[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]




 
                       H.R. 3997, FINANCIAL DATA
                         PROTECTION ACT OF 2005

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
               FINANCIAL INSTITUTIONS AND CONSUMER CREDIT

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                            NOVEMBER 9, 2005

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 109-61



                    U.S. GOVERNMENT PRINTING OFFICE
26-758                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    MICHAEL G. OXLEY, Ohio, Chairman

JAMES A. LEACH, Iowa                 BARNEY FRANK, Massachusetts
RICHARD H. BAKER, Louisiana          PAUL E. KANJORSKI, Pennsylvania
DEBORAH PRYCE, Ohio                  MAXINE WATERS, California
SPENCER BACHUS, Alabama              CAROLYN B. MALONEY, New York
MICHAEL N. CASTLE, Delaware          LUIS V. GUTIERREZ, Illinois
PETER T. KING, New York              NYDIA M. VELAZQUEZ, New York
EDWARD R. ROYCE, California          MELVIN L. WATT, North Carolina
FRANK D. LUCAS, Oklahoma             GARY L. ACKERMAN, New York
ROBERT W. NEY, Ohio                  DARLENE HOOLEY, Oregon
SUE W. KELLY, New York, Vice Chair   JULIA CARSON, Indiana
RON PAUL, Texas                      BRAD SHERMAN, California
PAUL E. GILLMOR, Ohio                GREGORY W. MEEKS, New York
JIM RYUN, Kansas                     BARBARA LEE, California
STEVEN C. LaTOURETTE, Ohio           DENNIS MOORE, Kansas
DONALD A. MANZULLO, Illinois         MICHAEL E. CAPUANO, Massachusetts
WALTER B. JONES, Jr., North          HAROLD E. FORD, Jr., Tennessee
    Carolina                         RUBEN HINOJOSA, Texas
JUDY BIGGERT, Illinois               JOSEPH CROWLEY, New York
CHRISTOPHER SHAYS, Connecticut       WM. LACY CLAY, Missouri
VITO FOSSELLA, New York              STEVE ISRAEL, New York
GARY G. MILLER, California           CAROLYN McCARTHY, New York
PATRICK J. TIBERI, Ohio              JOE BACA, California
MARK R. KENNEDY, Minnesota           JIM MATHESON, Utah
TOM FEENEY, Florida                  STEPHEN F. LYNCH, Massachusetts
JEB HENSARLING, Texas                BRAD MILLER, North Carolina
SCOTT GARRETT, New Jersey            DAVID SCOTT, Georgia
GINNY BROWN-WAITE, Florida           ARTUR DAVIS, Alabama
J. GRESHAM BARRETT, South Carolina   AL GREEN, Texas
KATHERINE HARRIS, Florida            EMANUEL CLEAVER, Missouri
RICK RENZI, Arizona                  MELISSA L. BEAN, Illinois
JIM GERLACH, Pennsylvania            DEBBIE WASSERMAN SCHULTZ, Florida
STEVAN PEARCE, New Mexico            GWEN MOORE, Wisconsin
RANDY NEUGEBAUER, Texas
TOM PRICE, Georgia                   BERNARD SANDERS, Vermont
MICHAEL G. FITZPATRICK, 
    Pennsylvania
GEOFF DAVIS, Kentucky
PATRICK T. McHENRY, North Carolina

