b'<html>\n<title> - ENHANCING DATA SECURITY: THE REGULATORS\' PERSPECTIVE</title>\n<body><pre>[House Hearing, 109 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n \n                        ENHANCING DATA SECURITY:\n                      THE REGULATORS\' PERSPECTIVE\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n               FINANCIAL INSTITUTIONS AND CONSUMER CREDIT\n\n                                 OF THE\n\n                    COMMITTEE ON FINANCIAL SERVICES\n\n                     U.S. HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED NINTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              MAY 18, 2005\n\n                               __________\n\n       Printed for the use of the Committee on Financial Services\n\n                           Serial No. 109-31\n\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n25-573                      WASHINGTON : 2006\n_____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n\n                 HOUSE COMMITTEE ON FINANCIAL SERVICES\n\n                    MICHAEL G. OXLEY, Ohio, Chairman\n\nJAMES A. LEACH, Iowa                 BARNEY FRANK, Massachusetts\nRICHARD H. BAKER, Louisiana          PAUL E. KANJORSKI, Pennsylvania\nDEBORAH PRYCE, Ohio                  MAXINE WATERS, California\nSPENCER BACHUS, Alabama              CAROLYN B. MALONEY, New York\nMICHAEL N. CASTLE, Delaware          LUIS V. GUTIERREZ, Illinois\nPETER T. KING, New York              NYDIA M. 
VELAZQUEZ, New York\nEDWARD R. ROYCE, California          MELVIN L. WATT, North Carolina\nFRANK D. LUCAS, Oklahoma             GARY L. ACKERMAN, New York\nROBERT W. NEY, Ohio                  DARLENE HOOLEY, Oregon\nSUE W. KELLY, New York, Vice Chair   JULIA CARSON, Indiana\nRON PAUL, Texas                      BRAD SHERMAN, California\nPAUL E. GILLMOR, Ohio                GREGORY W. MEEKS, New York\nJIM RYUN, Kansas                     BARBARA LEE, California\nSTEVEN C. LaTOURETTE, Ohio           DENNIS MOORE, Kansas\nDONALD A. MANZULLO, Illinois         MICHAEL E. CAPUANO, Massachusetts\nWALTER B. JONES, Jr., North          HAROLD E. FORD, Jr., Tennessee\n    Carolina                         RUBEN HINOJOSA, Texas\nJUDY BIGGERT, Illinois               JOSEPH CROWLEY, New York\nCHRISTOPHER SHAYS, Connecticut       WM. LACY CLAY, Missouri\nVITO FOSSELLA, New York              STEVE ISRAEL, New York\nGARY G. MILLER, California           CAROLYN McCARTHY, New York\nPATRICK J. TIBERI, Ohio              JOE BACA, California\nMARK R. KENNEDY, Minnesota           JIM MATHESON, Utah\nTOM FEENEY, Florida                  STEPHEN F. LYNCH, Massachusetts\nJEB HENSARLING, Texas                BRAD MILLER, North Carolina\nSCOTT GARRETT, New Jersey            DAVID SCOTT, Georgia\nGINNY BROWN-WAITE, Florida           ARTUR DAVIS, Alabama\nJ. GRESHAM BARRETT, South Carolina   AL GREEN, Texas\nKATHERINE HARRIS, Florida            EMANUEL CLEAVER, Missouri\nRICK RENZI, Arizona                  MELISSA L. BEAN, Illinois\nJIM GERLACH, Pennsylvania            DEBBIE WASSERMAN SCHULTZ, Florida\nSTEVAN PEARCE, New Mexico            GWEN MOORE, Wisconsin,\nRANDY NEUGEBAUER, Texas               \nTOM PRICE, Georgia                   BERNARD SANDERS, Vermont\nMICHAEL G. FITZPATRICK, \n    Pennsylvania\nGEOFF DAVIS, Kentucky\nPATRICK T. McHENRY, North Carolina\n\n                 Robert U. 
Foster, III, Staff Director\n       Subcommittee on Financial Institutions and Consumer Credit\n\n                   SPENCER BACHUS, Alabama, Chairman\n\nWALTER B. JONES, Jr., North          BERNARD SANDERS, Vermont\n    Carolina, Vice Chairman          CAROLYN B. MALONEY, New York\nRICHARD H. BAKER, Louisiana          MELVIN L. WATT, North Carolina\nMICHAEL N. CASTLE, Delaware          GARY L. ACKERMAN, New York\nEDWARD R. ROYCE, California          BRAD SHERMAN, California\nFRANK D. LUCAS, Oklahoma             GREGORY W. MEEKS, New York\nSUE W. KELLY, New York               LUIS V. GUTIERREZ, Illinois\nRON PAUL, Texas                      DENNIS MOORE, Kansas\nPAUL E. GILLMOR, Ohio                PAUL E. KANJORSKI, Pennsylvania\nJIM RYUN, Kansas                     MAXINE WATERS, California\nSTEVEN C. LaTOURETTE, Ohio           DARLENE HOOLEY, Oregon\nJUDY BIGGERT, Illinois               JULIA CARSON, Indiana\nVITO FOSSELLA, New York              HAROLD E. FORD, Jr., Tennessee\nGARY G. MILLER, California           RUBEN HINOJOSA, Texas\nPATRICK J. TIBERI, Ohio              JOSEPH CROWLEY, New York\nTOM FEENEY, Florida                  STEVE ISRAEL, New York\nJEB HENSARLING, Texas                CAROLYN McCARTHY, New York\nSCOTT GARRETT, New Jersey            JOE BACA, California\nGINNY BROWN-WAITE, Florida           AL GREEN, Texas\nJ. GRESHAM BARRETT, South Carolina   GWEN MOORE, Wisconsin\nRICK RENZI, Arizona                  WM. LACY CLAY, Missouri\nSTEVAN PEARCE, New Mexico            JIM MATHESON, Utah\nRANDY NEUGEBAUER, Texas              BARNEY FRANK, Massachusetts\nTOM PRICE, Georgia\nPATRICK T. McHENRY, North Carolina\nMICHAEL G. OXLEY, Ohio\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on:\n    May 18, 2005.................................................     
1\nAppendix:\n    May 18, 2005.................................................    29\n\n                               WITNESSES\n                        Wednesday, May 18, 2005\n\nFenner, Robert M., General Counsel, National Credit Union \n  Administration.................................................     7\nParnes, Lydia B., Director, Bureau of Consumer Protection, \n  Federal Trade Commission.......................................     4\nThompson, Sandra, Deputy Director, Division of Supervision and \n  Consumer Protection, Federal Deposit Insurance Corporation.....     5\n\n                                APPENDIX\n\nPrepared statements:\n    Oxley, Hon. Michael G........................................    30\n    Bachus, Hon. Spencer.........................................    34\n    Hinojosa, Hon. Ruben.........................................    37\n    Sanders, Hon. Bernard........................................    40\n    Fenner, Robert M.............................................    44\n    Parnes, Lydia B..............................................    63\n    Thompson, Sandra.............................................    84\n\n              Additional Material Submitted for the Record\n\nHinojosa, Hon. Ruben:\n    Letter from Consumers Union, May 17, 2005....................   103\nFenner, Robert M.:\n    Written response to question from Hon. Sue W. Kelly..........   106\nParnes, Lydia B.:\n    Written response to question from Hon. Sue W. Kelly..........   108\nThompson, Sandra:\n    Written response to question from Hon. Sue W. Kelly..........   110\nConsumers Union, prepared statement..............................   112\n\n\n                        ENHANCING DATA SECURITY:\n                      THE REGULATORS\' PERSPECTIVE\n\n                              ----------                              \n\n\n                        Wednesday, May 18, 2005\n\n             U.S. 
House of Representatives,\n             Subcommittee on Financial Institutions\n                               and Consumer Credit,\n                           Committee on Financial Services,\n                                                   Washington, D.C.\n    The subcommittee met, pursuant to call, at 10:04 a.m., in \nRoom 2128, Rayburn House Office Building, Hon. Spencer Bachus \n[chairman of the subcommittee] Presiding.\n    Present: Representatives Bachus, Kelly, Hensarling, Pearce, \nNeugebauer, McHenry, Sanders, Maloney, Sherman, Moore, Frank, \nCarson, Baca, Green, Moore, Clay, and Matheson.\n    Chairman Bachus. Good morning. The Subcommittee on \nFinancial Institutions and Consumer Credit will come to order. \nThis morning the subcommittee is continuing its hearings on \ndata security breaches.\n    In the past few months there have been widely reported \nbreaches of security at financial institutions and other stores \nof data about security breaches, and the subject of these \nhearings is whether or not there ought to be a standard notice \nwhen that occurs, what the standard of care ought to be for \nthose who maintain consumers\' personal information, and whether \nor not the current legislation both in Gramm-Leach-Bliley and \nthe FACT Act and the guidance from the regulators is sufficient \nor whether we need to go further, whether consumers, in \naddition to notice, ought to have other rights or ought to be \nempowered further. I think the standards were just issued in \nMarch under Gramm-Leach-Bliley for the notifications, so it may \nbe a little premature to make a final decision at this time.\n    We have several members that are working on legislation, I \nknow Chairman Castle and Chairman Price are working on \nlegislation establishing a standard. I also know Mr. 
