \ntestimony that we submitted, and of course, on our website.\n    Now let us turn to the proposed data protection breach \nnotification legislation. We, of course, would like to applaud \nthe committee on its hard work on the draft legislation. We \nbelieve that this is the right balance and mandates high \nstandards and allows for flexibility in their implementation. \nAnd we think it also provides the right incentives for \ncompanies to put meaningful security safeguards into place in \ntheir own and consumers\' best interests. We believe that the \ndesire to minimize a potential negative publicity, brand \ndamage, and embarrassment often resulting from the disclosure \nof a data breach has been proven to motivate companies to \nprioritize security much more highly than they otherwise would.\n    We wish to focus on a couple provisions of the bill today.\n    First of all, in terms of the scope of the legislation and \nthe trigger for security breach. We appreciate, first, that the \ncommittee has put focus on the jurisdiction for the industry \nunder which it has jurisdiction. However, from a consumer\'s \nperspective, when their information is breached, the particular \nindustry or organization involved is irrelevant to them. We \nbelieve that consumers should enjoy the same level of \nprotection regardless of the industry involved. 
So we would \nrecommend that the jurisdiction extends to the financial \nservices especially.\n    In a related way, we would like to express concern about \nthe scope and the definition of person under Section 5 \nSubsection 6 of the bill. We would urge the committee to expand \nthe definition so that the scope of the legislation covers \nlocal, State, and Federal law. As you know, in California, it \ndoes cover the State government, which is really where the \nlegislation in California came from.\n    The second point that we would like to talk about is the \ndefinition and notice of breach of security. The current draft \nincludes a trigger requirement for notice as a result in or \nthere is a reasonable basis to conclude has resulted in the \nacquisition of personal information by an unauthorized person \nthat may result in identity theft. The qualifier language \n``that may result in identity theft\'\' we believe is subjective. \nWhether something may result in ID theft depends, in a large \npart, on the sophistication of the wrongful acquirer of the \ndata. It is not feasible for the potential provider of the \nbreach notice to definitively assess the skill level and \nsophistication of the wrongdoer and certainly not in the \nimmediate aftermath of a breach, which is when such an \nassessment would have to be made.\n    We would recommend the committee to consider altering this \ndefinition with a qualifier that is a bit more broad, one that \ncould result in the unauthorized disclosure, misuse, \nalteration, destruction, or other compromise of such personal \ninformation.\n    There has been a question of whether or not a broader \ndefinition or a broader trigger may result in too many notices \nto consumers. We believe that the experience in the State of \nCalifornia, where the law has been in effect for over 2 years, \nseems to have struck the right balance. 
Consumers are receiving \nappropriately useful notices, and based on our own observations \nas well as our consultations with the staff of the California \nOffice of Privacy Protection, that the law has not resulted in \na----\n    Mr. Stearns. Ms. Maier, if you could, just sum up.\n    Ms. Maier. That is great, sir. Thank you.\n    Again, I very much appreciate being here. We look forward \nto working with you and hopefully discussing the creation of a \nsafe harbor. And we thank you.\n    [The prepared statement of Fran Maier follows:]\n Prepared Statement of Fran Maier, Executive Director and President of \n                                 TRUSTe\n    Chairman Stearns, Chairman Barton, Ranking Member Schakowsky, and \nmembers of the Subcommittee, I am Fran Maier, Executive Director and \nPresident of TRUSTe. I thank you for the opportunity to address the \nSubcommittee on this important proposed legislation and to tell you \nabout TRUSTe\'s Security Guidelines, which we released earlier this \nyear. TRUSTe is an independent, nonprofit organization with the mission \nto enable individuals and organizations to establish trusting \nrelationships based on respect for personal identity and information in \nthe evolving networked world. Through long-term supportive \nrelationships with our licensees, extensive interactions with consumers \nin our Watchdog Dispute Resolution program, and with the support and \nguidance of many established companies and industry experts, TRUSTe has \nearned a reputation as the leader in promoting privacy policy \ndisclosure, informed user consent, and consumer education.\n    TRUSTe was founded in 1997 to act as an independent, unbiased trust \nentity, and we have earned our reputation as the leading builder of \ntrusting relationships between companies and consumers. 
The TRUSTe \nprivacy program--based on a branded online seal, the TRUSTe \n``trustmark\'\'--bridges the gap between users\' concerns over privacy and \nWeb sites\' needs for self-regulated information disclosure standards. \nIn May 2001, the Federal Trade Commission approved TRUSTe\'s Children\'s \nPrivacy Seal Program as a safe harbor under the Children\'s Online \nPrivacy Protection Act. We are proud to have received that designation. \nHundreds of thousands of young children who are active online are \nprotected by our program, which currently includes some of the most \npopular Web sites, including www.disney.go.com, www.kids.msn.com, and \nwww.epals.com. TRUSTe is also certified as a safe harbor program under \nthe Safe Harbor Framework administered by the U.S. Department of \nCommerce for U.S. companies wishing to receive personal data from \ncountries in the European Union (``EU\'\'). Our EU Safe Harbor Seal \nProgram gives companies assurance that they are in compliance with the \nFramework and, therefore, with national data protection laws in all EU \nmember states.\n    In addition to these efforts, TRUSTe is deeply involved in \nfostering best practices for email. We have just launched our \npermission-based Email Privacy Seal Program, which allows companies who \nagree to our strict standards to post a TRUSTe ``We Don\'t Spam\'\' seal \non online and offline forms where they collect email addresses. We also \nserve as the email certification authority for senders of legitimate \nemail who are members of the Bonded Sender Program.\n    Finally, we are a California company, and we closely follow \ndevelopments in California law, including the data breach notification \nlaw, to keep our licensees informed about compliance issues. 
We also \nwork closely with the California Office of Privacy Protection in its \nongoing efforts to provide guidance to businesses and consumers on \nprivacy and security issues.\n                      truste\'s security guidelines\n    In March of this year, TRUSTe issued our first version of Data \nSecurity Guidelines. As the Committee recognizes, privacy is very \nclosely intertwined with security. We believe that security is \nnecessary but not sufficient to giving consumers the privacy assurances \nthey expect. In developing the Guidelines, we aimed to expand the reach \nof our expertise in privacy by providing our licensees and other \nmembers of the public a resource they can use as a foundation of \nresponsible data security practices.\n    The Guidelines are divided into three categories of safeguards: \nadministrative, technical, and physical controls. This structure echoes \nthat of the Federal Trade Commission (FTC\'s) Gramm Leach Bliley \nSafeguards Rule, which we discuss in further detail below. \nAdministrative controls include, for example, drafting a written \ninternal security policy, training employees, conducting ongoing \nsecurity risk assessments, and establishing procedures in connection \nwith external third parties (including vendors) with whom data is \nshared. Technical measures include controlling employee access to \nsensitive information on a need-to-know basis, establishing good \npassword practices, ongoing monitoring to assess threats and \nvulnerabilities, and establishing incident response procedures. \nFinally, physical controls include practices such as monitoring \nlegitimate access to data, establishing physical access controls, and \nsecuring one\'s data facilities.\n    The Guidelines are drafted in checklist form so that companies can \nassess their own risk levels and adopt the corresponding appropriate \nlevel of recommended safeguard practices. 
Larger, more complex \ncompanies which handle data with the highest level of sensitivity will \nlikely find it appropriate to adopt all the recommended practices, \nwhile a smaller company, collecting less sensitive information, may \nconclude that adopting only a subset of these controls will still \nenable it to have a security program appropriate to the nature of the \ndata it collects and handles.\n    We anticipate that our Guidelines will evolve over time to reflect \nemerging technologies and business issues that may impact the safety, \nsecurity and quality of sensitive or confidential information used by \nTRUSTe\'s licensees. We have attached the Guidelines as an appendix to \nour testimony, for the Committee\'s review. The Guidelines are also \nposted on our Web site at http://www.truste.org/pdf/\nSecurityGuidelines.pdf.\n    the proposed data protection and breach notification legislation\n    TRUSTe applauds the Committee on its work on the draft legislation \nto date. We believe the bill strikes the right balance by both \nmandating high standards and allowing for flexibility in their \nimplementation. As a result, the bill provides the right incentives for \ncompanies to put meaningful security safeguards into place in their \nown, and consumers\', best interests. In addition to imposing security \nstandards directly, we believe the draft legislation will fundamentally \nempower consumers to take action to minimize the potential impact of ID \ntheft. The desire to minimize the potential negative publicity, brand \ndamage, and embarrassment often resulting from the disclosure of a data \nbreach has been proven to motivate companies to prioritize security. 
\nThe market-driven, non-prescriptive approach you have chosen will \nencourage companies to protect personal information.\n    We wish to highlight a few specific provisions in the bill.\n                        scope of the legislation\n    As the bill\'s jurisdictional limits are those of the Federal Trade \nCommission Act, it does not cover banks, unions, thrifts, and common \ncarriers. We appreciate that the Committee has crafted a bill that \napplies to industries under its jurisdiction, and we understand that \nthe House Financial Services Committee, and the Senate Banking \nCommittee, are working on parallel legislation governing entities \nwithin their jurisdiction. We support these efforts. From a consumer\'s \nperspective, when a database is breached, the particular industry \ninvolved is irrelevant. We believe that consumers should enjoy the same \nlevel of protection, regardless of the industry involved.\n    Thus, we believe that the legislation\'s requirements should extend \nacross all industries. For instance, insurance institutions would not \nbe reached by the scope of this bill. Those financial institutions that \nare regulated under the Gramm Leach Bliley Act have no requirement to \nprovide breach notices; therefore it would be appropriate to exempt \nfinancial institutions from the requirements of section 2, but not from \nsection 3. In fact, were this legislation to become law with the \ncurrent preemption language, California residents would have less \nprotection than they do now under the California data breach \nnotification statute since it applies to financial institutions. In the \nChildren\'s Online Privacy Protection Act (COPPA), 15 U.S.C. 6501-6505, \nCongress gave enforcement authority to the appropriate regulatory \nagencies over industries not regulated under the FTC Act. 
Perhaps the \nCOPPA model could be followed here.\n    The Committee has doubtless considered the role of vendors or \nservice providers in the context of breach notices. The Federal Trade \nCommission (FTC\'s) GLB Safeguards Rule expressly recognizes the \nresponsibility which principals must take for the security practices of \ntheir service providers (section 314.4(d)), and we recommend that the \nCommittee consider adhering to this philosophy in the context of this \nlegislation, also.\n    The California data breach notification statute imposes specific \nresponsibilities on service providers (i.e., those not having a direct \nrelationship with the consumer, and acting on someone else\'s behalf) to \nnotify the party who does have the direct relationship. This allows the \nprincipal to maintain control of the notification process, and ensures \nthat it has the right to be notified itself in case of a breach by a \nservice provider. The California law defines service providers as those \nwho do not ``own\'\' the data in question. Since in the customer\'s eyes \ntheir relationship is with the principal, from the customer\'s \nperspective, the principal is responsible for the service provider\'s \nbreach. If the consumer has a relationship with the company (i.e., it\'s \nnot a data broker situation), then it is proper for the consumer to \nhear about the breach from the principal, and not from an unknown third \nparty service provider.\n    Finally, we would like to express concern about the scope of the \ndefinition of ``Person\'\' under Section 5(6) of the bill. This \ndefinition as defined in 551(2) of title 5, United States Code, does \nnot include any governmental agency. We would urge the Committee to \nexpand that definition so that the scope of the legislation covers \nlocal, state and the Federal government. 
Again, enactment of the \nlegislation as drafted with the current preemption provision would \nweaken consumer protections currently provided by the California breach \nnotification statute, which extends to governmental agencies.\n                  definition of ``breach of security\'\'\n    Section 3 of the bill would impose certain notice requirements upon \ncompanies that discover there has been a ``breach of security\'\' \naffecting their databases. Although the specific facts and \ncircumstances that constitute a ``breach of security\'\' are left to \nrulemaking by the Federal Trade Commission, the legislation requires, \nat a minimum, that a breach triggering the notice requirement ``result \n. . . in, or there is a reasonable basis to conclude has resulted in, \nthe acquisition of personal information by an unauthorized person that \nmay result in identity theft.\'\' Section 3(b) (emphasis added). The \nqualifier language ``that may result in identity theft\'\' in the \nproposed legislation is subjective in nature. Whether something may \nresult in ID theft depends in large part on the sophistication of the \nwrongful acquirer of the data. It is not feasible for the potential \nprovider of the breach notice to definitively assess the skill level \nand sophistication of a wrongdoer, and certainly not in the immediate \naftermath of a breach--which is when such an assessment would have to \nbe made.\n    We think the Committee should consider altering this definition \nwith the qualifier ``that could result in the unauthorized disclosure, \nmisuse, alteration, destruction, or other compromise of such [personal] \ninformation.\'\' This would mirror the approach taken in the FTC\'s \nGuidelines. If this approach is taken, the standard could become a \nceiling for the level of protection granted, eliminating the need for \nthe FTC to revise the standard through future rulemaking. 
Rather the \nFTC could develop guidelines that would be instructive in their nature \nand perhaps fit into a safe harbor program which we address later in \nour testimony. TRUSTe believes that this approach provides strong \nprotection for consumers and would not likely lead to an overload of \nnotifications. It also provides certainty for businesses who may be \nconcerned about the standard changing in the future.\n    The parameters of the California security breach notification law \nare instructive in this regard. California Civil Code Sections 1798.29 \nand 1798.82-.84. This law, in effect for over two years, seems to have \nstruck the right balance in this area. Consumers are receiving \nappropriate and useful notices; and it is our understanding, based upon \nour consultations with staff of the California Office of Privacy \nProtection, that the law has not resulted in an unmanageable deluge of \nnotices to consumers. Although anecdotal, the fact that the California \nstatute to a large extent has been followed as a nationwide standard \nmakes it a good indicator of the potential impact of a nationwide bill \nsuch as this one.\n    We also note that the marketplace approach taken by the California \nstatute (as well as the Committee draft) prompts a positive cause-and-\neffect dynamic. A broad nationwide breach notice requirement will \nincent companies to improve their practices, thereby, in the long run, \nresulting in fewer breaches and therefore fewer notices. 
TRUSTe \nbelieves that this generates a much better outcome than setting the \ninitial threshold so high that few breaches generate notice \nrequirements, thereby decreasing the motivation to prioritize security.\n        minimum requirements for a security policy and statement\n    Section 2(a)(1) of the bill would authorize the Federal Trade \nCommission to promulgate rules requiring companies to implement a \n``security policy and statement concerning the collection, use, \ndisclosure, and security of personal information.\'\' We believe the \nCommittee should consider adopting relevant provisions of the \nCommission\'s Security Guidelines for financial institutions provided \nunder Gramm-Leach-Bliley as required components of the security \nstatement provided for in Section 2(a)(1). Standards for Insuring the \nSecurity, Confidentiality, Integrity and Protection of Customer Records \nand Information, 16 C.F.R. Part 314. We refer specifically to the \nfollowing provisions in the Guidelines:\n        § 314.3 Standards for safeguarding customer information.\n          (a) Information security program. You shall develop, \n        implement, and maintain a comprehensive information security \n        program that is written in one or more readily accessible parts \n        and contains administrative, technical, and physical safeguards \n        that are appropriate to your size and complexity, the nature \n        and scope of your activities, and the sensitivity of any \n        customer information at issue. Such safeguards shall include \n        the elements set forth in § 314.4 and shall be reasonably \n        designed to achieve the objectives of this part, as set forth \n        in paragraph (b) of this section.\n          (b) Objectives. 
The objectives of section 501(b) of the Act, \n        and of this part, are to:\n          (1) Insure the security and confidentiality of customer \n        information;\n          (2) Protect against any anticipated threats or hazards to the \n        security or integrity of such information; and\n          (3) Protect \n        against unauthorized access to or use of such information that \n        could result in substantial harm or inconvenience to any \n        customer.\n        § 314.4 Elements.\n          In order to develop, implement, and maintain your information \n        security program, you shall:\n          (a) Designate an employee or employees to coordinate your \n        information security program.\n          (b) Identify reasonably foreseeable internal and external \n        risks to the security, confidentiality, and integrity of \n        customer information that could result in the unauthorized \n        disclosure, misuse, alteration, destruction or other compromise \n        of such information, and assess the sufficiency of any \n        safeguards in place to control these risks. 
At a minimum, such \n        a risk assessment should include consideration of risks in each \n        relevant area of your operations, including:\n          (1) Employee training and management;\n          (2) Information systems, including network and software \n        design, as well as information processing, storage, \n        transmission and disposal; and\n          (3) Detecting, preventing and responding to attacks, \n        intrusions, or other systems failures.\n          (c) Design and implement information safeguards to control \n        the risks you identify through risk assessment, and regularly \n        test or otherwise monitor the effectiveness of the safeguards\' \n        key controls, systems, and procedures.\n          (d) Oversee service providers, by:\n          (1) Taking reasonable steps to select and retain service \n        providers that are capable of maintaining appropriate \n        safeguards for the customer information at issue; and\n          (2) Requiring your service providers by contract to implement \n        and maintain such safeguards.\n          (e) Evaluate and adjust your information security program in \n        light of the results of the testing and monitoring required by \n        paragraph (c) of this section; any material changes to your \n        operations or business arrangements; or any other circumstances \n        that you know or have reason to know may have a material impact \n        on your information security program.\nThese Guidelines provisions reflect a non-prescriptive approach to \ncrafting security policies that we believe is best, given the changing \nnature of the overall environment, technology and threats.\n    TRUSTe has particular expertise in the area of drafting sound \nconsumer-facing privacy statements. 
