b'<html>\n<title> - H.R. 3997, FINANCIAL DATA PROTECTION ACT OF 2005</title>\n<body><pre>[House Hearing, 109 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n \n                       H.R. 3997, FINANCIAL DATA\n                         PROTECTION ACT OF 2005\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n               FINANCIAL INSTITUTIONS AND CONSUMER CREDIT\n\n                                 OF THE\n\n                    COMMITTEE ON FINANCIAL SERVICES\n\n                     U.S. HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED NINTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            NOVEMBER 9, 2005\n\n                               __________\n\n       Printed for the use of the Committee on Financial Services\n\n                           Serial No. 109-61\n\n\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n26-758                      WASHINGTON : 2006\n_____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512\xef\xbf\xbd091800  \nFax: (202) 512\xef\xbf\xbd092250 Mail: Stop SSOP, Washington, DC 20402\xef\xbf\xbd090001\n\n                 HOUSE COMMITTEE ON FINANCIAL SERVICES\n\n                    MICHAEL G. OXLEY, Ohio, Chairman\n\nJAMES A. LEACH, Iowa                 BARNEY FRANK, Massachusetts\nRICHARD H. BAKER, Louisiana          PAUL E. KANJORSKI, Pennsylvania\nDEBORAH PRYCE, Ohio                  MAXINE WATERS, California\nSPENCER BACHUS, Alabama              CAROLYN B. MALONEY, New York\nMICHAEL N. CASTLE, Delaware          LUIS V. GUTIERREZ, Illinois\nPETER T. KING, New York              NYDIA M. 
VELAZQUEZ, New York\nEDWARD R. ROYCE, California          MELVIN L. WATT, North Carolina\nFRANK D. LUCAS, Oklahoma             GARY L. ACKERMAN, New York\nROBERT W. NEY, Ohio                  DARLENE HOOLEY, Oregon\nSUE W. KELLY, New York, Vice Chair   JULIA CARSON, Indiana\nRON PAUL, Texas                      BRAD SHERMAN, California\nPAUL E. GILLMOR, Ohio                GREGORY W. MEEKS, New York\nJIM RYUN, Kansas                     BARBARA LEE, California\nSTEVEN C. LaTOURETTE, Ohio           DENNIS MOORE, Kansas\nDONALD A. MANZULLO, Illinois         MICHAEL E. CAPUANO, Massachusetts\nWALTER B. JONES, Jr., North          HAROLD E. FORD, Jr., Tennessee\n    Carolina                         RUBEN HINOJOSA, Texas\nJUDY BIGGERT, Illinois               JOSEPH CROWLEY, New York\nCHRISTOPHER SHAYS, Connecticut       WM. LACY CLAY, Missouri\nVITO FOSSELLA, New York              STEVE ISRAEL, New York\nGARY G. MILLER, California           CAROLYN McCARTHY, New York\nPATRICK J. TIBERI, Ohio              JOE BACA, California\nMARK R. KENNEDY, Minnesota           JIM MATHESON, Utah\nTOM FEENEY, Florida                  STEPHEN F. LYNCH, Massachusetts\nJEB HENSARLING, Texas                BRAD MILLER, North Carolina\nSCOTT GARRETT, New Jersey            DAVID SCOTT, Georgia\nGINNY BROWN-WAITE, Florida           ARTUR DAVIS, Alabama\nJ. GRESHAM BARRETT, South Carolina   AL GREEN, Texas\nKATHERINE HARRIS, Florida            EMANUEL CLEAVER, Missouri\nRICK RENZI, Arizona                  MELISSA L. BEAN, Illinois\nJIM GERLACH, Pennsylvania            DEBBIE WASSERMAN SCHULTZ, Florida\nSTEVAN PEARCE, New Mexico            GWEN MOORE, Wisconsin,\nRANDY NEUGEBAUER, Texas               \nTOM PRICE, Georgia                   BERNARD SANDERS, Vermont\nMICHAEL G. FITZPATRICK, \n    Pennsylvania\nGEOFF DAVIS, Kentucky\nPATRICK T. McHENRY, North Carolina\n\n                 Robert U. 
Foster, III, Staff Director\n       Subcommittee on Financial Institutions and Consumer Credit\n\n                   SPENCER BACHUS, Alabama, Chairman\n\nWALTER B. JONES, Jr., North          BERNARD SANDERS, Vermont\n    Carolina, Vice Chairman          CAROLYN B. MALONEY, New York\nRICHARD H. BAKER, Louisiana          MELVIN L. WATT, North Carolina\nMICHAEL N. CASTLE, Delaware          GARY L. ACKERMAN, New York\nEDWARD R. ROYCE, California          BRAD SHERMAN, California\nFRANK D. LUCAS, Oklahoma             GREGORY W. MEEKS, New York\nSUE W. KELLY, New York               LUIS V. GUTIERREZ, Illinois\nRON PAUL, Texas                      DENNIS MOORE, Kansas\nPAUL E. GILLMOR, Ohio                PAUL E. KANJORSKI, Pennsylvania\nJIM RYUN, Kansas                     MAXINE WATERS, California\nSTEVEN C. LaTOURETTE, Ohio           DARLENE HOOLEY, Oregon\nJUDY BIGGERT, Illinois               JULIA CARSON, Indiana\nVITO FOSSELLA, New York              HAROLD E. FORD, Jr., Tennessee\nGARY G. MILLER, California           RUBEN HINOJOSA, Texas\nPATRICK J. TIBERI, Ohio              JOSEPH CROWLEY, New York\nTOM FEENEY, Florida                  STEVE ISRAEL, New York\nJEB HENSARLING, Texas                CAROLYN McCARTHY, New York\nSCOTT GARRETT, New Jersey            JOE BACA, California\nGINNY BROWN-WAITE, Florida           AL GREEN, Texas\nJ. GRESHAM BARRETT, South Carolina   GWEN MOORE, Wisconsin\nRICK RENZI, Arizona                  WM. LACY CLAY, Missouri\nSTEVAN PEARCE, New Mexico            JIM MATHESON, Utah\nRANDY NEUGEBAUER, Texas              BARNEY FRANK, Massachusetts\nTOM PRICE, Georgia\nPATRICK T. McHENRY, North Carolina\nMICHAEL G. OXLEY, Ohio\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on:\n    November 9, 2005.............................................     
1\nAppendix:\n    November 9, 2005.............................................    41\n\n                               WITNESSES\n                      Wednesday, November 9, 2005\n\nBohannon,Mark, General Counsel and Senior Vice President Public \n  Policy, Software and Information Industry Association..........    23\nBrill, Julie, Assistant Attorney General, State of Vermont.......    25\nCallari, Josie, Senior Vice President, Astoria Federal S&L \n  Association and Chairman, America\'s Community Bankers \n  Electronic Banking and Payment Systems Committee, on behalf of \n  America\'s Community Bankers....................................    19\nHendricks, Evan, Publisher, Privacy Times........................    27\nIreland, Oliver I., Partner, Morrison & Foerster LLP, on behalf \n  of Financial Services Coordinating Council.....................    18\nKaufmann, Karl F., Sidley Austin Brown & Wood LLP, on behalf of \n  Chamber of Commerce............................................    28\nLively, H. Randy, President & CEO, American Financial Services \n  Association....................................................    21\n\n                                APPENDIX\n\nPrepared statements:\n    Oxley, Hon. Michael G........................................    42\n    Ackerman, Hon. Gary L........................................    44\n    Baca, Hon. Joe...............................................    46\n    Bachus, Hon. Spencer.........................................    47\n    Biggert, Hon. Judy...........................................    50\n    Clay, Hon. Wm. Lacy..........................................    51\n    Ford, Hon. Harold E., Jr.....................................    52\n    Gutierrez, Hon. Luis V.......................................    53\n    Hinojosa, Hon. Ruben.........................................    55\n    Lee, Hon. Barbara............................................    
57\n    Bohannon,Mark................................................    58\n    Brill, Julie.................................................    64\n    Callari, Josie...............................................    81\n    Hendricks, Evan..............................................    86\n    Ireland, Oliver I............................................   100\n    Kaufmann, Karl F.............................................   113\n    Lively, H. Randy.............................................   119\n\n              Additional Material Submitted for the Record\n\nBachus, Hon. Spencer:\n    ARMA International, prepared statement.......................   122\n    ID Analytics Corporation, prepared statement.................   128\n    Mortgage Bankers Association, prepared statement.............   139\n    National Business Coalition on E-Commerce and Privacy, \n      prepared statement.........................................   145\nFrank, Hon. Barney:\n    National Association of Attorneys General, letter, October \n      27, 2005...................................................   152\n    National Association of Insurance Commissioners, prepared \n      statement..................................................   164\nHinojosa, Hon. Ruben:\n    Texas Business & Commerce Code, Definitions, Section 20.01...   168\n    Identity Theft Enforcement and Protection Act, Texas State \n      Legislature, May, 28, 2005.................................   171\n\n\n                       H.R. 3997, FINANCIAL DATA\n                         PROTECTION ACT OF 2005\n\n                              ----------                              \n\n\n                      Wednesday, November 9, 2005\n\n             U.S. 
House of Representatives,\n             Subcommittee on Financial Institutions\n                               and Consumer Credit,\n                           Committee on Financial Services,\n                                                   Washington, D.C.\n    The subcommittee met, pursuant to call, at 10:00 a.m., in \nRoom 2128, Rayburn House Office Building, Hon. Spencer Bachus \n[chairman of the subcommittee] Presiding.\n    Present: Representatives Bachus, Castle, Kelly, LaTourette, \nBiggert, Tiberi, Hensarling, Pearce, Neugebauer, Price of \nGeorgia, McHenry, Sanders, Maloney, Ackerman, Moore of Kansas, \nFrank, Hooley, Ford, Hinojosa, Crowley, Baca, Green, Moore, \nClay, and Matheson.\n    Also Present: Representatives Oxley, Pryce of Ohio, and \nBean.\n    Chairman Bachus. Good morning. There was a Republican \nconference this morning. And it is just now concluding. So I do \nexpect some Republican members to be arriving in the next few \nminutes.\n    Today\'s hearing is on H.R. 3997, the Financial Data \nProtection Act of 2005. This is the fourth committee hearing \nthis year on improving data security for consumers.\n    During the past several years, this committee has passed \nvarious pieces of legislation addressing the identity theft \nissue. Most importantly, the Fair and Accurate Transaction Act, \nor FACT Act, contained provisions not only preventing identity \ntheft, but giving victims added protections and remedies, \nparticularly restoring an accurate credit report if they were \nvictims of identity theft.\n    This morning, we will consider data security legislation \nwhich will give Americans, American consumers, further \nprotections against credit card fraud, identify theft, and the \nrelease of confidential information.\n    H.R. 3997 was introduced by Mr. LaTourette, Ms. Hooley, \nChairman Castle, Chairman Pryce, and Mr. Moore. So it is a \nbipartisan piece of legislation. 
It seeks to expand the data \nsafeguard requirements of Gramm-Leach-Bliley Act and the Fair \nCredit Reporting Act by establishing uniform standards for all \nbusinesses that possess or maintain sensitive financial or \nidentity information about consumers.\n    H.R. 3997 would prevent data breaches by mandating a strong \nnational standard for the protection of sensitive information \non consumers, require institutions to notify consumers of data \nsecurity breaches involving sensitive information that might be \nused to commit financial fraud against them, and require \ninstitutions to provide consumers with a free 6-months \nnationwide credit monitoring service upon notification of a \nbreach.\n    Over the past several months, there have been numerous news \nreports describing potentially serious breaches of information \nsecurity. These breaches have generally involved sensitive \npersonal information such as individuals\' names, Social \nSecurity numbers, or payment card information. Although the \nreports of subsequent fraud associated with these breaches have \nbeen relatively few, protecting customers and consumers after \nsuch data breaches obviously remains of primary concern.\n    Furthermore, data breaches, even if relatively uncommon and \nlimited in scope, undermine consumer confidence. For instance, \nsurveys suggests that the growth of online commerce is \nrestrained due to fears about information security.\n    Our fundamental goal is to ensure that companies protect \nsensitive consumer information to avoid potential security \nbreaches. Unfortunately, no data protection program is perfect. \nTherefore, we need to make sure that companies take reasonable \nsteps to protect consumers in the event that there is a breach.\n    This morning, we will have a discussion about providing \nnotices to consumers who are affected by data breach in \naddition to other ways of mitigating consumer harm. 
These \nnotices should only be sent out when appropriate so as to avoid \novernotification of consumers, or customers. In addition, \nCongress should establish a national uniform standard to \nprotect all Americans from data breaches.\n    Lastly, data security legislation should distinguish \nbetween identity theft and credit card fraud.\n    H.R. 3997 goes a long way toward achieving these \nobjectives. And I look forward to moving this bill in the near \nfuture.\n    As I mentioned earlier, the sponsors of 3997 should be \ncommended for drafting bipartisan data security legislation.\n    I also want to recognize the work of Ms. Bean, Mr. Frank, \nand Mr. Davis on H.R. 3140, the Consumer Data Security and \nNotification Act of 2005. Like them, I think the time is ripe \nfor Congress to act on data security legislation and our work \nwith the sponsors of 3997 and with the sponsors of 3140, as \nwell as any other members of this committee, on this important \nlegislative initiative.\n    Let me close by--well, at this point, I will recognize Mr. \nSanders, the ranking member, for any opening statement he would \nlike to make and then we will introduce our panel of witnesses, \nand some of my colleagues wish to introduce certain panelists \nfrom their States.\n    Thank you, Mr. Sanders.\n    [The prepared statement of Hon. Spencer Bachus can be found \non page 47 in the appendix.]\n    Mr. Sanders. Thank you very much, Mr. Chairman, and I thank \nyou for holding this important hearing and I am especially \npleased that Julie Brill, the assistant attorney general for \nthe State of Vermont, can be with us this morning, and I will \nbe looking forward to her testimony and I will be introducing \nher in a moment.\n    Mr. Chairman, identify theft and security breaches at some \nof our Nation\'s largest companies are huge issues that this \ncommittee has got to deal with. 