LaTourette \nis working on legislation which would give consumers the right \nto freeze their credit information in the event that they felt \nlike it was being fraudulently used as a result of a data \nbreach.\n    The witnesses here today have only been given about a week \nto prepare for their testimony today, which is about half the \ntime we normally like to give our witnesses, so I do apologize \nfor that. And at this time I am going to take the opportunity \nto introduce our witnesses, and then I am going to yield to Mr. \nSanders for an opening statement. I am going to introduce my \nentire opening statement for the record, but in the interest of \ngoing ahead and expediting the hearing, hearing from our \nwitnesses, I will abbreviate my opening statement.\n    But we have with us today the FTC Director of the Bureau of \nConsumer Protection, Lydia Parnes.\n    Ms. Parnes. Parnes.\n    Chairman Bachus. Thank you.\n    FDIC Deputy Director of the Division of Supervision and \nConsumer Protection, Sandra Thompson. We welcome you, Ms. \nThompson. And Ms. Parnes, am I getting it right now?\n    Ms. Parnes. Yes, you are.\n    Chairman Bachus. Thank you. And I should have asked before \nthe hearing. I apologize.\n    And NCUA General Counsel Robert Fenner. Thank you.\n    We look forward to hearing from the witnesses and thank \nthem for taking time from their schedules to join us. And if \nyou all would move the mikes up pretty close to you.\n    And at this time I will yield to Mr. Sanders for an opening \nstatement.\n    [The prepared statement of Hon. Spencer Bachus can be found \non page 34 in the appendix.]\n    Mr. Sanders. Thank you very much, Mr. Chairman. And thank \nyou very much to our panelists who are here today.\n    This is clearly an important issue. 
Identity theft and \nbreach in security at some of our Nation\'s largest companies \nare huge issues that this committee has got to address, and I \nam glad that we are holding this hearing today.\n    According to the Federal Trade Commission, 27.3 million \nAmericans have been victims of identity theft in the past 5 \nyears--that is a huge number of people--costing businesses and \nfinancial institutions some 48 billion and consumers $5 \nbillion. Victims of identity theft pay an average of about \n$1,400, not including attorney fees, and spend an average of \n600 hours to clear their credit reports. So we are dealing with \nan issue of real concern to the American people.\n    In addition, Mr. Chairman, since 2003, there have been a \nnumber of security breaches at some of the biggest companies in \nthis country, threatening the financial privacy of millions of \nAmericans. The largest one became public in February of 2003 \nwhen the FBI announced a nationwide investigation of a computer \ndatabase security breach containing roughly 8 million Visa, \nMasterCard, and American Express credit card numbers. This \nbreach forced many financial institutions to reissue thousands \nof Visa and MasterCards as a precaution against potential \nfraud.\n    But we are not just talking about credit card companies; we \nare talking about TimeWarner, Lowe\'s stores, T-Mobile USA, \nChoicePoint, LexisNexis, Wells Fargo, Bank of America, Chevy \nChase, and SunTrust. The list goes on and on.\n    For a variety of reasons, Social Security numbers, debit \nand check card information, driver\'s license numbers, e-mails, \npersonal computer files, and information about student loans \nand mortgages are being stolen by computer hackers and other \nscam artists. Mr. Chairman, this has got to stop. 
We must make \nsure that identity thieves are prosecuted to the fullest extent \nof the law, but we must also make sure that the largest, the \nmost profitable multinational companies in this country do \neverything they can to make sure that these scam artists don\'t \nsucceed in the first place.\n    In addition, Mr. Chairman, this committee must focus on how \nthe outsourcing of financial service jobs to China, India, and \nother low-wage countries are threatening the privacy of our \ncitizens. That is an issue I think that we can no longer \nignore.\n    According to a study published by the consulting firm A.T. \nKearney, more than 500,000 financial service jobs in the United \nStates, representing 8 percent of all jobs in banking, \nbrokerage, and insurance firms, will move offshore in the next \n5 years, saving these companies some $30 billion. Now that is \nan issue unto itself from a worker perspective, but it is also \na major issue in terms of the privacy issue that we are dealing \nwith today.\n    It seems that no financial service firms or credit bureau \nagency is immune to overseas outsourcing, and we are the \nbiggest ones doing that. One example of the troubling trend in \noutsourcing is occurring at TransUnion. According to David \nEmory, executive vice president and chief financial officer of \nTransUnion, quote, 100 percent of our mail regarding customer \ndisputes is going to India at some point, end of quote.\n    And according to a report in the San Francisco chronicle, \nquote, two of the three major credit reporting agencies, each \nholding detailed files on about 220 million U.S. consumers, are \nin the process of outsourcing sensitive operations abroad, and \na third may follow suit shortly, industry officials acknowledge \nfor the first time, end of quote.\n    Mr. 
Chairman, with growing problems in identity theft and \nwith no domestic legal protection for the privacy of the \npersonal records of American citizens, the situation is \nunhappily ripe for abuse, and the evidence is mounting. It was \nrecently reported that three former call center workers in \nIndia allegedly cheated Citibank customers in the U.S. out of \nhundreds of thousands of dollars. It has also been reported \nthat Geometric Software Solutions in India, another overseas \noutsourcer, illegally tried to sell the U.S. clients\' \nintellectual property. And an employee in Pakistan doing \nclerical work for a medical center in California threatened to \npost confidential medical records of U.S. patients on the \nInternet unless she was adequately compensated for her work.\n    I would like to ask that witnesses today--and I hope that \nthis is an issue that you will cover, the following questions. \nExactly what kind of legal protections do U.S. consumers have \nwhen our privacy laws are violated overseas? As I understand \nit, it would be difficult, if not impossible, to prosecute \nfinancial services or credit bureau workers outside of the \nUnited States for breaking laws relating to financial privacy \nand consumer protection. That is why I am supportive of \nlegislation introduced by Congressman Markey that would make it \nillegal for companies in the U.S. to send financial data abroad \nwithout the express written consent of their customers.\n    Mr. Chairman, thank you again for holding this very \nimportant hearing. And I look forward to hearing our witnesses.\n    [The prepared statement of Hon. Bernard Sanders can be \nfound on page 40 in the appendix.]\n    Chairman Bachus. I thank the ranking member.\n    Are there other members that wish to make an opening \nstatement? If not, we will hear from our witnesses. Ms. Parnes.\n\n  STATEMENT OF LYDIA B. 
PARNES, DIRECTOR, BUREAU OF CONSUMER \n              PROTECTION, FEDERAL TRADE COMMISSION\n\n    Ms. Parnes. Thank you. Mr. Chairman and members of this \nsubcommittee, I am Lydia Parnes, Director of the Bureau of \nConsumer Protection of the Federal Trade Commission.\n    I want to thank you for holding today\'s hearing on the \nimportant issue of improving the security of consumers\' \npersonal information and reducing the risks of identity theft. \nThe FTC staff greatly appreciate the leadership of Chairman \nBachus, Representative Sanders, and the Financial Services \nCommittee in the recent revisions to the Fair Credit Reporting \nAct. And I look forward to working with you on this issue as \nwell.\n    Although the written testimony submitted to the \nsubcommittee represents the views of the Commission, my oral \npresentation and responses to your questions are my own and do \nnot necessarily reflect the views of the Commission or any \nindividual commissioner.\n    Americans are very concerned about the security of their \npersonal information, and for good reason. All told, each year \nidentity theft costs American businesses $48 billion and \nconsumers $5 billion more. Not surprisingly, there is a direct \ncorrelation between the type of identity theft and its cost to \nvictims. According to an FTC survey, although people who had \nnew accounts opened in their names made up only one-third of \nthe victims, they suffered two-thirds of the harm.\n    The Commission has worked hard to assist victims and to \neducate consumers and businesses about the risks of identity \ntheft. We facilitate cooperation, information sharing, and \ntraining among Federal, State, and local law enforcement. The \nCommission maintains a Web site and a toll-free hotline to \nrespond to the 15,000 to 20,000 inquiries we receive each week, \nand our trained counselors advise victims on how to reclaim \ntheir identities. 
In addition, many of the recent revisions to \nthe Fair Credit Reporting Act are designed to assist victims of \nidentity theft, and the Commission is working hard to implement \nthese provisions.\n    The recent breaches of consumer information have focused \nattention on the practices of data brokers that collect and \nsell information for a wide variety of purposes. Despite the \npotential benefits of these information services, as recent \nevents demonstrate, if the sensitive information they collect \ngets into the wrong hands, it can cause serious harm to \nconsumers.\n    A variety of laws and regulations address the security of \nand access to sensitive information that these companies \nmaintain. When breaches occur, the Commission staff takes a \nclose look to determine if existing laws have been violated. \nAlthough such investigations are nonpublic, ChoicePoint has \npublicly acknowledged that it is under investigation by the \nFTC.\n    The recent breaches raise the question of whether existing \nlaws are sufficient to protect consumers\' information, and new \nlegislation in fact could be useful. As FTC Chairman Majoras \nhas testified, the most immediate need is to address the risks \nto the security of the information. At the outset, companies \nshould take steps to prevent breaches before they happen. \nTherefore, it makes sense to impose substantive security \nrequirements on data brokers and other entities that collect \nsensitive personal information, much like the security \nrequirements imposed under the Commission\'s safeguards rule.\n    Another step to consider would be a workable Federal \nrequirement for notice to consumers when there has been a \nsecurity breach that raises a significant risk of harm to \nconsumers. 