                 Robert U. Foster, III, Staff Director

       Subcommittee on Financial Institutions and Consumer Credit

                   SPENCER BACHUS, Alabama, Chairman

WALTER B. JONES, Jr., North          BERNARD SANDERS, Vermont
    Carolina, Vice Chairman          CAROLYN B. MALONEY, New York
RICHARD H. BAKER, Louisiana          MELVIN L. WATT, North Carolina
MICHAEL N. CASTLE, Delaware          GARY L. ACKERMAN, New York
EDWARD R. ROYCE, California          BRAD SHERMAN, California
FRANK D. LUCAS, Oklahoma             GREGORY W. MEEKS, New York
SUE W. KELLY, New York               LUIS V. GUTIERREZ, Illinois
RON PAUL, Texas                      DENNIS MOORE, Kansas
PAUL E. GILLMOR, Ohio                PAUL E. KANJORSKI, Pennsylvania
JIM RYUN, Kansas                     MAXINE WATERS, California
STEVEN C. LaTOURETTE, Ohio           DARLENE HOOLEY, Oregon
JUDY BIGGERT, Illinois               JULIA CARSON, Indiana
VITO FOSSELLA, New York              HAROLD E. FORD, Jr., Tennessee
GARY G. MILLER, California           RUBEN HINOJOSA, Texas
PATRICK J. TIBERI, Ohio              JOSEPH CROWLEY, New York
TOM FEENEY, Florida                  STEVE ISRAEL, New York
JEB HENSARLING, Texas                CAROLYN McCARTHY, New York
SCOTT GARRETT, New Jersey            JOE BACA, California
GINNY BROWN-WAITE, Florida           AL GREEN, Texas
J. GRESHAM BARRETT, South Carolina   GWEN MOORE, Wisconsin
RICK RENZI, Arizona                  WM. LACY CLAY, Missouri
STEVAN PEARCE, New Mexico            JIM MATHESON, Utah
RANDY NEUGEBAUER, Texas              BARNEY FRANK, Massachusetts
TOM PRICE, Georgia
PATRICK T. McHENRY, North Carolina
MICHAEL G. OXLEY, Ohio


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    November 9, 2005.............................................     1
Appendix:
    November 9, 2005.............................................    41

                               WITNESSES
                      Wednesday, November 9, 2005

Bohannon, Mark, General Counsel and Senior Vice President Public 
  Policy, Software and Information Industry Association..........    23
Brill, Julie, Assistant Attorney General, State of Vermont.......    25
Callari, Josie, Senior Vice President, Astoria Federal S&L 
  Association and Chairman, America's Community Bankers 
  Electronic Banking and Payment Systems Committee, on behalf of 
  America's Community Bankers....................................    19
Hendricks, Evan, Publisher, Privacy Times........................    27
Ireland, Oliver I., Partner, Morrison & Foerster LLP, on behalf 
  of Financial Services Coordinating Council.....................    18
Kaufmann, Karl F., Sidley Austin Brown & Wood LLP, on behalf of 
  Chamber of Commerce............................................    28
Lively, H. Randy, President & CEO, American Financial Services 
  Association....................................................    21

                                APPENDIX

Prepared statements:
    Oxley, Hon. Michael G........................................    42
    Ackerman, Hon. Gary L........................................    44
    Baca, Hon. Joe...............................................    46
    Bachus, Hon. Spencer.........................................    47
    Biggert, Hon. Judy...........................................    50
    Clay, Hon. Wm. Lacy..........................................    51
    Ford, Hon. Harold E., Jr.....................................    52
    Gutierrez, Hon. Luis V.......................................    53
    Hinojosa, Hon. Ruben.........................................    55
    Lee, Hon. Barbara............................................    57
    Bohannon, Mark...............................................    58
    Brill, Julie.................................................    64
    Callari, Josie...............................................    81
    Hendricks, Evan..............................................    86
    Ireland, Oliver I............................................   100
    Kaufmann, Karl F.............................................   113
    Lively, H. Randy.............................................   119

              Additional Material Submitted for the Record

Bachus, Hon. Spencer:
    ARMA International, prepared statement.......................   122
    ID Analytics Corporation, prepared statement.................   128
    Mortgage Bankers Association, prepared statement.............   139
    National Business Coalition on E-Commerce and Privacy, 
      prepared statement.........................................   145
Frank, Hon. Barney:
    National Association of Attorneys General, letter, October 
      27, 2005...................................................   152
    National Association of Insurance Commissioners, prepared 
      statement..................................................   164
Hinojosa, Hon. Ruben:
    Texas Business & Commerce Code, Definitions, Section 20.01...   168
    Identity Theft Enforcement and Protection Act, Texas State 
      Legislature, May, 28, 2005.................................   171