According to the Federal Trade \nCommission, 27.3 million Americans have been victims of \nidentity theft in the past 5 years, costing businesses, \nfinancial institutions, and consumers over $50 billion per \nyear. Victims of identity theft pay an average of about $1,400, \nnot including attorney fees, and spend an average of 600 hours \nto clear their credit reports.\n    In addition, Mr. Chairman, over the past year, there have \nbeen over 100 security breaches and data leaks at some of the \nbiggest companies in this country, threatening the financial \nprivacy of tens of millions of Americans.\n    The largest one became public in May of 2005 with Card \nSystems Solutions, Incorporated, reported a major security \nbreach, potentially compromising over 40 million credit card \naccount numbers. And in February of 2003, the FBI announced a \nnationwide investigation of a computer database security breach \ncontaining roughly 8 million Visa, MasterCard, and American \nExpress credit card numbers. This breach forced many financial \ninstitutions to reissue thousands of Visa and MasterCards as a \nprecaution against potential fraud. But we are not just talking \nabout credit card companies. We are talking about Time Warner, \nLowes stores, T-Mobile USA, ChoicePoint, Lexis-Nexis, Wells \nFargo, Bank of America, and on and on.\n    For a variety of reasons, Social Security numbers, debit \nand check credit, check card information, driver\'s license \nnumbers, e-mails, personal computer files, and information \nabout student loans and mortgages are being stolen by computer \nhackers and other scam artists.\n    Mr. Chairman, this has got to stop. 
We must make sure that \nhackers and others are protected to the fullest extent of the \nlaw, but we must also make sure that the largest and most \nprofitable multi-national companies in this country do \neverything they can to make sure that identity thieves don\'t \nsucceed in the first place.\n    Today we will be discussing one bill that deals with the \nsubject, H.R. 3995, the so-called Financial Data Protection Act \nof 2005. Mr. Chairman, I have serious concerns about this \nlegislation. As I understand it, this legislation would preempt \nsecurity breach notification laws in the 21 States that have \nenacted them to date and would also overturn the consumer \ncredit report freeze provisions enacted by 12 States, including \nmy own State of Vermont. That is wrong.\n    Mr. Chairman, if Vermont or Alabama want to pass laws that \nare stronger than the Federal Government\'s, we should give \nStates that right. That is what Federalism is all about.\n    The States are laboratories of democracy. If there is a \nparticular identity theft crisis in Colorado and the Colorado \nState legislature passes a law to correct this problem and it \nworks, what happens? Pretty soon, Maryland may pass the same \nlaw, then Nebraska, then Ohio. We learn from each other. And \nthat is one of the very exciting and positive aspects of our \nsystem of Government.\n    But if this legislation is signed into law, we would \npermanently prevent the States from taking this action.\n    We hear a lot of talk from our conservative friends about \nprotecting the States and the American people against the big \nbad and intrusive Federal Government.\n    And I would hope that today and in this legislation, our \nconservative friends would honor the mantra that they preach \nvery, very often. Instead of preempting State consumer \nprotection laws, there is another bill that has been introduced \nby Ms. Bean, H.R. 
3140, the Consumer Data Security and \nNotification Act, that I believe this committee should also \nseriously consider. As I understand it, this legislation would \nprovide strong consumer protections and enforcements against \ncredit card fraud and identity theft.\n    H.R. 3140 would strengthen Federal protections against \nimproper collection and sale of sensitive consumer information \nand provide consumers with advance warning when their personal \nfinancial information is at risk.\n    In addition, the bill contains tough enforcement provisions \nto protect consumer from identity theft. Most importantly, in \nmy view, this legislation does not preempt States and \nlocalities from passing stronger consumer protection laws.\n    Finally, Mr. Chairman, I strongly believe that this \ncommittee should focus on how the outsourcing of financial jobs \nto China, India, and other cheap foreign labor markets also \nthreatens the privacy of our citizens. According to one study, \nmore than 500,000 financial service jobs in the United States \nrepresenting 8 percent of all jobs in banking, brokerage, and \ninsurance firms, will move offshore in the next 5 years. This \nis not just an issue of protecting the working people of this \ncountry. It is also an issue of privacy rights.\n    It seems to me that no financial services firm or credit \nbureau agency is immune to overseas outsourcing. And this is an \nissue we have got to focus on.\n    Mr. Chairman, with growing problems in identity theft and \nwith no domestic legal protection for the privacy of the \npersonal records of American citizens, the situation is \nunhappily ripe for abuse and the evidence is mounting.\n    That is why I am supportive of legislation introduced by \nCongressman Markey that would make it illegal for companies in \nthe U.S. to send financial data abroad without the express \nwritten consent of their customers.\n    Mr. 
Chairman, thank you again for holding this hearing, and \nI look forward to working with you on this issue.\n    Chairman Bachus. I thank the ranking member. At this time, \nI recognize the chairman of the full committee, Mr. Oxley.\n    Mr. Oxley. Thank you, Mr. Chairman. This morning, the \ncommittee meets to hear from a number of leading business and \nconsumer groups on H.R. 3997, the Financial Data Protection \nAct. This bipartisan bill is a product of the hard work and \nleadership of Representatives LaTourette, Hooley, Castle, \nPryce, and Mr. Moore of Kansas. And I congratulate them on \ntheir accomplishment. And also I thank the subcommittee Chair, \nMr. Bachus, and Ranking Member Sanders for spotlighting this \nissue in their hearings. This issue will be a priority for the \ncommittee when we return early next year. And I look forward to \nworking with the sponsors as well as the chairman and the \nranking member.\n    In recent years, criminals in the United States and abroad \nhave become increasingly inventive in finding ways to access \nand exploit information systems in order to commit identity \ntheft. According to the Federal Trade Commission estimate, 10 \nmillion Americans are victimized by identity thieves each year, \ncosting consumers and businesses over $55 billion per year. \nSeveral recent high profile security breaches have focused \npublic attention as never before on the vulnerabilities of \ncompanies\' data security systems. This year alone, we have seen \nnearly 75 breaches impacting over 50 million Americans.\n    As a result of these numerous breaches, Congress needs to \nreview how information is handled, and what happens when it is \nmishandled. The Financial Services Committee has worked \ntirelessly over the past several years to identify and enact \nsolutions to improve data security protections. 
In 1999, many \nof the senior members of this committee helped enact the first \ndata security laws in the Gramm-Leach-Bliley Act applying to \nfinancial firms.\n    In 2003, the gentleman from Alabama, Mr. Bachus, led the \ncommittee in expanding on this effort by securing the passage \nof the Fair and Accurate Credit Transactions Act, or FACT Act, \nwhich generally expanded consumer idea identity theft \nprotections.\n    A number of other committees in the House and in the Senate \nare also working on legislation to address data security \nprotections. This committee must do its due diligence by \nproducing legislation that sets national protection for \nconsumers and supports the financial services marketplace.\n    We can build on the work we did on the FACT Act to achieve \na unified product coming from this committee.\n    We have a great deal of expertise on this committee on \nthese issues. And I expect that our legislation will be a \nsignificant portion of any final House product. We seek to \nachieve a uniform national standard that protects consumers to \na greater overall degree than they are protected now.\n    H.R. 3997 requires all businesses with sensitive \ninformation on consumers to adopt data security, policies and \nprocedures, investigate data security breaches, make uniform \nnotification, and provide mitigation to consumers where there \nis a likelihood of harm to the consumer.\n    I applaud the bipartisan cosponsors for putting together a \nbalanced, fair, and reasonable approach for our committee and \nlooking forward to further consideration of this legislation \ngoing forward.\n    Mr. Chairman, again, thank you for your leadership, and I \nyield back.\n    [The prepared statement of Hon. Michael G. Oxley can be \nfound on page 42 in the appendix.]\n    Chairman Bachus. I thank the chairman and now recognize the \nranking member of the full committee, Mr. Frank, who is one of \nthe cosponsors of 3140.\n    Mr. Frank. Thank you, Mr. 
Chairman, and thank you for your \nopening statement in which you noted that there are a variety \nof bills because I must say that I am very disappointed with \nthe very version of H.R. 3997 that is now before us. And I \nwould ask you ask unanimous consent at this point to put into \nthe record some explanation of my disappointment. One is a \nletter from the National Association of Insurance \nCommissioners, which we just received. Let me read their \nsummary--\n    Chairman Bachus. Yes, and without objection, it will be \nentered into the record.\n    Mr. Frank. In short, H.R. 3997 would take away existing \nState consumer privacy laws, market conduct enforcement \nauthority, and data security safeguards for the purpose of \nestablishing a Federal system that limits consumer protection \nto being notified under certain circumstances when a breach of \ndata security occurs.\n    The attorneys general--nearly all of them--I keep trying to \ncount. Sometimes I get 47. Sometimes I get 48. I don\'t think \nthey have changed. I think my counting changed. But nearly all \nof the attorneys general have sent a letter, too, to the \nleaderships basically opposing 3997 in that they talk about a \nlot of things they want to see in the bill that aren\'t in 3997. \nAnd they have said--and the letters from the attorneys general \nought to be included in the record as well. The point they \nmake, and it is a point that I have made and others here have \nmade that governed our activity when we passed the FACT Act \ndealing with credit. They say on page 2, we call on Congress to \nenact a national security breach notification law that will \nprovide meaningful information to consumers. If Congress is not \nable to extract a strong notice law, it should read be issued \nto State law which is responding strongly.\n    3997 cuts back on Federal law, interestingly. I was \nparticularly disappointed to see that it would weaken Title V \nof Gramm-Leach-Bliley. 
And in many ways, consumers would be \nworse off than they were before. And what it then does is to \nundercut, to preempt a lot of State laws. The standard for \nnotification is less. We had a situation with Bank of America, \nan important institution of my own State in part--I guess in \nevery State. So big deal for me.\n    But they had a breach. And they had to notify customers \nbecause of a California law. Had it not been for the California \nlaw, they would not have had to notify anybody. Understand that \nif this bill passes, 3997, which I do not expect it to, I don\'t \nthink Bank of America would have had to notify. Now I note some \nof my friends in the financial service industry have argued \nthat they don\'t want to too quickly notify people when there \nhas been a breach of the security of the data because of a very \nnew-found concern for the capacity of people\'s mailboxes.\n    I have a rule I will tell my friends in the financial \nservices community; try in political debate to avoid saying \nsomething that no one will believe. It may seem useful to you \nin the spur of the moment, but it rarely works. For the \nfinancial service industry, which keeps my mailbox quite full \nwith various solicitations for credit cards, mortgages, and all \nother matter of products, to suddenly decide that the one thing \nthey don\'t want to send me is a notification that my data has \nbeen breached really doesn\'t persuade anybody.\n    So we, I think, have to--and the bill that we have filed, \nand I appreciate your noticing it, Mr. 
Chairman, when we get to \nthe mark up, I hope it will be obviously considering the \nsubject, not a particular bill, what we try to do is to give an \nincentive to encrypt the requirement to notify consumers in the \nbill we have filed, on our side, as most of the Democrats, \nwould decrease the requirement to notify to the extent that the \ndata has been encrypted.\n    That is, we don\'t try to put a burden of proof on you to \nshow that--we don\'t say that it is only to be--there is only to \nbe notification if it is pretty clear that there is going to be \na breach, but the more you have done things to protect the \nsecurity of the data, the less likely you are to have to \nnotify.\n    Similarly, while it is not in our bill, I think a consensus \nis now developing for a credit freeze. And I will serve notice \nnow that whenever we consider this, there will be an amendment \noffered to provide for a credit freeze, and I notice, for \ninstance, in the 3997, there is some restriction on liability \nfor the holders of the data.\n    I would be willing to do that if, in fact, there was a \nright of a credit freeze and if people would exercise--have the \nright to have exercise a credit freeze it would limit \nliability. Otherwise it is too broad. So there are a number of \nareas where, as I said, I am disappointed in 3997. It weakens \nTitle V, which would seem to me entirely unnecessary to this \npurpose. It cancels a lot of State laws and puts inadequate \nFederal laws in their place. So we look forward to the \nopportunity to work on this.\n    This committee has been able on most pieces of major \nlegislation to arrive at a pretty good bipartisan consensus. I \njust want to serve notice today we ain\'t there yet. And 3997 \ncertainly isn\'t there. But we hope that we can get there. Thank \nyou, Mr. Chairman.\n    Chairman Bachus. Thank you. Let me say this as we move \nforward and I think, Mr. 
Frank, and we have had discussions and \nthe chairman and I know the sponsors of the bill, and it is all \nour intention to work together.\n    Mr. Frank. I appreciate that, Mr. Chairman, you have always \ndone that.\n    Chairman Bachus. And I think that there is at least some \nconsensus that we will not mark up a bill until January or \nFebruary.\n    And one of the reasons for that is we do not have a \nconsensus at this point.\n    Mr. Frank. Thank you, Mr. Chairman. Let me say, I think I \nspeak for a very strong bipartisan consensus when I say that \nthis is a very important subject; we hope it is February and \nnot January.\n    Chairman Bachus. I think that Chairman Castle and Chairman \nPryce and Mr. LaTourette probably agree.\n    So, thank you. At this time, Chairman Castle?\n    Mr. Castle. Thank you, Mr. Chairman. I also, Mr. Chairman, \nappreciate the hearing you are holding today on this very \nimportant piece of legislation.\n    We have worked very hard over the past few months, those of \nus who are involved in this, to develop a comprehensive \napproach to securing information. In today\'s hearing, while the \nfourth in a series on this topic, it is the first that really \nfocuses on this particular legislation. I think each one of us \nas individuals will agree that we enjoy the convenience that \ncomes with the ability to pay bills online or the ability to \napply for a mortgage, car loan, or home equity loan via the \nInternet. And businesses certainly enjoy greater sales and \nincreased productivity as a result of high speed computer \ntechnology that captures vast amounts of consumer information.\n    But at the same time, we worry about compromising \nsensitive, personal, and financial information. 