As was the case in this committee\'s consideration of \nthe FACT Act, the challenge is to fashion effective consumer \nprotection while preserving the benefits that legitimate \ninformation services provide to consumers and the economy.\n    Mr. Chairman, members of the subcommittee, the FTC shares \nyour concern for the security of consumer information, and we \nwill continue to take steps within our authority to protect \nconsumers.\n    Thank you for the opportunity to discuss this vitally \nimportant subject, and I am happy to respond to your questions.\n    Chairman Bachus. Thank you.\n    [The prepared statement of Lydia B. Parnes can be found on \npage 63 in the appendix.]\n    Chairman Bachus. Ms. Thompson.\n\n  STATEMENT OF SANDRA THOMPSON, DEPUTY DIRECTOR, DIVISION OF \nSUPERVISION AND CONSUMER PROTECTION, FEDERAL DEPOSIT INSURANCE \n                          CORPORATION\n\n    Ms. Thompson. Thank you, Chairman Bachus, Ranking Member \nSanders, and members of the subcommittee. I appreciate the \nopportunity to testify before this subcommittee on behalf of \nthe FDIC. I cannot overemphasize the importance we place on \ndata security and protecting sensitive information. As well as \ncausing financial harm and emotional distress to consumers, the \nfailure or misuse of data security can impact the safety and \nsoundness of an institution and undermine confidence in the \nbanking system and the economy.\n    My oral statement this morning will briefly describe some \nof the emerging trends and developing threats we see in terms \nof security breaches. I will also discuss the FDIC\'s \nexamination programs, and I will touch on our outreach efforts \nto the industry and consumers.\n    The Internet has made it possible to build a virtual \nstorefront that criminals can use to conduct business.\n    Malicious software on users\' computers, phishing schemes, \nand pharming technologies are all aimed at consumers. 
Financial \ninstitutions and companies that store, transport, and use \nconsumers\' information are also targets.\n    Phishing continues to increase and now comprises over 50 \npercent of the incidents reported to the FDIC. Phishers have \nbegun attacking smaller institutions, expanding their \noperations as the larger often phished banks become less \nfertile.\n    The FDIC recently published a study discussed in my written \nstatement that recommends financial institutions and service \nproviders consider stronger risk-based authentication \nstrategies to reduce fraud related to passwords and other \nInternet account access vehicles. The Federal banking agencies \nhave plans to release guidance on authentication later this \nyear. To address the specialized nature of technology-related \nsupervision, risks, and controls in the banking industry, the \nFDIC regularly and routinely evaluates all of its regulated \nfinancial institutions\' information security programs through \nour information technology examinations, as well as enforcing \nprivacy requirements through our compliance examination \nprogram.\n    The FDIC also conducts IT examinations of the major \ntechnology service providers that support financial \ninstitutions. Through a national examination program, onsite \nreviews of large technology service providers are conducted on \nan interagency basis.\n    As you know, Congress has passed several key laws designed \nto protect personal information. These laws have become part of \nthe business of banking and include the Gramm-Leach-Bliley Act, \nthe Fair and Accurate Credit Transaction Act, and the Fair \nCredit Reporting Act. Institutions that fail to comply with \nthese laws may face enforcement actions ranging from informal \nagreements to civil money penalties or other administrative \nactions.\n    The FDIC takes a proactive approach to enforcing data \nsecurity regulations and guidance. 
If an institution\'s program \nfor securing customer data is inadequate, the FDIC takes action \nregardless of whether or not there has been a compromise in \ndata security. When data protection fails, financial \ninstitutions must adhere to the "Response Program" guidance \nissued by the FDIC and the other regulators in late March. The \nguidance is designed to address incidents of unauthorized \naccess to sensitive customer information. Among many other \nthings, customer notice should be given in a clear and \nconspicuous manner and should include a description of the \nincident, the types of information subject to unauthorized \naccess, measures taken to protect the customers from further \nunauthorized access, a telephone number customers can call for \ninformation and assistance, and a reminder to customers to be \nvigilant in monitoring their account activity over the next 12 \nto 24 months.\n    With regard to outreach, the FDIC has taken an active role \nin reaching out to large numbers of people in the financial \ncommunity to discuss cyber risks and controls. We have done \nthis in several ways. As members with our fellow regulators in \nthe Finance and Banking Information Infrastructure Committee, a \nbody committed to promoting public-private partnership and \nimproving coordination and communication among financial \nregulators, we hosted a series of symposia examining the \nsecurity of the U.S. financial sector and identifying steps \nbanks should take to protect themselves. To date, we have held \n20 of these sessions around the country, and over 1,000 bank \nexecutives have attended.\n    In terms of consumer education, we recently launched a \nseries of identity theft symposia, the first here in Washington \nin conjunction with National Consumer Protection Week. Given \nthe standing-room-only crowd, we decided to do several more \nacross the country. 
The idea is to bring together government, \nindustry, law enforcement, and consumer interests to identify \nthe scope of the identity theft problem and discuss proposed \nsolutions. At our February symposium, we invited audience \nmembers and speakers to participate in a consumer education \nfocus group and give us input on our education efforts and to \nhelp identify consumer needs in this area.\n    Finally, I would mention that our publication, the \nquarterly FDIC Consumer News, frequently includes articles on \nidentity theft. This publication goes to 60,000 subscribers \nbesides being available on our Web site.\n    Mr. Chairman and members of the subcommittee, thank you for \ninviting us to speak on this very important topic. No amount of \nlegislation or regulation can completely eliminate the threats \nto data security; however, we believe that our collaborative \nefforts with the industry, the public, and our fellow \nregulators have and will continue to significantly minimize \nthreats.\n    We stand ready to work with the committee to provide any \nassistance to effectively address the elusive issues associated \nwith data security.\n    Chairman Bachus. Thank you.\n    [The prepared statement of Sandra Thompson can be found on \npage 84 in the appendix.]\n    Chairman Bachus. Mr. Fenner.\n\nSTATEMENT OF ROBERT M. FENNER, GENERAL COUNSEL, NATIONAL CREDIT \n                      UNION ADMINISTRATION\n\n    Mr. Fenner. Thank you. Mr. Chairman and members of the \nsubcommittee, thanks for the opportunity to present NCUA\'s \nviews on this important subject of personal data security.\n    Chairman Bachus. I don\'t think the mike is on.\n    Mr. Fenner. Off to a good start. Can you hear me now, Mr. \nChairman?\n    Chairman Bachus. That is great.\n    Mr. Fenner. All right. Mr. Chairman and members of the \nsubcommittee, I want to thank you for the opportunity to \npresent NCUA\'s views on this important subject of personal data \nsecurity. 
And knowing that my written testimony is part of the \nrecord, I will be brief in my oral statement.\n    My written testimony is in three parts. The first part \ndescribes examples of data security breaches that NCUA has \nencountered involving credit unions and credit union members. \nIt is our hope that this information will be useful to the \ncommittee as you continue to study this serious problem and as \nyou consider whether additional legislative measures are \nappropriate.\n    Also, we believe these examples show that when breaches \nhave occurred in the credit union system, NCUA and credit \nunions have been aggressive about taking the necessary steps \nboth to notify credit union members and to minimize potential \nlosses.\n    The second part of my testimony describes the measures that \nNCUA has taken to enhance data security in credit unions and to \nimplement the provisions of the Gramm-Leach-Bliley Act and the \nFACT Act related to data security issues. These actions include \nregulations and guidelines requiring data security programs of \nall federally insured credit unions and regulations and \nguidelines which will take effect this June 1st requiring \nresponse programs in the event of security breaches. These \nresponse programs guidelines include a requirement to notify \nmembers of the credit union whenever misuse of information has \noccurred or is reasonably possible and to inform members of the \ntype of information that was subject to unauthorized access or \nuse.\n    Regulation and guidance to implement the relevant FACT Act \nprovision are also well underway. 
Included are rules on proper \ndisposal of information--those rules took effect last \nDecember--and ongoing interagency work to develop regulations \non red flag programs.\n    My written testimony also describes numerous other actions \nthat NCUA has taken to keep the issue of data security in the \nforefront with credit unions and the interagency effort to \nexamination and enforcement procedures. And we appreciate, by \nthe way, the lead that both the FTC and the FDIC have taken in \ndeveloping many of these rules and guidelines.\n    Finally, NCUA has two recommendations. First, we recommend \nthat Congress restore NCUA\'s authority to examine third-party \nvendors that provide data processing and other services to \ncredit unions. We note that we are the only FFIEC agency that \ndoes not possess this authority.\n    Also, while the vast majority of vendors are fully \ncooperative with NCUA, we have encountered instances of lack of \ncooperation, and as you can imagine, those tend to be the \nvendors who have something to hide. We believe that examination \nauthority would strengthen NCUA\'s bargaining position in \nobtaining needed information quickly from vendors as well as \nenabling us to actually conduct full examinations in those rare \ncases where it becomes necessary.\n    Lastly, we want to note that we support Congress\' \nconsideration of whether data brokers and other nonfinancial \ninstitutions that maintain and distribute consumer data should \nbe subject to requirements similar to those of Gramm-Leach-\nBliley and the FACT Act.\n    Again, I want to thank you for the opportunity to appear \ntoday, and I would be happy to answer any questions.\n    Chairman Bachus. Thank you.\n    [The prepared statement of Robert M. Fenner can be found on \npage 44 in the appendix.]\n    Chairman Bachus. Mr. Hensarling, do you have questions?\n    Mr. Hensarling. Thank you, Mr. Chairman.\n    Ms. 