                       H.R. 3997, FINANCIAL DATA
                         PROTECTION ACT OF 2005

                              ----------                              


                      Wednesday, November 9, 2005

             U.S. House of Representatives,
             Subcommittee on Financial Institutions
                               and Consumer Credit,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 10:00 a.m., in 
Room 2128, Rayburn House Office Building, Hon. Spencer Bachus 
[chairman of the subcommittee] presiding.
    Present: Representatives Bachus, Castle, Kelly, LaTourette, 
Biggert, Tiberi, Hensarling, Pearce, Neugebauer, Price of 
Georgia, McHenry, Sanders, Maloney, Ackerman, Moore of Kansas, 
Frank, Hooley, Ford, Hinojosa, Crowley, Baca, Green, Moore, 
Clay, and Matheson.
    Also Present: Representatives Oxley, Pryce of Ohio, and 
Bean.
    Chairman Bachus. Good morning. There was a Republican 
conference this morning. And it is just now concluding. So I do 
expect some Republican members to be arriving in the next few 
minutes.
    Today's hearing is on H.R. 3997, the Financial Data 
Protection Act of 2005. This is the fourth committee hearing 
this year on improving data security for consumers.
    During the past several years, this committee has passed 
various pieces of legislation addressing the identity theft 
issue. Most importantly, the Fair and Accurate Transaction Act, 
or FACT Act, contained provisions not only preventing identity 
theft, but giving victims added protections and remedies, 
particularly restoring an accurate credit report if they were 
victims of identity theft.
    This morning, we will consider data security legislation 
which will give Americans, American consumers, further 
protections against credit card fraud, identity theft, and the 
release of confidential information.
    H.R. 3997 was introduced by Mr. LaTourette, Ms. Hooley, 
Chairman Castle, Chairman Pryce, and Mr. Moore. So it is a 
bipartisan piece of legislation. It seeks to expand the data 
safeguard requirements of Gramm-Leach-Bliley Act and the Fair 
Credit Reporting Act by establishing uniform standards for all 
businesses that possess or maintain sensitive financial or 
identity information about consumers.
    H.R. 3997 would prevent data breaches by mandating a strong 
national standard for the protection of sensitive information 
on consumers, require institutions to notify consumers of data 
security breaches involving sensitive information that might be 
used to commit financial fraud against them, and require 
institutions to provide consumers with a free 6-months 
nationwide credit monitoring service upon notification of a 
breach.
    Over the past several months, there have been numerous news 
reports describing potentially serious breaches of information 
security. These breaches have generally involved sensitive 
personal information such as individuals' names, Social 
Security numbers, or payment card information. Although the 
reports of subsequent fraud associated with these breaches have 
been relatively few, protecting customers and consumers after 
such data breaches obviously remains of primary concern.
    Furthermore, data breaches, even if relatively uncommon and 
limited in scope, undermine consumer confidence. For instance, 
surveys suggest that the growth of online commerce is 
restrained due to fears about information security.
    Our fundamental goal is to ensure that companies protect 
sensitive consumer information to avoid potential security 
breaches. Unfortunately, no data protection program is perfect. 
Therefore, we need to make sure that companies take reasonable 
steps to protect consumers in the event that there is a breach.
    This morning, we will have a discussion about providing 
notices to consumers who are affected by data breach in 
addition to other ways of mitigating consumer harm. These 
notices should only be sent out when appropriate so as to avoid 
overnotification of consumers, or customers. In addition, 
Congress should establish a national uniform standard to 
protect all Americans from data breaches.
    Lastly, data security legislation should distinguish 
between identity theft and credit card fraud.
    H.R. 3997 goes a long way toward achieving these 
objectives. And I look forward to moving this bill in the near 
future.
    As I mentioned earlier, the sponsors of 3997 should be 
commended for drafting bipartisan data security legislation.
    I also want to recognize the work of Ms. Bean, Mr. Frank, 
and Mr. Davis on H.R. 3140, the Consumer Data Security and 
Notification Act of 2005. Like them, I think the time is ripe 
for Congress to act on data security legislation and our work 
with the sponsors of 3997 and with the sponsors of 3140, as 
well as any other members of this committee, on this important 
legislative initiative.
    Let me close by--well, at this point, I will recognize Mr. 
Sanders, the ranking member, for any opening statement he would 
like to make and then we will introduce our panel of witnesses, 
and some of my colleagues wish to introduce certain panelists 
from their States.
    Thank you, Mr. Sanders.
    [The prepared statement of Hon. Spencer Bachus can be found 
on page 47 in the appendix.]
    Mr. Sanders. Thank you very much, Mr. Chairman, and I thank 
you for holding this important hearing and I am especially 