And we worry \nabout consumers\' willingness to share that information \nespecially because in 2005 alone there have been 75 corporate \ndata security breaches involving sensitive information, an \nestimated 75 million consumers.\n    The goal of H.R. 3997, the Financial Data Protection Act, \nis simple, to treat data that is valuable to businesses and \nconsumers with care and to safeguard it from abuse or misuse.\n    Many States have different standards for the protection of \nsensitive consumer information and notification in place \nalready. But this patchwork approach to consumer data \nprotection is not ideal. Therefore, I look forward to hearing \nfrom our distinguished panelists today about the need for \nuniform, comprehensive data security requirements to protect \nsensitive personal information that may be used to commit \nfraud--especially the crime of identity theft.\n    I am hopeful that your testimony will shed light on why \nsuch a standard is critical for businesses and consumers. Thank \nyou, Mr. Chairman. I yield back.\n    Chairman Bachus. Thank you. Ms. Maloney.\n    Mrs. Maloney. Thank you, Mr. Chairman. And I welcome all of \nthe participants today as well as all of the witnesses on this \nimportant issue. And I would particularly like to welcome Ms. \nJosie Callari from Astoria Federal Savings, a New York \ncommunity bank that is located in the district that I am \nhonored to represent.\n    Our colleagues in Energy and Commerce have started their \nwork, and so it is high time that we do the same. In \nconsidering how to address the issue for financial services \ninstitutions, we start from a forward position. Since those \nentities are already subject to the data security and privacy \nprotections in the Gramm-Leach-Bliley Act. 
Title V of that Act
already requires financial service institutions to implement
data security safeguards, a customer response program, and a
comprehensive privacy policy.
    I am sure if you ask the institutions here today that they
would be able to describe how they are implementing these
programs in detail in their own institutions.
    I would say, particularly smaller institutions have paid
the price to address data security breaches for their
customers, even when the data was lost by a data broker or
merchant, because the customer is a bank client and customer
relations are important and because they believe in taking care
of their clients. And I have heard such stories from the
constituents that I represent.
    In my view, to the extent that we impose additional
national standards, we should be very cautious in how we
disrupt the newly settled system of regulations that has been
put in place under Gramm-Leach-Bliley. On the other hand, we
need to make sure that our financial institutions aren't paying
the price for other less well regulated. It makes no sense to
have a national system that provides different consumer
protections to the same sensitive financial information
depending on who lost it.
    For example, data brokers who lose information should bear
the burden of compensating for those losses and protecting
consumers in the future.
    There are several issues, however, that the implementation
of Gramm-Leach-Bliley has shown up as a weakness in the data
protection according to our financial institutions. And one of
those issues that my constituents are extremely concerned
about--and I am sure that this is probably true across the
Nation--is what protections do consumers have when their data
is sent overseas to be processed?
    Many countries don't have data security protections that
are as robust as those that we have in this Nation.
Yet
financial services companies routinely use data processing
services to process sensitive financial information.
    So I will definitely be offering the Markey bill and the
proposal that strengthens the oversight of data that is sent
overseas. And I feel that should be strongly addressed in this
legislation.
    I would also like and request the chairman to place in the
record a letter that has come to me and probably many others
from the attorneys general across this Nation. And they argue
that States should have the ability to enforce any national
security breach notification laws and that State laws should be
left to govern entities not covered by the Federal law or the
consequences of security breaches. Their letter was signed by
many attorneys general, including New York's Attorney General,
Eliot Spitzer.
    On the other hand, some of my industry representatives have
argued that only if State laws are completely preempted will
financial institutions be able to cope with the compliance
issues that data security presents and that functional
regulators are best equipped to enforce regulations governing
the entities with which they are familiar.
    So in your comments, I wish that the panelists would
address the letter from the attorneys general and your
interpretation and advice on it. I thank the chairman. I have
been--I have learned over many years that many contentious
issues I think will never ever be in agreement. But often you
have bent over backwards to listen to the Democratic side and
we have come forward with a bipartisan agreement on what is
fundamentally important to all Americans and that is a strong
safety and soundness in our financial system, and I feel
confident we will be able to do that and I thank you for your
accommodation in the past and look forward to working with you
on this bill.
    Chairman Bachus. Thank you.
And one thing that Chairman
Oxley wanted me to stress and Ranking Member Frank, and I know
they have talked, and I believe I speak for both of them when
they say that addressing this issue is a top priority of the
committee.
    And as Mr. Frank said, if he thinks that February is more
appropriate for beginning to mark up a bill, then February it
will be, because we need some consensus and agreement going
forward.
    At this time, I recognize Mr. LaTourette, who is a lead
sponsor of the bill.
    Mr. LaTourette. Thank you very much, Chairman Bachus, and I
would ask unanimous consent to include a rather lengthy
statement into the record. I want to thank the cosponsors of
this legislation, Mike Castle and Debbie Pryce and Dennis Moore
and Darlene Hooley. And I was sitting next to Mr. Hensarling
when the distinguished ranking member of the committee, Mr.
Frank, was talking. And he said to Darlene and to Debbie and to
Mike and to Dennis it is like he called our child ugly. And
that is too bad. But we worked hard on this legislation.
    We recognize that there are competing opinions. But
clearly, this is an important issue. The great thing about this
committee is it does work together well on most issues in a
bipartisan fashion. And as I read the testimony of those who
are testifying today, I know that some of you are going to be
critical of the bill and some of you are going to be very
critical of the bill.
    And I just want you to know that if we are going to get
this right, we do need the input of everybody.
And so we
appreciate your being here to offer your observations because I
think the one thing that we would like to see at the end of the
day is a piece of legislation that, in fact, addresses this
rather serious problem.
    And while we often debate the issue of preemption and
whether or not the 50 States are great laboratories of
democracy, and I agree and with the system of Federalism, but I
would also suggest that there are times when we need to look at
the great ideas that are going on in some of the 50 States and
apply them, in some instances, in a limited basis to a national
problem.
    Mr. Sanders. Would my friend yield on that?
    Mr. LaTourette. I would be happy to yield.
    Mr. Sanders. I agree with him. The point is we should take
the best ideas at the State level and apply them at the Federal
level. But we shouldn't preempt the States from continuing to
go forward. That is the main point that I would make.
    Mr. LaTourette. I appreciate the gentleman's observation,
and I know that he holds that clearly and on some issues I
agree with him and some I don't agree with him. And we can move
that forward as we debate this legislation. But I think that
the prime--with all of its warts and flaws, H.R. 3997 is, in
fact, a collaborative effort. It is a bipartisan effort. It was
an attempt to be thoughtful. And I'm proud of the product and I
am very thankful to my cosponsors and Mr. Chairman--
    Mr. Frank. Would the gentleman yield?
    Mr. LaTourette. I would be happy to yield.
    Chairman Bachus. We probably need to restrict this to
opening statements. I will let the ranking member--
    Mr. Frank. Just briefly. The gentleman said that I called a
child ugly. And I would just plead guilty and say that it seems
to me the obligation to declare all children beautiful should
not be construed as extending beyond the boundaries of your own
district.
    Chairman Bachus.
We are obviously building a consensus
already. We are off to a good start.
    Mr. LaTourette. And I thank the gentleman very much and
perhaps we will put braces on the child as we move forward in
this process. But I look forward to a rather spirited debate.
And Mr. Chairman, I thank you for your leadership and--your
committed leadership in not only this issue, but identity
theft, not only as we move forward, but in the past. And I
yield back my time.
    Chairman Bachus. Mr. Ackerman.
    Mr. Ackerman. Thank you, Mr. Chairman, and thank Mr.
Sanders as well for introducing this legislation at today's
hearing. I think it is as good as any of a stepping off point.
I do have some very grave concerns about the bill as it has
been thus presented. Many of which have been expressed here. I
am concerned that in our rush to do something that must indeed
be addressed as expeditiously as we can, that we do get it
right.
    And citing those things in my opening statement, that have
already been expressed, as well as some others with the Chair's
assurance that he has given, and true to form that he has
always worked and listened to all members of the committee--
some of whom might be uglier than others, I am not sure and I
don't want to get into that--I would ask unanimous consent to
put the entire statement in.
    And with the Chair's permission, as I have a markup down
the hall at this time, I would like to just say a word of
introduction to a constituent who is on today's panel and--
    Chairman Bachus. Yes, that would be fine.
    Mr. Ackerman. Thank you, Mr. Chairman, very much. I would
like to give a special welcome to Josie Callari of Astoria
Federal Savings, who is also mentioned by Ms.
Maloney, who said
that she had their banks in her district, and indeed she does.
    It should be noted that there are 18 Members of Congress
who represent parts of our city, New York City, or Long Island,
and indeed I think if you asked almost any of us, we do have
branches of that bank in our district. But I am proud to say
that their headquarters in Lake Success is indeed in my
district.
    Ms. Callari has 30 years of experience in the banking
industry and is currently a senior vice-president and the
director of banking operations at Astoria Federal Savings. She
also serves as the vice chairman of the America's Community
Bankers Electronic Banking and Payments Committee. And she is
ideally suited to provide testimony before the subcommittee
today.
    And finally, she has been very active as a volunteer and as
a supporter of so many community organizations in my district
and throughout our region that I would like to thank her
personally for that volunteer service as well.
    And thank you for coming down. And thank you for
participating in this panel. And don't be nervous.
    [The prepared statement of Hon. Gary L. Ackerman can be
found on page 44 in the appendix.]
    Chairman Bachus. Thank you.
    Several opening statements have referenced the attorney
general's letter and the attorney general or assistant attorney
general; Ms. Brill from Vermont, has actually attached that to
her testimony. So it will come in as part of that testimony.
    At this time, I recognize Ms. Pryce.
    Ms. Pryce of Ohio. There is two. I will just submit my
statement for the record.
    Chairman Bachus. Mr. Hensarling.
    Mr. Hensarling. Thank you, Mr. Chairman, and I certainly
thank you for holding this important hearing. I want to thank
my colleagues on this committee, particularly Mr. LaTourette,
who collaborated to introduce H.R.
3997.
    As we all know, this year there have been numerous widely
reported breaches of security in several companies involved in
the collection and dissemination of consumer data. This is
clearly troublesome.
    There is no doubt that companies should have data security
policies and procedures in place to protect against fraudulent
activity, especially identity theft, the fastest growing white
collar crime in America.
    In fact, the Federal Trade Commission has estimated that
about 10 million Americans fall victim to identity theft every
year. I have been one of them. It costs consumers and
businesses more than $55 billion in the aggregate.
    But, Mr. Chairman, many regulations are already in place
that work to protect the personal information of individuals.
And we all know that financial institutions in particular are
highly regulated under Gramm-Leach-Bliley when it comes to the
collection of consumer data. We also know that the Fair Credit
Reporting Act, as amended by the FACT Act, helps consumers
improve the accuracy of information about them while
restricting the disclosure of that same information.
    While regulation clearly helps to direct financial
institutions' response to identity theft, the actions taken by
financial institutions on their own should not be dismissed.
    The overwhelming majority of institutions already offer
their customers information on how to prevent identity theft
and what to do about it, and they train their employees to
protect the security of customer information and to assist
victims. It is in their interest to do so.
    Who wants to tell prospective customers, please allow me to
handle your sensitive consumer data; we only had 14 data
security breaches last month. Markets can work. They can punish
bad or negligent behavior. Just ask anyone who used to work for
Arthur Andersen. Ask an investor in ChoicePoint who saw their
stock fall almost 10 percent.
As Chairman Greenspan told this
committee back in July, "the self interest of people who handle
data is so extraordinarily high, I just balk at the notion that
anyone has to tell them what their self interest is. I cannot
believe that we need regulations to tell people how to make a
profit."
    I do think we need to make sure as a body that we are
always cautious not to create a remedy that proves worse than
the disease. And, unfortunately, Congress has on occasion
excelled at the art of unintended consequences.
    So I hope, Mr. Chairman, as we consider this important data
security legislation, that we keep Chairman Greenspan's words
in mind. We know that data security is a serious subject. We
also need to ensure we take no action that would needlessly
stifle competition or impose unreasonable costs on participants
that ultimately will be borne by the consumers. Thank you, and
I yield back.
    Chairman Bachus. Thank you, Mr. Hensarling. At this time I
recognize one of the cosponsors of the 3997, Mr. Moore.
    Mr. Moore. Thank you, Mr. Chairman. I would like to thank
you for holding today's hearings, and I introduced this
legislation with Mr. LaTourette, Deborah Pryce, Mike Castle,
and Jeb Hensarling, and I want to thank each of my cosponsors.
We have all seen this year that breaches of data security are a
serious and ongoing problem in our country.
    The testimony of Vermont's assistant attorney general,
Julie Brill, notes that there have been reports of over 118
data leaks this year, which all together have affected 57
million consumers in the United States.
    Today 23 States have enacted breach notification laws. Just
2 weeks ago, 47 State attorneys general sent a letter to
Congress on the issue of breach notification legislation.
I
don't agree with all of the statement's recommendations in the
letter, but I do appreciate the fact that the attorney
general's recommendations that Congress enact a national
security breach notification law that will provide meaningful
information to consumers.
    Unfortunately the State of Kansas has not considered or
enacted consumer notification legislation. And our attorney
general did not sign the attorneys general's letter. A Federal
law that sets a uniform national standard will benefit I
believe both consumers and businesses that operate in the State
of Kansas.
    Further, the passage of notification laws by nearly half
the States is a strong indication that there is a problem which
does not recognize State lines, and it is in need of a national
solution. I believe that solution is embodied in H.R. 3997.