Parnes, under one of the titles of Gramm-Leach-Bliley, \nI believe it is a criminal act to use deceptive tactics to \nobtain certain sensitive financial information. I understand \nthat an ounce of prevention is worth a pound of cure, but with \nrespect to the FTC can you give me some insight into what is \ngoing on in the enforcement side to the bad actors out there?\n    Ms. Parnes. Of course. Congressman, the FTC, as you know, \nhas only civil authority; we do not have any criminal \nauthority. On the civil side, the Commission enforces the \nsafeguards rule which was issued under Gramm-Leach-Bliley. The \nrule requires financial institutions--and that would include \nconsumer reporting agencies--or other service providers to \nmaintain reasonable procedures to safeguard the customer \ninformation that they have. And the Commission has brought \ncases to enforce the safeguards rule.\n    We also enforce section 5 of the Federal Trade Commission \nAct, which prohibits unfair and deceptive practices. And the \nCommission has brought a number of cases challenging, as \ndeceptive, promises that were made to keep consumers\' \ninformation secure. Although the Commission has not exercised \nits unfairness authority, the Commission has stated that it \nbelieves that security breaches can be unfair under the FTC \nAct. So we have engaged in enforcement both under Gramm-Leach-\nBliley and under the FTC Act.\n    Mr. Hensarling. I am still a little unclear on exactly \nwhere the trigger mechanism might be under the interagency \nguidance document on when a consumer would be notified that \nthere has been a breach of security. 
Or are you concerned that \nif the trigger--or I guess to use a different metaphor, if the \nhurdle rate is too low, that consumers will be getting perhaps \ntoo many of these notices to where those that really do not \npose a significant risk somehow detract from those that \nactually do, and the consumer ends up ignoring all of this \ndisclosure to their detriment?\n    Ms. Parnes. I think that the trigger for notice is probably \nthe most difficult issue here. And the issue that you are \nraising is precisely the concern. If consumers are inundated \nwith notices, there are two potential problems: One is that \nthey may put fraud alerts on their consumer reports when there \nreally is no problem, and that can cause--that can create \nproblems for consumers and for the industry as well.\n    On the other hand, they may get so many notices that they \njust start ignoring them, and when there is a notice that \nrepresents a real threat, they won\'t act on it. So I think that \nis a balance that we will have to consider.\n    Mr. Hensarling. Ms. Thompson.\n    Ms. Thompson. I would like to add to that, because the \nbanking regulators spend a considerable amount of time trying \nto determine the threshold. And I think that in the "Response \nGuidance" that we recently issued in March, the threshold for \ncustomer notification was after the institution conducts an \ninvestigation on the incident and there is clear evidence that \nmisuse has occurred or there is a reasonable possibility that \nmisuse is likely to occur, then that sets the threshold for the \ncustomer notice. But, again, we did want to strike a balance \nand make sure that customers and consumers were not inundated \nwith notices that would over time become meaningless. But the \nagencies did spend a considerable amount of time on this issue.\n    Mr. Hensarling. I was pleased to see in the interagency \nguidance that it seemingly avoids kind of a one-size-fits-all \napproach. Ms. 
Thompson, can you tell us why the security and \nnotification guidelines might be different for Citibank and \nFirst State Bank of Athens, Texas, in the Fifth Congressional \nDistrict of Texas?\n    Ms. Thompson. Congressman, I would be happy to. We believe \nthat it is inappropriate to have the same procedures for small \nand large institutions. There are approximately 8,000 \ninstitutions that have Federal deposit insurance, and they \nrange from the very small community banks to the large \ninstitutions. And the risk profiles for each bank are \nsignificantly different. For example, a small community bank \nwould typically offer limited Internet banking services to \nretail customers and/or small businesses; whereas a large \ninstitution, such as the one that you have mentioned, would \nhave very extensive Internet access and sophisticated online \nservices that would entail a much greater risk to the bank and \nits customers. We believe that the controls that are in place \nshould be commensurate with the risk and that each institution \nposes a different risk.\n    Mr. Hensarling. My time has expired. Thank you. Thank you, \nMr. Chairman.\n    Chairman Bachus. Thank you. Mr. Moore.\n    Mr. Moore of Kansas. Mr. Chairman, I thank the witnesses \nfor being here this morning. I just want to listen to the \ntestimony and the other questions. Thank you, sir.\n    Chairman Bachus. Thank you.\n    Mr. Neugenbauer.\n    Mr. Neugenbauer. Thank you, Mr. Chairman.\n    I think the first question I would have to the panel is \nthat once these breaches have occurred and this personal data \nis out into somewhat of a public domain, what are some of the \nremedies or things that we can do or the public can do? Do they \nneed to start changing their driver\'s license numbers? I mean, \nobviously you can\'t change their birthday, although some of us \nmight would like to do that. 
But what are some of the things \nthat we can do and the industry can do to help mitigate the \nissue once we do have a breach?\n    Ms. Parnes. Well, Congressman, I will respond to that, but \nI think that your question really underscores the fact that \nonce there has been a breach, that horse is out of the barn. \nYou know, it really becomes a problem for consumers. And so in \nthe first instance we really think that data brokers need to \nfocus on security procedures, safeguards. And, in fact, all \nbusinesses that maintain personal sensitive information should \nhave safeguards that they apply to personal information that \nthey maintain.\n    When there has been a breach, though, the FACT Act has \nprovided a number of new protections for consumers who may be \nID theft victims. For example, identity theft victims can place \na fraud alert on their credit report. They can obtain from \ncreditors the business records of the fraudulent accounts that \nwere opened in their name. And that is a very important new \nright for consumers. They can get multiple free credit reports \nthroughout the year to check to see if there are still problems \nbeing caused by the identity thief, and they can get \ninformation about the bad accounts that were opened by identity \nthieves. I would say victims of identity theft are also \nencouraged to contact the FTC either on our Web site or our \ntoll-free number because we do have really a library of very \ngood advice for consumers. The information that we have gives \nthem step-by-step advice on how to regain their good name and \nmodel forms that they can use.\n    Mr. Neugenbauer. I think this second question, Ms. \nThompson, how important is the data sharing that is going on \ntoday? 
I mean, we have data brokers and information brokers, \nand, you know, how--I mean, I think one of the concerns we have \nis it is just probably a lot of people that have a lot of \ninformation, probably no telling how many people have \ninformation about me individually. What is the impact on \ncommerce if we just start saying to individuals and \ninstitutions and banks is we just don\'t share that information \nmaybe other than with for credit reporting or--but selling \nlists and that type of thing. What impact would that have?\n    Ms. Thompson. Well, Congressman, data brokers don\'t come \nunder the authority of the FDIC, so I will speak to what \nhappens in financial institutions. Financial institutions are \nrequired, as you may be aware, to have opt-out provisions, and \nthey are only allowed to share information with affiliates. The \nfinancial regulators know that financial institutions engage in \nactivities with service providers. They outsource information. \nAnd we hold the financial institution, the bank management, and \nthe board of directors accountable for that information whether \nthey process it or whether it is processed by a service \nprovider.\n    We conduct onsite examinations of our institutions, and in \nthose examinations we make sure that we look at the contractual \narrangements between a financial institution and a service \nprovider because they are held to the same standards as the \nfinancial institution.\n    Mr. Neugenbauer. Ms. Parnes.\n    Ms. Parnes. Well, we do--data brokers do come under the \nCommission\'s jurisdiction. And I think that while consumers are \nvery concerned about the security of their personal \ninformation, they also really care about the economic benefits \nthat accrue to all of us based on the free flow of information \nin the economy. So I think that those are interests that we \nneed to balance.\n    It is important for information to be secure, for personal \nsensitive information to be secure. 
It is also at the same time \nimportant for information to be able to flow so that consumers \ncan get credit, they can get--they can, you know, purchase a \ncar, get a mortgage with the ease that they are used to.\n    Mr. Neugenbauer. I think my time has expired, Mr. Chairman. \nThank you.\n    Chairman Bachus. Ms. Carson, did you? You were through, \nright?\n    Mr. Neugenbauer. My time has expired. I am sorry, Mr. \nChairman.\n    Chairman Bachus. Okay. Ms. Carson. No questions? Mr. Baca.\n    Mr. Baca. Thank you very much, Mr. Chairman.\n    Ms. Parnes, my first question. My home State of California \nhas been a leader in consumer notification through the 2003 \nlaws, which require companies to notify the public about any \nsecurity breach of computer data. However, according to USA \nToday\'s article in March, California is still a main target for \nidentity theft, knowing that we have 36 million people in that \narea. Being the only State this year to have 1 million reported \nvictims of identity theft, according to FTC California, \nRiverside, Los Angeles, San Francisco, San Diego, and my home \ncounty of San Bernardino are likely vulnerable. The article \nstates that California\'s reputation as identity theft capital \ncan be tied to major methamphetamine sales.\n    I am wondering if you have any comments on the link and \nmeth labs, and how the two problems can be dealt with together.\n    Ms. Parnes. I am going to have to give that some thought. \nThis is linking identity--the problem of identity theft?\n    Mr. Baca. With meth labs in our area, since we have quite a \nfew in those counties, in that area, and the availability to \nget that. I just wanted to hear your comments. But if not, you \ncan submit a written statement later on and answer the \nquestion, if you don\'t mind.\n    Ms. Parnes. Thank you.\n    Mr. Baca. If not, my next question would be to Sandra \nThompson. 