pleased that Julie Brill, the assistant attorney general for 
the State of Vermont, can be with us this morning, and I will 
be looking forward to her testimony and I will be introducing 
her in a moment.
    Mr. Chairman, identity theft and security breaches at some 
of our Nation's largest companies are huge issues that this 
committee has got to deal with. According to the Federal Trade 
Commission, 27.3 million Americans have been victims of 
identity theft in the past 5 years, costing businesses, 
financial institutions, and consumers over $50 billion per 
year. Victims of identity theft pay an average of about $1,400, 
not including attorney fees, and spend an average of 600 hours 
to clear their credit reports.
    In addition, Mr. Chairman, over the past year, there have 
been over 100 security breaches and data leaks at some of the 
biggest companies in this country, threatening the financial 
privacy of tens of millions of Americans.
    The largest one became public in May of 2005, when CardSystems 
Solutions, Incorporated, reported a major security 
breach, potentially compromising over 40 million credit card 
account numbers. And in February of 2003, the FBI announced a 
nationwide investigation of a computer database security breach 
containing roughly 8 million Visa, MasterCard, and American 
Express credit card numbers. This breach forced many financial 
institutions to reissue thousands of Visa and MasterCards as a 
precaution against potential fraud. But we are not just talking 
about credit card companies. We are talking about Time Warner, 
Lowes stores, T-Mobile USA, ChoicePoint, Lexis-Nexis, Wells 
Fargo, Bank of America, and on and on.
    For a variety of reasons, Social Security numbers, debit 
and check credit, check card information, driver's license 
numbers, e-mails, personal computer files, and information 
about student loans and mortgages are being stolen by computer 
hackers and other scam artists.
    Mr. Chairman, this has got to stop. We must make sure that 
hackers and others are protected to the fullest extent of the 
law, but we must also make sure that the largest and most 
profitable multi-national companies in this country do 
everything they can to make sure that identity thieves don't 
succeed in the first place.
    Today we will be discussing one bill that deals with the 
subject, H.R. 3995, the so-called Financial Data Protection Act 
of 2005. Mr. Chairman, I have serious concerns about this 
legislation. As I understand it, this legislation would preempt 
security breach notification laws in the 21 States that have 
enacted them to date and would also overturn the consumer 
credit report freeze provisions enacted by 12 States, including 
my own State of Vermont. That is wrong.
    Mr. Chairman, if Vermont or Alabama want to pass laws that 
are stronger than the Federal Government's, we should give 
States that right. That is what Federalism is all about.
    The States are laboratories of democracy. If there is a 
particular identity theft crisis in Colorado and the Colorado 
State legislature passes a law to correct this problem and it 
works, what happens? Pretty soon, Maryland may pass the same 
law, then Nebraska, then Ohio. We learn from each other. And 
that is one of the very exciting and positive aspects of our 
system of Government.
    But if this legislation is signed into law, we would 
permanently prevent the States from taking this action.
    We hear a lot of talk from our conservative friends about 
protecting the States and the American people against the big 
bad and intrusive Federal Government.
    And I would hope that today and in this legislation, our 
conservative friends would honor the mantra that they preach 
very, very often. Instead of preempting State consumer 
protection laws, there is another bill that has been introduced 
by Ms. Bean, H.R. 3140, the Consumer Data Security and 
Notification Act, that I believe this committee should also 
seriously consider. As I understand it, this legislation would 
provide strong consumer protections and enforcements against 
credit card fraud and identity theft.
    H.R. 3140 would strengthen Federal protections against 
improper collection and sale of sensitive consumer information 
and provide consumers with advance warning when their personal 
financial information is at risk.
    In addition, the bill contains tough enforcement provisions 
to protect consumer from identity theft. Most importantly, in 
my view, this legislation does not preempt States and 
localities from passing stronger consumer protection laws.
    Finally, Mr. Chairman, I strongly believe that this 
committee should focus on how the outsourcing of financial jobs 
to China, India, and other cheap foreign labor markets also 
threatens the privacy of our citizens. According to one study, 
more than 500,000 financial service jobs in the United States 
representing 8 percent of all jobs in banking, brokerage, and 
insurance firms, will move offshore in the next 5 years. This 
is not just an issue of protecting the working people of this 
country. It is also an issue of privacy rights.
    It seems to me that no financial services firm or credit 
bureau agency is immune to overseas outsourcing. And this is an 
issue we have got to focus on.
    Mr. Chairman, with growing problems in identity theft and 
with no domestic legal protection for the privacy of the 