    H.R. 3997 would, for the first time, in Federal law, create
a uniform consumer notification standard and require companies
to notify consumers when their sensitive personal information
has been accessed in a way that could lead to substantial harm.
    It seeks, I believe, to strike a reasonable balance that
requires breached entities to notify but not over-notify
consumers when sensitive personal information has been
compromised. Believe it or not, I know some of you won't
believe this, but sometimes Congress overreacts to certain
problems that are presented to Congress. As Congress considers
data security legislation, we need to react to a very real
problem without overreacting. And I hope that this is contained
within 3997.
    The bill sponsors, and I believe there should be a few
guiding principles behind any data security legislation or bill
that is passed by Congress. Number one, companies should be
required to safeguard their data.
Number two, breached
businesses should be required to notify consumers, law
enforcement regulators, and relevant third parties when
sensitive personal data is compromised. Number three, breached
entities need to ensure that consumers are protected after
their data is compromised. Number four, Federal preemption is
necessary, I believe, to create a meaningful uniform national
standard. Our legislation embodies each of these guiding
principles.
    I am proud of this committee's bipartisan work in drafting
H.R. 3997. Protecting data and consumers is not a partisan
issue, should not be a partisan issue, and the process of
drafting and passing data security legislation should and will
be bipartisan. Thank you, Mr. Chairman.
    Chairman Bachus. Thank you, Mr. Moore. And I appreciate
your work and Ms. Hooley's work on the legislation.
    At this time, I recognize Ms. Kelly for her opening
statement, and I will also commend your work on oversight
committee in this regard.
    Mrs. Kelly. Thank you, Chairman Bachus. I appreciate your
holding this important hearing.
    America demands that its data be secure.
The horror stories
of recent data leaks weaken the confidence in the security of
transaction data and electronic payment systems.
    Small businesses, in particular, suffer when they lose
access to credit card systems and they are forced to invest in
ever more complex and expensive security because of failures at
some of the largest companies in the Nation.
    The Oversight and Investigations Subcommittee that I chair
looked into several of these cases and found that while all
involved sought to do the best of their ability to protect
consumer data, very few considered the impact on our nationwide
economy and small businesses when their best efforts weren't
good enough.
    I am pleased that the legislation before us protects small
businesses while providing clear standards on data protection
and loss notification all companies can use.
    National standards combined with small businesses
flexibility are the hallmarks of this legislation, and they
should be a portion of any data security legislation that is
considered by the House of Representatives in this Congress.
    I am very interested in hearing the comments of our panel
today. I thank you and yield back the balance of my time.
    Chairman Bachus. I thank you. Ms. Hooley, at this time, you
are recognized for an opening statement as one of the
cosponsors.
    Ms. Hooley. Thank you, Chairman Bachus and Ranking Member
Sanders, for holding this subcommittee hearing on H.R. 3997,
the Financial Data Protection Act of 2005. I would also like to
thank Chairman Oxley and Mr. Frank for their leadership on this
issue.
    It is imperative that Congress act to make certain that
sensitive personal information is protected by adequate
safeguards.
And I look forward to working with my colleagues on
the committee to move this process forward.
    Identity theft represents a fundamental threat to e-
commerce, to our overall economy, and our homeland security.
    No longer are we facing just hobbyist hackers looking to
create a nuisance. Increasingly, these attacks are driven by
skilled criminals. ID theft is big business.
    Since drafting my first identity theft bill with
Representative LaTourette in 2000, the number of incidents
reported to FTC has increased by eight-fold.
    Congress made progress in protecting consumers from ID
theft in the 108th Congress with the passage of the FACT Act,
which provided landmark consumer protections, including free
annual access to credit reports from all three major credit
bureaus so that consumers could closely monitor their own
credit.
    I believe this is a great opportunity for this committee to
build on that success.
    While our free credit report law has helped consumers spot
fraud, this new legislation will help stop fraud. For nearly a
year now, the sponsors of this legislation, Mr. LaTourette, Mr.
Castle, Ms. Pryce, Mr. Moore, have worked with other members of
this committee, industry leaders, consumer groups, and victims
to write legislation that safeguards sensitive consumer
information, fights ID theft, and creates uniform standards for
notifying consumers.
    What this bill does is very simple. If a business has
sensitive financial information of a consumer, they have a duty
to protect that information. Businesses have a duty to
investigate, even if they only think there might have been a
breach.
If that breach might have occurred, they have to notify
Secret Service; they notify their regulator if that data is
lost or stolen and the consumer is placed at any risk of either
account fraud or ID theft, the businesses have to notify the
consumer.
    This bill requires that there is a single standard easy-to-
recognize notice so that consumers won't treat this as junk
mail. This bill also requires that notices contain meaningful,
useful information to help consumers respond and protect
themselves, including the toll free number. And finally, if a
consumer is at risk of ID theft, this bill requires that
businesses provide those consumers with 6 months of free credit
monitoring service so the consumers know that they are a victim
of ID theft.
    This bill will help stop fraud. And I look forward to
working with my colleagues to move the process forward. And I
thank you and I yield back. Thank you, Mr. Chair.
    Chairman Bachus. Any other members on the Republican side
that have opening statements?
    Any members? Mr. Green? Mr. Clay.
    Mr. Clay. Thank you, Mr. Chairman, for holding today's
hearing on proposed legislation intended to stem the increasing
number of identity theft cases and data security breaches that
are threatening our Nation's economy.
    I am hopeful that our efforts to develop a meaningful and
measured response will provide assurance to all consumers that
their information will be protected from those with impure
motives and criminal intent.
    The cost associated with identity theft and security
breaches are staggering when accounting for both economic and
personal damages.
In addition to approximately $55 billion in
annual losses among both individuals and industry, consumers
are often subject to legal and financial obstacles while
attempting to reestablish their credit worthiness.
    As we develop an appropriate legislative response to these
threats, I hope we can build off the model of strengthening
data security requirements contained in Gramm-Leach-Bliley for
industry members that remain unregulated.
    Furthermore, I believe that a uniform Federal standard for
security will ensure that both industry and consumers are
operating within one set of standards without ambiguity and
variances from State to State.
    If we want to preserve the optimal benefits of our growing
e-commerce sector, then we must create an environment that
protects the personal information of consumers in all
circumstances while weeding out predatory industry
participants.
    Thank you, Mr. Chairman. And I yield back the balance of my
time.
    [The prepared statement of Hon. Wm. Lacy Clay can be found
on page 51 in the appendix.]
    Chairman Bachus. Thank you. Mr. Green.
    Mr. Green. Thank you, Mr. Chairman, and I thank the ranking
member as well for hosting these hearings. Mr. Chairman, I am
hopeful today that we will get some questions answered that are
of concern. Our questions, such as who should determine whether
the harm element is met, should it be the consumer reporter as
defined in H.R. 3997? Or should it be the breached entity in
concert with law enforcement, as the attorneys general
recommend? Should this harm element be a trigger to give
consumer notice of breach or should consumers always be given
notice unless there is no risk of harm resulting from the
breach?
    And finally, if the breached notification system is overly
broad, do we run the risk of inundating consumers with notices
and having them ignore important information they may need to
protect themselves?
I yield back the balance of my time.
    Chairman Bachus. And I apologize. I had a list of members
that I thought wanted to make opening statements. Mr. Crowley,
Mr. Baca, so.
    Mr. Crowley. I thank the chairman. I am going to be very
brief. I just want to thank the Chairman and the ranking
member, Mr. Sanders, for holding this hearing and I look
forward to the testimony of all the expert witnesses that are
before us today. I want to thank my colleagues on both sides
who are conducting I think once again the spirit of this
committee, a bipartisan effort to bring about legislation out
of this committee. Once again, I hope when legislation that is
passed in this committee in a bipartisan effort makes its way
to the floor that it is not too diminished by outsiders that
make it more difficult for members of this committee to support
something on the floor of the House once it gets there from
this committee.
    But I, too, am looking for a uniform Federal standard,
Federal preemption, one that protects the consumer as well as
the institutions, one that moves towards--institutions towards
encryption and the use of modern technology to help secure the
data of consumers in this Nation, one that will maintain or
strengthen consumer confidence, a defined trigger and
assignment of responsibility where it truly belongs.
    And again, I thank all my colleagues, especially Ms.
Hooley, who has been very, very engaged in this because of
personal experience in her own life. So I do appreciate her
involvement and all my colleagues for working in a bipartisan
spirit. And with that I yield back.
    Chairman Bachus. Mr. Baca.
    Mr. Baca. Thank you very much, Mr. Chairman. I have a
prepared statement I would like to enter for the record and
suspend with reading it other than just stating that I am very
much concerned that H.R.
3997 preempts the State law and
ignores the lessons we have learned from the State of
California and, of course, like everyone else, has indicated we
need a national standard that protects personal information and
ensures the consumers receive notices when their personal
information is breached. And with that, then, I will submit my
statement for the record.
    [The prepared statement of Hon. Joe Baca can be found on
page 46 in the appendix.]
    Chairman Bachus. Thank you. Are there any other members of
the minority? Ms. Bean.
    Ms. Bean. Thank you, Mr. Chairman. I appreciate the
opportunity to speak. I would like to thank Chairman Bachus and
Mr. Sanders for holding today's important hearing to consider
how to best improve data security for consumers.
    There is no doubt that as the volume of personal
information held by corporations, data brokers, and businesses
continues to increase, the issue of data security and
protecting Americans' personal information takes on particular
importance.
    While I am interested, like my colleagues, to hear the
testimony and insights from this distinguished panel today and
to how Government and industry can work together to better
ensure that our consumers' personal information is adequately
protected, I would like to take this opportunity to highlight
the fact that in addition to H.R. 3997, other pieces of
legislation addressing data security have been introduced in
the 109th Congress and are pending before this subcommittee. In
particular, in June, I joined with Mr. Davis and Mr. Frank in
introducing H.R. 3140, the Consumer Data Security and
Notification Act of 2005. I believe by considering multiple
proposals and approaches, we will ultimately arrive at a
stronger final product to improve data security.
    For example, on controversial issues such as the
notification trigger, I look forward to working with my
colleagues to accomplish that task.
Thank you, Mr. Chairman.
And I yield back the balance of my time.
    Chairman Bachus. Thank you. Mr. Matheson, did you--oh,
okay. You don't have an opening statement.
    If there are no more opening statements, I will say this,
Ms. Bean. In my opening statement I did recognize that you and
Mr. Frank and Mr. Davis have introduced H.R. 3140, and it is
the committee's intent to work with you and with all members to
construct a comprehensive approach. So we will be doing that.
And you have my assurances that we will work with you.
    At this time, I would like to introduce all the panelists.
Ms. Callari has already been introduced. I will skip over her
and when we get on the attorney general--assistant attorney
general, Mr. Sanders will introduce her.
    We have with us today Mr. Oliver Ireland, partner of
Morrison and Foerster, on behalf of the Financial Services
Coordinating Council. Mr. Randy Lively, president and CEO of
the American Financial Services Association, welcome you back
before the committee; Mr. Mark Bohannon, general counsel and
senior vice president of policy of the Software and Information
Association; Evan Hendricks, publisher of Privacy Times; and
Karl Kaufmann, Sidley--is that Sidley.
    Mr. Kaufmann. Yes, sir.
    Chairman Bachus. Sidley Austin Brown & Wood, LLP on behalf
of the Chamber of Commerce.
    Mr. Sanders.
    Mr. Sanders. Thank you very much Mr. Chairman.
    I am delighted to welcome Julie Brill to be a panelist with
us today. She has been an assistant attorney general for the
State of Vermont since 1988. She is co-chair of the National
Association of Attorneys General Privacy Working Group. Ms.
Brill has spearheaded Vermont's legislative efforts in a wide
variety of areas affecting consumers, including privacy, fair
credit reporting, tobacco, and antitrust.
In 2001, she received
the Brandeis Award from Privacy International for her work in
Vermont and nationally promoting consumers' interests in privacy
issues. We are glad that she is with us today.
    Chairman Bachus. Thank you. We look forward to hearing from
all of the witnesses, and I thank them for taking time from their
busy schedules. We do anticipate votes on the House floor
sometime between 12:15 and 12:45, so if you are wondering about
a break, that is apparently the first time we will break unless
there is a need to prior to that. If you would just advise us
of that, we will be glad to take a short break or excuse you
for a minute from the hearing.
    At this time, I recognize Mr. Oliver Ireland, and as Mr.
Ireland begins his testimony, I am going to have to be excused
for a vote in Judiciary. Mr. Hensarling is going to take my
place in the Chair. But I have read the testimony.

  STATEMENT OF OLIVER I. IRELAND, MORRISON & FOERSTER LLP, ON
       BEHALF OF FINANCIAL SERVICES COORDINATING COUNCIL

    Mr. Ireland. Thank you, Chairman Bachus, and members of the
committee. My name is Oliver Ireland, a partner in the D.C.
Office of Morrison & Foerster, and I am here today on behalf of
the Financial Services Coordinating Council, which consists of
the American Bankers Association, the American Council of Life
Insurers, the American Insurance Association, and the
Securities Industry Association. Together these associations
represent a broad spectrum of financial services providers,
including banks, insurance companies, and securities firms. Our
members have a strong interest in protecting our customers from
identity theft and account fraud. Identity theft occurs when a
criminal uses information relating to another person to open a
new account in that person's name. In addition, in some cases,
information relating to a customer's account can be used to
initiate unauthorized charges to those accounts.
The issues of 
identity theft and account fraud and related concerns about 
data security are of paramount importance to financial 
institutions and the customers that they serve.
    In my testimony, I would like to emphasize three key 
points. Financial institutions have a vested interest in 
protecting customer information and are highly regulated in 
this area already. A uniform national approach to information 
security is critical, and security breach notification 
requirements should be risk-based.