As you know, in your testimony, consumer data in \ntransit, such as information stored in backup tapes and hard \ndrives, have always been vulnerable to theft. However, the \nknowledge of the theft of such data can contribute to identity \ntheft growing. Well, we know that. We know what our prison \nsystem is doing right now. What is FDIC guidance? How much \nsensitive information should be transported is the question \nnumber one. Does FDIC suggest that such data be encrypted to \nprotect the information from hackers is question number two, or \ndoes the guidance encourage more common sense in physically \nprotecting the backup tapes and hard drives?\n    Ms. Thompson. Congressman, all of the banking regulators \nhave guidance. We have 12 examination handbooks that are \navailable to the public, the industry, and these handbooks have \nthe examination procedures that all of the Federal banking \nregulators use when they go in and conduct banking examinations \non IT security systems at banks.\n    One of the things that is addressed in our handbooks is the \ntransport of data. We don\'t recommend encryption specifically. \nWe do suggest that data be transported in a safe and secure \nmanner and that institutions consider using bonded services or \nsecure vehicles to transport information.\n    Generally speaking, banks back up their data so that they \ncan have a system, or the information, to return to should \nsomething take place, and this is part of the bank\'s business \ncontinuity plan. We don\'t recommend specific instructions on \nexactly what to do, but we do have some suggestions on how to \ntransport data, and confidential data specifically.\n    Mr. Baca. Have any studies been done in reference to what I \nhave been seeing on "60 Minutes" this last week on prisons and \ntheir availability to gather data and run their companies like \nFortune 500 companies? 
Has a study been done based on the \navailability of our prisoners being able to obtain identity \ntheft and the utilization of information?\n    Ms. Thompson. Congressman, I am not aware of any studies \nthat the FDIC has conducted in that area, but I would be happy \nto--\n    Mr. Baca. I think we have got to look at it since these \nguys are so sophisticated right now and there is so much \nidentity theft going on. Is there some kind of linkage that is \ndone within our prison systems that is done outside that may \naffect the consumer? It is just some studies that need to be \ndone. Hopefully, we can look at that.\n    My next question, since I still have got some time, is for \nMr. Fenner.\n    As you know, FACTA requires--when reporting data to \nconsumer reporting agencies, credit unions must use reasonable \nprocedures to stop reporting data that has been already stolen \nupon notice there has been identify theft.\n    In your written testimony, you explain that large credit \nunions may be able to report identity theft almost immediately, \nwhile smaller credit unions can take even a week to report.\n    How would you describe reasonable procedures--and I state, \nreasonable procedures--and how do these procedures differ \ndepending on the size of the credit union? Which is question \nnumber one.\n    And does NCUA make the recommendations to member credit \nunions of varying size and capabilities on how to handle the \ndifferences and notification process when there has been \nidentity theft?\n    Mr. Fenner. 
Well, I do think that especially in the case of \ncredit unions, where many of the institutions are very small, \noften run by volunteer employees, that it is important for us \nto distinguish and to clarify that the procedures need to be \nreasonable and may vary from one size institution to the next.\n    Now I think that in the case of very small credit unions, a \nreasonable procedure might be as simple as keeping paper files \non situations where members file fraud alerts, or other \nnotices, that they may have been subject to identity theft so \nthat that credit union, which is not run on an automated \nsystem--the employees and the volunteers who run the credit \nunion can simply know that that is a member on whom they should \nnot be re-reporting to the consumer reporting agency what might \nbe fraudulent information. In other larger credit unions, it is \ngoing to be more of a fully automated system, but it should be \nequally effective.\n    Mr. Baca. Yes. But there is a difference in the process \nbetween the larger ones that have an automatic system. They \nimmediately get it, while the other ones, the system may vary. \nAnd that is what we are trying to do, is have the same kind of \nprocess.\n    Mr. Fenner. I don\'t think there is any reason that it can\'t \nbe immediate in the case of a smaller credit union as soon as \nthey receive the notice from their member.\n    Mr. Baca. Thank you.\n    Thank you, Mr. Chairman.\n    Chairman Bachus. Ms. Kelly.\n    Mrs. Kelly. Thank you, Mr. Chairman.\n    I want to thank all of you for your testimony, and \nspecifically the FDIC and the NCUA. I am discouraged, however, \nthat the FTC only referred to the practice of phishing in its \nfootnotes. This is my BlackBerry. It was given to me after 9/11 \nby the Federal Government. This morning I came in, and on my \nBlackBerry there are two messages. 
The messages are in German \nfrom people I have never heard of.\n    I believe that phishing is the greatest threat to consumers \nin our financial system, and I think it is one of the most \nimportant things that we need to look at because, unlike other \nforms of financial crime, even an unsuccessful phishing effort \nundermines confidence in the institutions whose names are \nstolen, and the Federal Government\'s ability to protect us is \nclearly not total.\n    I have on this very recently had messages coming that \nlooked like they are coming from banks, the Bank of America, \nCitibank. I don\'t have accounts in those banks, so I \nimmediately blank them out, but other people may open them.\n    I would like to read to you an article that was posted on \nanti-phishing.org yesterday. It is called Phishing Gets \nPersonal by John Leyden. It says, "Fraudsters are using stolen \ninformation to lure victims into divulging additional sensitive \ninformation in a new form of phishing attack. These so-called \npersonalized phishing attacks target individual, named account \nholders at specific banks. Crooks are using real information \nabout the account holder, such as a person\'s name, the correct \nfull account number, and other bank information to make the e-\nmails look more legitimate and, thereby, increase response \nrates.\n    "The approach contrasts with typical phishing attacks where \nfraudsters randomly dispatch thousands of spam e-mails without \nthe slightest attempts to target their attacks. Personalized \nphishing attacks seek to supplement existing lists of stolen \ncredentials with even more sensitive information such as ATM \npin numbers or credit card CVD codes." 
And I am ending the \nquote there.\n    I think with the continued epidemic of phishing and \npharming that is assaulting millions of Americans and while I \nknow both the FDIC and the NCUA have issued guidance on this \nissue to their members and made information available to share \nwith customers, I want to know when we will expect further \nguidance from your agencies on steps that the institutions can \ntake to make sure that their Web sites are secure from \nexploitation, but also what you think we in Congress can do to \nstop this kind of phishing attack.\n    And I am going to throw that out to all three of you.\n    Ms. Parnes. Representative, I would be--I am happy to \nanswer that question from the Commission\'s perspective.\n    We actually have a lot of information that we provide to \nconsumers in terms of how to protect themselves from phishing. \nOur Web site provides that information as part of our consumer \neducation.\n    Phishing clearly violates the FTC Act, and we have brought \ncases under the act challenging those practices. We have also \nworked with criminal authorities. And, in fact, in one of the \ncases that we brought, the Department of Justice acted also and \nthe phisher was sentenced to 46 months in prison. We actually \nthink that criminal prosecution of phishing is much more \neffective than civil prosecution.\n    I have to say, though, from our perspective, the most \nsignificant challenge in fighting this scam is not proving a \nlaw violation; it is finding the individuals who committed the \nviolation, because they are hidden behind walls in the \nInternet. 
Often we find that they are overseas or that the \ntransaction is crossing many borders, and it is very difficult \nfor us to conduct those investigations and to really find those \npeople.\n    One of the things that we think will help is legislation \nthat was introduced last year, the International Consumer \nProtection Act, which would give the FTC additional authority \nto conduct investigations when the fraudsters are overseas. And \nwhile it wasn\'t--this was not--this was introduced last year, \nbut not passed, we are hopeful that in this session of Congress \nit will be reintroduced and become law.\n    Mrs. Kelly. Do you think that there is a need for a Federal \ncoordinator on consumer financial data security who could be \nput in a position not only to try to track this back, but also \nprosecute phishing and pharming?\n    Ms. Parnes. I actually think that with additional tools at \nthe Commission, if we had--if we had additional tools to go--to \npursue some of these actors cross-border, I think that we would \nbe in a good position to--in a better position to bring more \nenforcement actions.\n    But, again, I also think that there are laws in place, and \nI think that the criminal authorities--the Justice Department, \nthe U.S. Attorneys--I think that if they are able to turn their \nattention to this, I think that they have ample authority.\n    Mrs. Kelly. Most of the agencies you mentioned have a lot \non their plates.\n    Ms. Parnes. They do.\n    Mrs. Kelly. So I am going to ask again: Would it be a good \nthing for us to put together a Federal coordinator for this, to \nmake sure that the agencies are working together to drill down \non this problem? This is a growing problem. Anybody who has--it \nis not just on the BlackBerrys; it is on any type of electronic \nmoney transfer.\n    Mr. Chairman, I wonder if we could ask the FDIC if they \nhave some specific suggestions for what we might be able to do \nto help you legislatively? 
If you would be willing to give us--\nto report back to this committee with a list of some specific \nsuggestions to try to help coordination between agencies and to \nhelp you get your job done, utilizing what laws are already on \nthe books, there may be some ways that we can integrate what is \nout there, because phishing and pharming--both of these, \nincidentally, are spelled with a PF--I don\'t want the farmers \nin my district to call me up and say, "Why are you trying to \nstop farming?"\n    But I think it is very important that we start focusing on \nthis. And would you be willing to ask for that?\n    Chairman Bachus. Sure. And we will do that. And, in fact, \nMs. Kelly and I will join on a letter and outline some of the \ninformation we would like.\n    And I will also ask Ms. Hooley--she is working on \nlegislation--and Chairman Pryce and Chairman Castle to join \nwith us, along with Chairman Kelly. Chairman Kelly has actually \nconducted hearings for probably 2 years on this issue.\n    I think you were the first person on the committee to \nconduct those hearings.\n    Mrs. Kelly. Thank you.\n    My time is up, but I appreciate your response.\n    Chairman Bachus. Thank you.\n    Mr. Green.\n    Mr. Green. Thank you, Mr. Chairman. And thank you, \nCongresswoman Kelly. I appreciate greatly what you have just \ndiscussed because those were some of my concerns. I would also \nadd spyware into the mix of concerns.\n    I am also concerned about the punishment that was mentioned \njust a moment ago, 46 months; and that causes me some concern \nbecause, if you get 46 months, is that sufficient punishment? \nAnd I ask because a low-tech criminal can get 5 years for \nsnatching a purse, and a high-tech criminal gets 46 months for \nsnatching thousands of purses. Is that appropriate punishment \nfor the high-tech criminal? Are the criminal penalties \nsufficient?\n    In Harris County, the district attorney himself had his \nidentity stolen. 