personal records of American citizens, the situation is 
unhappily ripe for abuse and the evidence is mounting.
    That is why I am supportive of legislation introduced by 
Congressman Markey that would make it illegal for companies in 
the U.S. to send financial data abroad without the express 
written consent of their customers.
    Mr. Chairman, thank you again for holding this hearing, and 
I look forward to working with you on this issue.
    Chairman Bachus. I thank the ranking member. At this time, 
I recognize the chairman of the full committee, Mr. Oxley.
    Mr. Oxley. Thank you, Mr. Chairman. This morning, the 
committee meets to hear from a number of leading business and 
consumer groups on H.R. 3997, the Financial Data Protection 
Act. This bipartisan bill is a product of the hard work and 
leadership of Representatives LaTourette, Hooley, Castle, 
Pryce, and Mr. Moore of Kansas. And I congratulate them on 
their accomplishment. And also I thank the subcommittee Chair, 
Mr. Bachus, and Ranking Member Sanders for spotlighting this 
issue in their hearings. This issue will be a priority for the 
committee when we return early next year. And I look forward to 
working with the sponsors as well as the chairman and the 
ranking member.
    In recent years, criminals in the United States and abroad 
have become increasingly inventive in finding ways to access 
and exploit information systems in order to commit identity 
theft. According to the Federal Trade Commission estimate, 10 
million Americans are victimized by identity thieves each year, 
costing consumers and businesses over $55 billion per year. 
Several recent high profile security breaches have focused 
public attention as never before on the vulnerabilities of 
companies' data security systems. This year alone, we have seen 
nearly 75 breaches impacting over 50 million Americans.
    As a result of these numerous breaches, Congress needs to 
review how information is handled, and what happens when it is 
mishandled. The Financial Services Committee has worked 
tirelessly over the past several years to identify and enact 
solutions to improve data security protections. In 1999, many 
of the senior members of this committee helped enact the first 
data security laws in the Gramm-Leach-Bliley Act applying to 
financial firms.
    In 2003, the gentleman from Alabama, Mr. Bachus, led the 
committee in expanding on this effort by securing the passage 
of the Fair and Accurate Credit Transactions Act, or FACT Act, 
which generally expanded consumer identity theft 
protections.
    A number of other committees in the House and in the Senate 
are also working on legislation to address data security 
protections. This committee must do its due diligence by 
producing legislation that sets national protection for 
consumers and supports the financial services marketplace.
    We can build on the work we did on the FACT Act to achieve 
a unified product coming from this committee.
    We have a great deal of expertise on this committee on 
these issues. And I expect that our legislation will be a 
significant portion of any final House product. We seek to 
achieve a uniform national standard that protects consumers to 
a greater overall degree than they are protected now.
    H.R. 3997 requires all businesses with sensitive 
information on consumers to adopt data security, policies and 
procedures, investigate data security breaches, make uniform 
notification, and provide mitigation to consumers where there 
is a likelihood of harm to the consumer.
    I applaud the bipartisan cosponsors for putting together a 
balanced, fair, and reasonable approach for our committee and 
looking forward to further consideration of this legislation 
going forward.
    Mr. Chairman, again, thank you for your leadership, and I 
yield back.
    [The prepared statement of Hon. Michael G. Oxley can be 
found on page 42 in the appendix.]
    Chairman Bachus. I thank the chairman and now recognize the 
ranking member of the full committee, Mr. Frank, who is one of 
the cosponsors of 3140.
    Mr. Frank. Thank you, Mr. Chairman, and thank you for your 
opening statement in which you noted that there are a variety 
of bills because I must say that I am very disappointed with 
the version of H.R. 3997 that is now before us. And I 
would ask unanimous consent at this point to put into 
the record some explanation of my disappointment. One is a 
letter from the National Association of Insurance 
Commissioners, which we just received. Let me read their 
summary--
    Chairman Bachus. Yes, and without objection, it will be 
entered into the record.
    Mr. Frank. In short, H.R. 3997 would take away existing 
State consumer privacy laws, market conduct enforcement 
authority, and data security safeguards for the purpose of 
establishing a Federal system that limits consumer protection 
to being notified under certain circumstances when a breach of 
data security occurs.
    The attorneys general--nearly all of them--I keep trying to 
count. Sometimes I get 47. Sometimes I get 48. I don't think 
they have changed. I think my counting changed. But nearly all 
of the attorneys general have sent a letter, too, to the 
leaderships basically opposing 3997 in that they talk about a 
lot of things they want to see in the bill that aren't in 3997. 
And they have said--and the letters from the attorneys general 
ought to be included in the record as well. The point they 