We believe that the following \nelements, drawn from guidance set out in recent Federal Trade \nCommission settlements involving security breaches, should be required \nof companies\' security statements:\n\n1. The kinds of personal information collected and how it is used, \n        disclosed, or otherwise handled in the regular course of \n        business.\n2. How consumers can access their information and have it corrected or \n        updated.\n3. How the company will notify consumers in the event of a security breach, \n        and what redress will be provided to them.\n4. Where consumers can learn more about their rights in the event of a \n        breach.\n                   creation of a safe harbor program\n    As I mentioned earlier, TRUSTe has particular expertise in \nadministering safe harbor programs for industry participants who comply \nwith our guidelines. We recommend that the Committee add to your \nlegislation a safe harbor that (1) allows businesses to comply with a \nset of guidelines that are approved by the FTC and administered by a \nthird party certification organization; and (2) limits a company\'s \nliability, should a breach of security occur, if that company is in \nfull compliance with such guidelines. We believe this is a better \napproach than simply locking in guidelines through an FTC rulemaking. \nThrough a safe harbor, your legislation could set a floor of \nprotections, and industry self-regulation would then drive even greater \nlevels of protection for consumers, while providing businesses the \nflexibility they need to develop marketplace solutions to data \nprotection.\n                               conclusion\n    TRUSTe welcomes this opportunity to share our thoughts on the \nproposed data protection legislation, and to make the Committee aware \nof our efforts to serve as the model for industry best practices in \ninformation security through our Data Security Guidelines. 
We look \nforward to working with the Committee as it continues its efforts to \nprotect the security of personal information in the twenty-first \ncentury marketplace.\n\n    Mr. Stearns. And thank you.\n    Mr. Hintze.\n\n                   STATEMENT OF MICHAEL HINTZE\n\n    Mr. Hintze. Thank you, Chairman Stearns, Congressman Towns, \nChairman Barton, and members of the subcommittee.\n    My name is Michael Hintze. I am a senior attorney at \nMicrosoft. I want to commend the members of this committee for \ntheir attention to data security and identity theft issues. \nMicrosoft shares your concerns.\n    I also want to thank you for the opportunity to provide our \nviews on the discussion draft. Microsoft firmly believes that \nnow is the appropriate time for Congress to adopt Federal data \nsecurity legislation. It would be an effective complement to \nMicrosoft\'s and industry\'s efforts to develop technological \nsolutions, to educate consumers, to adopt best practices, and \nto help enforce existing laws.\n    Today, I want to highlight some of the key issues raised by \nthe discussion draft.\n    First, any required information security program should \ngive organizations the discretion to implement the most \nappropriate technologies and procedures for their respective \nenvironments. Microsoft urges the subcommittee to revise the \ndiscussion draft to reflect the general framework set forth in \nthe Gramm-Leach-Bliley Act. It should also direct the FTC to \nallow organizations to adopt the security programs appropriate \nto their size and complexity, the nature and scope of their \nactivities, and the amount and sensitivity of information that \nthey collect.\n    Second, any required information security program should \napply to all personal information, whether electronic or paper. 
\nThe consequences of a loss or misuse of personal information on \npaper can be just as devastating to the affected individual as \nthe loss of that same data in electronic form. Likewise, the \nprograms should not be limited just to sensitive financial \ninformation. A single, flexible framework for all information \nwill create a broader protection for consumers and enable \ncompanies to comply with one set of security requirements.\n    Third, a security breach standard should focus on whether \nthe misuse of unencrypted sensitive personal information is \nreasonably possible. This will ensure that consumers receive \nnotification regarding breaches of information that could lead \nto identity theft, like Social Security numbers and credit card \ninformation with associated passwords. This should also \nincorporate a materiality threshold like the Federal banking \nregulators have implied on their guidance on GLB, namely \nnotification is required where there is a reasonable \npossibility of misuse. Such an approach will prevent \nnotifications from becoming so frequent that consumers \ndisregard them or find themselves unable to differentiate \nbetween those that indicate a significant risk and those that \ndo not.\n    Fourth, different methods of notification should be \npermitted. The appropriate method for notice will turn on the \nsize and type of entity providing it, the number of people \nrequired to receive it, and the relative cost for different \nmethods of providing it. The ways in which an entity typically \ncommunicates with its customers should also be considered. For \nthese reasons, the interagency guidance interpreting GLB gives \ndiscretion to covered entities to provide notice in any manner \ndesigned to ensure that a consumer can reasonably be expected \nto receive it. Microsoft urges the subcommittee to follow this \napproach.\n    Finally, the Federal legislation in this area should create \na uniform standard. 
Security breaches are a national problem, \nand all consumers should be protected by the same high level of \nprotection. This will also allow responsible businesses to \noperate without the unnecessary burdens of inconsistent \nsecurity and notification requirements. For these reasons, we \nsupport the preemption provision in the discussion draft. At \nthe same time, we recognize the State Attorney Generals play a \nvital role in ensuring the companies adhere to sound \ninformation security practices. Microsoft therefore supports \nany clarification that enables State Attorney Generals to \nenforce the provisions of this legislation.\n    Thank you for asking us to share our views on data security \nlegislation and the discussion draft. We are committed to \nhelping create a safe and trusted environment for consumers, \nand we look forward to working with you and your staff toward \nthis common goal.\n    [The prepared statement of Michael Hintze follows:]\n   Prepared Statement of Michael Hintze, Senior Attorney, Microsoft \n                              Corporation\n    Chairman Stearns, Ranking Member Schakowsky, and Members of the \nSubcommittee: My name is Michael Hintze, and I am a Senior Attorney at \nMicrosoft Corporation. I want to thank you for the opportunity to share \nwith the Subcommittee our views on data security legislation. In light \nof the number of recent serious security breaches, the increasing \nconcern nationwide over identity theft, and the ever-rising but often \ninconsistent number of state laws imposing security and customer \nnotification requirements, Microsoft firmly believes that now is an \nappropriate time for Congress to adopt federal data security \nlegislation.\n    Microsoft applauds Congress and the members of this Subcommittee \nfor their attention to data security and identity theft issues. 
As the \nFederal Trade Commission has reported, in 2003 alone, roughly 10 \nmillion Americans suffered from identity theft, costing businesses \n$47.6 billion and consumers almost $5 billion.<SUP>1</SUP> As a leading \nprovider of software and online services, Microsoft is particularly \nconcerned that identity theft threatens to erode trust on the Internet, \nand we are deeply committed to working with you, law enforcement, and \nothers in the industry to maximize deterrence and minimize the \nopportunities for identity thieves.\n---------------------------------------------------------------------------\n    \\1\\ Federal Trade Commission--Identity Theft Survey Report 7 (Sept. \n2003), available at http://www.consumer.gov/idtheft/stats.html \n[hereinafter ``Identity Theft Survey Report\'\'].\n---------------------------------------------------------------------------\n    Today, I want to address the focus of this hearing--data security \nlegislation. Microsoft generally supports the draft legislation before \nthis Subcommittee, dated June 30, 2005 (the ``Discussion Draft\'\'), that \nwould require companies both to adopt an information security program \nand to notify consumers in the case of a security breach. This \nlegislative approach would be an effective complement to Microsoft\'s \nown multi-faceted strategy for protecting individuals\' personal \ninformation, which includes developing and implementing technological \nsolutions, educating consumers about ways to protect themselves while \nonline, meeting or exceeding industry best practices on privacy and \nsecurity, and enforcing existing laws. 
My testimony today highlights \nsome of the key issues raised by federal data security legislation and \nby the Discussion Draft in particular, and recommends ways to proceed \ntoward the goal of creating a trusted environment for Internet users.\nbusinesses should be required to adopt an information security program.\n    Microsoft supports legislation that would require companies engaged \nin interstate commerce to adopt an information security program. But in \norder to be effective, while avoiding unnecessary burdens on \nresponsible businesses, such legislative requirements should be both \nbroadly applicable and sufficiently flexible to meet the security \nchallenges across a wide variety of business environments and \nscenarios.\n(1) Federal Legislation Should Enable Companies to Implement Security \n        Measures Best Suited for Their Environments.\n    First, any such legislative requirement should recognize that \nsecurity is an ongoing process, that the threats to data security are \nconstantly changing, and that the degree and type of risk can vary from \none situation to another. An appropriate and effective information \nsecurity program will depend on a number of factors, including, but not \nlimited to, an entity\'s size, the nature of its business, the amount \nand type of information it collects, and the number of employees that \nit has. In short, federal legislation must provide flexibility to \nenable companies to adopt security policies and procedures that are \nresponsive to their risk level.\n    With this in mind, the framework for an information security \nprogram set forth in the Gramm-Leach-Bliley Act (``GLB\'\') is preferable \nto that outlined in section 2(a) of the Discussion Draft. In GLB, \nCongress directed the relevant agencies to provide for the \nestablishment of ``appropriate . . . 
administrative, technical, and \nphysical safeguards--\n          (1) to insure the security and confidentiality of customer \n        records and information;\n          (2) to protect against any anticipated threats or hazards to \n        the security or integrity of such records; and\n          (3) to protect against unauthorized access to or use of such \n        records or information which would result in substantial harm \n        or inconvenience to any customer.\'\' <SUP>2</SUP>\n---------------------------------------------------------------------------\n    \\2\\ 15 U.S.C. § 6801(b).\n---------------------------------------------------------------------------\nIn response to this directive, the FTC implemented regulations that \nrequire the development of information security programs ``appropriate \nto the [subject entity\'s] size and complexity, nature and scope of . . \n. activities, and sensitivity of the customer information at issue.\'\' \n<SUP>3</SUP>\n---------------------------------------------------------------------------\n    \\3\\ 16 C.F.R. § 314.3.\n---------------------------------------------------------------------------\n    Microsoft believes a flexible framework such as that established by \nGLB and the FTC\'s implementing regulations makes sense. It gives \nindividual organizations--which are in the best position to understand \nthe particular security measures that are best suited to the different \ntypes and forms of personal information they maintain--the discretion \nto implement the most appropriate technologies and procedures for their \nrespective environments. In contrast, a set of federally-mandated \ntechnical specifications would inevitably impose too high of a burden \non some organizations for some information, but not adequately protect \nsome personal information held by other organizations. 
And, because \nsecurity measures are constantly changing and improving as technology \nadvances and engineers respond to evolving threats to information \nsecurity, a one-size-fits-all regime would likely and rapidly become \nobsolete.<SUP>4</SUP>\n---------------------------------------------------------------------------\n    \\4\\ We also note that as currently drafted, the Discussion Draft \ncould create different regimes for entities that are subject both to \nGLB and to the reach of new data security legislation. That said, \nexcluding entities covered under GLB from new data security \nlegislation, and then adopting a different standard for other entities, \nwould subject companies that house the exact same information to \ndifferent regulatory frameworks--e.g., a retailer would be subject to a \ndifferent information security framework than a bank. For this reason, \nwe support creating uniformity to facilitate both the development of \nbest practices and the development of service-related expertise--such \nas that provided by auditors--in the area of information security.\n---------------------------------------------------------------------------\n    For these reasons, Microsoft urges the Subcommittee to replace its \ncurrent section 2(a) with language modeled on the framework set forth \nin GLB and the FTC\'s implementing regulations. 
In addition, in light of \nthe importance of ensuring that implementing regulations give companies \nthe discretion to adopt programs that best suit their respective needs, \nMicrosoft encourages Congress to direct the FTC to allow entities to \ndevelop information security programs consistent with the following: \n(1) the entities\' size and complexity, (2) the nature and scope of \ntheir activities, (3) the sensitivity of the personal information at \nissue, (4) the current state of the art in administrative, technical, \nand physical safeguards for protecting information, and (5) the cost of \nimplementing such safeguards. Microsoft believes such a flexible \napproach is the best way to protect individuals\' personal information \nnow and into the future.<SUP>5</SUP>\n---------------------------------------------------------------------------\n    \\5\\ This testimony focuses on subsection (a) of Section 2. With \nrespect to subsection (b)--which applies special requirements to \ninformation brokers--Microsoft has only two brief observations. First, \nthe definition of ``information broker\'\' requires a slight revision to \nmake clear that it applies strictly to those entities whose primary \nbusiness is selling consumer data. Second, while Microsoft generally \nsupports giving individuals access to personal information collected \nabout them, we think that certain reasonable exceptions must accompany \nsuch a legislative requirement for it to make sense. 
For example, \naccess should not be required where the individual requesting access \ncannot reasonably verify his name or identity as the person to whom the \npersonal information relates; the rights of other persons would be \nviolated; the burden of providing access would be disproportionate to \nthe risk of harm to the individual; revealing the information would \ncompromise proprietary or confidential information, technology, or \nbusiness processes; or revealing the information would be unlawful or \naffect litigation or a judicial proceeding in which the business or \nindividual has an interest.\n---------------------------------------------------------------------------\n(2) Federal Security Requirements Should Apply to All Personal \n        Information.\n    If federal data security legislation includes sufficient \nflexibility to enable companies to develop security practices and \nprocedures that are tailored to the situation based on these factors, \nMicrosoft believes that federal information security requirements \nshould apply to all personal information housed by an organization in \nany form, whether electronic or paper. There is no reason to limit the \nrequirements to protect personal information to its electronic form: \nThe consequences of a loss or misuse of personal information in paper \nform can be just as serious and devastating to the affected individuals \nas a loss of that same data in electronic form. 
Likewise, the federal \nsecurity requirements should not be limited only to sensitive \ninformation that, if exposed, could lead to identity theft.<SUP>6</SUP> \nAlthough a breach of non-sensitive personal information may not expose \nindividuals to identity theft, it can have other negative \nconsequences.<SUP>7</SUP> Again, as long as the federal legislation \navoids mandating a one-size-fits-all approach to this data and instead \nprovides flexibility, the security requirements can reasonably be \napplied to all personal information.<SUP>8</SUP> The creation of such a \nsingle, flexible framework for all personal information will create \nbroader protection for consumers as well as increase efficiency for \nbusinesses that otherwise could be faced with having to comply with \nadditional and inconsistent security requirements imposed by other \nstate or federal laws.\n---------------------------------------------------------------------------\n    \\6\\ By ``sensitive information\'\' we mean the kinds of data that are \nincluded in the Discussion Draft\'s definition of ``personal \ninformation.\'\' Although we advocate for a broader scope for security \nrequirements, as we note later, this narrower definition remains \nrelevant for the purposes of defining the scope of information that should \ntrigger a notification obligation.\n    \\7\\ For example, if a number of e-mail addresses wind up in the \nwrong hands, those individual recipients could be deluged with unwanted \nspam that renders their e-mail account virtually unusable--or even \nsubjects them to harmful phishing scams that trick them into disclosing \nsensitive financial information to would-be identity thieves. 
The \nexposure of other non-sensitive personal information can have similarly \ninvasive consequences on an individual\'s privacy.\n    \\8\\ It is worth noting that the FTC Consent Orders on security have \nrequired businesses to implement security programs for all personal \ninformation, not just sensitive personal information.\n---------------------------------------------------------------------------\n    With this background in mind, Microsoft respectfully suggests that \nthe Subcommittee reconsider the approach taken in section 2(a) of the \nDiscussion Draft. This section appropriately directs the Federal Trade \nCommission to adopt implementing regulations governing information \nsecurity programs, but only with respect to a narrow class of sensitive \npersonal information and only with respect to any such information \nmaintained in electronic form. For the reasons stated above, Microsoft \nurges Congress to expand the scope of this provision.\n(3) Providing Flexibility in the Information Security Requirement is \n        Essential to Avoid Unnecessary Burdens on Small Businesses and \n        Those That Handle Minimal Amounts of Personal Information.\n    Finally, we note that a flexible approach to security, such as the \none outlined above, also is essential to alleviate the potential burden \nthat a national information security requirement could impose on small \nbusinesses. However, if the Committee believes that the potential costs \nof a national information security requirement necessitate some sort \nof small business exemption even with the flexible approach that we \nrecommend, Microsoft believes that such an exemption should be \ntriggered by the number of individuals whose personal information an \nentity handles and not by the size of the business. 
For example, given \nthe costs of compliance relative to the risks of exposure, it might \nmake sense to exempt from at least section 2(a) an entity that \ncollects, stores, uses or discloses personal information from fewer \nthan 5,000 individuals in any twelve (12) month period.\n   businesses should be required to notify consumers when there is a \n                         material risk of harm.\n    Microsoft recognizes that notifying individuals of security \nbreaches can be an effective element in the effort to reduce the costs \nand other harms associated with identity theft. But we believe that for \na notification requirement to provide effective warning to consumers, \nand to be reasonable and fair for all business entities engaged in \ninterstate commerce, it must be triggered only when there is a material \nrisk of harm to an individual. As recent reports have indicated, an \noverly broad notification requirement could have negative \neffects.<SUP>9</SUP> For example, consumers may begin to receive so \nmany notices that they become accustomed to such notices and/or become \nunable to differentiate between those breaches that represent a serious \nrisk and those that do not. One likely result is that some consumers \nwill do nothing in response; as a result, the costs of the notice will \nbe incurred in vain, and consumers will continue to bear the risk of \nany resulting identity theft. Other consumers may err on the side of \nover-reaction, responding to even harmless breaches by imposing credit \nfreezes, fraud alerts or changing or closing accounts--all of which \nimpose significant and unnecessary costs.<SUP>10</SUP> For these \nreasons, Congress should proceed carefully when articulating the \nstandard that triggers notification. 