Is this sufficient punishment?\n    Would someone kindly give me a response to the query?\n    Ms. Parnes. Well, Congressman, as a civil enforcement \nagency, we would certainly have to defer to the Department of \nJustice with respect to the adequacy of criminal penalties. \nFrom our perspective, the fact that criminal authorities are \nprosecuting these frauds is an incredibly important step, and \nwe want to see more of that.\n    Mr. Green. Would someone else care to comment? And I am \npursuing it persistently because we don\'t want a standard that \nallows high-tech criminals to get slaps on the hands and low-\ntech criminals to get incarceration. I want all criminals to be \npunished appropriately.\n    Yes, ma\'am.\n    Ms. Thompson. Congressman Green, in one case that I am \naware of, it was an insider transaction, and that person got \nconvicted for 10 years. So I am not sure that there is one \nparticular rule or one particular sentence for every single \nviolation.\n    Mr. Green. My next concern has to do with whether there is \na market for this information. Are we finding that this is the \ncase, that people are actually acquiring this intelligence and \nthen they are marketing it to persons for a fee?\n    And if so, give me some information, if you would, please, \non the extent to which this marketing takes place.\n    Ms. Thompson. Well, as you know, the Internet makes \navailable a global market. And I think I mentioned in my \nopening remarks that the Internet provides a virtual store for \nthe exchange of information.\n    We break identity theft into two phases: the acquiring of \ninformation, which is done through phishing or pharming, and \nthe actual sale or misuse of that information. 
And we do \nbelieve and know that there is a market for that information \nand that that information can and will be misused and nine \ntimes out of ten ends up in cases of identity theft.\n    We believe at the FDIC that consumer education is really \nimportant because in phishing scams the consumer has to \nactively give information. And to the extent that people are \naware that these types of scams are taking place, we would like \nto facilitate more consumer education, more consumer awareness \nabout these issues.\n    Mr. Green. I concur with you, and I support an intelligent \nsociety, especially consumers acquiring as much intelligence as \npossible. But I do still have concerns about the punishments.\n    And I appreciate this market information because those who \nacquire the information, they do so with malice aforethought, \nand they ought to be punished severely as well. Criminals are \ncriminals. If you are high tech, you are just a sophisticated \nthug, and you ought to be punished just like we punish other \nthugs and thieves.\n    Mr. Chairman, I yield back the balance of my time.\n    Chairman Bachus. Thank you, Mr. Green.\n    Mr. McHenry.\n    Mr. McHenry. Thank you, Mr. Chairman. And thank you for \nhaving this hearing.\n    My question really goes to the question of whether or not \nwe have enough regulations on the books already dealing with \ndata security--whether or not we have enough laws on the books \nalready for data security. And is it a question more of \nenforcement of the laws and regs that we have on the books, or \ndo we need to rewrite everything?\n    And this really goes to the heart of the FDIC and NCUA, and \nso if Mr. Fenner and Ms. Thompson, if you could address this.\n    Ms. Thompson. 
We believe that Congress has been very \nproactive in the area of data security with the Gramm-Leach-\nBliley Act, the Fair and Accurate Credit Transaction Act, and \nthe Fair Credit Reporting Act, coupled with interagency \nguidance that provides mechanisms for financial institutions to \nmake sure that the data is secure.\n    I think when Gramm-Leach-Bliley was implemented, it \nrecommended or required that every financial institution have \nan information security program that goes to the institution\'s \nboard of directors. And that is a very important step, coupled \nwith the interagency guidance. Most recently, we issued \n"Response Program" guidance, in late March. We think that we \nhave a lot of tools at our disposal to ensure that data is \nsecure in financial institutions.\n    And because I think Chairman Bachus mentioned it earlier, \nthis guidance was just issued in March, so it is a little \npremature for us to comment on that. But we do think that we \nhave a lot of tools available.\n    Mr. Fenner. Congressman, I would agree that, for the most \npart, with respect to financial institutions, the laws and the \nregulations that we have in place and are now developing will \nprove adequate, including our Gramm-Leach-Bliley implementing \nregulations that require in our case that every credit union \nhave a data security program and, moreover, that they have a \nresponse program to deal with instances of unauthorized access \nwhere the security program, in fact, has failed in some \nfashion, and also, as Ms. Thompson mentioned, the rules that we \nare now developing to implement the provisions of the FACT Act.\n    I would add that with respect to NCUA, as I mentioned in \nboth my written and my oral testimony, there is one area where \nwe do come up short, and that is that the other Federal \nfinancial regulatory agencies do have authority to examine \nthird-party vendors such as data processing firms. We don\'t. 
We \nhad that authority at one time; under a sunset provision, we \nhave lost it. We would like to see it restored.\n    And it is not that we would have the intent of examining \nevery third-party vendor that does business with credit unions, \nbut we think just the existence of the authority provides a \npowerful incentive for those third parties to cooperate with us \nwhen we need information from them. And we have, in fact--since \nthe authority sunsetted, have had instances where we haven\'t \nreceived full and timely cooperation. And so we think it is \nimportant to ask Congress to consider restoring that authority \nfor us.\n    I would also add that I think in the case of other data \nbrokers, nonfinancial data brokers, that it is reasonable for \nCongress to consider whether some of the requirements that \nexist for financial institutions under Gramm-Leach-Bliley and \nthe FACT Act should be imposed on other data brokers as well.\n    Mr. McHenry. So perhaps NCUA and FDIC are doing a pretty \ngood job, and you have pretty much the tools you need aside \nfrom the tools you mentioned, Mr. Fenner. So largely, you are \ntaking on this task already? Yes or no would be fine.\n    Ms. Thompson. Yes.\n    Mr. Fenner. Yes.\n    Mr. McHenry. Great. One of the best answers you can give \nCongress, yes or no.\n    A follow-up to Ms. Thompson. You mentioned interagency \nguidelines and the new implementation of those guidelines, and \none thing that you have brought about is that the one-size-\nfits-all categorization for financial institutions does not \nwork. And one of those areas is subjecting a small community \nbank to the same regulations you subject an international bank \nthat has billions of dollars of assets when it comes to data \nsecurity. And can you outline just a few examples of why that \nis the best approach?\n    Ms. Thompson. 
We, again, believe that it is inappropriate
to require the same security procedures for small institutions
that we expect for large institutions. And I think an example
would be that a small community bank might just offer Internet
banking services to small businesses or retail customers, and a
large institution would have more sophisticated transactions.
They would probably have very extensive Internet access, and
the size of the transaction would be greater.
    We take a look at the risk profile of each of our
institutions. We conduct technology examinations based on the
risk profile that is attributed to those specific institutions.
And we think it is very important that the controls that are in
place are commensurate with the risk.
    Small institutions may have a noncomplex technology
operation, or they may outsource to a service provider. And we
want to make sure that our expectations are reasonable for
financial institutions because we do not want to increase any
burden.
    Mr. McHenry. Thank you.
    And thank you, Mr. Chairman.
    Chairman Bachus. Thank you.
    Ms. Moore.
    Ms. Moore of Wisconsin. Well, thank you, Mr. Chairman, and
thank you, panel, for this very important hearing.
    Congressman McHenry really raised the questions that I had,
and I appreciate his doing that. So I was prepared to pass but
for the fact that I really didn't get--I don't feel that we
have really gotten a full response to his question as to
whether or not we think it is appropriate to have some sort of
czar or something look at data security for those other
industries outside of financial institutions.
    I point specifically to the testimony of you, Mrs. Parnes,
on pages 4 and 5, where you go through this laundry list of
information the data brokers can secure. And, you know, stuff
like child support payments, finding potential organ donors,
locating witnesses and defendants, so on and so forth, that
don't seem to come under the--and you say in the testimony that
it does not come under the jurisdiction of the Fair Credit
Reporting Act. And I don't get the sense that it comes under
any sort of regulatory authority that the FDIC has, and
certainly none under which the NCUA is governed.
    Secondly, I would--so I would like you to respond to that.
    I would also like to address a question to you, Ms.
Thompson, relating to your insight that encrypting
information--and I don't know if this is just from magnetic
tapes or whether this would work for Internet services as
well--that encrypting information would provide a much more
secure environment for this information but for the cost.
    I mean, is it just down to--is it just about the money in
terms of protecting data?
    And to Mr. Fenner I would just like to say, I would love
to give you the authority.
    Mr. Fenner. Thank you.
    Ms. Moore of Wisconsin. Thank you. So please respond.
    Ms. Parnes. I actually haven't given any thought to whether
there should be a kind of information security czar in the
Federal Government. My initial response is that the agencies
that have jurisdiction in this area, I think we actually work
very closely together.
    And so my inclination would be to say if you--
    Ms. Moore of Wisconsin. Excuse me. Let me interrupt because
they have clocks in this institution. I am not used to that
from the State senate.
    You specifically mentioned stuff like HIPAA, who has
jurisdiction over that kind of information? Not you. You
specifically said that you don't have jurisdiction over that
kind of information. So I am convinced that you do a good job
as it relates to the information for which you have
jurisdiction. I am talking about other stuff.
    Ms. Parnes. Right. So, for example, in HIPAA, HHS has
jurisdiction there.