    Financial institutions have long recognized the importance 
of protecting customer information. Financial institutions 
incur significant costs from identity theft and account fraud. 
Accordingly, financial institutions aggressively protect 
sensitive information relating to consumers. Among those that 
handle and process consumer information, financial institutions 
are among the most highly regulated. The Federal banking 
agencies and the Securities and Exchange Commission have 
established regulations or guidance covering the security of 
customer information under Title V of the Gramm-Leach-Bliley 
Act. In addition, 34 States have established standards for 
insurance companies with respect to safeguarding customer 
information.
    We believe that a uniform national approach to security and 
security breach notification that applies to all financial 
institutions and non-financial institutions alike but 
recognizes existing Federal Gramm-Leach-Bliley requirements is 
critical to preserving efficient national markets and providing 
consistent protection for consumers. A number of State 
legislatures have passed security breach notification laws. 
While these State laws have similarities, they also have 
important differences. State laws that are inconsistent result 
in both higher costs and uneven consumer protection and, in 
some cases, could lead to delays in providing notices.
Moreover, an individual State requirement or an individual 
State's failure to recognize a key provision can effectively 
nullify the policy choices of other States.
    Finally, notification requirements should be risk-based. 
While it is important to protect all sensitive customer 
information from unauthorized use, it is most critical to 
protect consumers from identity theft and account fraud. 
Security breach notification requirements should be limited to 
those cases where the consumer needs to act to avoid 
substantial harm.
    Security breach notification requirements should provide 
clear triggers for notice and should be tailored to the 
circumstances and to the threat presented. We are pleased that 
H.R. 3997 is consistent with these goals. H.R. 3997 seeks to 
establish uniform national standards that apply broadly to 
virtually all entities that maintain sensitive information. At 
the same time, it recognizes that financial institutions must 
comply with existing Gramm-Leach-Bliley Act requirements and 
attempts to ensure that these requirements are consistent 
across the financial holding company structure. Finally, H.R. 
3997 provides an effective risk-based notification scheme that 
does not require unnecessary notices to consumers. While we 
believe that some issues raised by H.R. 3997 still require 
further resolution, we will be happy to work with the 
subcommittee to resolve these issues so that this important 
legislation can move forward. Thank you. I will be happy to 
answer any questions that you may have.
    [The prepared statement of Oliver I. Ireland can be found 
on page 100 in the appendix.]
    Mr. Hensarling. [presiding.] Thank you for your testimony, 
Mr. Ireland, and thank you for staying within 5 minutes.
    Ms. 
Callari, you are now recognized.

  STATEMENT OF JOSIE CALLARI, SENIOR VICE PRESIDENT, ASTORIA 
   FEDERAL S&L ASSOCIATION AND CHAIRMAN, AMERICA'S COMMUNITY 
 BANKERS ELECTRONIC BANKING AND PAYMENT SYSTEMS COMMITTEE, ON 
             BEHALF OF AMERICA'S COMMUNITY BANKERS

    Ms. Callari. Thank you.
    Thank you, Mr. Chairman, Ranking Member Sanders, and 
members of the committee.
    My name is Josie Callari, senior vice president of Astoria 
Federal Savings in Lake Success, New York. I am here today 
testifying on behalf of America's Community Bankers, where I 
serve as chairman of the ACB Committee on Electronic Banking 
and Payment Systems. ACB appreciates having the opportunity to 
testify before the subcommittee on H.R. 3997, the Financial 
Data Protection Act.
    The issue of data security is critical for community banks. 
While banks have had the mandate to safeguard sensitive 
customer information for years, the growth of the internet and 
electronic commerce has made compiling and selling sensitive 
information easier for a multitude of companies. That is why 
ACB supports H.R. 3997, which we believe focuses on stopping 
the misuse of consumer information and creates an incentive for 
companies to make securing customer data a priority.
    Earlier this year, ACB's board of directors laid out its top 
priorities for any data security legislation that may be 
considered in Congress. ACB is pleased to see that this bill 
addresses several of our top priorities and begins to deal with 
the difficult issues of reimbursement.
    Having a national standard is critical for any legislation 
addressing data security and consumer notices. Adding 
another layer of regulation to a rapidly growing patchwork of 
State and local laws hurts consumers, hurts the economy, and 
will not provide effective protection.
A patchwork of State 
laws that provide protection that stops and starts at State lines 
will not provide meaningful protection for consumers in a 
national marketplace. Additionally, ACB believes that Congress 
should recognize that the GLBA already requires financial 
services companies to have in place much of what is being 
considered in most data security legislation. Title V of GLBA 
requires financial services companies to implement data 
security safeguards, a customer response program, and a 
comprehensive privacy policy.
    This spring, banking regulators issued guidance extending 
Title V to require customer notices in case of a breach that 
puts consumers at risk. To layer a duplicative regulatory 
system on top of this robust framework would only increase 
costs for financial institutions and ultimately their 
customers. Likewise, financial institutions have an incredibly 
robust regulatory framework under which they operate. This is 
particularly true for depository institutions. ACB applauds the 
legislation for embracing this existing framework by vesting 
enforcement with functional regulators.
    Finally, ACB supports efforts to ensure that banks have the 
ability to be part of an investigation into possible breaches. 
Furthermore, requiring that contracts between companies and 
third parties specify who is responsible for sending notices is 
very important. Community banks are proud of the relationship 
they have with their customers and generally would prefer to be 
responsible for sending those notices.
    Mr. Chairman, there are two areas where ACB members have 
concerns, and we look forward to working with the committee and 
the bill sponsors to address them. First and foremost, ACB 
believes that those who are responsible for data breaches must 
be responsible for the costs of protecting consumers from risks 
arising from those breaches.
One of the biggest costs 
associated with the breach is that of reissuing credit and 
debit cards and closing accounts that are placed at risk. These 
costs can mount quickly, and community banks end up bearing all 
of them. Community banks are doing this now because they are 
dedicated to protecting their customers. However, those 
responsible for breaches should bear these costs.
    Finally, ACB's members have expressed concern that there is 
no limit on how long investigations required under the bill can 
take. ACB members are concerned that without guidance the 
investigation could take an excessively long time, leaving 
consumers at risk. We believe the bill should require that 
regulators give guidance on the appropriate length of an 
investigation.
    In conclusion, ACB supports H.R. 3997 and urges the 
committee to consider it soon. ACB urges that the bill be 
passed with constructive modifications such as those suggested 
but without adding provisions that take the bill's focus away 
from stopping the misuse of consumer information. We look 
forward to working with you as the committee crafts legislation 
that best addresses the problems of data security breaches. 
Thank you.
    [The prepared statement of Josie Callari can be found on 
page 81 in the appendix.]
    Mr. Hensarling. Thank you, Ms. Callari.
    Mr. Lively, you are now recognized for 5 minutes.

    STATEMENT OF H. RANDY LIVELY, PRESIDENT & CEO, AMERICAN 
                 FINANCIAL SERVICES ASSOCIATION

    Mr. Lively. Thank you, Mr. Chairman, ranking members.
    Mr. Hensarling. You need to press the button there, please.
    Mr. Lively. Ranking member and members of the subcommittee. 
I am Randy Lively, the president and CEO of the American 
Financial Services Association here in Washington, D.C. It is 
my honor and pleasure to be here this morning to testify in 
support of H.R. 
3997, the Financial Data Protection Act of 
2005, introduced by Representatives LaTourette, Hooley, Price, 
Castle, and Moore and co-sponsored by a broad bipartisan array 
of this distinguished committee.
    The American Financial Services Association represents the 
Nation's market rate lenders providing access to credit for 
millions of Americans. AFSA's 300 member companies include 
commercial and financial companies, auto finance companies, 
credit card issuers, mortgage lenders, and other financial 
services firms that lend to consumers and small businesses.
    I am proud to say that, next year, AFSA will celebrate its 
90th birthday as the Nation's premier consumer and commercial 
credit association. As I mentioned at the outset, I am pleased 
to be here this morning to speak in support of the Financial 
Data Protection Act and ask you, Mr. Chairman, to have the 
committee give it expedited consideration. AFSA and its members 
believe that well informed, proactive consumers are our best 
defense and our first line of attack in protecting all of us 
from the dangers of identity theft.
    According to the Federal Trade Commission, as we have heard 
earlier today, identity theft robs the Nation of more than $50 
billion annually. Consumer losses account for about $5 billion 
of the total, and business absorbs the remaining $45 billion. 
Yet, in addition to the immediate monetary loss suffered, AFSA 
companies are more concerned about losing the trust of 
treasured customers, and mishandling of a security breach can 
cost us customers.
Obviously, the best way to protect our 
customers' information is to prevent a security breach from 
occurring in the first instance.
    Toward that end, AFSA member companies are focusing on 
training our own employees in the handling of sensitive 
personal information and are scrutinizing the practices of 
third party vendors who store or dispose of data which may 
contain personal financial information. There is no doubt that 
the industry needs to regularly upgrade and improve the 
practices and procedures of our own companies and our storage 
and disposal vendors to prevent security breaches from ever 
occurring in the first place.
    AFSA member companies share this committee's goal of 
wanting to assure American consumers that their personal 
information is safely protected. To accomplish this goal, AFSA 
members are regularly improving their security measures and 
procedures to prevent thefts to their information systems. H.R. 
3997 provides a clear and concise framework for AFSA member 
companies and other financial services providers to follow in 
the event of a data breach.
    The authors of the Financial Data Protection Act of 2005 
clearly understand that an effective breach notification and 
reaction system must be based on a substantial risk to the 
customer as well as the businesses that rely on the integrity 
of the data. If the breach notification system is overly broad, 
we run the risk of inundating our customers with notices and 
having them ignore important information they may need to 
protect themselves. H.R. 3997 establishes a reasonable and 
balanced approach for businesses and regulators to protect 
potential breaches of data security as well as uniform 
procedures to follow if one does occur.
    The legislation appropriately anticipates that some 
breaches may pose a significant risk or harm or inconvenience 
to consumers whereas other breaches may not create a 
significant risk for the consumer.
This distinction will enable 
businesses to maximize their vigilance over consumer data, 
apply law enforcement and regulatory resources where they are 
most needed, and focus consumers' attention to take steps to 
protect themselves when they are truly at risk.
    The Financial Data Protection Act of 2005 calls for--calls 
on business to conduct an immediate investigation to assess the 
nature and scope of the breach when it learns that a breach has 
occurred. The investigation will determine whether the breach 
has created a substantial risk for the customers' personal 
financial information. The determination will take into account 
what information has been exposed and whether the information 
was encrypted, redacted or requires technology that is not 
commercially available. AFSA believes that the committee should 
direct the functional regulators to treat the breach of 
encrypted information as not creating a potential substantial 
harm unless an actual harm can be demonstrated. In other words, 
there should be a presumption that the acquisition of encrypted 
information does not create a substantial risk for consumers to 
whom the information relates. Should a business determine that a 
substantial breach has occurred, H.R. 3997 directs a company to 
notify the Secret Service and the appropriate functional 
regulators as well as third parties that might be affected by 
the breach. This type of coordinated framework will ensure that 
ongoing law enforcement investigations are not compromised by 
premature publication of breaches. At the same time, the 
legislation provides reasonable parameters so that a delay in 
notifying consumers does not unnecessarily extend their 
exposure to risk of harm. H.R. 
3997 directs that breach notices 
to consumers must be done in a clear and conspicuous manner 
that describes the nature of the breach, when the breach 
occurred, the relationship between the consumer and the entity 
who suffered the breach, and actions that the business is 
taking to restore the security and confidentiality of the 
breached information.
    AFSA wholeheartedly agrees with the sponsors of H.R. 3997 
in directing Federal regulators to work together to create 
uniform security standards and policies for each business to 
implement and to maintain to protect sensitive information. 
Moreover, a uniform national standard replacing the patchwork 
of varied and numerous State and local requirements will avoid 
needless duplication that could lead to confusion and divert 
resources from the actual problem.
    Finally, I want to compliment the authors of H.R. 3997 for 
their foresight in determining that a company is in compliance 
with data security policies anticipated under this act if it is 
in compliance with parallel policies established by its 
functional regulator in accord with the Gramm-Leach-Bliley Act. 
This important determination will enable regulators to avoid 
imposing needless duplication upon the Nation's financial 
services companies. I appreciate the opportunity to be here 
today and would be happy to answer any questions you may have.
    [The prepared statement of H. Randy Lively can be found on 
page 119 in the appendix.]
    Mr. Hensarling. Thank you.
    Mr. Bohannon, you are now recognized for 5 minutes.

  STATEMENT OF MARK BOHANNON, GENERAL COUNSEL AND SENIOR VICE 
 PRESIDENT OF PUBLIC POLICY, SOFTWARE AND INFORMATION INDUSTRY 
                          ASSOCIATION

    Mr. Bohannon. Thank you, Mr. Chairman, members of the 
subcommittee. I appreciate this opportunity to appear before 
you today and testify on why we need a national framework for 
data security.
As the principal trade association of the 
software and digital content industry, many of whose members 
are leaders in high tech, SIIA was one of the first voices 
urging Federal action to address the myriad and inconsistent 
State laws that have emerged since California's first went into 
effect in 2003. In working with all the stakeholders on this 
issue on both sides of the Capitol, we have argued that that 
national framework should be premised on the track record of 
the safeguards rule under the Gramm-Leach-Bliley Act, which 
many members and staff of this committee were instrumental in 
constructing. As a comprehensive yet adaptable model, the 
safeguards rule emphasizes ongoing security plans to prevent, 
and I emphasize prevent, what we all know are the pernicious 
effects of identity theft.