We believe that the best standard \nis one that incorporates a materiality threshold like the federal \nbanking regulators have applied in the Interagency Guidance on GLB--\nnamely, notification is required when there is a reasonable possibility \nof misuse.\n---------------------------------------------------------------------------\n    \\9\\ See, e.g., Henry Fountain, ``Worry. But Don\'t Stress Out,\'\' \nWall Street Journal, June 26, 2005, Section 4, p.1.\n    \\10\\ See Thomas M. Lenard & Paul H. Rubin, ``An Economic Analysis \nof Notification Requirements for Data Security Breaches,\'\' The Progress \n& Freedom Foundation 10-11 (July 2005).\n---------------------------------------------------------------------------\n(1) Notification Obligations Should Be Triggered When Misuse Is \n        Reasonably Possible.\n    Microsoft believes that the Interagency Guidance on GLB provides a \nworkable framework for a national notification standard. That guidance \nfocuses on whether, as a result of unauthorized access, ``misuse of . . \n. information . . . has occurred or is reasonably possible.\'\' \n<SUP>11</SUP> Although the Discussion Draft contains a relatively \nflexible standard, we have some concern that the ``may result in \nidentity theft\'\' formulation is vague, and in any event, that the \nformulation would establish a slightly different standard than GLB has \nbeen interpreted to apply to financial institutions. This Interagency \nstandard provides clear guidance to industry and consumers: it \nappropriately requires an organization to investigate the circumstances \nof any unauthorized access, and to analyze the risks posed to affected \nindividuals before any notification is required. Microsoft believes it \nis critical to make companies responsible for determining the details \nof an unauthorized access to sensitive financial information and the \nlevel of threat resulting from the specific circumstances. 
If an \ninvestigation concludes that misuse of a consumer\'s information has \noccurred or is reasonably possible in light of the facts surrounding \nthe security breach and the exposure of the information, then \nnotification must be provided. Thus, this standard ensures that only \nthose consumers who are reasonably at risk receive notification, and in \nso doing, it mitigates against both the risk of over-notification and \nthe risk of consumer over- and under-reaction.\n---------------------------------------------------------------------------\n    \\11\\ Interagency Guidance on Response Programs for Unauthorized \nAccess to Customer Information and Customer Notice, 70 Fed. Reg. 15736, \n15752 (Mar. 29, 2005) (emphasis added) [hereinafter ``Interagency \nGuidance\'\'].\n---------------------------------------------------------------------------\n(2) Notification Obligations Should Cover Only Unencrypted Sensitive \n        Personal Information.\n    The purpose of notifying an individual of a security breach is to \nenable that person to prevent two potential types of identity theft: \n(1) the misuse of his or her existing credit card or other account, and \n(2) the fraud that is perpetrated when a thief opens a new account in \nhis or her name.<SUP>12</SUP> The scope of any notification obligation \nshould be limited to the class of personal information that could lead \nto such misuse. This information should include Social Security \nnumbers, and it should include credit card information associated with \nother information that could enable someone to access an account or \nmake a credit card purchase. 
This information should not include basic \npersonal information--such as name, address or telephone number--that \nalone or in combination with one another presents virtually no \nincreased risk of identity theft.\n---------------------------------------------------------------------------\n    \\12\\ See Identity Theft Survey Report, supra note 1, at 4.\n---------------------------------------------------------------------------\n    The Discussion Draft applies its notification requirements to a \nnarrow class of personal information, which is appropriate. To clarify \nthat this information is particularly sensitive, Microsoft recommends \nthat the Discussion Draft rename this class of information ``sensitive \nfinancial information.\'\' It should then include a broader definition of \n``personal information\'\' to which the obligations set forth in section \n2(a), as described above, apply.\n    However, within this class of so-called ``sensitive financial \ninformation,\'\' Microsoft believes that encrypted information should be \nexcluded. Data encrypted using standard methods is either impossible or \nimpracticable to decipher. Therefore, there is no reasonable \npossibility of its misuse if it is accessed without authorization. In \naddition, by specifically exempting such encrypted information from the \nstandard for notification, Congress will be creating an explicit \nincentive for companies to adopt encryption technology, thereby \nreducing the risk of a security breach in the first instance. 
If \nCongress has concerns that a general encryption exception is too vague \nand could be abused,<SUP>13</SUP> Microsoft would support allowing the \nexception to apply only to certain levels of encryption--e.g., the \nencryption level set forth in the Federal Information Processing \nStandards issued by the National Institute of Standards and \nTechnology--or more generally to encryption adopted by an established \nstandard setting body combined with an appropriate key management \nmechanism to protect the confidentiality and integrity of associated \ncryptographic keys in storage or in transit.\n---------------------------------------------------------------------------\n    \\13\\ We think that, if Congress explicitly exempted encrypted \ninformation from the notification requirement, there would be little \nrisk of abuse--after all, as a general matter, it is just as easy to \nuse readily available good encryption technology as it is to use \nreadily available weak encryption technology, so there would be little \nincentive to use a lower standard.\n---------------------------------------------------------------------------\n(3) Notification Obligations Should Capture Data Maintained In Any \n        Form.\n    Microsoft believes that the public policy interest in protecting \nsensitive financial information against malicious use by third parties \nextends to all forms of data, regardless of whether it is housed in \nelectronic or paper form. For this reason, we believe the notification \nrequirements set forth in section 3 of the Discussion Draft (like the \ngeneral security obligations set forth in section 2(a)) should not be \nlimited to electronic or computerized data. This is the approach \nfollowed in the Interagency Guidance on GLB.\n    Although expanding the requirement beyond data in electronic form \nwould potentially heighten the compliance costs associated with this \nfederal legislation, the public policy supports such an expansion. 
\nIdentity theft can be committed using information obtained offline and \nin a form other than just computerized data. Simply put, an identity \nthief can defraud a consumer using sensitive personal information \nmaintained in paper form just as easily as the thief can using \ncomputerized data. To adequately protect consumers, the notification \nrequirements of the legislation should therefore apply to all sensitive \nfinancial information--regardless of the form in which the information \nis maintained.\n    congress should give companies discretion to determine the most \n           appropriate and effective method for notification.\n    Microsoft believes that for a nationwide notification requirement \nto be administratively workable, business entities subject to the \nrequirement should have flexibility in how notice is provided. This is \nbecause the appropriate method for notice will turn on the size and \ntype of the entity providing the notice, the number of people required \nto receive notice, the methods by which the entity typically \ncommunicates with its customers or other individuals, and the relative \ncosts for different methods of providing notice. For these reasons, the \nInteragency Guidance on GLB provides discretion to covered entities to \nprovide notice ``in any manner designed to ensure that a customer can \nreasonably be expected to receive [the notice.]\'\' <SUP>14</SUP>\n---------------------------------------------------------------------------\n    \\14\\ Interagency Guidance, supra note 11, at 15753.\n---------------------------------------------------------------------------\n    Microsoft urges Congress to follow the model of the Interagency \nGuidance by giving companies discretion to issue notice in various \nways, so long as the notice is reasonably expected to reach the \naffected individuals. 
The Discussion Draft, which would obligate an \nentity to provide notice to an individual in writing and by email and \nthrough the entity\'s website, is too restrictive, and there is a real \nrisk that it could lead to less effective notifications and/or be too \ncostly for many entities to implement. Rather, federal legislation \nshould enable entities to provide notice via telephone, regular mail, \nor electronic mail, depending on the circumstance. Indeed, many \nindividuals who have received notices of security breaches report that \nthey appreciate getting them by telephone, which personalizes the \nprocess, makes the notice less intimidating, and provides an immediate \nforum for the individual to ask questions.<SUP>15</SUP> While telephone \nnotice may not be feasible in cases requiring mass notification, it is \nan option that should be permissible consistent with the interpretation \nof GLB.\n---------------------------------------------------------------------------\n    \\15\\ Larry Ponemon, ``Opinion: After a Privacy Breach, How Should \nYou Break the News,\'\' Computerworld, July 5, 2005.\n---------------------------------------------------------------------------\n    Microsoft also believes that entities should be required to try to \nreach individuals directly, unless certain cost or quantity thresholds \nare present or there is no known number, mailing address, or electronic \nmail address for an individual. 
Accordingly, Microsoft would propose \nusing mass media notice and Internet postings only in exceptional \ncircumstances requiring substitute notice.\n congress should consider internal and law enforcement investigations \n       when analyzing the appropriate timeliness of notification.\n    Microsoft is pleased that the Discussion Draft accounts for the \nimmediate obligations of a company in the aftermath of a breach by \nallowing reasonable time for a company to determine the scope of the \nbreach and to restore any compromised systems before issuing notice of \nthe breach. Microsoft also believes, however, that federal legislation \nshould account for the needs of law enforcement in investigating the \nbreach. It is often the case that immediate notification to the public \ncan interfere with a criminal investigation of the underlying incident. \nIf, for example, law enforcement officials are in the process of \nidentifying or apprehending potential suspects, a public announcement \nmay cause the suspects to flee, destroy evidence, or otherwise obstruct \nthese efforts to bring the perpetrators to justice. The existing GLB \nguidelines regulating financial institutions, as well as most state \nbreach notification laws, have accounted for these concerns by allowing \nfor delayed notification, consistent with the legitimate needs of law \nenforcement.\n    The risk of any abuse with this delay in notification is easily \naddressed by vesting the authority for any such determination in law \nenforcement, rather than the company itself. 
As the Interagency \nGuidance on GLB provides, ``notice may be delayed if an appropriate law \nenforcement agency determines that notification will interfere with a \ncriminal investigation and provides the institution with a written \nrequest for the delay.\'\' <SUP>16</SUP> By accounting for these \ncontingencies in imposing a notification requirement, Congress can \nbalance the interests of consumers, the legitimate needs of law \nenforcement, and the immediate responsibilities of companies suffering \ndata security breaches.\n---------------------------------------------------------------------------\n    \\16\\ Interagency Guidance, supra note 11, at 15752.\n---------------------------------------------------------------------------\n                strong federal preemption is warranted.\n    Microsoft believes that for federal legislation to be meaningful in \nthis area, it must address the problem of state laws imposing \npotentially inconsistent security and notification requirements. In \nother words, we strongly feel that federal legislation requiring \nentities to implement an information security program and to notify \nindividuals of security breaches must ``occupy the field.\'\' As we have \nseen with the rash of major security breaches over the past several \nmonths, information security is a national problem that affects all \nAmericans. Federal legislation that preempts inconsistent state laws is \ntherefore crucial to protect consumers while allowing responsible \nbusinesses to operate without unnecessary burdens.\n    Over the past several months, more than a dozen states have enacted \nbreach notification laws, with a few of these states also requiring \nentities to adopt security procedures. Although these statutes \ngenerally have been patterned after the California law, which pioneered \nbreach-related legislation, the statutes are not uniform, and their \ndifferences can be striking. 
For one, the statutes sometimes differ on \nthe very definition of ``personal information,\'\' with some states \nbroadly covering any account information, some requiring a name coupled \nwith other identifying information, and some including a Social \nSecurity number alone. Similarly, the statutes differ in their \njurisdictional scope, with most applying to entities conducting \nbusiness within the state, but others applying to anyone who possesses \ninformation about residents of the state. The statutes are also \ninconsistent as to when notification is required, with some states \nproviding an exception when the breach is reasonably believed to be \nharmless. In addition to these disparities, provisions regarding \nnotification period, notification method, and available remedies often \nvary from state to state.\n    Although some have argued that the federal provision should create \na ``floor,\'\' above which states are free to impose additional \nrequirements, this would not solve the problem caused by the existing \npatchwork of state regulation. In such an environment, any company that \nparticipates broadly in the national economy must either abide by the \nstrictest applicable standard, or otherwise take measures to \ncompartmentalize its transactions on a state-by-state basis. Under the \nformer approach, any federal legislation would be rendered meaningless \nabsent preemption. And given the realities of today\'s virtual economy, \nthe latter option is largely impracticable; or, for those companies \nthat tried to comply with requirements on a state-by-state basis, it \nwould potentially cause a harmful distraction from what is important--\nprotecting the security of consumers\' personal information and promptly \nnotifying any affected consumers in the event of a security breach that \nis reasonably possible to lead to the misuse of unencrypted sensitive \nfinancial information. 
Therefore, the only realistic solution that \nprotects consumers while minimizing the operational burdens on \nresponsible businesses is to adopt a nationwide standard for security \nand notification. That standard should certainly be robust, but, once \nadopted, should apply uniformly. Hence, any federal legislation on this \ntopic should specifically preempt state security and notification laws.\n    The Discussion Draft includes an appropriate preemption provision. \nThat said, Microsoft supports adding language to the preemption \nprovision to make clear that only State Attorneys General can bring a \ncivil action under state law that is premised on a violation of the \nfederal legislation. At the same time, we recognize that State \nAttorneys General can play a vital role in ensuring that companies \nadhere to sound information security practices. Accordingly, Microsoft \nalso supports any clarification that enables State AGs to directly \nenforce the provisions of the legislation and also ensures they can \ncontinue to rely on their enforcement authority under state consumer \nprotection laws.\n    congress should consider additional provisions in data security \n                              legislation.\n    Requiring entities to implement security procedures that apply to \npersonal information and to notify individuals of security breaches, \nwhere the misuse of unencrypted sensitive financial information is \nreasonably possible, makes sense. But these approaches do not fully \naddress a key concern raised in response to recent security breaches--a \nlack of transparency as to how companies are using and disclosing \npersonal information in the first place. Individuals want to understand \nbetter the entities that maintain their personal information, the types \nof information they maintain, how they use that information, and the \nthird parties with whom they share such information. 
For this reason, \nin addition to supporting reasonable security precautions and \nnotification requirements, Microsoft looks forward to working with the \nSubcommittee on appropriate legislation that addresses these broader \nconcerns. Microsoft believes that adopting a tailored but more complete \napproach to data security legislation at the federal level will better \ninform consumers about who is using their personal information and how, \nand thereby empower consumers to exercise meaningful control over their \npersonal information both before and after any security breach occurs. \nIn addition, a national standard will give consumers and organizations \nthat are facing a patchwork of privacy and data security requirements \nat the state level clarity about the standards for collecting, using, \ndisclosing, and storing personal information.\n    We commend the Subcommittee for holding this hearing today and \nappreciate your determination to seek strong legislation to help curb \nidentity theft. Thank you for extending us an invitation to share our \nrecommendations on the Discussion Draft, and we look forward to working \nwith you on additional means to help inform and empower consumers both \nbefore and after a security breach occurs. Microsoft is committed to \ncreating a trusted environment for Internet users, and looks forward to \nworking with you toward this common goal.\n\n    Mr. Stearns. I thank the gentleman.\n    Mr. Hoofnagle, welcome.\n\n                STATEMENT OF CHRIS JAY HOOFNAGLE\n\n    Mr. Hoofnagle. Good morning, Chairman Stearns, Ranking \nMember Towns, and good morning, Chairman Barton.\n    My name is Chris Hoofnagle. I am senior counsel with the \nElectronic Privacy Information Center. We are a not-for-profit \nresearch center that focuses on privacy founded in 1994 here in \nWashington. 
I run the organization\'s West Coast office in San \nFrancisco.\n    There are many different consumer protection issues that \nneed the attention of this committee, and we thank you for \nfocusing your attention on privacy and security. Ranking Member \nTowns, in your introduction, you discussed how there are \nnew security breaches, it seems, bimonthly. It is actually more \nthan that. The Privacy Rights Clearinghouse has a chronology of \ndata breaches online, and there have been 60 known such \nbreaches since ChoicePoint, the commercial data broker, \nannounced their breach back in February. And when you look at \nthis chronology, you see that it has been a diverse array of \nbusinesses. They are in the financial services sector. They are \nin the retail sector. You also see that there is a diverse \nnumber of attackers. There is a diverse number of threats to \npersonal information. Sometimes these breaches are caused by \ninsiders. Sometimes they are caused by outsiders. Sometimes it \nis just a mistake. And then sometimes it is willful.\n    So your committee is charged with dealing with a very \ndifficult situation of writing a law that addresses all of \nthese different types of data risks and risks to identity theft \nand other misuse of information.\n    With that said, let me focus on just some parts of my \ntestimony.\n    We were very happy to see the discussion draft. I think it \nis an important first step in addressing security breach \nissues. But there are several issues that we wanted to tweak. \nWe have already heard testimony this morning regarding the \nstandard for providing notice. And under this bill, there has \nto be a risk of identity theft. We really want to emphasize \nthat identity theft is not the only risk to data security.\n    There have been cases involving stalking. 