    In the driver's license laws that I think we mentioned,
there are States that enforce those.
    And I think that what you are pointing out is really how
complex this area is. There is information that is collected
and used, you know, on so many different levels. Much of the
information is public record information, and it is compiled by
data brokers.
    I am not certain, frankly, what, you know, a kind of
centralized office would add to enforcement efforts here. I
think that, you know, if Congress wants those of us on the
Federal level to work more closely together, we certainly have
with the banking regulators under the guidance of this
committee--you know, give us that direction, and we will do
that.
    You know, I think we do. But as I have said, I am just not
certain what, you know, a centralized point, what that will
add.
    Ms. Thompson. I would like to respond to your question
about encryption. The agencies really tend to shy away from
prescribing specific standards such as encryption because we
want to have a flexible approach, and we want our institutions
to use a flexible approach when they address this issue.
    What works for one institution may not work for another
institution. What works for the larger institutions may be
cost-prohibitive for the smaller institutions. So we try to not
prescribe specific tools to accommodate certain standards. We
try to establish the standard, and we try to have a flexible
approach.
    Encryption is something that many institutions use and many
Government agencies use to protect and secure confidential
data, but there are other methods to secure that data as well.
    Ms. Moore of Wisconsin. But it is costly. It costs. It
costs a lot of money, right?
    Ms. Thompson. It can.
    Ms. Moore of Wisconsin. But were it not for the cost, that
would go a long way. Would you say it would go a long way in
protecting information?
    Ms. Thompson. Well, I think that any, including encryption,
and that is--
    Ms. Moore of Wisconsin. And would the Internet as well,
would that help?
    Ms. Thompson. Well, any time you take steps to protect and
secure your information, I think that goes a long way to
enhancing data security. Any additional steps that people or
potential criminals have to take in order to access information
is helpful. We want to make sure, again, that there is a
balance, there is a cost implication, and there is also an ease
of use implication as well, and we want to make sure that
people have the option to select the appropriate tool that fits
their particular circumstance.
    Chairman Bachus. Thank you, Ms. Moore.
    Mr. Pearce?
    Mr. Pearce. Thank you, Mr. Chairman. I would like to
associate myself with Mr. Green's comments. I have
the same feeling toward the high-tech thugs. I think maybe the
best punishment--locking them away in a cell maybe is not much
different than some of them live already. So maybe we should
lock them away and not give them access to the Internet or
maybe make them write on a yellow pad and a pencil instead of
giving them a computer. Maybe the best punishment might be to
sentence them to use a 286 for the rest of their lives. I don't
know. We need to figure out some way to redirect their creative
energies.
    Ms. Parnes, you noted in your testimony that the FTC holds
roundtable discussions talking about steps that we can do, and
if you were to characterize the outcome of your meetings the
last year, what actual things have gone into practice of things
that we can do, or what suggestions have you made into the
system that come out of the roundtable discussions during the
last year?
    Ms. Parnes. Well, the last year has actually been a
particularly productive one for us as we have been adopting the
rules that are required under FACTA. And we have adopted
already, I believe, seven or eight of the required regulations,
and all of them--in working on all of those rules, we have had
very productive discussions with industry, consumer groups, you
know, all of the stakeholders on these issues.
    If you would like, I could go through the rules that we
have accomplished thus far.
    Mr. Pearce. I suspect that the thing that I would like to
understand, without going through the entire list, is are we
keeping up with the technology on the other side? In other
words, are the processes to steal information developing faster
than the process to defend against stealing of information?
    Ms. Parnes. Keeping up with technology is always a
difficult issue.
    Mr. Pearce. Is that a no?
    Ms. Parnes. No, but--
    Mr. Pearce. Is that a no, no or--
    Ms. Parnes. Well, it is hard to. And particularly when you
are talking about technology in the hands of people who are
engaged in fraud, you know, they try and stay a step ahead of
us. We try to stay a step ahead of them.
    Mr. Pearce. Would you recommend that we make the entire
concept, that is, that we have speeding violations in order
that people not hit innocent bystanders, so the speeding itself
becomes the criminal act?
    Would you make even the prospect of sending out blanket e-
mails intended to attract, even if we don't tie it down--would
you make that a penalty?
    Ms. Parnes. Well, you know, one of the things that we have
done--
    Mr. Pearce. Would you make that a penalty, yes or no? We
need to get a sense of where we can go here. The technology is
developing faster than we are. We have got no tools. They are
causing tremendous chaos in people's lives and financial
distress in the system. What do we do?
    Ms. Parnes. Well, I don't think that I would make that a
crime. I think that what we are hoping happens, and we are
working with industry on this, we had one of our workshops was
on authentication under the CAN-SPAM Act, and what we are
encouraging industry to develop is technology that
authenticates the domain that an e-mail comes from. And I think
that that would go a long way towards addressing the kind of
phishing and pharming--
    Mr. Pearce. Except technology is developing faster, so that
somebody is going to beat that.
    Ms. Thompson, would you have a different answer? And I will
ask Mr. Fenner, too. Would you have a different answer? Would
you--maybe the entire process of even going out and trying to
elicit information that is not going to be used in a productive
fashion, would you make that illegal?
    Ms. Thompson. Well, I think that we should work with
industry, because technology is being developed to do good
things as well. And to the extent that we have a misuse of
technology, we need to be working with industry to make sure
that we have solutions.
    And I can't stress enough the collaboration that needs to
take place between the Government and the private sector to
address this issue because this isn't, as we heard today, just
an issue for banks or financial institutions.
    Mr. Pearce. Mr. Fenner, the red light is about to come on.
Mr. Fenner, do you have an opinion?
    Mr. Fenner. I don't have any problem with making it a crime
to solicit information for purposes that are fraudulent or to
further a criminal enterprise.
    Mr. Pearce. Yes, but while we are sitting here having these
patient, long discussions, someone else is developing a
technology this morning that is going to get around anything
that we develop. And at some point the concept of developing
the technology to get around other technology in order to hurt
people should be something that we concentrate on. We are going
to have to make some tough, tough decisions somewhere down the
road.
    Thank you, Mr. Chairman.
    Chairman Bachus. Thank you.
    Mr. Clay.
    Wait a minute. I am sorry. Mrs. Maloney.
    Mrs. Maloney. First of all, this hearing makes it apparent
that data security today is regulated by a confusing patchwork
of laws and regulations that have obvious gaps and conflicts.
The same personally identifiable data is subject to different
protections, and its loss is subject to different remedies
depending on who has it, and this doesn't make sense. So I hope
that we will be moving towards a more unified approach or
theory of data protection that will provide the same protection
and remedies to the same sets of data no matter who has them.
    And I want to note that there has been some guidance on
this issue from the regulators involved, not just the banking
regulators, but also NCUA has come out with some guidelines.
But the FTC has not followed suit and come out with any
guidelines. And I think at the least we need to encourage our
regulators to come forward with consistent guidance.
    So my first question is to Ms. Parnes from the FTC. Do you
think guidance like that put out by the banking regulators and
the NCUA is necessary for the institutions that you supervise?
And if not, why not?
    Ms. Parnes. Congresswoman, we have a different relationship
with industries that are subject to the FTC's jurisdiction. The
FDIC is, and the bank regulators are, involved in an
examination process. There is--it is a discrete industry that
they are dealing with. There are a set number of members, a lot
of members of the industry, but they have a very close
relationship with the members of the industry. And as I said,
they are--it is an examination type of relationship.
    That is not what the FTC does. Our jurisdiction is
extremely broad. We regulate all sectors of the economy with,
you know, very specific exemptions. So, I think that the
specific type of guidance that has been issued by the bank
regulators would not necessarily be appropriate for the FTC.
    However, the Commission issues guidance to the industries
that it regulates in a different fashion. We have rules that we
have adopted and implemented. Under Gramm-Leach-Bliley we have
a safeguards rule, and we provide business education on how to
implement that rule.
    We brought a number of cases under section 5 dealing with
information security, and we think that our law enforcement
sets standards that industry should follow. And, again, right
now, we are conducting nonpublic investigations in this area.
We are learning more about this industry. And I think that it
would be likely that at some point we would put out more
general business guidance in this area. But, again, I think it
would be a bit different from what the bank regulators do.
    Mrs. Maloney. So basically are you saying the FTC can't
regulate the industry as carefully as the bank regulators?
    I mean, they have their oversight. Why in the world can't
the FTC have the same type of regulation? I don't get it. If
you can't come out with it, then possibly we need to come
forward with some legislation on it.
    Ms. Parnes. Well, I think that--I certainly don't mean to
suggest that the FTC can't give guidance to industries that
fall within our jurisdiction. I think we can. We are primarily
a law enforcement agency, and, for example--
    Mrs. Maloney. You can give guidance. And the FDIC has given
guidance, and NCUA, they have all come forward trying to set
more uniform guidance. Why don't you step in and give some
guidance, too? This is a tremendous challenge.
    Ms. Parnes. Well, you know, the issues that we are looking
at right now on notice in particular, we are learning a lot
about this. As we conduct these investigations, we have had
many meetings with members of the industry and with consumer
advocates.
    The issues are complex. We are learning about them. But I
would expect that we will seriously consider issuing guidance
when we feel as if we have a better sense of what that should
be.
    Mrs. Maloney. My time is up. Thank you.
    Chairman Bachus. Thank you.
    I would say this to the panel and to the members that are
still here. As far as financial institutions and credit unions
are concerned, there is a standard of care in Gramm-Leach-
Bliley. It is called a privacy obligation. But it is a standard
of care, and it is very precise.