    Our perspective on today's panel is probably a bit unique, 
and we especially want to thank Chairman Bachus for including 
us in today's panel and his leadership on so many issues of 
importance to our industry. While some of our members are 
regulated as financial institutions under existing laws, most 
of the members are software, e-businesses, and information 
content companies that are subject to the jurisdiction of the 
Federal Trade Commission and its section 5 authority. It is the 
effect of H.R. 3997 on these companies that we ask the 
committee to carefully consider and work with us as the bill 
moves through this process. In our written statement--Mr. 
Chairman, if it has not been introduced in the record in full, 
I ask that it do so now--we note that H.R. 3997 is consistent 
with several of our key goals in achieving a national 
framework. In particular, it recognizes the need to address the 
conflicts in the more than 21 States that have already enacted 
laws.
We also in our written statement offer several important 
improvements to make the bill more workable and effective, 
notably in the areas of streamlining the obligations on data 
security procedures, establishing a meaningful threshold for 
breach notification much along the lines recommended by the 
Federal Trade Commission, and ensuring a meaningful definition 
of sensitive personal information.
    But I want to make clear that we urge this committee to 
continue its work on this important bill. We especially commend 
the cosponsors on both sides of the aisle for coming together 
to produce this product, and we ask this committee to work with 
other relevant committees so that, in the end, when the 
Congress does act, and we hope they do, there is a coherent 
national approach achieved by this Congress.
    In the remaining time available to me, let me focus on one 
aspect of H.R. 3997, and that is the framework of the Fair 
Credit Reporting Act, a vitally important consumer protection 
statute. As a means for establishing an enforceable framework, 
we request the following should be carefully considered by the 
committee, as many of our members today are not today within 
its scope. First, as I pointed out earlier in my testimony, 
most of our members are right now subject to the FTC's 
enforcement authority under section 5, which is today building 
on the safeguards rule of the Gramm-Leach-Bliley Act. Through 
cases that are being brought now under section 5, the FTC has 
found a variety of unfair practices ranging from failure to 
implement appropriate security programs to deceptive security 
claims made by companies. We think the FTC is headed in the 
right direction on this, and we want to encourage them to 
continue the direction of the policy under section 5. However, 
while H.R. 
3997 has dealt with a number of laws that already 
exist, it is our impression of the bill, and we believe that it 
leaves those companies that are currently subject to section 5 
enforcement open to possibly duplicative and even contradictory 
requirements. As we read H.R. 3997, nothing in the bill 
addresses this potentially confusing enforcement action.
    The second issue that we would like to work with the 
committee and the sponsors on is that H.R. 3997 defines a 
financial institution as essentially any company that maintains 
the Social Security numbers of its employees or maintains a 
taxpayer ID number of its customers. Just this morning, it was 
pointed out to me that it may also include any person 
maintaining or communicating information on an ongoing basis 
even if they are mere conduits or hosts.
    We are deeply concerned that this definition extends the 
concept of financial institution well beyond that used to date 
and potentially brings in a wide range of companies into the 
purview of the FCRA, which concerns, as you might imagine, a 
number of our members.
    We also share the bill's goal and the cosponsors' goal of 
effectively dealing with the myriad of State laws. We are 
cognizant that a number of circuits are reviewing what in fact 
falls in the scope of the FCRA. We note, to date, no State 
enacting a data breach security law including those with 
safeguard provisions has limited the scope of its law to the 
financial sector or to specifically regulated financial 
information. This is especially true of the first State law enacted 
in California.
    Mr. Chairman, to ensure a coherent policy approach, we once 
again urge this committee to continue its work on this bill, 
and we also ask that this committee work with other relevant 
committees as this process unfolds. It is our sincere hope that 
all stakeholders working together will be able to enact 
legislation in this Congress.
It is a high priority for our 
association. We appreciate the opportunity to appear before you 
today, and I will be glad to take any questions that you may 
have.
    [The prepared statement of Mark Bohannon can be found on 
page 58 in the appendix.]
    Mr. Hensarling. Thank you.
    Ms. Brill, you are now recognized for 5 minutes.

STATEMENT OF JULIE BRILL, ASSISTANT ATTORNEY GENERAL, STATE OF 
                            VERMONT

    Ms. Brill. Thank you very much.
    Thank you, Chairman Bachus, Ranking Member Sanders, for 
inviting me here today. I am very pleased to speak here on 
behalf of the National Association of Attorneys General.
    My name is Julie Brill, and I am an assistant attorney 
general for the State of Vermont. As has been mentioned by 
several members so far this morning, there have been 48 
attorneys general out in the States who have written a letter 
to Congress calling on Congress to enact a strong Federal 
security breach notification law modeled on the 22 State laws 
that are already in existence. Unfortunately, I am here today 
to tell you that the AGs believe that H.R. 3997 fails to meet 
the standards of a strong Federal law. I wouldn't call it an 
ugly child, as had been mentioned earlier, but this child is 
failing in school and needs significant remedial help.
    First, the AGs call for a law that would have a standard for 
providing notice to consumers that would ensure the consumers 
would receive notice whenever there is unauthorized access of 
personal information. We do not believe there should be an 
additional requirement of actual harm or risk of harm, and 
there is a very simple reason for this. The breached entity 
simply does not, in the vast majority of cases, know what use 
will be made of the information that it has lost. It just 
doesn't know.
If Congress does want to incorporate some sort of 
concept of harm or risk of harm, then the AGs strongly believe 
that notice should be given unless there is no risk of harm. 
What that means in simple terms is that the benefit of the 
doubt should be given to the consumer and to notice. If the 
breached entity does not know what will happen with that 
information that was lost or stolen, then notice should be 
given to consumers. Again, the benefit of the doubt going to 
the consumer.
    H.R. 3997 fails to meet the attorneys general's standards 
for providing notice. It imposes complex and high barriers to 
consumer notice. Many of the incidents, as was mentioned by 
Representative Frank earlier, that have been reported under the 
State laws to date would not be subject to notice under 3997. 
As had been mentioned by Representative Hensarling, it is 
important to promote competition in security systems. H.R. 3997 
would stifle competition in security systems because it would 
stop information from flowing to consumers about the harm that 
is occurring, that businesses are not having secure systems, 
and consumers would not be able to choose companies based upon 
their security systems because they wouldn't be receiving 
notices. We believe H.R. 3997 would place many consumers at 
risk because they would be unable to protect themselves from 
potential harm. The notion that consumers will ignore warnings 
because they will be getting so many of them, frankly, we think 
that is a red herring. Our experience in the trenches of the 
identity theft war is actually the opposite. The numerous 
notices that consumers have been receiving over the past year 
have served as an important educational tool for consumers. 
Consumers are now much more aware of the risks that having 
their information out there can pose to them, and they are 
starting to take precautions.
Thus, this notion that numerous 
notices would be harmful, we believe, is just simply not true.
    Second, the AGs want to see their ability to enforce any 
Federal law that is enacted, and we are disappointed to note 
that H.R. 3997 does not allow for State attorney general 
enforcement. This is rather inexplicable because H.R. 3997 uses 
the Fair Credit Reporting Act as its construct, and the rest of 
the Fair Credit Reporting Act is, as most people are aware, 
enforceable by the State attorneys general.
    Third, with respect to preemption, it should be noted that 
we wouldn't be here, this committee would not be considering 
this issue if it were not for State laws that were on the books 
now that provided for notice going to consumers and made the 
public aware of the massive problems associated with security 
of information. We think that preemption is a mistake. H.R. 
3997 has broad preemption not only of security breach notice 
laws but also has apparent preemption for security freeze laws. 
In fact, this committee and Congress just 2 years ago gave the 
States the freedom to enact State laws on breach notification 
and security freezes. If this committee and Congress cannot 
provide adequate protections to consumers, we respectfully 
request that this committee take no action at all. The States 
listened to you 2 years ago; we started to enact laws. We are 
protecting consumers, and we will continue to do so. In the 
event that the law you enact is not strong, we think we would 
be better off without any law. Thank you very much.
    [The prepared statement of Julie Brill can be found on page 
64 in the appendix.]
    Mr. Hensarling. Thank you.
    Mr. Hendricks, you are now recognized for 5 minutes.

     STATEMENT OF EVAN HENDRICKS, PUBLISHER, PRIVACY TIMES

    Mr. Hendricks. Thank you. I am Evan Hendricks. I am in my 
25th year of publishing Privacy Times and the author of the 
book, Credit Scores and Credit Reports.
The book describes how, 
in part, because of the leadership of this subcommittee and the 
committee and its counterpart in the Senate and because of the 
constructive bipartisan approach taken by the members and the 
stakeholders willing to work together, in 2003, we passed 
important and complex legislation, the FACT Act, which 
represented a major step forward for consumers and improved 
protections for identity theft.
    As a housekeeping matter, I need to mention in addition to 
the eight groups that have signed on to my testimony subsequent 
to me turning in the testimony, Consumer Action, the National 
Consumer League, identity consultant Maury Frank, and five 
additional groups have signed onto the legislation--excuse me, 
to my testimony. To get this very simple message to the 
committee, this bill would represent a serious weakening of 
current standards and represents a step backwards. There are 
children, and then there are pets. If you could sum it up that 
way, we would say this dog don't hunt.
    In 2003, I testified before this subcommittee thanks to 
Chairwoman Kelly, who held the first breach hearing on the 
breaches of credit card data. At that time, I said I 
recommended that the subcommittee move legislation based on the 
California breach notification law. It is very important to 
understand that if you are going to have Federal law, you need 
to start from a high level of protection and preferably get out 
in front of the issue. Now things are more difficult when 
States have to move to protect their citizens because of 
Congress not being able to do it and get out in front of the 
issue. The Supreme Court has defined privacy. To begin with, 
both the common law and literal understandings of privacy 
encompass the individual's control of information concerning 
his or her person. If there is a breach, you lose control of 
the information.
If you can't get access to your records, you 
lose control of the information. If you can't correct errors, 
you lose control of your information. On top of that, we had a 
hundred data breaches this year; 50 million people whose data 
has been potentially exposed which, by the way, is about the 
number of people that have signed up for the do not call list. 
Americans care about privacy. A month ago, the New York Times 
and CBS News released a poll showing that 89 percent of the 
public was concerned about identity theft. More interesting was 
3 percent were not concerned at all. I would like to interview 
those people and find out what's up. But more importantly, for 
today's purposes, they said this was a very bipartisan issue: 
68 percent of conservatives and 69 percent of liberals would 
like to see the Government do more to address personal privacy 
issues. And that is why there are cutting edge companies like 
ING Direct and E-loan, financial services companies that we see 
are supporting stronger consumer protections for privacy. The 
problem with this bill, as luckily Julie Brill went first to 
give the more detailed analysis, is that it dramatically weakens breach 
notification standards through its harm trigger. It dangerously 
would weaken the very straightforward security standards of 
Gramm-Leach-Bliley. It would preempt State laws and possibly 
preempt freeze laws without even using the word freeze. We need 
to go the other way and enact a Federal freeze law based on the 
best State standards.
    It is very silent on a very important issue. This year, we 
have had breaches of ChoicePoint and Lexis-Nexis and a great 
opportunity to move forward and extend FCRA style rights to the 
data brokers like ChoicePoint and Lexis-Nexis. The bill is 
silent on that. There is other legislation that would 
accomplish this.
    I think basically privacy is nothing new; privacy is always 
challenged.
You might have seen the Washington Post article \nfrom Sunday showing how national security letters are being \nused for sweeping investigations that include getting all sorts \nof transactional data on Americans, including their credit \nreports. That is why I think that we have to be very cautious \nin causing no harm and preferably would do something bold but \ngiven the problems we face and Americans\' strong desire for \nprivacy, we don\'t want to enact a law that can be characterized \nas the Titanic deck chair reorganization act. We need to really \nget out and move forward to protect Americans.\n    In considering this legislation, I think you have to keep \nin mind that privacy signifies the tension between individuals\' \ndesire for control over their information and large \norganizations\' desires to use that information for their own \npurposes, whether it is business or governmental. I think you \nshould remember that since consumer confidence and consumer \nspending is an important part of our economy and our future and \nthat those people, the taxpayers that underwrite our \nGovernment, that when we come to close calls that we should \ntilt in favoring the individual\'s right to privacy.\n    Thank you very much.\n    [The prepared statement of Evan Hendricks can be found on \npage 86 in the appendix.]\n    Mr. Hensarling. Thank you, Mr. Hendricks.\n    Last but not least, Mr. Kaufmann, you are recognized for 5 \nminutes.\n\nSTATEMENT OF KARL F. KAUFMANN, SIDLEY AUSTIN BROWN & WOOD LLP, \n                ON BEHALF OF CHAMBER OF COMMERCE\n\n    Mr. Kaufmann. Thank you. Good morning. Good morning to the \nchairman and ranking member of the subcommittee. I\'m Karl \nKaufmann, and I am an attorney here in the Washington, D.C., \noffice of the law firm of Sidley Austin Brown & Wood. I am \npleased to appear before you today on behalf of the United \nStates Chamber of Commerce. 
The Chamber is the world\'s largest \nbusiness federation representing more than 3 million companies \nof all sizes and across all sectors of the economy. Mr. \nChairman, the Chamber supports your effort and the efforts of \nothers on this subcommittee to develop legislation to protect \nthe sensitive information of consumers. The Chamber believes \nthe vast majority of companies who possess sensitive personal \ninformation take reasonable procedures to safeguard that \ninformation. However, it takes only a few mistakes by a few \ncompanies to damage consumer confidence in the ability of all \ncompanies to protect sensitive personal information. Therefore, \nwe believe that Congress should require that companies have \nreasonable programs to safeguard consumers\' personal \ninformation, and this concept is, in fact, a fundamental part \nof the Financial Data Protection Act.\n    The Chamber also believes it is appropriate for a company \nupon discovery of a data breach to notify its customers if \ntheir sensitive personal information has been subject to the \nbreach. However, it is important that Congress require the \nnotices only when the sensitive personal information is \nacquired by an unauthorized person in a manner that presents \nsignificant risk of harm to consumers. Otherwise, we believe \nthe consumers may find these types of notices to be \nmeaningless, and consumers may then begin to ignore such \nsecurity breach notices. If this occurs, the goal of using \nthese notices to notify customers of their rights and notify \nthem of the breach is undermined. 