One of the things \nwe work on at EPIC is the problem of investigators who operate \nonline who break security of other companies to get information \nand sell that information to other people, including stalkers. \nData might be accessed by other businesses that are engaged in \nthe attempt to locate people. So, for instance, in New Jersey, \nthere was a major security breach involving 600,000 records at \nBank of America and Wachovia. And the people obtaining that \ninformation weren\'t trying to steal anybody\'s identity. What \nthey were trying to do was sell that data to debt collectors so \nthat the debt collectors could locate them. Data might be \naccessed for corporate espionage purposes. It might even be \naccessed for extortion. There was a case out in California where \na hospital had outsourced sensitive medical information to \nPakistan. The person in Pakistan handling the data was never \npaid, and so she took the data and she put it online saying if \nyou don\'t pay me, I am going to post the rest of this medical \ndata.\n    And finally, sometimes data is stolen for spam purposes. \nThere was a case here on the east coast where a Time Warner \nemployee was caught with 92 e-mail addresses of AOL \nsubscribers, and he broke the system in order to sell that data \nfor direct marketing purposes.\n    I also wanted to amplify Ms. Maier\'s point that it is also \nvery difficult to determine whether or not identity theft is \nthe intent of an attacker and whether or not the attacker is \neven competent enough to commit that crime. We really need to \nfocus on misuse of data rather than identity theft.\n    We were also pleased to see that this is a discussion draft \non data protection. To us, data protection is an issue that is \nmuch broader than security. 
Data protection includes privacy, \nthe idea that a minimum amount of information should be \ntransferred when entering into a transaction, the idea that \npeople should have access to their information. They should be \nable to correct it. However, those rights aren\'t all \nencompassed in this discussion draft. And we urge you in future \ndrafts to include other privacy rights, because some of the \nproblem here is not just insecurity. The problem is that even \nif this data were sold securely, there is a problem with the \nsale that, in some cases, this information should never be \nsold.\n    We also urge you to include audit trails in the bill. \nWhile encryption is a great tool for protecting data from \noutsiders, encryption does not do a good job when insiders are \nstealing data and selling it to other people. And it is at that \npoint where audit trails are really important. And what audit \ntrails do essentially is track who accesses data, for what \npurpose, and whether they disclose it to anyone. And it is the \nbest way to not only deter insiders, but also to catch them \nonce they have broken the security.\n    I see that I have run out of time, so I want to conclude by \nsaying thank you for holding this hearing and for considering \nthis legislation. And if I can be of help to the committee, \nplease feel free to contact me.\n    [The prepared statement of Chris Jay Hoofnagle follows:]\nPrepared Statement of Chris Jay Hoofnagle, Director and Senior Counsel, \n        Electronic Privacy Information Center West Coast Office\n                              introduction\n    Chairman Stearns, Ranking Member Schakowsky, and Members of the \nSubcommittee, thank you for extending the opportunity to testify on \ndata security legislation.\n    My name is Chris Hoofnagle and I am Senior Counsel to the \nElectronic Privacy Information Center, and director of the group\'s West \nCoast office, located in San Francisco. 
Founded in 1994, EPIC is a not-\nfor-profit research center established to focus public attention on \nemerging civil liberties issues and to protect privacy, the First \nAmendment, and constitutional values.\n    EPIC has been on the forefront of the issues being considered in \ntoday\'s hearing. For instance, ``commercial data brokers,\'\' companies \nthat extract sensitive information from many sources and sell it as a \n``dossier\'\' to others, have long been a matter of public \nconcern.<SUP>1</SUP> EPIC has engaged in extensive use of the Freedom \nof Information Act to determine the extent of interaction between the \ngovernment and data brokers such as Lexis-Nexis, Acxiom, InfoUSA, and \nMerlin.<SUP>2</SUP>\n---------------------------------------------------------------------------\n    \\1\\ See Chris Jay Hoofnagle, Big Brother\'s Little Helpers: How \nChoicePoint and Other Commercial Data Brokers Collect, Process, and \nPackage Your Data for Law Enforcement, 29 N.C.J. Int\'l L. & Com. Reg. \n595 (Summer 2004), available at http://www.epic.org/privacy/\nchoicepoint/cp--article.pdf.\n    \\2\\ EPIC Choicepoint Page, available at http://www.epic.org/\nprivacy/choicepoint/.\n---------------------------------------------------------------------------\n    We applaud the Members of the Committee and others who have crafted \nlegislation to address security standards for companies that maintain \npersonal information. In my testimony today, I will provide comment on \nthe Discussion Draft of Data Protection Legislation. The Discussion \nDraft is a good first step in addressing the security risks presented \nby companies with personal information, but fails to fully confer upon \nindividuals the tools they need to avoid misuse of personal \ninformation. 
I therefore recommend that the Committee move this
legislation, with reasonable enhancements including: an option for
credit freeze, a requirement that security measures include audit
trails, and public reporting of security breaches to the Federal Trade
Commission. I further recommend that the Committee go beyond security
issues and consider the privacy risks raised by data brokers.
                            data insecurity
    Well before the recent news of the Choicepoint debacle became
public, EPIC had been pursuing the company and had written to the FTC
to express deep concern about its business practices. On December 16,
2004, EPIC urged the Federal Trade Commission to investigate
Choicepoint and other data brokers for compliance with the Fair Credit
Reporting Act (FCRA), the federal privacy law that helps ensure
personal financial information is not used improperly.<SUP>3</SUP> The
EPIC letter said that Choicepoint and its clients had performed an end-
run around the FCRA and were selling personal information to law
enforcement agencies, private investigators, and businesses without
adequate privacy protection.
---------------------------------------------------------------------------
    \3\ Letter from Chris Jay Hoofnagle, Associate Director, EPIC, and
Daniel J. Solove, Associate Professor, George Washington University Law
School, to Federal Trade Commission, Dec. 16, 2004, available at
http://www.epic.org/privacy/choicepoint/fcraltr12.16.04.html.
---------------------------------------------------------------------------
    Since the Choicepoint breach, there has been a steady stream of
news articles and public announcements concerning other companies that
have failed to secure the personal information of individuals.
The
Privacy Rights Clearinghouse, a San Diego-based group, has posted a
Chronology of these data breaches.<SUP>4</SUP> As of this writing, this
Chronology notes 60 different incidents where a company or government
entity reported a security breach involving the Social Security number,
drivers license number or financial account number. The Privacy Rights
Clearinghouse estimates that 50,000,000 individuals have been affected
by these known breaches.
---------------------------------------------------------------------------
    \4\ Privacy Rights Clearinghouse, A Chronology of Data Breaches
Reported Since the ChoicePoint Incident, available at
http://www.privacyrights.org/ar/ChronDataBreaches.htm (last visited Jul. 24,
2005).
---------------------------------------------------------------------------
    This Chronology is worth revisiting for at least three reasons.
First, it demonstrates the diversity of entities that store sensitive
personal information and yet have experienced a security incident.
While there have been major security breaches at commercial data
brokers such as Lexis-Nexis and Merlin, there have also been security
problems at banks, schools, government entities such as motor vehicle
administrations, and retailers. This demonstrates the need for
intervention across a broad array of entities.
    A privacy-friendly approach would first emphasize the need for
reducing the amount of personal information collected and maintained.
Where retention of personal information is necessary, these entities
should be subject to a framework of ``Fair Information Practices.''
Fair Information Practices, or ``FIPs,'' constitute a framework of
rights and responsibilities that require entities to minimize the
amount of information they collect, to use it only for purposes
specified by the individual, to hold it in a secure manner, and to
provide the individual access to and the ability to correct their
personal data.
    Second, the Chronology demonstrates that security breaches may
occur for reasons other than to commit identity theft. For instance,
insiders at Bank of America, Wachovia, PNC Bank and Commerce Bank sold
customers' personal information to attorneys and others who were
engaged in debt collection efforts.<SUP>5</SUP> That breach affected
the records of over 600,000 accountholders. Sometimes systems are
compromised for voyeuristic purposes, such as obtaining the contact
information or communications data of celebrities or law enforcement
officials.<SUP>6</SUP> Security breaches may be motivated by a company
attempting to obtain information about a competitor. Finally, extortion
may motivate someone to obtain and disclose an individual's personal
information. For instance, in 2003, a Pakistani clerical worker
performing transcription services for an American hospital threatened
to release medical records if she was not paid for her
services.<SUP>7</SUP> Accordingly, Congress' approach should recognize
that identity theft is not the only harm to be avoided.
Legislation
passed by Congress should recognize that security breaches may be
motivated by a number of crimes unrelated to attempted identity theft.
---------------------------------------------------------------------------
    \5\ Jonathan Krim, Banks Alert Customers of Data Theft, Washington
Post, May 26, 2005, available at
http://www.washingtonpost.com/wp-dyn/content/article/2005/05/25/AR2005052501777.html
    \6\ Kelly Martin, Hacker breaches T-Mobile systems, reads US Secret
Service email and downloads candid shots of celebrities, SecurityFocus,
Jan. 12, 2005
    \7\ David Lazarus, A tough lesson on medical privacy: Pakistani
transcriber threatens UCSF over back pay, Oct. 22, 2003, available at
http://www.sfgate.com/article.cgi?file=/c/a/2003/10/22/MNGCO2FN8G1.DTL.
---------------------------------------------------------------------------
    Third, the Chronology demonstrates that entities that maintain
personal information are subject to many different security risks.
While we typically think of outsiders, such as malicious computer
hackers, as the prime security risk, the Chronology shows that
dishonest employees are a major security problem. Accordingly,
Congress' approach should include measures likely to catch insiders who
sell information. Audit trails--a requirement that entities record who
accesses and discloses personal information--would go far in deterring
and detecting dishonest insiders.
            the draft should contain credit freeze language
    In the Senate, Members are considering legislation that will
prevent identity theft by allowing individuals to ``freeze'' their
credit. Under these proposals, individuals can opt to erect a strong
shield against identity theft by preventing the release of their credit
report to certain businesses.
Because a credit report is always pulled
before a business issues a new line of credit, a freeze will make it
very difficult for an impostor to obtain credit in the name of another
person.<SUP>8</SUP>
---------------------------------------------------------------------------
    \8\ Chris Hoofnagle, Putting Identity Theft on Ice: Freezing Credit
Reports to Prevent Lending to Impostors, Securing Privacy in the
Internet Age, Stanford University Press (forthcoming 2006), available at
http://ssrn.com/abstract=650162
---------------------------------------------------------------------------
    According to US PIRG, 10 states have credit freeze laws
enacted.<SUP>9</SUP> The New Jersey law offers consumers the most
benefit--any resident may freeze their credit report at minimal cost,
and consumer reporting agencies must make the thaw mechanism work
quickly, so that individuals can take advantage of instant credit
offers.
---------------------------------------------------------------------------
    \9\ US PIRG, State Breach and Freeze Laws, available at
http://www.pirg.org/consumer/credit/statelaws.htm.
---------------------------------------------------------------------------
    We believe that a credit freeze is a good approach that will
minimize security risks and reduce the risk of identity theft. Simply
stated, this provision will make it more difficult for others to use a
consumer's credit report without their consent. Consumers will always
have the ability to provide their credit reports in those transactions
that they initiate.
            the need to consider general privacy protections
    The Discussion Draft would establish important security safeguards
for all businesses with personal information, and heightened duties on
information brokers.
But while the Discussion Draft addresses security
concerns, it does not contemplate whether general privacy restrictions
are appropriate.
    Information brokers have operated under a self-regulatory schema,
known as the Individual Reference Service Group (``IRSG'') Principles.
Through these principles, the industry conferred upon itself the
authority to sell detailed dossiers to almost anyone for almost any
purpose. It was the promiscuity of these principles that led to the
most recent Choicepoint breach, because the principles allowed data
brokers to choose who is a ``qualified'' buyer of personal information,
and allowed sale to anyone with a ``legitimate'' business purpose.
    A serious inquiry should be made into the purposes for which these
dossiers are being sold. Congress should set limits on the contexts in
which personal information can be sold, and when data is sold, limit
the secondary uses of personal information.
          the discussion draft of data protection legislation
Section 2 Requirements for Information Security: All Companies
    This section directs the Federal Trade Commission (``Commission'')
to promulgate regulations to require companies to implement policies
and procedures to protect personal information. Companies would have to
develop a security policy and statement on use of personal information.
Companies would have to identify an employee as being responsible for
information security. Finally, companies would have to develop
processes to take preventive and corrective action to address security
vulnerabilities, including the use of encryption.
    We applaud the Members for encouraging the use of encryption to
protect personal information. However, we wish to emphasize that once
data is encrypted, it may still be vulnerable. For instance, the
company may choose a poor encryption method that can be decoded easily.
There is also the risk that a malicious actor, especially when he is an
insider, will have the key or password to decode the encryption.
Accordingly, an entity that uses encryption should not automatically be
exempt from other data security responsibilities, such as the
requirement to provide security breach notices.
    We suggest three improvements to this section:
    First, this section could be significantly enhanced by a
requirement that companies employ audit trails to deter and detect
insider misuse of personal information. An audit trail would record who
accessed individuals' information, the purposes for which it was
accessed, whether it was disclosed, and to whom it was disclosed.
Simply put, encryption will be most effective at protecting data from
outsiders; auditing will be a strong deterrent to insiders.
    Second, where possible, companies should require customers to
establish a password system for access to their file. Currently, many
entities with sensitive personal information will give access to files
based on the provision of simple biographical information, such as
billing address, phone number, date of birth, or Social Security
number. The problem is that these biographical identifiers often are
found in publicly-available databases, such as phone books, public
records, or the Internet.
    Passwords have some disadvantages. Sometimes people choose poor
passwords, but an institution can correct this by requiring the
password to be a certain length. Sometimes individuals forget
passwords, and in cases where that is a concern, a ``shared secrets''
password system could be employed. In such a system, the customer and
business agree upon a series of questions that can be asked to verify
identity. They could include asking the customer what street they lived
on as a child, the name of their first pet, or their favorite book or
sports team.
The questions are periodically rotated to prevent an
impostor from learning these secrets.
    Third, some companies are using automatic number identification
(``ANI''), a form of caller ID, to identify or authenticate customers.
ANI offers additional security over caller ID, but it now appears that
ANI too can easily be ``spoofed,'' or falsified, through the use of
VOIP telephony.
    In crafting security guidelines, the Commission will have to
consider that new technologies may pose new risks to security systems.
Accordingly, we recommend that the Commission be directed to
periodically review security requirements, and new threats to personal
data.
Section 2 Requirements for Information Security: Special Requirements
        for Data Brokers
    This section would require information brokers to be audited by the
Commission. It would also require data brokers to allow individuals to
obtain their dossier annually at no cost.
    We applaud these requirements. Individuals should be able to obtain
personal information held by data brokers at no charge. Currently,
industry practice on providing individuals access to their personal
information varies widely. For instance, it is not clear whether
information brokers provide the complete file of personal information
when an individual makes a request for access. Choicepoint provides
free access, and in a recent study where 11 people requested their
files, the company provided individuals with their dossiers in a timely
fashion. However, the study showed that many errors were found in the
Choicepoint dossiers.<SUP>10</SUP> Acxiom charges $20 for access, but
in the study, the company only fulfilled half of the requests made and
took an average of 89 days to comply.
A legal mandate for free and
timely access is needed.
---------------------------------------------------------------------------
    \10\ PrivacyActivism, Data Aggregators: A Study of Data Quality and
Responsiveness, May 18, 2005, available at
http://www.privacyactivism.org/Item/222.
---------------------------------------------------------------------------
Section 3 Notification of Database Security Breach
    This section specifies the instances when a company must disclose
to individuals that their personal information has been obtained by an
unauthorized person. It defines breach of security as ``the compromise
of the security, confidentiality, or integrity of data that results in,
or there is a reasonable basis to conclude has resulted in, the
acquisition of personal information by an unauthorized person that may
result in identity theft.'' It specifies how a company must give
notice, and what the notice must contain. It specifies that a company
with a security breach must provide three credit reports and a year of
credit monitoring service to victims.
    There are several critical aspects to this portion of the
legislation. First, of course, is the severity of events that
constitute a ``breach of security.'' The language in the Discussion
Draft tracks the California standard, except that the Discussion Draft
includes the requirement that the security breach ``may result in
identity theft.''
    As we explained above, identity theft is only one risk from
unauthorized access to personal information. Unauthorized access may be
gained for other purposes that cause harm to the individual, such as
stalking, obtaining information for debt collectors, corporate
espionage, extortion, or mere voyeurism.
The purpose of data security
breach legislation is not just to warn individuals of a risk of
identity theft; it is also designed to shine a light on poor data
practices.
    More importantly, as identity theft expert Beth Givens has argued,
companies often cannot tell whether a security breach may result in
identity theft. The motives of a person who gained access are not
always clear. Identity theft can also occur months or even years after
a security breach.
    There has been much discussion of whether to give companies
discretion to determine whether notice to the public is justified. No
such discretion is given by the California law, and Congress should
carefully consider the consequences of extending discretion at the
federal level. It is already the case that one information broker,
Acxiom, engaged in acrobatics to avoid giving notice of a 2003 security
breach that reportedly involved 20 million records.<SUP>11</SUP>
---------------------------------------------------------------------------
    \11\ Robert O'Harrow, Jr., No Place to Hide 71-72, Free Press
(2005). DOJ, Milford Man Pleads Guilty to Hacking Intrusion and Theft
of Data Cost Company $5.8 Million, Dec. 18, 2003, available at
http://www.usdoj.gov/criminal/cybercrime/baasPlea.htm; DOJ, Florida Man
Charged with Breaking Into Acxiom Computer Records, Jul.
21, 2004,
available at http://www.usdoj.gov/opa/pr/2004/July/04_crm_501.htm.