    There are also safeguards listed, and there are three of
them, and the regulators under those have a right to issue
regulations, and you all are doing that. And they are pretty
comprehensive as far as what those safeguards are to ensure the
security and confidentiality of the customer records
information, to protect against any anticipated threats or
hazard to security or integrity of such records, and to protect
against unauthorized access to or use of such records or
information which could result in substantial harm or
inconvenience to any customer. So there is no lack of law when
it comes to financial institutions or credit bureaus.
    And the regulations are coming out. I think, as I see the
problems, Mr. Fenner, you said that NCUA doesn't have the right
to inspect third-party vendors, and, of course, you know CUNA
and NAFCU are opposed to giving you that right so that you
don't have that examination right.
    So you have raised that today, and I think you raised a
good issue. But I think the problem comes, and if I am hearing,
your testimony is your data brokers aren't regulated by, they
don't fall under this standard. They don't follow any of these
safeguards. Is that right?
    Ms. Parnes. Well, Chairman, data brokers could fall under
the laws, and so, for example, if a data broker is a financial
institution, it would fall within their, the GLB, standard.
    Chairman Bachus. Were ChoicePoint and LexisNexis--are
they--were they financial institutions? Part of their operation
were financial institutions. Is that correct?
    Ms. Parnes. Chairman, these are--with respect to the
nonpublic investigations that we have pending, these are issues
that are kind of at the heart of these investigations, and they
are nonpublic.
    Chairman Bachus. Okay. But I guess I will just say this,
then: If part of those operations are financial institutions,
they fall under Gramm-Leach-Bliley.
    Ms. Parnes. That is correct.
    Chairman Bachus. If determined not to be, they would not.
    Ms. Parnes. That is correct. And if they act as consumer
reporting agencies, and some of them do, they would fall
under--
    Chairman Bachus. A credit reporting agency.
    Ms. Parnes. Exactly. The FCRA.
    Chairman Bachus. I actually am the author of the FACT Act,
and it did give a lot of new rights and empowered consumers
who--you know, after the fact. Now, also, by letting them see
their credit reports, it protects them from actually ongoing
fraud, but--and it did give them certain rights.
    My question, I guess, would be under--from reading section
501 of Gramm-Leach-Bliley and the FACT Act, the regulators are
already empowered, in my mind, to establish a uniform notice as
a part of this, because, you know, statutorily you are asked to
ensure these things and to safeguard and protect consumers. And
I would think that you could come out with a uniform notice
and, as far as financial institutions, you could preempt a
hodgepodge of State laws where we are getting, you know,
multiple notices.
    Our financial institutions are having to send really 12-
and 14-page notices because they have to comply with all these
different States, and the end result is that the consumer
doesn't know what he is getting.
    But I guess I would ask you this: Do you think you have the
authority presently? And if not, would you like that authority,
to issue uniform notices in case of a--and, if we do, what
criteria do we--we have always--this Congress, this committee,
has always established as far as when a notice is required; it
has gone back to the common-law definition of a significant
threat or significant, as opposed to insignificant, and used
that standard. Would that be the standard you would recommend?
I will ask Ms. Parnes.
    Ms. Parnes. Yeah. We--I think that looking at the risk of
harm to consumers is absolutely an essential component of a
trigger for notice.
    Chairman Bachus. And significant is the one that has been
used for 300 years. Is there any reason to depart from that? If
it was insignificant, you wouldn't, and you could have
guidelines to what was considered significant.
    Ms. Parnes. That is absolutely right. And this would be
something that the Commission would certainly want to flesh out
in guidelines or in rules. But, you know, again, I mean, I
think, as you have indicated, you know, it is a balance on
notice. And we certainly think that that is the consumer
interest there.
    Chairman Bachus. And the only reason I am saying the use is
significant, you have got years and years of case law as to
what is significant and insignificant. And it can be--you know,
there is a history there. If you came up with some new criteria
or new standard, it would be--it would take literally years and
court cases to establish what that meant.
    Any comment on that? Ms. Thompson?
    Ms. Thompson. Well, the FDIC has not made an official
policy statement on this particular issue, but I believe that
we will need specific Federal authority to preempt State laws.
But with regard to the--
    Chairman Bachus. That is right, because there is no
preemption in Gramm-Leach-Bliley. You are right. You are
absolutely right. So when I said you could, you couldn't,
because Senator Sarbanes added a provision in the Senate which
did not allow for it. It didn't preempt State law. That is
correct. So any legislation with a uniform standard would have
to--I suppose it would have to negate the provision in Gramm-
Leach-Bliley.
    Ms. Thompson. I mentioned that in the interagency guidance
in the customer notice response, there are some principles that
the financial institutions have to adhere to. The notice has to
be clear and conspicuous, and it also has to have a telephone
number for people to call to get information.
    Chairman Bachus. In the FACT Act, we established what the
notice was, and in Gramm-Leach-Bliley, the only thing we don't
establish probably is when, what the trigger is.
    And I guess I am asking you, is significant risk of
significant harm is what has been used in other notices and
other areas, and in other industries, and other statutes. I
think that is the most common one. Probably 90 percent of your
notices are required in that case, you know, when you are
trying to minimize some damage or notice.
    Ms. Thompson. With the interagency guidance, there is a
threshold to send the notice. The threshold was again very
difficult for the agencies to come up with, but it specifically
states that if there has been misuse, or if there is a
reasonable possibility that misuse will occur, then the notice
is sent to the customers or the consumers.
    Chairman Bachus. You would have to probably go--you know,
that is the reasonableness notice, but you would have to--would
you distinguish between significant and insignificant?
    Ms. Thompson. I think we have to because we want to make
sure that customers and consumers are not receiving just
notices that maybe over time become meaningless.
    We want to make sure that when consumers receive notices
that they pay attention, and that they understand the
consequences of not paying attention, and that they take
appropriate steps to make sure that their identities are
protected. It is just a balance.
    Ms. Parnes. And I would add, I think that is exactly the
balance that we are looking at. And I think as we move forward
on this, we will be looking at what we think is exactly the
appropriate trigger for notice. I think we have to--
    Chairman Bachus. But you know the "reasonableness" is in
almost all--you don't even need to put the word in normally
because I think it is the reasonable man standard, but I think
you ought to put the word in. Maybe what you do there is you
say a "reasonable anticipation of significant harm to the
consumer".
    Ms. Parnes. I think that we would want to certainly on an
issue--on an issue like this, if we were implementing rules on
this or advising this Subcommittee, I think that we would want
to give thought to the issues so that we could really identify
an appropriate trigger and what appropriate language would be.
    Chairman Bachus. Thank you.
    Mr. Sanders. Thank you very much. We have a vote on the
floor.
    Mr. Sanders. I wanted to ask one question. I apologize for
not being here for the whole hearing. I think there is an area,
though, a very important area, that has not been discussed, and
that is assuming that we do everything that we can to protect
the American people, we all work together, there is a huge gap
in this discussion, and that is what happens if a company
offshores and that work is being done in India or it is being
done in China? My feeling is that everything that you have told
us doesn't really matter terribly much to a hill of beans.
    My question would be in the event that an offshore company
affiliated with a person subject to your jurisdiction violated
any of the privacy provisions of GLBA, what authorities would
your agency have to bring legal action against such persons?
What authority would you have to bring an enforcement action
against a rogue employee of such a company for violations
committed in foreign countries?
    Ms. Thompson. I would agree with you that prosecution of
workers and employees overseas for data theft is difficult, but
we do have existing data protection legislation and regulations
in Gramm-Leach-Bliley in the implementing security guidelines.
Banks have to choose their service providers carefully, and
they have to make sure that they have access to the
information, and they also have to continually monitor how
their service providers are doing.
    Mr. Sanders. But having said that, Ms. Thompson, you would
agree that--
    Ms. Thompson. Yes. There is difficulty. Yes, I do agree
with that.
    Chairman Bachus. What she is referring to is section 501.
    Ms. Thompson. That is correct.
    Ms. Parnes. And our position is that institutions that fall
within our jurisdiction would be responsible for any data
breaches that occur, even if they occur outside of our borders.
Our kind of issue is one on enforcement and kind of tracking
the violation, and there is legislation that was introduced in
the last session of Congress, the International Consumer
Protection Act, that was not passed, but that would be very
useful in helping us with enforcement.
    Mr. Sanders. So you think we do need legislation, though?
    Ms. Parnes. I think that piece of legislation would help
this issue, yes.
    Chairman Bachus. Thank you.
    Mr. Sanders. Thank you very much.
    Thank you, Mr. Chairman.
    Chairman Bachus. Just for the record, she is referring to
the legislation introduced by Mr. Stearns in the Commerce
Committee, I think, which we also have concurrent jurisdiction
over. We actually--because we thought that was a good piece of
legislation, we waived our jurisdiction. But it did not--I
don't think it got out of the Commerce Committee.
    Mr. Markey has a different piece of legislation, which is
different. I will just leave it at that.
    But I, too, believe that the International Consumer
Protection Act would go a long way towards solving the problem
you have talked about.
    We very much appreciate your testimony here today. We have
votes on the floor, and I think they come at a time when this
hearing would conclude. So we appreciate your testimony, and
you have been very helpful. And this hearing is concluded.
    Ms. Parnes. Thank you.
    [Whereupon, at 11:50 a.m., the subcommittee was adjourned.]


                            A P P E N D I X



                              July 8, 2005


[GRAPHIC] [TIFF OMITTED] T5573.001 through T5573.099 (99 appendix
pages; images omitted in the source)

</pre></body></html>