If breach notices are limited \nto circumstances when the consumer is at risk of harm, it is \nmore likely the consumer will be aware it contains important \ninformation and that it should be read.\n    We applaud the fact that the sponsors of the Financial Data \nProtection Act agree with the Chamber\'s view on this key issue, \nand given some of the testimony, I would like to spend a little \nbit more time on this. It seems odd to require a notice be \ngiven to consumers just because there has been a data breach. I \ncan imagine situations where a breach occurs, but, in fact, \nthere is no way that the data could be misused. Perhaps it was \na breach of numbers that are so-called disposable credit card \nnumbers used for online shopping. Maybe it is information that \nis highly encrypted, password protected and has other \nprotections that make it essentially unusable. It would be \nunusual to provide a consumer with a notice in that \ncircumstance that says the information has been accessed, but \ndon\'t worry; there is nothing that you can do about it because \nyou are protected. The consumer is going to ask, why am I \ngetting this notice if I\'m not supposed to do anything? Our \nbelief is consumers should get notice when they have actually \nsomething that they can do to protect themselves.\n    Perhaps most importantly, any law passed by Congress must \nestablish a national uniform standard with respect to \ninformation security, consumer notification, and other related \nissues. The consumer protections envisioned by Congress will be \nundermined if States can establish different schemes pertaining \nto data security. The Chamber is pleased the Financial Data \nProtection Act includes provisions to provide for \nnational uniformity. 
Again, this is another issue that has \ndrawn some interest today, and I would like to go a little bit \nmore in depth.\n    Providing a uniform national standard with respect to data \nsecurity is an absolutely essential consumer protection. The \nproliferation of similar but ultimately different State laws \nwith respect to information security issues is not in \nconsumers\' best interest. Varying notification standards can \nresult in consumer confusion and inconsistent compliance with \nthe law.\n    Furthermore, the net result is that the States that require \nthe notices in the most instances with respect to data breach \nnotification requirements will essentially set the national \nstandard. Companies that operate in all 50 States cannot \nefficiently design compliance programs to take into account the \ndifferences among the 50 State laws. Therefore, those companies \nare more likely to establish regimes under which they will find \nthe most onerous State law and make that their standard. If \nthey comply with that, they will comply with other State laws \nas well. The net result is we end up, again, perhaps with \nnotices sent when they are not necessary, and that is a concept \nagain that is included in this bill. And if people believe in \nthe fact that consumers should be notified only when it is \nmeaningful to that consumer, allowing for States to undermine \nthat important protection does not seem to make a whole lot of \nsense.\n    Now having said that, as you can see, the Chamber supports \nmany of the concepts addressed in the Financial Data Protection \nAct. We believe these concepts will provide a sound framework \nfor strong consumer protections if they are properly \nimplemented. We also understand that the legislation continues \nto evolve and that it may require additional refinement. \nIndeed, the discussion that happened this morning suggested \nthat that is the case. The Chamber looks forward to continuing \nto work with you, Mr. 
Chairman, and others to continue to shape \nthis complex bill as it moves through the legislative process. \nThe Chamber appreciates the opportunity to present its views \nthis morning, and I would be happy to answer any questions that \nyou may have.\n    [The prepared statement of Karl F. Kaufmann can be found on \npage 113 in the appendix.]\n    Chairman Bachus. Thank you.\n    At this time, we will ask the members to address the panel.\n    Mr. Hensarling, am I catching you off guard by asking you \nto go at this time?\n    Mr. Hensarling. No more than usual, Mr. Chairman.\n    Chairman Bachus. I just thought I would let you all go \nahead because I am not sure how long we have got before we go \nto the floor.\n    Mr. Hensarling. Mr. Kaufmann, since you are already warmed \nup, perhaps I will start with you. You may have heard in my \nopening statement I quoted Chairman Greenspan who said \nsomething along the lines that I cannot believe we need \nregulations to tell people how to make a profit. Can you tell \nme what your opinion is of the incentive structure that private \ncompanies have today to protect personal data?\n    Mr. Kaufmann. The incentive structure is quite strong if \nyou look at the market forces that are out there. Regardless of \nwhether the direct consumer relationship, say, is a bank or \nwhether you are a service provider, let\'s say a card processor, \nin any circumstance, you face significant penalties in the \nmarketplace if you do not protect consumers\' data. Your name \nends up on the front page of the newspaper. Your stock drops, \nas you mentioned. And I can assure you that some of the folks \nat ChoicePoint and Card Systems have had better days than the \nday the data breach was announced. Not only that, but people in \nthe marketplace pay attention. I can almost be certain that \nevery card processor out there looked at what happened to Card \nSystems and said, I don\'t want to be that company. 
I can assure \nyou a lot of the data management companies looked at \nChoicePoint and said that can\'t happen to us, that will not \nhappen to us, and we must make sure that that does not happen. \nSo the market forces are there in virtually all aspects.\n    Mr. Hensarling. In your testimony, you mentioned how \nimportant it is to come up with, for lack of a better term, \npermit me to be redundant, a very definitive definition of \nsecurity breach. Can you tell us why it is so critical that the \ndefinition be sharp, solid, and what would happen if we created \nan overly broad definition of security breach?\n    Mr. Kaufmann. If you end up with an overly broad \ndefinition, then you end up with situations where it may or \nmay not be the fact the data has been accessed by somebody who \nis not authorized to access that information. We need to talk \nabout a situation where somebody actually obtains the \ninformation; the fact that they may have hacked into a computer \nsystem and bragged to their friends about the fact they were \nable to hack in, but they in fact didn\'t take any information \nout, and there is no evidence to suggest they were there long \nenough to write any information down, suggests that that \ninformation is not going to be misused and, therefore, to send \nout a notice seems redundant and perhaps counterproductive. And \nso what we need to focus on are situations where the \ninformation is accessed in an unauthorized manner in a way that \ncan present significant harm to the consumer and that way they \nare notified and not in other circumstances.\n    Mr. Hensarling. Let me share the wealth here. Mr. Ireland, \na related question. Many financial institutions have stated \nthat they feel that the interagency guidance strikes a correct \nbalance with respect to the notice trigger when there is a \nlikelihood of harm to the consumer. 
Do you believe that a \nnational notifying standard similar to that is warranted and \nindeed strikes the right balance?\n    Mr. Ireland. I do believe a national notification system \nthat applies to all institutions that is basically the same \nstandard or a similar standard to the banking agency guidance \nfor notification is appropriate. I would point out that that \nguidance works with the benefit of a dialog between the banks \nand their bank examiners as to figuring out when a breach has \noccurred and if it requires notice. And as Mr. Kaufmann \nindicated and your prior questions indicated, in a statute that \nis going to be self-operative and not benefit from that dialog, \nyou need a crisp standard that people will understand from the \nlanguage of the statute so you might not use the same language, \nbut the basic model I think is a sound model.\n    Mr. Hensarling. Can you share with the committee your \nopinion on the interplay of the form and the frequency of \nconsumer notifications and how that impacts their \neffectiveness?\n    Mr. Ireland. Well, the problem is that information in terms \nof--what could be characterized as a security breach may or may \nnot be due to foul play and I don\'t want to go into individual \ninstitutions\' problems, but I have seen many circumstances \nwhere information has been moved from one institution to \nanother so that they could--for competitive purposes--so that \nyou could solicit customers, for example. And there is no risk \nof identity theft or account fraud. This bill goes to great \nlengths to make sure the customers who get notices open the \nnotices and read them when the notices are important. 
If we \ninundate them with notices when they don\'t need them, they may \nread the first two or three where there is no issue and the \nfourth notice where they do need to check the credit report to \nsee if identity theft is going on, they may simply have failed \nto open because they think it is the same as the first three. \nThat is the problem we are concerned about, and we think the \nsystem--the notices will be much more effective if they are \ntargeted to those situations where consumers themselves need to \nact to deal with the problem.\n    Mr. Hensarling. Thank you.\n    I am out of time, Mr. Chairman.\n    Chairman Bachus. Thank you.\n    Mr. Sanders.\n    Mr. Sanders. Thank you, Mr. Chairman.\n    Let me ask Ms. Brill a few questions, if I might. Ms. \nBrill, since 2003, the Fair Credit Reporting Act through FACT \nallowed States to create a right for consumers to impose a \nsecurity freeze on their credit report. Do you believe that \nH.R. 3997 would reverse course and remove the ability of States \nto create a right to security freeze? Why is it important to \nhave a security freeze right for consumers? What has been \nVermont\'s experience with security freezes?\n    Ms. Brill. Thank you.\n    The security freeze provisions that States have enacted \nsince 2003 really did come out of FACT. FACT\'s preemption \nprovisions did not specifically state that States were unable \nto enact freezes. California enacted the first one; now 12 \nStates have security freeze laws on the books. These laws are \nhighly protective of consumers who may be in an identity theft \nsituation. It allows them to place a hold on their credit \nreport so that no one can access the credit report unless the \nconsumer authorizes that access, and it has been considered to \nbe one of the strongest tools available to consumers to help \nprevent identity theft. I will be honest with you; I work in \nthe trenches of the State legislature; I am not an inside-the-\nbeltway person. 
And when we looked--\n    Mr. Sanders. Montpelier is not quite Washington.\n    Ms. Brill. No, no. But we looked at FACT. We looked at what \nwe were allowed to do based on what this committee told us we \nwere allowed to do, and so the States went out and said, okay, \nCongress did certain things to help protect consumers with \nrespect to identity theft, we can do other things, and it would \nbe very confusing and frankly I think disruptive of the State \nlegislative process to now just 2 years later tell State \nlegislators and the State AGs that they cannot enact security \nfreeze provisions. And where this comes from, frankly, is the \npreemption provisions of 3997 are quite broad and would, I \nbelieve, or could possibly be interpreted to prevent States \nfrom enacting--\n    Mr. Sanders. Let me just ask one more question. State \nattorneys general have always been able to enforce FACT. Do you \nbelieve State attorneys general should be able to enforce a \nnotice of security breach law and why?\n    Ms. Brill. Absolutely. We work very closely with the \nFederal Trade Commission, and we respect their work a \ntremendous amount. We worked together with them on all issues, \ntelemarketing, credit reporting. Frankly, they don\'t have the \nmanpower or person power to deal with all the security breaches \nthat are out there. They need an additional cop on the beat, \nand the State AGs are that additional cop on the beat.\n    Mr. Sanders. Let me ask you a third and last question. \nWould H.R. 3997 preempt States\' ability to enact privacy laws \nunder GLB? What has Vermont\'s experience been with respect to \nits opt-in law? Should Congress reverse course on the States on \nthis issue?\n    Ms. Brill. 
I do believe that 3997, if read broadly, if its \npreemption provisions are read broadly, would preempt the \nStates from enacting opt-in rules and would run contrary to, \nagain, what this committee and other committees have said in \nGLB in section 507, which specifically allowed States to enact \nopt-in laws. Vermont has an opt-in law with respect to privacy, \nwith respect to information and sharing.\n    Mr. Sanders. How many States have opt-in laws?\n    Ms. Brill. I believe about four or five. Some of the States \nonly have it with respect to certain types of information and \nothers it is much broader. But I think again it would be \ndisruptive to the State process. We have been working through \nthat process; we have submitted our laws to the FTC; we have \ngotten clearance from the FTC that our law is satisfactory \nunder 507 because it is more protective of consumers, and now \nto reverse course and say you can\'t do what we told you you \ncould do just 6 years ago, again, I wouldn\'t even know what to \nbegin to tell my State legislative committees.\n    Mr. Sanders. The bottom line is taking States out of this \nprocess would be harmful to consumers.\n    Ms. Brill. Absolutely. Congress, I think, works best when \nit enacts a strong floor and allows the States to do more to \nprotect consumers.\n    Mr. Sanders. I absolutely agree, and I think that is the \nmost important point that can be made this morning.\n    Thank you very much, Mr. Chairman.\n    Thank you, Julie.\n    Chairman Bachus. You still have 24 seconds left.\n    Mr. Sanders. I will give it to you.\n    Chairman Bachus. Mr. LaTourette.\n    Mr. LaTourette. Thank you, Mr. Chairman.\n    I guess I would throw this open to anybody on the panel \nthat wants to respond to it, but it is on the issue of \nencryption. 
And a lot of people have been pushing this; \nprimarily many of the larger national organizations have urged \nus to include it in the bill, a bright line exemption for \nentities that use high-level encryption on their data systems. \nBasically, there are some who are advocating, if you buy the \nlatest, cutting-edge equipment for encryption software as set \nforth by a regulator and based on the National Institute of \nStandards and Technology that you are free and clear of any \nnotice obligations to consumers under the bill. While I believe \nthat encryption should be a factor that a company looks at when \nassessing a breach, I am wondering, how would your institutions \nor how do you think many of the small community banks in places \nlike I represent in northeastern Ohio would manage under a \nbright line test for encryption?\n    Ms. Callari. I can speak for our company. We are a \ncommunity bank. We do use a high level of encryption on our data. \nThe issue remains when our customers\' information goes to other \nmerchants and vendors and data processors and knowing what kind \nof encryption they use. The other challenge is, we can secure \ndata as much as we want until there is another very smart \nhacker out there who can break that encryption. So I think \nencryption is going to safeguard to a certain extent but not \nalways.\n    Mr. LaTourette. Yes, sir.\n    Mr. Bohannon. I appreciate your question. From our \nindustry\'s perspective and by way of background, I used to be \nthe NIST chief legal advisor, so I am very familiar with their \nprocess and what they do. We certainly believe that encryption \nis a very important element in looking at the overall security \nprogram that an entity has, and from our perspective as \nrepresenting a broader range of companies, we think it is \nuseful.\n    In the context of specific legislation, let me leave you \nwith the following three thoughts. We would be concerned if \nonly encryption were ever mentioned. 