---------------------------------------------------------------------------
    Because it is difficult to gauge the risk of identity theft,
because there are harms other than identity theft which may result from
security breaches, and because there is already evidence that companies
will go to great lengths to avoid giving security breach notices, we
recommend eliminating the language that gives companies discretion not
to give notice based on a determination whether the breach ``may result
in identity theft.''
    If Congress chooses to give some measure of discretion, it should
set a standard that requires notice where there is a ``reasonable risk
or reasonable basis to believe that such access could lead to misuse of
personal information.'' This standard recognizes that security breaches
should focus on ``misuse'' of personal information instead of just
identity theft, and would allow companies not to give notice where
there is no reasonable risk of harm. There should also be a duty to
thoroughly investigate suspected breaches. The standard set should not
give data holders incentives to ignore these incidents.
    The second critical factor is the scope of businesses that will be
subject to the notification requirement. We think the standard set
forth by the bill--any company that owns or possesses data--is the
appropriate one. The California standard--any company that owns or
licenses data--misses the mark in that some companies merely process
data for others, but may still experience a breach.
    A third critical factor is the form of notice. The California
security notice legislation was in effect a type of ``Freedom of
Information Act'' for security standards.
Consumers and policymakers
have benefited from learning more about security standards and
breaches, but there have also been significant limitations--in many
cases, only the victims learn of the breach. Consumers and policymakers
would benefit from hearing of all breaches through a website that could
be operated by the Commission. We would recommend that the following
language be added to the legislation, so that there will be public
reporting of security breaches:
        ``Information submitted to the Commission under sections
        2(b)(1) and 3(a)(2) shall be posted at a publicly available
        website operated by the Commission.''
Section 4 Enforcement by the Federal Trade Commission
    This section specifies that the Commission will enforce the law,
under its authority to address unfair and deceptive trade practices.
    We recommend adding enforcement powers so that state Attorneys
General can also enforce the law.
    We further recommend that the Commission's authorization and
appropriation be increased to account for the burdens associated with
enforcing this law. The Commission must oversee a plethora of business
practices--from deception in funeral businesses to ``power output
claims for amplifiers utilized in home entertainment products.''
<SUP>12</SUP> This wide range of responsibility requires adequate
funding.
---------------------------------------------------------------------------
    \12\ See generally Title 16 of the Code of Federal Regulations,
available at http://www.access.gpo.gov/nara/cfr/waisidx_05/16cfrv1_05.html.
---------------------------------------------------------------------------
Section 5 Definitions
    This section defines the many terms in the legislation, including
identity theft and information broker.
    The definition of ``identity theft'' is narrow and does not
encompass the full range of activities normally understood as identity
theft.
The current definition focuses on the use of others' personal
information for the purpose of engaging in ``commercial transactions.''
This does not recognize the problem of ``criminal identity theft,''
where an individual uses the personal information of another in his
interactions with law enforcement, leaving the victim with a criminal
record. Accordingly, we recommend that if the law continues to include
this term, that it be broadened to recognize other activities commonly
understood to be ``identity theft.''
    Defining ``information broker'' is a challenge. Many companies are
engaged in the transmission of personal information to third parties.
In some cases, this occurs within the individual's expectation, such as
when information must be transferred to execute a transaction requested
by a consumer. In others, the transfer of personal information raises
unique privacy risks, and such businesses should be included in the
definition of ``information broker.''
    Further complicating this matter is the qualifier ``whose business
is to collect, assemble, or maintain personal information.''
Information brokerage is just a small percentage of the business of a
company like Lexis-Nexis or even Choicepoint. Lexis-Nexis is a huge
company; most of its information products have no bearing on privacy,
such as the company's legal and scholarly research databases. According
to Choicepoint, only about 11% of its operations consist of information
brokerage outside the Fair Credit Reporting Act. Can it be said that
Lexis-Nexis and Choicepoint are entities ``whose business is to
collect, assemble, or maintain personal information'' for provision to
third parties?
    There have been many attempts to define an information broker, and
thus far, we think the best is contained in S.
1332:
          The term `data broker' means a business entity which for
        monetary fees, dues, or on a cooperative nonprofit basis,
        regularly engages, in whole or in part, in the practice of
        collecting, transmitting, or otherwise providing personally
        identifiable information on a nationwide basis on more than
        5,000 individuals who are not the customers or employees of the
        business entity or affiliate.
    This definition limits the scope of the law to companies that
regularly engage in maintaining large databases on non-customers for
the purpose of providing them to a third party. It provides a good
starting point for further discussion.
    Congress should also consider giving the Commission rulemaking
authority to address circumvention of this definition through corporate
restructuring or technological tweaks. In passing the Fair and Accurate
Credit Transactions Act, Congress included a provision that prohibits
``technological circumvention'' of the Fair Credit Reporting Act's
provisions. The concern was that through database design or corporate
reorganization, a consumer reporting agency may escape obligations to
provide a free credit report. We think that a similar provision would
be appropriate here to avoid a situation where a company simply
reorganized to avoid security or privacy responsibilities.
    The definition of ``personal information'' in the Discussion Draft
is narrower than the California law. Under the California law, personal
information ``means an individual's first name or first initial and
last name in combination with . . .'' a Social Security number, drivers
license number, or account number. The Discussion Draft would require
the individual's first and last name, instead of just the first
initial.
We think that the federal legislation should be as broad as
the California definition in this regard.
    We further recommend that section 5(5)(A)(iii) should be modified.
That section treats an account number in combination with an access
code as ``personal information.'' As currently written, it gives credit
card companies an out from giving notice by claiming that the three-
digit security code on the card must be present for a breach to occur.
That is, even though the three-digit code is not necessary to make
charges, they will claim that a breach does not require notice unless
that code is included in the compromised files. We accordingly
recommend that this section be changed to:
          ``(iii) Financial account number, or a credit card number, or
        a debit card number in combination with any required security
        code.''
Section 6 Effect on Other Laws
    This section specifies that all state laws concerning breaches of
security or notification to individuals of breaches of security would
be preempted.
    The preemption language in the Discussion Draft is overly broad; it
risks unintentionally preempting many different state laws that address
security, but are not the target of this law. Data security needs are
too varied to accommodate a nationwide uniform standard. Floor
preemption is more appropriate here.
    In privacy and consumer protection law, federal ceiling preemption
is an aberration. Historically, federal privacy laws have not preempted
stronger state protections or enforcement efforts. Federal consumer
protection and privacy laws, as a general matter, operate as regulatory
baselines and do not prevent states from enacting and enforcing
stronger state statutes.
The Electronic Communications Privacy Act, the
Right to Financial Privacy Act, the Cable Communications Privacy Act,
the Video Privacy Protection Act, the Employee Polygraph Protection
Act, the Telephone Consumer Protection Act, the Driver's Privacy
Protection Act, and the Gramm-Leach-Bliley Act all allow states to
craft protections that exceed federal law.<SUP>13</SUP> Even the Fair
Credit Reporting Act is largely not preemptive.<SUP>14</SUP>
---------------------------------------------------------------------------
    \13\ Respectively at 18 U.S.C. § 2510 et seq., 12 U.S.C. § 3401, 47
U.S.C. § 551(g), 18 U.S.C. § 2710(f), 29 U.S.C. § 2009, 47 U.S.C. § 227(e), 18
U.S.C. § 2721, and Pub. L. No. 106-102, §§ 507, 524 (1999).
    \14\ See 15 U.S.C. § 1681t.
---------------------------------------------------------------------------
    Although the federal government has enacted privacy laws, most
privacy legislation in the United States is enacted at the state level.
Many states have privacy legislation on employment privacy (drug
testing, background checks, employment records), Social Security
Numbers, video rental data, credit reporting, cable television records,
arrest and conviction records, student records, tax records,
wiretapping, video surveillance, identity theft, library records,
financial records, insurance records, privileges (relationships between
individuals that entitle their communications to privacy), and medical
records.<SUP>15</SUP>
---------------------------------------------------------------------------
    \15\ See generally, Robert Ellis Smith, Compilation of State and
Federal Privacy Laws (Privacy Journal 2002).
---------------------------------------------------------------------------
    Finally, the data industry is in a weak position to argue that it
cannot comply with state laws.
This is an industry that ``segments'' or
groups people by characteristics at the zip+4 level. They know where
you live now, and where you lived ten years ago. No other industry is
better equipped to use technology to comply with state law than the
data brokers.
Section 7 Effective Date and Sunset
    This section specifies that the act will take effect a year after
enactment, and sunset 10 years from enactment.
    While Congress and the Commission should continue to revisit data
security issues, security requirements and rights in personal
information should not automatically sunset. We suggest striking the
sunset provision.
Section 8 Authorization of Appropriations
    This section would authorize a yet to be determined amount to the
Commission. For reasons explained above, we support greater funding of
the Commission.
                               conclusion
    Mr. Chairman and Members of the Committee, thank you for inviting
me to testify on the Discussion Draft of Data Protection Legislation. The
Discussion Draft is a good first step in addressing security risks
presented both by ordinary companies and information brokers. We
recommend that the Committee move the legislation, with reasonable
enhancements, including an option for credit freeze, requirements that
security measures include audit trails, and public reporting of
security breaches to the Federal Trade Commission.

    Mr. Stearns. Thank you.
    Mr. Burton, welcome.

                   STATEMENT OF DANIEL BURTON

    Mr. Burton. Thank you, Chairman Stearns, Congressman Towns,
distinguished members of the committee. My name is Daniel
Burton. I am Vice President of Entrust, Inc., which is
headquartered in Addison, Texas. And Entrust is proud to secure
the digital identities and information of over 1,400 government
agencies and enterprises and over 50 countries around the
world.
    Let me start by underscoring two points.
First, the data
security threat you address today is very real, and your
efforts are timely and critically needed.
    Second, there are effective market solutions readily
available that can address most of today's threats and give
your constituents greater peace of mind.
    Over the past few years, while the public's attention has
been riveted on homeland security, old-fashioned crime has
infiltrated the Internet. The terms we use to describe it:
spyware, phishing, identity theft, were relatively unknown only
a few years ago. These cybercrimes occur at the crossroads of
privacy and security and are prevalent today.
    This committee's draft bill correctly embodies two critical
principles necessary to combat cybercrime.
    First, it encourages enterprises to implement effective
data protection programs to prevent the theft of digital
information. Second, it encourages them to alert individuals
when their personal information has been compromised.
    Since I last testified before this committee just 2 short
months ago, 17 new data breaches have been made public. They
cover a broad cross-section of organizations, from a big data
services company to a high school. In the aggregate, these
notifications indicate that over 44 million identities may have
been compromised in just the past 78 days. And these are just
the breaches we know about.
    In response, 18 States, most of which are represented by
distinguished members on this committee, have passed breach
notification laws. In addition, we have seen private class
action lawsuits, State lawsuits, shareholder lawsuits, an FTC
enforcement action, and a major corporation assert that it will
no longer tolerate lax data security from business partners.
    The fact is, many entities who hold sensitive personal data
simply do not keep it safe, either by choice or because they do
not understand how to protect it.
If they are left to figure it \nout on their own without any guidance from Congress, many of \nthem will continue to lose the battle against today\'s \nsophisticated cybercriminals, and your constituents will pay \nthe price.\n    Clearly, it is time for Congress to act. This committee\'s \ndraft bill is an essential step in the right direction, and \nEntrust is proud to support it. This draft gets a lot of the \nkey elements right. It focuses on electronic data. It covers \nall persons who hold personal data, and includes special \nrequirements for data brokers. It encourages comprehensive \ninformation security policies and procedures. It establishes a \nnational breach notification requirement that preempts State \nlaw. It gives regulatory authority to the Federal Trade \nCommission. It points to a reasonable notification standard. \nThe committee is to be commended for including these elements \nin the draft bill.\n    Given Entrust\'s experience, I would recommend three other \ncritically important additions to make sure that this bill \naccomplishes what you want it to.\n    No. 1, you must actively engage corporate executive \nmanagement and boards of directors in the effort to secure \nsensitive digital information. Specifically, the bill should \nrequire regular information security risk assessments, audits, \nand progress reports to CEOs and boards of directors. These \nmeasures will assure that American board rooms begin to view \ninformation security as a key component of business plans, not \njust another burdensome technology issue.\n    No. 2, just like the 18 States that have passed breach \nnotification laws, you should create a safe harbor for \ncompanies who do the right thing and encrypt their data. All of \nthe State breach notification laws that have been passed so far \nrequire consumer notification only in the event of a breach of \nunencrypted personal information. 
The reason is that even if \nthieves get access to encrypted data, they will not be able to \nmake sense of it since it consists of an indecipherable jumble \nof symbols to anyone looking at it without the proper keys. If \nthe members of this committee are going to preempt their own \nState laws, I would strongly encourage you to embrace their \nwisdom on this issue.\n    Third, and finally, in order to create a safe harbor for \nstrong encryption, you must define it. To assure that you \ndefine strong encryption without picking winners and losers or \nlocking in a static technology, you should reference NIST\'s \nstandards. NIST\'s standards are developed in close consultation \nwith industry and are flexible enough to allow standards bodies \nto drop older encryption products and certify new ones as the \ntechnology evolves. Failure to define encryption in Federal \nlegislation could lead to the emergence of conflicting \nrequirements across the United States.\n    In closing, I want to reaffirm that your draft data \nsecurity bill makes a strong legislated statement. These \nadditions will help make sure that it fully accomplishes your \npurposes of protecting sensitive personal information.\n    Thank you.\n    [The prepared statement of Daniel Burton follows:]\n   Prepared Statement of Daniel Burton, Vice President of Government \n                         Affairs, Entrust, Inc.\n    Good Morning. Chairman Stearns, Ranking Member Schakowsky and \ndistinguished Members of the Subcommittee, thank you for holding this \nhearing and giving me the opportunity to provide testimony on this \nimportant subject. My name is Daniel Burton, and I am Vice President of \nGovernment Affairs for Entrust, Inc. We are headquartered in Addison, \nTexas and are proud to provide cybersecurity software solutions for \nover 1,400 government agencies and enterprises in more than 50 \ncountries. 
In my testimony today, I will discuss data security and this \nCommittee\'s draft legislation.\n    As a global leader in securing digital identities and information, \nEntrust has insight into the severity of the risks and the nature of \nthe threats that concern consumers, enterprises and policymakers alike. \nOur extensive international experience securing governments and \nenterprises around the globe, along with our policy experience co-\nchairing two national information security task forces, leads me to \nunderscore two points. First, the threat you attempt to address today \nis very real and your efforts are timely and critically needed. Second, \nthere are ready and effective market solutions available that can \naddress most of today\'s threats, secure many of our most vulnerable \ndigital assets and, more importantly, give your constituents a greater \npeace of mind.\n    Over the past several years, while the public\'s attention has been \nriveted on homeland security, old fashioned crime has infiltrated the \nInternet. The terms we use to describe it--spyware, phishing and \nidentity theft--were relatively unknown only a few years ago. These \ncrimes occur at the crossroads of privacy and security. Most of them \ninvolve gaining unauthorized access to sensitive personal data. \nSometimes criminals gain this access through technological means; \nsometimes they trick users into revealing the data; sometimes they rely \non insiders with privileged access; and sometimes they hack into \ndatabases or steal the information outright. No matter how the crime is \ncommitted, however, the goal of public policy remains the same--\nencouraging enterprises to implement effective data protection programs \nto prevent theft and to alert individuals when their personal \ninformation has been compromised. 
This Committee\'s draft bill correctly \nembodies these two important principles.\n    Since I last testified before this committee two months ago, \nseventeen new data breaches have been made public. They cover a broad \ncross-section of organizations--data services companies, banks, \ncorporations, universities, a high school, a community college and a \ntravel agency. In the aggregate, these notifications indicate that over \n44,600,000 identities may have been compromised since May of 2005. And \nthese are just the breaches we know about. Many breaches are uncovered \ndeep inside an organization, never brought to the attention of senior \nmanagement and therefore never made public. Others, as we have learned \nfrom some recent announcements, tend to be minimized in initial public \nstatements and only fully disclosed later under scrutiny. As the legal \nand market penalties for these breaches mount, organizations will be \neven more careful about what they reveal.\n    In reaction to data breaches, 35 states have introduced data breach \nlegislation, and 18 states have passed breach notification laws. The \nspecifics of these laws vary from state to state, but they all require \norganizations to notify individuals whose personal information has been \ncompromised. In doing so, they aim not only to protect consumers, but \nalso to encourage organizations to be more diligent in securing \npersonal information. In the absence of Federal legislation, we\'re sure \nto see even more states pass data breach notification bills next year.\n    State legislatures are not alone in responding to these breaches. \nIn the past few months, we have seen private class action lawsuits, \nstate lawsuits and shareholder lawsuits against organizations that have \nsuffered breaches. As more and more breaches are made public, more \nlawsuits are sure to be filed. In addition, Federal regulators have \nengaged. 