make, and it is a point that I have made and others here have 
made that governed our activity when we passed the FACT Act 
dealing with credit. They say on page 2, we call on Congress to 
enact a national security breach notification law that will 
provide meaningful information to consumers. If Congress is not 
able to extract a strong notice law, it should read be issued 
to State law which is responding strongly.
    3997 cuts back on Federal law, interestingly. I was 
particularly disappointed to see that it would weaken Title V 
of Gramm-Leach-Bliley. And in many ways, consumers would be 
worse off than they were before. And what it then does is to 
undercut, to preempt a lot of State laws. The standard for 
notification is less. We had a situation with Bank of America, 
an important institution of my own State in part--I guess in 
every State. So big deal for me.
    But they had a breach. And they had to notify customers 
because of a California law. Had it not been for the California 
law, they would not have had to notify anybody. Understand that 
if this bill passes, 3997, which I do not expect it to, I don't 
think Bank of America would have had to notify. Now I note some 
of my friends in the financial service industry have argued 
that they don't want to too quickly notify people when there 
has been a breach of the security of the data because of a very 
new-found concern for the capacity of people's mailboxes.
    I have a rule I will tell my friends in the financial 
services community; try in political debate to avoid saying 
something that no one will believe. It may seem useful to you 
in the spur of the moment, but it rarely works. For the 
financial service industry, which keeps my mailbox quite full 
with various solicitations for credit cards, mortgages, and all 
other matter of products, to suddenly decide that the one thing 
they don't want to send me is a notification that my data has 
been breached really doesn't persuade anybody.
    So we, I think, have to--and the bill that we have filed, 
and I appreciate your noticing it, Mr. Chairman, when we get to 
the mark up, I hope it will be obviously considering the 
subject, not a particular bill, what we try to do is to give an 
incentive to encrypt the requirement to notify consumers in the 
bill we have filed, on our side, as most of the Democrats, 
would decrease the requirement to notify to the extent that the 
data has been encrypted.
    That is, we don't try to put a burden of proof on you to 
show that--we don't say that it is only to be--there is only to 
be notification if it is pretty clear that there is going to be 
a breach, but the more you have done things to protect the 
security of the data, the less likely you are to have to 
notify.
    Similarly, while it is not in our bill, I think a consensus 
is now developing for a credit freeze. And I will serve notice 
now that whenever we consider this, there will be an amendment 
offered to provide for a credit freeze, and I notice, for 
instance, in the 3997, there is some restriction on liability 
for the holders of the data.
    I would be willing to do that if, in fact, there was a 
right of a credit freeze and if people would exercise--have the 
right to have exercise a credit freeze it would limit 
liability. Otherwise it is too broad. So there are a number of 
areas where, as I said, I am disappointed in 3997. It weakens 
Title V, which would seem to me entirely unnecessary to this 
purpose. It cancels a lot of State laws and puts inadequate 
Federal laws in their place. So we look forward to the 
opportunity to work on this.
    This committee has been able on most pieces of major 
legislation to arrive at a pretty good bipartisan consensus. I 
just want to serve notice today we ain't there yet. And 3997 
certainly isn't there. But we hope that we can get there. Thank 
you, Mr. Chairman.
    Chairman Bachus. Thank you. Let me say this as we move 
forward and I think, Mr. Frank, and we have had discussions and 
the chairman and I know the sponsors of the bill, and it is all 
our intention to work together.
    Mr. Frank. I appreciate that, Mr. Chairman, you have always 
done that.
    Chairman Bachus. And I think that there is at least some 
consensus that we will not mark up a bill until January or 
February.
    And one of the reasons for that is we do not have a 
consensus at this point.
    Mr. Frank. Thank you, Mr. Chairman. Let me say, I think I 
speak for a very strong bipartisan consensus when I say that 
this is a very important subject; we hope it is February and 
not January.
    Chairman Bachus. I think that Chairman Castle and Chairman 
Pryce and Mr. LaTourette probably agree.
    So, thank you. At this time, Chairman Castle?
    Mr. Castle. Thank you, Mr. Chairman. I also, Mr. Chairman, 
appreciate the hearing you are holding today on this very 
important piece of legislation.
    We have worked very hard over the past few months, those of 
us who are involved in this, to develop a comprehensive 
approach to securing information. In today's hearing, while the 
fourth in a series on this topic, it is the first that really 
focuses on this particular legislation. I think each one of us 
as individuals will agree that we enjoy the convenience that 
comes with the ability to pay bills online or the ability to 
apply for a mortgage, car loan, or home equity loan via the 