We believe it has got to \nbe a range of practices appropriate to the circumstances. \nEncryption, redaction, truncation, access controls all need to \nbe recognized.\n    Second, in the context of other bills we have actually \nurged, rather than it being a factor that it be a related \nelement of whether that actual risk has actually occurred or \nnot, that it be a more bright line determination than we \nbelieve is in H.R. 3997, but we think that that can be changed \nand adjusted in the bill.\n    The third issue is whether the standards issued by NIST are \nappropriate. I caution you--and I will be glad to provide the \ncommittee with more data on this--the standards done by NIST \nwere done in the context of Government use. It is important to \nunderstand that. While there are important lessons and results \nfrom those tests, we need to recognize that they may not be \nentirely appropriate or recognize other viable tools that are \nout in the private sector, particularly encryption algorithms, \nthat may not be recognized by NIST.\n    Mr. LaTourette. Ms. Brill.\n    Ms. Brill. Just very, very briefly, I will note that the \nOCC in its guidance in the interagency guidance does not allow \nfor any exemption whatsoever with respect to encryption, and we \nfind it very interesting that certain pieces of the OCC \nguidance are touted by industry as being quite helpful whereas \nother pieces, for instance, the fact it covers paper records as \nwell as electronic records and again this encryption point are \nignored.\n    Mr. LaTourette. Mr. Ireland.\n    Mr. Ireland. I would point out in response in part to Ms. 
\nBrill\'s comment, most States include an encryption or bright \nline encryption exception without the benefits of a more \nrefined definition of what that constitutes.\n    The advantage of including such a provision, not in lieu of \ncurrent provisions in the bill but in addition to other \nconsiderations, such as redaction, would be that you would \nprovide a financial incentive in terms of concern about \nnotification costs to raise the level of encryption and \nprotection of information. And that might be a positive thing. \nSo the argument for it I think is the incentive it creates, \nrecognizing, as I think has been said, that any encryption \nstandard may not be 100 percent impenetrable.\n    Mr. LaTourette. Thank you very much.\n    Chairman Bachus. Could I suggest that we--we have three \nmore members, if each took 3 minutes. Start with Mrs. Maloney, \nand then we will go to Mr. Price. That way, Ms. Hooley, who is \na sponsor of the bill, would have an opportunity. Unless we \nwant to come back. But I am told it is going to be about 12, \n12:45, so, Mrs. Maloney.\n    Mrs. Maloney. I would like to ask Mr. Hendricks and Mrs. \nCallari or really any witness to respond. What do you think we \nshould do to address the concern over foreign data processing \nand why should we allow consumers to prevent their personal \ndata from being sent overseas?\n    This bill contains a requirement that foreign data \nprocessors agree to notify the U.S. company in case of breach \nof conduct and conduct a joint investigation of a possible \nbreach.\n    But my question is, is that enough? Who can effectively \nenforce this provision? Who can police whether foreign data \nprocessors fulfill their contracts? 
And if a breach is defined \nto include, quote, a risk-based factor, that is, so that it \nisn\'t even a breach unless there is actual harm or significant \nrisk of actual harm, then aren\'t we allowing foreign \nentities to make a judgment that they have absolutely every \nincentive to make against the consumer\'s interests?\n    And, secondly, I would like to follow up on Ms. Brill, \nsince we only have a short time. I would like any panelists to \nrespond as to why AGs shouldn\'t be given the ability to enforce \nthe notice of a breach of security, the point that she made of \nthe resources not being there, that it is a huge problem in the \ncountry.\n    I thank you all for your very thoughtful testimony today. \nThank you.\n    Mr. Hendricks. Thank you, Congresswoman, for that question. \nCongressman Markey has put the flag in the sand, saying people \nshould be able to consent to having or withhold consent for \nhaving their information going overseas. We spent an hour and a \nhalf on this on a Brookings panel.\n    To me, outsourcing--if privacy is the steak, outsourcing is \nthe sizzle because it really shows that there can be a loss in \nthe custody and control; it attacks the integrity of the \nsecurity chain of command in the use of the information, and \nthere is a lot about the whole accountability and remedy if \nsomething goes wrong.\n    We have to--some of the bottom line things we have to make \nsure is to make sure that privacy protections and \nresponsibilities are extended all the way down the chain of \ncommand. We have to make sure there is transparency so \nconsumers always know when there is going to be outsourcing of \ndata if we are not going to require their consent first.\n    E-LOAN is the company that does it one way. They say, if \nyou come to us during our regular business hours, we have our \nAmerican staff process it. If you want the convenience of going \nafter hours, they outsource that data. 
So through that \ntransparency they are at least giving people a choice.\n    But, unfortunately, I think most companies are trying to \nhide the fact they are outsourcing.\n    Ms. Callari. I would like to add that, as a financial \ninstitution, we are regulated by GLBA, and we are already \nrequired to take responsibility for our customer information. \nSo regardless where customer information resides, we are \nresponsible.\n    We do not today outsource any of our customer information \noverseas. But it is also important to note that H.R. 3997 does \nmandate that third parties contractually agree to disclose any \nbreaches.\n    Mr. Kaufmann. Congresswoman, if I could take a minute to \nclear up what sounds to me like perhaps a misconception that \nonce the data is sent to a company that is located overseas or \nan office that is located overseas that the U.S. law doesn\'t \napply. In fact, the U.S. law does.\n    So just because a bank--let\'s say where a company chooses \nto use a processor in New York or chooses to use one in Canada \ndoes not mean they can say, well, we can evade U.S. law by \nsending this data to Canada. In fact, that is not the case. \nRegardless of whether we are talking about financial \ninstitutions or not, I think just principles of--principal and \nagency law suggest that if your agent--if your service \nprovider misbehaves in a certain way, the principal--the \ncompany that uses that agent will be held accountable, and so I \njust wanted to make that clarification.\n    Chairman Bachus. All right. Thank you.\n    Ms. Hooley.\n    Ms. Hooley. Thank you, Mr. Chair.\n    I have just a couple questions. I will try to be brief. Let \nme start with Mr. Hendricks.\n    You note several--there are several things that you think \nare good about the bill. One of the things you are talking \nabout is notification, and you would encourage the committee to \nexpand credit monitoring from 6 months to a year. 
My question \nis, do you have any evidence that it stops ID theft or would \nprevent ID theft if it is monitored for a year versus 6 months?\n    The second question is, do you see anything in the notice \nthat you would suggest that we add additional information? Is \nthere anything missing in that notification?\n    Mr. Hendricks. Yes. First of all, on the credit monitoring, \nthis is a moving--identity theft evolves, and no one has \nfollowed it more closely than you. Reflecting that fact is that \nthe thieves are getting shrewder and shrewder and the shelf \nlife of a social security number is basically for the life of \nthe individual. So we are going to see more and more thieves \nare sitting on data to use it later, hoping that now people are \nno longer being careful. So in ChoicePoint they offered it for \na year. A year seems like a reasonable period of time to get \npeople started.\n    The monitoring is important because it gives you the \nnotice. That is also why the credit freeze is important because \nit is that key moment when the credit reporting agency \ndiscloses your credit report to the application of the thief \nthat that is what allows identity theft to take off.\n    Now your second question was about--\n    Ms. Hooley. It was about the notification. Do you see if \nthere is something missing in that notification?\n    Mr. Hendricks. It would be nice if the notification could \njust be robust enough so that the entity could tell the \nindividual as much as they know about the breaches because what is \nhappening, first of all, I think the standard in the State laws \nis working fairly well. And out of all these cases, I have not \nseen a trivial notice go out. But in hearing from people and \ngoing through each case by case, you see that a lot of \nindividuals get the notice and the company actually knows more, \nbut they don\'t include in the notice. 
So it only comes out in \nsubsequent news stories further explaining what was at stake.\n    If we want to encourage companies to give as much \ninformation as they can, that helps consumers make judgments \nabout what are the risks here.\n    Ms. Hooley. Thank you.\n    A very quick question for Ms. Brill. Thank you very much \nfor coming today.\n    In your testimony, you stated there should be no fraud \nmonitoring exception, especially with respect to compromised \ninformation relating to debit card, bank account, or other \nnoncredit account information.\n    My question is, what do you mean by fraud monitoring? And \nare you referring to required credit monitoring services when a \nconsumer is placed at risk of ID theft? Because I would note \nthe bill does require business to monitor for fraud using a \nneural network or a similar system.\n    And if yes, why should business be required to provide 6 \nmonths of free credit monitoring service when the information \nthat is lost would not lead to a threat of ID theft? If the \nonly change they needed--say, they just had to give you a new \nnumber or new card. Why would you require them to do 6 months \nof monitoring for that purpose?\n    Then the second question--I will get it all out at once--\nthe second question we talked about freezes, a lot of you \ntalked about freezes. Do you think it is better to have--\nthrough Federal legislation to do a freeze or let States do a \nfreeze?\n    Ms. Brill. I will take those.\n    Should I continue? Should I respond to that?\n    Ms. Hooley. Sure. We have 5 minutes.\n    Chairman Bachus. We will end these questions, but we will \ncome back if Mr. Hinojosa and Green want to come back.\n    They will pass.\n    Ms. Brill. So I will go ahead and respond now.\n    Chairman Bachus. And then we will let Mr. Hinojosa ask a \nquestion.\n    Ms. Brill. 
Thank you very much.\n    With respect to fraud monitoring, our concern did deal with \na neural network issue as you pointed out. It wasn\'t so much \nrelating to the credit monitoring services that were provided.\n    But we are concerned that a blanket exception for a company \nthat does fraud monitoring is not granular enough. It doesn\'t \nreally go into the details of how good is the system and \nwhether or not, in fact, an exception should be given just on a \nblanket basis. And we see some of the same problems in the \nlanguage of 3997.\n    With respect to a freeze, the AGs\' letter does spell out \nwhat we think would be a robust, good Federal freeze law. \nAgain, if Congress were to enact a Federal freeze that contains \nall of those provisions, we think that would be very helpful. \nIf Congress cannot enact a law that contains all those \nprovisions, then leave it to the States, because the States are \ndoing a pretty good job. Twelve are in place so far, and more \nwill come on line undoubtedly in the future.\n    Chairman Bachus. Thank you.\n    Mr. Hinojosa.\n    Mr. Hinojosa. Thank you, Mr. Chairman. I will be brief, but \nI do want to say I have a great deal of interest in this \nconsumer report and what comes out of our committee.\n    I understand that many people do not distinguish between \ndata breaches and identity theft and that not all data breaches \nlead to identity theft. I also understand why many are calling \nfor a uniform national standard governing data brokers and the \nservices they provide, and I will support that. 
I support the \nidea of such uniform standards only if the statute we enact \nfirst and foremost protects the consumers and grants them as \nmany avenues of recourse as possible if their identity is \nstolen as a result of a data breach.\n    Under the Texas credit freeze statute, if I felt my \nidentity had been compromised, I would simply send a letter by \ncertified mail to the consumer reporting agency requesting that \nit place a security freeze on my consumer file. The consumer \nreporting agency would have 5 business days to comply with my \nrequest. The agency would be required to send me an explanation \nof how to go about placing, removing, and temporarily lifting \nmy security freeze. So if I were to decide to lift that freeze, \nthe consumer reporting agency would have to remove the freeze \nno later than the third business day after it received my \nrequest.\n    All in all, I think that Texas has a much tougher \nrequirement than what is contained in the proposed law.\n    All this to say, Mr. Chairman, that I support a uniform \nstandard governing the protection of sensitive consumer \ninformation and the duty to provide notice when such \ninformation is compromised. I believe that H.R. 3997 falls \nshort of that goal. I would hope that we can fine tune the \nbill\'s definition of several words as follows: breach, \nsensitive personal information, and the Gramm-Leach-Bliley \nprovision.\n    Mr. Chairman, I wish we had more time today to ask more \nquestions. I believe that there is room to improve this bill, \nand I fully intend to be part of the discussion. I hope that \nthis committee holds additional hearings prior to markup. Too \nmuch is at stake not to proceed deliberately.\n    With that, Mr. Chairman, I am going to close and ask that \nthe Texas statute on data breaches and account freezes be made \npart of the record.\n    Chairman Bachus. Sure. 
In fact, the Chair notes that some \nmembers may have additional questions for the panel and may \nwish to submit them to the panel in writing. Without objection \nthe hearing record will be held open for 30 days for members to \nsubmit written questions to the witnesses and place their \nresponses in the record and, also, if they have their opening \nstatement, they are free to submit that.\n    I appreciate the panelists\' attendance today. As I said at \nthe start of this hearing, we expect this to be a long process. \nI am submitting testimony from four witnesses that we didn\'t \nhave room for on the panel: ID Analytics Corporation, Mortgage \nBankers Association, ARMA International, and the National \nBusiness Coalition of E-commerce and Privacy. In addition to \nyour testimony, we will introduce those.\n    I would like to close by saying we have two new staffers on \nthe panel, and I would like to welcome them. They have worked \nvery hard on this hearing, Danielle English, who is with Mr. \nBoehner and Ms. Biggert previous to joining our subcommittee; \nand Emily Pfeiffer, who is with Mr. Castle, our Chairman \nCastle. 
We welcome them to the staff and compliment their good \nwork.\n    So, with that, the hearing is closed, and the record will \nbe held open for 30 days.\n    Thank you.\n    [Whereupon, at 12:14 p.m., the subcommittee was adjourned.]\n\n\n                            A P P E N D I X\n\n\n\n                           November 9, 2005 \n\n\n[GRAPHIC] [TIFF OMITTED] T6758.001 through T6758.140 (140 appendix pages omitted from the printed record)\n\n</pre></body></html>\n'