The FTC recently settled an enforcement action against BJ\'s \nWholesale Club that requires it to implement a comprehensive security \nprogram and undergo independent audits. Perhaps most importantly, the \nrecent announcement of VISA that it may no longer do business with \nCardSystems Solutions, Inc., is a clear market signal that business \npartners will no longer tolerate lax data security.\n    The public avalanche of data breaches is damaging consumer \nconfidence and could endanger our economy. A January 2005 IDC Survey \nshowed that close to 60% of US consumers are concerned about identity \ntheft. A recent survey that Entrust conducted reaffirmed this concern. \nIt found that 80% of individuals are worried about someone stealing \ntheir on-line identity and using it to access their on-line bank \naccounts. If consumers pull back from online transactions, the promise \nof e-commerce and the productivity gains of the past decade will be at \nrisk.\n    We should remember that it\'s no longer just your local bank and \ncredit card company that hold your personal information. Numerous \nretailers, data brokers, on-line merchants, corporations and other \nvendors also have ready access to it. Many of these entities do not \ntake adequate measures to keep this information safe, either by choice \nor simply because they do not understand how to protect it in a world \nof constantly evolving digital threats. If they are left to figure it \nout on their own, many of them will continue to lose the battle against \ntoday\'s sophisticated cyber-criminals. In fact, things may get worse \nbefore they get better because even when organizations do grasp the \nneed for comprehensive data security, it still takes time to put \neffective programs in place. 
This delay is unfortunate because there \nare ready and effective solutions available to address most of today\'s \nthreats.\n    Given the substantial risks facing American consumers and the US \neconomy, it is time for Congress to act. In doing so, it should take \ninto account the needs of consumers, corporations and citizens, and \nembrace the protections embodied in the 18 state breach notification \nlaws. Congress should encourage a program of security management that \nbalances the need to protect personal information and notify consumers \nin the event of a breach with the need to grow the digital economy and \nencourage innovative technology solutions. This Committee\'s draft data \nsecurity bill is an essential step in the right direction, and Entrust \nis proud to support it.\n    This draft bill gets a lot of the key elements right:\n\n* It focuses on electronic data. The bill correctly recognizes that the \n        crux of the problem is the growing theft of computerized data. \n        As you know, the electronic data targeted by cyber criminals \n        contains the personal information that has become such a \n        valuable commodity in today\'s world. Your draft bill, by \n        resisting the temptation to create an overly expansive approach \n        to data security that includes both paper and electronic \n        records, strikes to the very core of what must be protected.\n* It covers all persons who hold personal data and includes special \n        requirements for data brokers. Breach notification should apply \n        to any agency, enterprise or person who owns or licenses \n        computerized data containing the sensitive personal information \n        of others. It should not be limited to data brokers. 
The goal \n        should be to protect sensitive personal data, no matter who \n        holds it, instead of focusing exclusively on a few specific \n        sectors or industries.\n* It encourages comprehensive information policies and procedures. This \n        is a vital provision that is not yet included in many state \n        breach notification bills. Reasonable security practices \n        encompass a combination of technology, policy and management \n        expertise. Organizations that own or license computerized data \n        containing personal information should be required to develop, \n        implement and maintain reasonable security measures based on \n        widely accepted voluntary industry standards or existing \n        Federal law.\n* It establishes a national breach notification requirement that pre-\n        empts state law. Since 18 states have already passed data \n        breach notification laws and more are sure to do so, it is \n        incumbent on Congress to create a consistent national standard.\n* It gives regulatory authority to the Federal Trade Commission (FTC). \n        Given the reality of widespread cyber crime and the fact that \n        market forces have not resulted in adequate data security \n        programs, it is appropriate for Congress to provide regulatory \n        guidance. The FTC is the proper regulatory agency to undertake \n        this responsibility.\n* It points to a reasonable notification standard. The goal of \n        legislation should be to make the notification standard as \n        narrow yet as effective as possible in order to encourage \n        notice of breaches that carry a significant risk and discourage \n        over-notification. 
In crafting this trigger, Congress should \n        bear in mind that in most cases it is difficult to determine \n        what happens to the data after it is breached and therefore to \n        calibrate precisely the risk to consumers.\n    The inclusion of these important elements in the Draft Bill is to \nbe commended. Given Entrust\'s experience, I would encourage this \nCommittee to include three additional changes to the bill in the hope \nof further improving its efficacy and cost efficiency. These changes \nwill appeal to governments, businesses and other entities that control \ncritical data since they will help provide a meaningful road map to \nnavigate the tricky and technical world of data management.\n    1. Require the Active Engagement of Executive Management--Whether \nCongress gives the FTC responsibility for providing regulatory guidance \nfor reasonable security or leaves that responsibility with industry, it \nis imperative that corporate executive management and boards of \ndirectors be actively engaged. American board rooms must begin to view \ninformation security as a key component of business plans, not just \nanother burdensome technology issue. Congress must realize that \nsecuring digital information is not simply a technical challenge, but \none that begins with management embracing its responsibility to protect \ndata in the first place. While it is essential to encourage such \ntechnologies as strong authentication and encryption, they cannot \nsubstitute for executive attention and corporate policy. In this \nrespect, the draft bill\'s focus on appropriate policies and procedures \nis critical. Specifically, the bill should require regular risk \nassessments, audits, and progress reports to the CEO and Board of \nDirectors. These types of actions will go a long way toward elevating \ninformation security in the corporate decision-making process.\n    2. 
Create an exemption for Encryption--The Committee\'s bill should \nalso encourage the use of strong encryption, just as California and \nother states have done. All of the 18 state breach notification laws \nthat have been passed so far (Arkansas, California, Connecticut, \nDelaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, \nMinnesota, Montana, Nevada, North Dakota, Rhode Island, Tennessee, \nTexas and Washington) require consumer notification only in the event \nof a breach of unencrypted personal information.\n    The reason for this exemption is that even if thieves get access to \nencrypted data, they will not be able to make sense of it. Encrypted \ndata consists of an undecipherable jumble of symbols to anyone looking \nat it without the proper keys. This provision is especially important \nfor laptops and disks that are lost or stolen in transit. I should note \nthat state legislatures included this exemption not because of any \nlobbying by the high tech industry, but because of the requests of \norganizations that hold significant amounts of personal data. These \norganizations view this technology as the final line of protection to \nensure that even if criminals get past the gate they cannot access the \nreal content. This provision also helps provide guidance to \norganizations that want to secure their digital information but are \nunsure what baseline measures to take.\n    3. Define Encryption--In order to define encryption without picking \nwinners and losers or locking in a static technology, Congress should \nreference NIST standards. 
I would recommend the following definition \nfor encryption, which has been adopted by the Cyber Security Industry \nAlliance:\n        The protection of data in storage or in transit using an \n        approved encryption algorithm implemented within a validated \n        cryptographic module that has been approved by NIST or another \n        recognized standards body, combined with the appropriate key \n        management mechanism to protect the confidentiality and \n        integrity of associated cryptographic keys in storage or in \n        transit.\n    This definition references standards that are developed in close \nconsultation with industry, and does so in a flexible way that allows \nstandards bodies to drop older encryption products and certify new ones \nas the technology evolves. It is important to note that it also \nrequires that the cryptographic keys which can unlock this data be \nmanaged in an appropriate, secure manner since these keys are just as \nvaluable and sensitive as the data they protect. The flexibility this \ndefinition allows is crucial since any definition that cannot \naccommodate evolving technology cannot help defend against evolving \nthreats. Because this definition is not vendor or product specific, it \nwill allow the market to drive choices about security solutions. \nFailure to include a definition in Federal legislation could lead to \nthe emergence of conflicting encryption requirements across the United \nStates.\n    This Committee\'s draft Data Security Bill makes a strong \nlegislative statement. These additional suggestions will better protect \ndata, harmonize the Federal plan with laws that have been adopted by 18 \nstates, and help show organizations how to secure the personal \ninformation in their possession. 
By including language that encourages \norganizations to consider information security at the highest levels of \nmanagement, Congress can encourage appropriate data security practices \nat all levels of an organization. And by including language that \nencourages the use of encryption and defines it, Congress can create a \nformidable second line of defense against thieves and hackers.\n    The stage is set for Federal legislation. The menace of cyber crime \nis undeniable. The cost to consumers and enterprises is enormous. And \nthe multiplicity of state bills highlights the need for a consistent \nFederal regulatory framework. This draft bill gets a lot of the key \nelements right and provides an excellent platform for legislation. This \nCommittee should be congratulated for its leadership.\n\n    Mr. Stearns. Thank you, Mr. Burton.\n    I will start with the questions.\n    Mr. Hoofnagle, I think you read about these security \nbreaches and it\'s great headlines. And I guess of the 60 \ndifferent breaches, 50 million American consumers have been \naffected. I think you mentioned that in your testimony. Do you \nknow how many individuals were either victims of identity theft \nor information that was misused within this huge number?\n    Mr. Hoofnagle. Mr. Chairman, that is a very difficult issue \nto determine.\n    Mr. Stearns. Yes.\n    Mr. Hoofnagle. In reference to the ChoicePoint breach where \nreportedly 144,000 records were stolen by a fraud ring, a \nNigerian fraud ring in California, 750 of those cases have been \nassociated, in some way, with identity theft. But it is very \ndifficult to track down when or if identity theft occurs. 
There \nis also the difficulty that there might be a major delay between \nthe data security breach and the actual crime of identity theft. \nSince critical identifiers used by credit companies, such as \nyour Social Security number and date of birth, do not change, \nif one is stolen today, there is really no reason why someone \ncan\'t victimize you 2 years down the road.\n    Mr. Stearns. You know, I read these in the newspaper, and \nyou know, it is just so alarming. But as you point out, a very \nsmall number of those are affected by this identity theft. You \ntestify that security breaches can occur for reasons other than \nidentity theft, and so I mean, do we want to come back with \nthis bill and put this overlay of the Federal Government on \nthese people when we are trying to really pinhole a problem \nhere? Should the bill require notification for risk of these \nother misuses?\n    Mr. Hoofnagle. I think the Federal banking standards are \nset at reasonable risk of misuse of personal information, and I \nthink misuse is the right term to use rather than identity \ntheft. For instance, in this New Jersey case where bank \nofficials were selling data to debt collectors, it did not \ninvolve----\n    Mr. Stearns. Identity theft, right.\n    Mr. Hoofnagle. It did not involve identity theft. This was \na case where, you know, the security was being breached for \nprofit at these sophisticated financial institutions. It didn\'t \nhave anything to do with identity theft. It had to do with this \nother type of privacy violation. And I think that the \nlegislation should encompass that type of security breach.\n    Mr. Stearns. Mr. Hintze, you state in your testimony that \nlegislation should codify into law the FTC implementing \nregulations under the Gramm-Leach-Bliley. Should the FTC be \ngiven the authority to modify these provisions by rule to adapt \nto changing business and security concerns? Why or why not?\n    Mr. Hintze. Yes, Mr. Chairman. 
We think that the FTC should \nhave the authority to make rules in this space, however that \nauthority should be guided by Congress in terms of directing \nthe FTC to adopt a flexible standard around information \nsecurity programs.\n    Mr. Stearns. If the notification obligations are only \napplied to encrypted data, might that let some potential bad \nactors off the hook? Why or why not?\n    Mr. Hintze. We don\'t think so. We think the standard around \nunencrypted data is a reasonable standard. It is the standard \nthat the States have adopted. There have been questions raised \nabout how you define encryption, and while we wouldn\'t support \na specific mandate in the legislation itself, we could support \nsomething like a reference to the NIST standards or some other \nstandard that could evolve over time to ensure that reasonable \nand strong encryption is used.\n    Mr. Stearns. Mr. Burton, do you have a comment on that?\n    Mr. Burton. Yes, I think that the encryption standard is \nvery important. I think first, as I mentioned in my testimony, \n18 States have that unencrypted information in the definition \nof their laws, and I would note that those include Florida, \nTexas, and Tennessee. And I think that encryption is perceived \noften as a complex issue. The way these States have mentioned \nit, it is not a mandate: it is a voluntary action, which \nprovides a safe harbor. And I think this is especially \nimportant for mainstream companies who do not understand the \nworld of cybercrime and protecting digital information, and it \ngives them a straightforward way to go in, protect their data, \nand know that they have some sort of safe harbor. And if that \nis associated with NIST standards, then Congress can rest \nassured that it is good, solid encryption.\n    Mr. Stearns. So if you were writing the bill, would you \nmandate that we use the National Institute of Standards and \nTechnology as a guide?\n    Mr. Burton. I would. 
In my formal testimony to this \ncommittee, I included a definition of encryption, which \nreferences NIST standards, which has been endorsed, actually, \nby the Cybersecurity Industry Alliance.\n    Mr. Stearns. Okay.\n    Mr. Burton. And I think I would include that definition in \nthe legislation, yes.\n    Mr. Stearns. Ms. Maier, you suggest changing the definition \nof security breach, eliminating the need for an FTC rulemaking. \nBut you also state in TRUSTe\'s guidelines that those guidelines \nare intended as a first draft and that security policies and \nprocedures need to change and evolve as technologies and \nbusinesses do the same. By that logic, wouldn\'t it make sense \nto allow the FTC to do this by rule so that the FTC can modify \nthe standard in the future if it is necessary?\n    Ms. Maier. Chairman Stearns, yes, I agree that I think the \nFTC can find positive and good ways to provide the rulemaking \nthat does provide for the flexibility and the evolution of the \nrules. So I would agree, yes.\n    Mr. Stearns. Okay.\n    Mr. Towns.\n    Mr. Towns. Thank you very much, Mr. Chairman.\n    Let me begin with you, Ms. Maier.\n    You mentioned in your remarks that TRUSTe works closely \nwith the California Office of Privacy Protection and its \nongoing efforts to provide guidance to businesses and consumers \non privacy and security issues. First of all, I want you to \nelaborate a little more on that, but how did these 1,500 \ncompanies become affiliated with you?\n    Ms. Maier. Thank you for asking that question.\n    TRUSTe has been around since 1997. Companies who want to \nshow to their consumers as well as to others that they take \nprivacy seriously voluntarily join the TRUSTe program and \nsubject themselves to our standards. 
And our standards require \na very good privacy statement, disclosure about their practices \nrelating to the data that they collect on their website, that \nthey abide by reasonable security standards, and provide \nprovision and choice to consumers regarding the sharing of \ntheir information. And so it has been a successful program with \n1,500 companies joining in and subjecting themselves to the \nstandards. We developed the security guidelines to help them \ndefine what is reasonable security, and that has also been very \nsuccessful.\n    It makes sense for us to work with the California Office of \nPrivacy Protection, because many times, as you well know, a lot \nof legislation comes out of the State of California and has \nvery broad impact, and we have enjoyed a good relationship with \nthem serving to help develop some guidelines, not rules, per \nse, but guidelines for businesses in terms of the practical \nimplementation of these rules. And our experience in California \nin our relationship with the California Office of Privacy \nProtection suggests that the California law is working, and it \nis having a positive impact in two ways: one, in providing \nconsumers with notice of breaches and some redrafts and \ninformation in terms of what to do under that notice; and two, \nproviding a market incentive for companies to put into place \nbetter security.\n    Mr. Towns. Thank you. Thank you very much.\n    Mr. Hintze, what is your position on broader legislation \nthat it would better inform consumers about who is using their \npersonal information and how?\n    Mr. Hintze. We recognize that as a result of the recent \nsecurity breaches that have been publicized, there is an \nincreasing concern among consumers that they simply don\'t \nunderstand how their data is collected and used and transferred \namong different entities, and there is a lack of transparency \nthere. 
We believe there is an appropriate role for legislation \nto address those broader issues, and we look forward to working \nwith the committee on developing the right rules around that.\n    Mr. Towns. All right. State Attorney Generals have played \nan important role over the past few years on data security \nissues. Does Microsoft believe that State Attorney Generals \nshould be able to enforce the Federal legislation?\n    Mr. Hintze. Yes, we do. Similar to the approach that was \ntaken in the Can Spam Act, we think that State Attorney \nGenerals have an important enforcement role, and we would \nsupport an addition to the discussion draft that would make \nthat clear.\n    Mr. Towns. All right.\n    Mr. Hoofnagle, regarding your concerns with our draft, what \nare your thoughts on the feasibility of general privacy \nrestrictions? How can we work to structure the limit of the \nsale of information, which is a problem, as you indicated?\n    Mr. Hoofnagle. Representative Towns, thanks for asking that \nquestion. It is very difficult to describe data protection in 5 \nminutes, but the common denominator for data protection are \nfair information practices. These are rights that limit the \ncollection of information to the minimum necessary to engage in \na transaction. They are rights to give you access to your data \nwhen they are held by companies, a right to correct your data \nwhen it is inaccurate, and a right to have your data deleted \nafter a certain amount of time when it is no longer relevant or \nneeded for business purposes. These rights are present in many \nnations\' laws, but to this date, the United States has not \nadopted these types of restrictions in the private sector. They \ndo apply to the Federal Government, however, and the Privacy \nAct itself has many of these fair information practices to stop \nthe government from creating a data center on its citizens.\n    Mr. Towns. All right. Thank you very much.\n    Let me ask you, Mr. 
Burton.\n    In your testimony, you state that you believe that if data \nis encrypted, companies should be provided a safe harbor and \nnot be required to disclose when there has been a breach of \nsecurity. Do you believe this should be the case when the \ncompromise of information was due to an insider who has the key \nto the encryption? Couldn\'t an insider provide the key to the \nsame people he or she is selling the data to? Or how should \nencryption protect against insiders who are accessing and \nperhaps selling personal information that they shouldn\'t be \nselling?\n    Mr. Burton. That is a very good question, Congressman, and \none which was alluded to earlier.\n    I think the way that I would use the term encryption, and I \nthink the way that all of the States use this term, is if you \nhave a key, the data is not encrypted. Whether I am an insider \nor an outsider, if I have the encryption keys, I can, \ntherefore, unlock the data, and then it is clear text. So the \nencryption safe harbor would only apply to data for which one \ndid not have the keys and therefore it was still encrypted. And \nI will give you an example. Actually, I think it happened in \nthe State of New York. Time Warner had disks. 600,000 of its \nemployees were compromised. Those disks, had they been \nencrypted, you know, they were lost in transit. And that would \nnot have had to have been reported, because the data would have \nbeen scrambled. Similarly, I think there are something like \n50,000 laptops which are left in airports around the country \ntoday. It is very easy to encrypt the data on those laptops. It \nis not expensive. It is not complex technology. If those are \nencrypted and lost, the person who is going to find those will \nnot have the keys, and therefore the data would be safe.\n    Mr. Towns. Thank you very much.\n    Mr. Stearns. I thank the gentleman.\n    Ms. Blackburn.\n    Ms. Blackburn. Thank you, Mr. 
Chairman, and thank you to \nthe witnesses.\n    You know, I find it really interesting we are sitting here \nhaving this discussion, and a decade ago, there was PGP and the \ntroubles that surrounded that and the designer of that \ntechnology and application. And of course, we all know what \nhappened with that. And the government didn\'t want that \napplication taking place, and now we are sitting here talking \nabout how government wants files encrypted and data protected, \nand it is for privacy concerns. And so it is an interesting \ndebate and an interesting discussion.\n    I do have several questions. I know I am not going to get \nthrough them, and I will not be here when we do a second round, \nso I am going to submit some questions to you all.\n    Mr. Hoofnagle, I think I am going to begin with you.\n    And let us talk about the misuse to which you spoke, \nbecause as we have worked on the identity theft issue and the \npiracy issue with our constituents, this misuse, as you \nmentioned, does come up regularly. And have you all noticed any \nattempts by foreign corporations or businesses or governments \nto try to buy data on Americans from any data brokers?\n    Mr. Hoofnagle. We at EPIC have extensively used the Freedom \nof Information Act to determine how companies like ChoicePoint \nand Acxiom and LexisNexis, which are where commercial data \nbrokers buy and sell data. We do not have evidence that these \nentities are selling data to outside the country. I don\'t think \nthat there would be any law restricting them from doing so, if \nthey chose to. We do know that the companies have data on \ncitizens of other nations, and sometimes the reverse happens. \nAmerican companies, or American governments, buy data on \ncitizens of other nations.\n    Ms. Blackburn. Okay.\n    Ms. Maier, do you have a comment on that, please?\n    Ms. Maier. 
We have not been able to identify absolutely \nthat foreign companies have been able to access or sell or \nmisuse American data. That is not to say it hasn\'t happened.\n    Ms. Blackburn. Okay. Ms. Maier, let me ask you one other \nthing.\n    I noticed in the security guidelines paper that you \nsubmitted to us, you reference a couple of European countries \nin your footnoting there. Do you all work with any foreign \ngovernments?\n    Ms. Maier. No, we do not have direct relationships with any \nforeign governments. We do sometimes look at some of the data \nprotection trends happening.\n    Ms. Blackburn. Okay. Great. Then let us talk to those \ntrends for a minute.\n    How are European countries handling their data security \nproblems? Is there anything there that you all have noticed \nthat would be a good lesson learned for us?\n    Ms. Maier. My experience with the European data protection \nstandards is that they have a very strict standard in terms of \nthat individuals own their data and have control. And I think \nto the extent that this proposed legislation and some of the \ncomments that I think EPIC has provided as well as TRUSTe \nsuggest that we continue to provide individuals with access to \ntheir information and ability to change, update it, or redact \nit. That is a really important lesson that I think we can take \nfrom the EU experience.\n    I also would say that the EU experience has demonstrated, \nto some extent, that a lack of enforcement hinders the \nimplementation and the incentive to do some of the right \nthings. And I think that we can do a better job here in the \nUnited States by actively enforcing and providing incentives \nfor companies to really live up to a higher standard.\n    Ms. Blackburn. Okay. Thank you.\n    Mr. 
Burton, one quick question for you.\n    I think it is fair to say that you and some of our \nwitnesses may differ on how this legislation should apply to \nindividuals who may store and use their personal information. \nAnd what I would like to ask you is would it or would it not, \ndo you think, be a substantial economic burden to associations \nand organizations, like churches and private individuals, who \nhave personal information to implement the requirements of the \nbill?\n    Mr. Burton. I think that is a very good question. And I \nthink in my comments I said that the committee was correct in \napplying this to all persons who hold sensitive data. Clearly, \nif you are a small business, if you are a small non-profit, if \nyou do not have, sort of, a lot of administrative ability, then \nthat is something that the committee should take into account. \nSo I think in terms of size of the data set, size of the \norganization, those may be some limits that you want to \nconsider.\n    And Congresswoman, if I can beg your deference for one \nmoment, I would like to go back to encryption, which is an \nissue that I am obviously focused on. And Congressman Towns, \nthere is one important point that I just wanted to make in \nfollowing up your question about the keys to encrypted data. \nAnd I would just like to alert the committee that if you think \nSocial Security numbers are important, encryption keys are an \nextremely important part of personal data, because as you \nrightly pointed out, if you get those keys, you not only get \nSocial Security numbers, you get whatever data is encrypted. \nAnd that is why when I submitted a definition of encryption, we \nvery specifically took into account the need to protect those \nkeys. There are lots of encryption schemes that leave the keys \nin the clear, they are easy to get, and easy to hack into. 
And \nso as this committee thinks through that issue, you should pay \ncareful attention to making sure that those encryption keys are \nprotected.\n    Thank you, Congresswoman.\n    Ms. Blackburn. Thank you.\n    I yield back.\n    Mr. Stearns. The gentlelady yields back.\n    Mr. Gonzalez.\n    Mr. Gonzalez. Thank you very much, Mr. Chairman.\n    And I guess I am going to pose this question to all of the \nwitnesses. You have already touched on it, and I think, Mr. \nBurton, in response to Congresswoman Blackburn\'s own question \nregarding about size and who would it apply to. As currently \nwritten, it would apply to each person engaged in interstate \ncommerce that owns or possesses data in electronic form \ncontaining personal information. And we do many things here \nwith unintended consequences, but we are going to go ahead and \ndelegate these duties to the FTC and such. And the first \nquestion that they are going to have is, you know, who comes \nunder this jurisdiction of this particular law. And while I \nrecognize that there may be problems in its application to \neveryone and everything, the way I would like this law to end \nup is something to the effect of, you know, don\'t collect it if \nyou can\'t protect it. And that really should be driving this. \nAnd still be practical about it. And that is going to be a \nreally hard balance, and I don\'t know how we are going to pull \nthis thing off.\n    So that is my question to each and every one of you, and I \nknow that some of you may want to expand on earlier remarks. Do \nwe have a problem in just defining who comes under this \nparticular net or who we capture in this particular regulatory \nnet, if each person engaged in interstate commerce that owns or \npossesses the data? We have made some distinction with \ninformation and data brokers, which we understand, and we can \nidentify those people pretty easily. 
But there is a whole lot \nelse happening out there, and we will get to this solution \nagain. But let us start off with this basic concept on \njurisdiction and who comes within it. And we will go with the \nfirst witness.\n    Ms. Maier. Thank you very much.\n    We do very much care about the definition of who is under \nthe jurisdiction. As I mentioned in my testimony earlier today, \nconsumers don\'t care. If your information is breached and it is \nyour sensitive information or your Social Security number, your \ndriver\'s license, your mother\'s maiden name, your health \nrecords, your financial accounts, it does not matter if it \ncomes from your retailer online or off-line nor does it matter \nif it comes from, perhaps, the California Department of Motor \nVehicles or some other State\'s motor vehicles or my employer \nrecords. So I think it is important that we try to keep the \njurisdiction, at least for the notice and the implementation of \nsecurity guidelines with incentives for security to be as broad \nas possible. And we recognize some other committees might be \nlooking at their own jurisdiction, for example, or a financial \ninstitutions. We applaud those efforts. But to the extent that \nthis committee can apply it broadly and extend it even to \ngovernment, we think that that would be a very good place. And \none reason for that is we think, again, consumers are going to \nfeel violated no matter where it happens. They don\'t draw the \nlines as fine as we do. And the second thing is that you really \nwant to provide incentives for everybody to put in proper \nsecurity.\n    Mr. Hintze. We agree that we think the legislation should \napply to all entities that hold personal information. A couple \nof things that we would point out, though, in the position that \nwe have taken on this that would alleviate some of the concerns \nthat you have raised, we have advocated a similar approach \nunder this legislation as is taken in Gramm-Leach-Bliley. 
As \nMs. Maier said, consumers don\'t care about whether or not the \ndata was breached by a bank, a retailer, or a small business. \nIf the data is breached, the threat can potentially be as \nserious regardless of the source. And so we would urge the \ncommittee to look at adopting a consistent standard with what \nis currently imposed upon banks and financial institutions \nunder the GLB. We have also suggested a flexible standard here. \nAnd some of the factors that should be considered in \ndetermining what the right kind of information security program \nthat a business should adopt include the size and complexity of \nthe business and the sensitivity of the personal information \nthat they collect. And so that gives a great deal of \nflexibility to reduce the burden on smaller businesses and \nbusinesses that don\'t collect the most sensitive personal \ninformation. And if we still think that there is a concern \naround the burden on small businesses, we have suggested in our \nwritten testimony, I believe, that we could support an \nexception for businesses that handle small amounts of \ninformation rather than based on the size of the business \nitself. We think that a reasonable approach might be something \nlike if a business handles less than 5,000 records over the \ncourse of a year that there could be a reasonable exception \nthere or a reduction of the burdens there rather than just \nbasing it on small businesses, because a very small business \ncould hold enormous amounts of very sensitive personal \ninformation, and it just doesn\'t make sense to exempt them.\n    Mr. Hoofnagle. Representative Gonzalez, we think that there \nneeds to be very broad application of data security standards, \nbecause in previous laws where there have been limited \njurisdiction or limited applicability of privacy laws, data \nbrokers and other companies that sell data organize in such a \nfashion so that they do not have to comply with those Federal \nlaws. 
And the standard example is the way ChoicePoint and other \ndata brokers are organized to escape some provisions of the \nFair Credit Reporting Act. And so unless there is broad \napplication, we risk creating a new industry that fits into a \nloophole.\n    Mr. Burton. Yes, Congressman Gonzalez. I think one could \nsuccessfully run for political office on the slogan, ``Don\'t \ncollect it if you can\'t protect it.\'\' And I think that you are \nabsolutely right, and the Committee is absolutely right, to \nfocus on the data, not who holds it. And what this legislation \ndoes, which tries, and I think in large extent, successfully \ngets at that question, it is not any data. It is sensitive \nprivate data commingled with public identifiers. And it is when \nyou put those two data sets together that there is the \npossibility for harm.\n    In response to the Congresswoman\'s question earlier, I \nwould doubt that most churches hold Social Security number, but \nif my church is holding my Social Security number and they get \nhacked, I would sort of like to know about it. So I think there \ndo have to be some limits, some size of data sets, but I think \nthe basic principle embodied in this legislation to follow the \ndata is the correct one.\n    Mr. Gonzalez. Thank you very much.\n    Mr. Stearns. I thank the gentleman.\n    The gentleman from Nebraska, Mr. Terry.\n    Mr. Terry. You would be surprised what churches have. Most \nchurches now have financial records, because they want you to \ndo direct deposits now, electronic transfers so they don\'t have \nto worry about whether you show up on Sunday and put your check \nin the basket, because it was automatically done on Friday. So \nwe have got to worry about the little neighborhood vitamin \nstore that may have personal information, including health \ninformation. So I do agree with the phrase you need to protect \nthe data.\n    So let us talk about that a little bit.\n    And Mr. 
Burton, you have come here with the theme of \nencryption, and I believe that that is kind of the last \ndefense. And I have had people show me how easy it is to \nunencrypt or decrypt, and in fact, at the University of \nNebraska in Omaha, they went online for me and showed me all of \nthe different downloads that you can get just online that will \nunencrypt the basic information. So to me, that is the last \nline of defense. At least you make it tougher, and it is only \nthe real data-miners that are out there that are going to know \nwhere to get that technology. The casual user that finds a \nlaptop in the airport probably isn\'t going to know which sites \nto go to to get their de-encryption software. But as I also \nunderstand, that is free on the Internet, too.\n    So the issue then becomes the vulnerabilities, and this \nproposed legislation does talk about redacting. In fact, I \nthink the language in is to mitigate and reduce all of the \noperating software vulnerabilities, which takes me back to part \nof a presentation I had by an IT professor to Microsoft that \nsaid that there are literally thousands of vulnerabilities in \nthe operating software.\n    So to Microsoft, let us talk a little bit about the \nvulnerabilities that are inherent in the operating software, \nnot necessarily yours, but you do kind of dominate the market \nin operating software. As I understand there are inherent \nvulnerabilities that are absolutely necessary to the operation, \nand sometimes there aren\'t. How do we differentiate? Because I \nthink the first line of attack is reducing the number of \nvulnerabilities that hackers or data-miners can use to \npenetrate the system. So what is Microsoft doing? What do you \nrecommend to us by way of the proper language where we can \nrealistically close those vulnerabilities but yet still have \nthe vulnerabilities? And then my last question is who has the \nresponsibility for us in the legislation? 
Who do we place the \nresponsibility on? The Acme Data Corporation who has the \nresponsibility of protecting the data directly, because they \nare the ones that own the data? Or is it somewhere that the \nowner or the makers of the operating software?\n    So I will start with you, Mr. Hintze, and anyone else who \nwants to chime in on that issue.\n    Mr. Hintze. Thank you, Congressman.\n    I would first like to point out that Microsoft does take \nsecurity very, very seriously. It is our No. 1 priority in \nsoftware development now. We have invested hundreds of millions \nof dollars over the last couple of years in retraining our \ndevelopers, fundamentally changing our development and release \nprocesses to make security the No. 1 priority, and those \neffects are paying off in the latest releases and security \npatches and updates that we make available free to users \nonline.\n    Having said that, I would also point out that the highly \npublicized issues of security breaches we have seen recently \nhave not been results of software vulnerabilities. They have \nbeen failures of processes, they have been human error and the \nlike. When software is hacked, and it is impossible to make \nperfect software. It is an enormously complex undertaking.\n    Mr. Terry. Are you worried about the language in the bill \nthat says that the operating software has to mitigate all \nvulnerabilities?\n    Mr. Hintze. I am not familiar with that language in there.\n    Mr. Terry. Well, I think that is the intention, and I think \nwe need to work through that.\n    Mr. Hintze. Yes, we will definitely work with the committee \non those issues.\n    The other point is that when there is a hacker attack, \nthere is an intervening criminal act going on, and I think it \nis important to keep that in mind. 
As I said, Microsoft takes \nthis issue very seriously, and we are working very, very hard \nwith our partners, with law enforcement and others and our \nconsumers to help reduce the problem, and we look forward to \nworking with this committee further on that.\n    Mr. Terry. And my last question is who has the \nresponsibility to control the vulnerabilities of the software?\n    Mr. Hintze. As I said, we will continue to work as hard as \nwe can to reduce those vulnerabilities and make the software as \nsafe as it possibly can be. And we think it is a joint \nresponsibility among us, consumers, law enforcement, and \nCongress in helping to make the consumer safe.\n    Mr. Burton. Yes, Mr. Congressman, if I could just comment \nbriefly on your opening statement about encryption.\n    And first of all, thank you for taking the time to have \ndemonstrations and look seriously at it.\n    If you look at encryption, there are sort of three pieces \nto it, and this is why we reference NIST. Are you using a \nstrong algorithm? Is it implemented correctly? Are you \nprotecting the keys? If you do those three things, you are left \nwith a brute force attack in trying to decrypt the data, and \nthat takes hundreds of years. You can\'t download software from \nthe Internet to do that. And I think once you really get strong \nencryption in place, as you say, it is a second line of \ndefense, and it is very important.\n    Mr. Stearns. Maybe just for clarification, I asked counsel \njust about what the gentleman from Nebraska was talking about, \nand I think within the bill, I think what we are talking about \nis requiring the entity that possesses the consumer data, \npersonal data, to take administrative and technological actions \nto secure the data, but we are not asking you to restructure \nthe software or restructure things like that.\n    I am going to ask you, and every member is welcome to a \nsecond round here. 
I am going to go to the heart of where we \nare in this bill and ask--I am sorry, the gentlelady from \nWisconsin. Yes. Sorry.\n    Ms. Baldwin. Thank you, Mr. Chairman.\n    Mr. Stearns. I apologize.\n    Ms. Baldwin. I am going to try, if I can, to ask a series \nof questions and get all of your perspectives, hopefully with \nvery brief answers so that I can get through a couple of \nquestions, some of which you might have already dealt with in \nyour testimony.\n    I am wondering your opinion first on whether there should \nbe State Attorney General enforcement added to the bill. And \nwhy don\'t we just go from my left to right, if you wouldn\'t \nmind, Ms. Maier?\n    Ms. Maier. Yes, we would be in support of State Attorney \nGeneral enforcement.\n    Ms. Baldwin. Okay.\n    Mr. Hintze. We are as well.\n    Mr. Hoofnagle. Yes, the Federal Trade Commission has too \nmuch to do.\n    Mr. Burton. Yes, we support that.\n    Ms. Baldwin. Okay. Is there anyone in the panel who thinks \nthat this legislation should be expanded to deal not only with \nelectronic personal records but paper personal records?\n    Ms. Maier. If I could comment, I think that, first of all, \nwe are very happy to see that was expanded to all electronic \ndata, not just data collected online. That is the most \nvulnerable, or that is the most useful, to a hacker. But we \nwould be supportive of expanding it to paper-based data as \nwell.\n    Mr. Hintze. As we noted in our oral statement, we support \nthat as well. We think whether data was breached in electronic \nor paper form, the effects can be just as devastating to the \naffected individual.\n    Mr. Hoofnagle. Yes, we would agree. There are many cases \nwere sensitive personal information has been on paper and then \nends up in a dumpster, thus the phrase ``dumpster diving\'\'. In \nCalifornia, there was an attempt to expand the security of the \nbreach notification bill to cover paper, but that quest failed.\n    Ms. Baldwin. Okay. 
Mr. Burton?\n    Mr. Burton. Yes, we would prefer a focus on electronic \ndata. If you look at the breaches which actually sparked this \ncommittee\'s interest in this issue, they were all electronic, \nand I think that that really gets at the bulk of the issue, and \nI think that that is the appropriate focus of the bill.\n    Ms. Baldwin. Okay. What is each of your opinion on whether \nwe should have a provision dealing with audit trails for the \ninside jobs?\n    Ms. Maier. Our opinion is that as security policies are \nadopted, audit trails will probably become part of the internal \npolicy. I am not sure if it is required for a broad Federal \nlegislation. With that being said, I think there are some \nopportunities, through a safe harbor program, to allow for \nauditing or encourage it.\n    Mr. Hintze. We think that that may not be the appropriate \nlevel of detail to get into in the bill itself, but certainly \nthat is something that the FTC could look at in the \nimplementing regulations around the development of an \ninformation security program.\n    Mr. Hoofnagle. We support audit trails in part because it \nwas clear in the California hearings concerning ChoicePoint \nthat the company didn\'t know exactly what information was \nacquired by the criminals and in fact had to rerun the searches \none by one to determine what data were actually obtained. An \naudit trail requirement would substantially reduce that \nproblem.\n    Mr. Burton. Yes, I think the audit feature that we would be \nin favor of is broader than that, and that is there needs to be \nan audit of an organization\'s information security programs and \nthat that is really the most important, because that gets at \nprevention. And not only does there need to be an audit, that \naudit needs to be communicated to senior management and the \nboard of directors, because ultimately that then changes the \nculture, which is responsible for better information security.\n    Ms. Baldwin. Okay. 
What is your position on a provision in \nthe bill that would focus on transparency, some sort requiring \nsecurity breaches to be reported to the FTC and perhaps put on \na public website or some additional transparency about these \nbreaches?\n    Ms. Maier. Our opinion is that, first of all, the consumers \nneed to know who are affected, and that should be the No. 1 \nfocus. However, I think that to the extent that any sort of \nnotice, be it public-owned websites at the FTC, in sense \ncompanies have better security practices, then we are \nsupportive.\n    Mr. Hintze. We think that directly notifying consumers is \nclearly the best way to get the message to the people that need \nto know it the most. In terms of public posting through a \nwebsite or through the press, that should be a provision that \nis in the alternative notice when direct notice is either \nfeasible or impossible. Having said that, we would not oppose \nany provision that would require cases where notices are \nrequired to be reported to the FTC.\n    Mr. Hoofnagle. Especially if companies are given discretion \nof whether or not to mail the consumers a notice, we think it \nis very important that the Federal Trade Commission be aware of \nall of the security breaches. It is a weakness in the \nCalifornia law that only those who are affected get notice, but \nthe corresponding strength of that law is that all breaches \nhave to be disclosed. So especially if there is going to be a \ndiscretion standard, and by the way I think there should be \nsome level of discretion. There should be a check on that \ndiscretion by public reporting to the Federal Trade Commission.\n    Mr. Burton. Consumers should clearly be notified of \nbreaches. Sunshine is the best disinfectant, therefore public \nnotices of breaches are also very important.\n    Ms. Baldwin. Thank you.\n    I see I have run out of time, so I yield back.\n    Mr. Stearns. 
I thank the gentlelady for asking those \nquestions.\n    I would like to follow up a little bit on what she talked \nabout. This idea of a State Attorney General enforcement of the \nFederal statute. This is an area that has probably has the most \ncontroversial aspect of our bill. Mr. Burton, your testimony \nstates that Entrust agrees with the preemption provisions of \nthe bill, but some have said that a Federal standard should \ncreate a statutory floor and not a ceiling, allowing States to \ngo further, if they so desire. I guess please explain why \nEntrust believes that a more comprehensive preemption is \nappropriate.\n    Mr. Burton. Well, the concern of much of the private sector \nis that you now have 18 different State breach notification \nbills that is multiplicity of standards, reporting mechanisms, \npenalties, and so what industry is looking to this committee \nfor and the Congress for is sort of a baseline, and I think \nthat is the reason that you will get so much support for your \nlegislation and for preemption. I think given the active \ninterest of States in this bill, you have to allow, and you \nshould allow State Attorney Generals to enforce----\n    Mr. Stearns. The Federal statutes.\n    Mr. Burton. Yes, the Federal statutes.\n    Mr. Stearns. And State courts?\n    Mr. Burton. Let us see. I am not a lawyer, and so I would \nhave to take that under advisement and get back to you.\n    Mr. Stearns. Well, I am going to ask each of you just to \nmake a shot at it, because what the gentlelady from Wisconsin \ntalked about, we had in the spam, but we did not have it in \nspyware, and we have taken, in this bill, the same language \nthat was adopted in the spyware dealing with the preemption. \nAnd, in our opinion, this preemption is important, but we \ncertainly think there are areas that it could be changed. And \nmaybe I will just go to Mr. Hoofnagle. You might comment on \nthis, too, about the preemption provisions in our bill.\n    Mr. 
Hoofnagle. We think the preemption provisions should be \na floor so that States can innovate new solutions, too.\n    Mr. Stearns. So, for example, if California has a higher \nstandard, there would be an exemption for California?\n    Mr. Hoofnagle. No, more broadly, we think, that States \nshould be able to pass new laws when new problems arise. We are \nhere today----\n    Mr. Stearns. So we establish the floor of the bill, and \nthen above that, the States. But then wouldn\'t you be back to \nhaving 50 States with 50 different----\n    Mr. Hoofnagle. In most privacy legislation, it preempts at \nthe floor level.\n    Mr. Stearns. Okay.\n    Mr. Hoofnagle. And it has not created a 50-State set of \nlaws, when Congress does a good job and passes a good law. The \nStates tend not to try to pass conflicting responsibilities.\n    Mr. Stearns. Okay. Mr. Hintze?\n    Mr. Hintze. Yes.\n    Mr. Stearns. Yes, what is your opinion about what the \npreemption in the bill is and do you support it?\n    Mr. Hintze. We do support it. We also would support an \naddition that would permit State Attorney General enforcement \nin Federal court, much like is done in the spam----\n    Mr. Stearns. Okay. So you support what is in the spam \nlanguage----\n    Mr. Hintze. Yes.\n    Mr. Stearns. [continuing] more so than what is in the \nspyware?\n    Mr. Hintze. In this case, we think that State Attorney \nGeneral enforcement at Federal courts is appropriate.\n    Mr. Stearns. Okay. Ms. Maier?\n    Ms. Maier. We are in basic agreement with that as well. \nComing from California, we certainly would like to see this law \nat least meet the standard that California has set.\n    Mr. Stearns. Okay. Well, let me ask one last question.\n    The definition of ``information broker\'\' that has been \ntouched on a little bit by the gentleman from Nebraska. And Mr. 
\nHoofnagle, is the definition of information broker in the draft \nlegislation appropriate, in your opinion, and does it sweep in \nentities that are not information brokers, and does it cover \nall information brokers? That is another area that----\n    Mr. Hoofnagle. Information brokers are very difficult to \ndefine. We have worked----\n    Mr. Stearns. Yes, but you have all of the affiliates of \nAmerican Express. I mean, how much should this bill apply to \nall of those?\n    Mr. Hoofnagle. In some cases, information is traded in such \na way that is consistent with the consumer\'s expectation. So, \nfor instance, a check-cashing clearinghouse you wouldn\'t want \nto consider an information broker. They are affecting a \ntransaction that you requested. Generally, information brokers \nare companies that obtain personal information, often from \npublic records, but also from private sources, and they sell it \nto third parties, who are not affiliates. And I think if you \ncraft a definition that applies to companies that are generally \nselling personal information to third parties and that are not \ninitiated by the consumer, for purposes not initiated by the \nconsumer, I think you limit the field substantially. But you \nare right. It is a very difficult thing to do, because there \nare many companies out there that are selling sensitive \npersonal information without telling anyone and without the \nindividual\'s consent.\n    Mr. Stearns. I think we are going to complete our hearing \ntoday. I want to thank all four witnesses for their time. And I \nthink it has been very educational and helpful to myself and \nour staff on both sides.\n    And with that, the committee is adjourned.\n    Ms. Maier. Thank you.\n    Mr. Hoofnagle. 
Thank you.\n    [Whereupon, at 11:32 a.m., the subcommittee was adjourned.]\n    [Additional material submitted for the record follows:]\n\n                Retail Industry Leaders Association\n                                              Arlington, VA\n                                                      July 28, 2005\nThe Honorable Cliff Stearns\nChairman\nSubcommittee on Commerce, Trade, and Consumer Protection\nCommittee on Energy and Commerce\n2123 Rayburn House Office Building\nU.S. House of Representatives\nWashington, D.C. 20515\n\nRE: Statement for the Hearing Record on ``Data Security: The Discussion \nDraft of Data Protection Legislation.\'\'\n\n    Dear Chairman Stearns: On behalf of the Retail Industry Leaders \nAssociation (RILA), I am submitting this letter for the record of the \nsubcommittee\'s hearing entitled ``Data Security: The Discussion Draft \nof Data Protection Legislation.\'\' We appreciate the opportunity to \nsubmit these comments.\n    The Retail Industry Leaders Association (RILA) is an alliance of \nthe world\'s most successful and innovative retailer and supplier \ncompanies--the leaders of the retail industry. RILA members represent \nalmost $1.4 trillion in sales annually and operate more than 100,000 \nstores, manufacturing facilities and distribution centers nationwide. \nIts member retailers and suppliers have facilities in all 50 states, as \nwell as internationally, and employ millions of workers domestically \nand worldwide. Through RILA, leaders in the critical disciplines of the \nretail industry work together to improve their businesses and the \nindustry as a whole.\n    Retailers and their product and service suppliers value their \nrelationship with their customers above all else. 
Consumers vote with \ntheir feet every day by purchasing goods and services from retailers \nand suppliers that they know and trust to provide the quality, prices \nand services that they expect.\n    RILA members are committed to maintaining the security and \nconfidentiality of consumer information. RILA supports a uniform \nfederal standard should sensitive customer information be breached and \nthere is a reasonable belief or actual knowledge that harm has been \ncaused by a result of the breach.\n    As the Judiciary Committee considers data security legislation RILA \nasks that the committee consider the following core principles:\n\n\x01 Preemption: RILA members are committed to policies and practices that \n        safeguard personal data and records and are in full compliance \n        with the current California data breech notification statute. \n        However, other states and jurisdictions have also enacted or \n        are considering similar laws. While these proposals similar, \n        they are rarely consistent, making the potential for a \n        conflicting and confusing regulatory and legal framework all \n        too real. Complying with various and inconsistent state laws \n        could, in fact, slow down the notification process, create \n        unnecessarily complex internal systems, and add cost to the \n        bottom line. Therefore, RILA supports a strong federal \n        preemption that would create a uniform standard ``trigger\'\' for \n        notification and for the type of notification that must occur.\n\x01 Trigger: RILA members believe that notification should only be \n        ``triggered\'\' when it is determined that there is, or there is \n        a reasonable belief that there is, a significant risk of harm \n        to consumers. We would note that this is a similar standard \n        supported by the Federal Trade Commission in testimony it has \n        presented before Congress this year. 
RILA members have \n        legitimate concerns about over-notification and believe that \n        clearly defining an appropriate trigger is fundamental to \n        achieving meaningful consumer notice.\n* Covered Data: Proposals should be limited to unencrypted computerized \n        information.\n* Notification: RILA members support a uniform notification standard \n        through direct mail or email and are opposed to redundant and \n        costly notification requirements that would do little to \n        increase awareness. RILA also supports a substitute \n        notification delivery method--email, website, local media, \n        etc.--if notification costs would exceed $250,000 or the breach \n        affects more than 500,000 consumers.\n* Private Right of Action: RILA supports data security legislation that \n        would prohibit individual private rights of action.\n* Credit Freeze: RILA has concerns regarding the impact of so-called \n        credit freeze proposals that would allow consumers to place a \n        freeze on their credit report. While proposals of this nature \n        have the biggest impact on the credit agencies, retailers, \n        particularly those who provide instant credit, are concerned \n        about the spillover effects of credit freeze requirements. \n        When a customer freezes their credit file, they are likely to \n        forget to ``unfreeze\'\' their file before they apply for instant \n        credit, creating consumer frustration and confusion when instant \n        credit cannot be issued. In addition, retailers are concerned \n        that additional credit agency requirements could drive up the \n        cost of credit reports. 
While the industry has concerns with \n        credit freeze requirements, if provisions are adopted, there \n        should be a uniform national standard.\n    With regard to the draft document that the committee is considering \nat today\'s hearing, we have prepared the attached comments, which we \nhave previously provided to the subcommittee staff.\n    If you have any questions about this matter, please don\'t hesitate \nto contact me or my colleague Lori Denham, Senior Vice President, \nPolicy and Planning.\n            Sincerely,\n                                              Paul T. Kelly\n        Senior Vice President, Federal and State Government Affairs\nAttachment\nRetail Industry Leaders Association General Comments on Barton/Stearns \n   Discussion Draft ``Data Security & Security Breach Notification\'\'\n                             July 28, 2005\nSecurity Requirements for Data\nSection 2\n* Rules promulgated by the FTC may require specific policies and \n        procedures that may or may not be appropriate for the \n        protection of the personal information maintained by companies. \n        While we support the idea that companies should have policies \n        and procedures in place to protect personal information, we \n        believe individual companies are in the best position to \n        determine what form those policies and procedures should take.\n* RILA supports an exemption for data that is encrypted.\nNationwide Notification for Material Security Breaches\nSection 3\n* Breach of Security. We agree with the concept of risk assessment in \n        determining whether a notice of breach to consumers is \n        necessary. Inundating consumers with notices regarding a breach \n        of information when there is no evidence that the breach has, \n        or will, result in identity theft is counter-productive. 
There \n        is a real danger that over-notification will result in \n        consumers becoming numb to the notices and they will, \n        therefore, fail to take necessary steps to protect their \n        information.\n* Timeliness of Notification. Many of the state laws regarding security \n        breach notification have included a provision that would allow \n        for the delay of notification to consumers in cases where law \n        enforcement requests a delay so they can complete an \n        investigation.\n* Method of Notification. Notification by mail and email and web site \n        could prove burdensome. We would support a notification scheme \n        whereby individuals could be notified by mail or email and by \n        the posting of a notice on the company\'s web site. It is not \n        necessary to notify consumers by both mail and email. Companies \n        should be able to choose the method that is most practical and \n        efficient depending on the circumstances. Providing notice on \n        the company\'s web site would then be an appropriate and \n        practical addition to the mail or email notification. If a \n        company chose to send notice by email, it should be allowed to \n        do so without having prior ``consent\'\' from the consumer to \n        receive such messages. This would be an operational (not a \n        commercial) email message and one that consumers would want and \n        need to receive regardless of whether they had previously \n        provided consent.\nDefinitions\nSection 5\n* ``Personal Information\'\'. The definition of personal information is \n        consistent with the definitions established in California\'s \n        (and other states\') security breach notification laws. 
If this \n        definition is acceptable, why would the Commission be allowed \n        to modify it in the rulemaking?\nEffect on Other Laws\nSection 6\n* The preemption language is limited to ``. . . breaches of security of \n        data in electronic form.\'\' State laws have contemplated \n        breaches in forms other than electronic. The preemption should \n        be complete so that companies can implement one security breach \n        notification process. Companies should not be put in a position \n        whereby they have to follow specific state laws for information \n        that is maintained in forms other than electronic.\n* Banks, credit unions, thrifts and common carriers are exempt from \n        coverage because they do not fall under the jurisdiction of the \n        FTC. However, these entities would need/want to take advantage \n        of the preemption provision. If these entities are not included \n        in the preemption provision they will be subject to federal \n        regulatory guidance and the myriad state laws that address \n        security of information and notification in the event a \n        security breach occurs.\nEffective Date and Sunset\nSection 7\n* What is the reason for attaching a sunset provision to this \n        legislation?\n    For more information, contact Lori Denham, Senior Vice President, \nPolicy and Planning (703) 600-2012 or lori.denham@retail-leaders.org or \nPaul T. 
Kelly, Senior Vice President, Federal and State Government \nAffairs (703) 600-2014 or paul.kelly@retail-leaders.org\n\n</pre></body></html>\n'