Internet. And businesses certainly enjoy greater sales and 
increased productivity as a result of high speed computer 
technology that captures vast amounts of consumer information.
    But at the same time, we worry about compromising 
sensitive, personal, and financial information. And we worry 
about consumers' willingness to share that information 
especially because in 2005 alone there have been 75 corporate 
data security breaches involving sensitive information, an 
estimated 75 million consumers.
    The goal of H.R. 3997, the Financial Data Protection Act, 
is simple, to treat data that is valuable to businesses and 
consumers with care and to safeguard it from abuse or misuse.
    Many States have different standards for the protection of 
sensitive consumer information and notification in place 
already. But this patchwork approach to consumer data 
protection is not ideal. Therefore, I look forward to hearing 
from our distinguished panelists today about the need for 
uniform, comprehensive data security requirements to protect 
sensitive personal information that may be used to commit 
fraud--especially the crime of identity theft.
    I am hopeful that your testimony will shed light on why 
such a standard is critical for businesses and consumers. Thank 
you, Mr. Chairman. I yield back.
    Chairman Bachus. Thank you. Ms. Maloney.
    Mrs. Maloney. Thank you, Mr. Chairman. And I welcome all of 
the participants today as well as all of the witnesses on this 
important issue. And I would particularly like to welcome Ms. 
Josie Callari from Astoria Federal Savings, a New York 
community bank that is located in the district that I am 
honored to represent.
    Our colleagues in Energy and Commerce have started their 
work, and so it is high time that we do the same. In 
considering how to address the issue for financial services 
institutions, we start from a forward position. Since those 
entities are already subject to the data security and privacy 
protections in the Gramm-Leach-Bliley Act. Title V of that Act 
already requires financial service institutions to implement 
data security safeguards, a customer response program, and a 
comprehensive privacy policy.
    I am sure if you ask the institutions here today that they 
would be able to describe how they are implementing these 
programs in detail in their own institutions.
    I would say, particularly smaller institutions have paid 
the price to address data security breaches for their 
customers, even when the data was lost by a data broker or 
merchant, because the customer is a bank client and customer 
relations are important and because they believe in taking care 
of their clients. And I have heard such stories from the 
constituents that I represent.
    In my view, to the extent that we impose additional 
national standards, we should be very cautious in how we 
disrupt the newly settled system of regulations that has been 
put in place under Gramm-Leach-Bliley. On the other hand, we 
need to make sure that our financial institutions aren't paying 
the price for other less well regulated. It makes no sense to 
have a national system that provides different consumer 
protections to the same sensitive financial information 
depending on who lost it.
    For example, data brokers who lose information should bear 
the burden of compensating for those losses and protecting 
consumers in the future.
    There are several issues, however, that the implementation 
of Gramm-Leach-Bliley has shown up as a weakness in the data 
protection according to our financial institutions. And one of 
those issues that my constituents are extremely concerned 
about--and I am sure that this is probably true across the 
Nation--is what protections do consumers have when their data 
is sent overseas to be processed?
    Many countries don't have data security protections that 
are as robust as those that we have in this Nation. Yet 
financial services companies routinely use data processing 
services to process sensitive financial information.
    So I will definitely be offering the Markey bill and the 
proposal that strengthens the oversight of data that is sent 
overseas. And I feel that should be strongly addressed in this 
legislation.
    I would also like and request the chairman to place in the 
record a letter that has come to me and probably many others 
from the attorneys general across this Nation. And they argue 
that States should have the ability to enforce any national 
security breach notification laws and that State laws should be 
left to govern entities not covered by the Federal law or the 
consequences of security breaches. Their letter was signed by 
many attorneys general, including New York's Attorney General, 
Eliot Spitzer.
    On the other hand, some of my industry representatives have 
argued that only if State laws are completely preempted will 
financial institutions be able to cope with the compliance 
issues that data security presents and that functional 
regulators are best equipped to enforce regulations governing 
the entities with which they are familiar.
    So in your comments, I wish that the panelists would 
address the letter from the attorneys general and your 
interpretation and advice on it. I thank the chairman. I have 
been--I have learned over many years that many contentious 
issues I think will never ever be in agreement. But often you 
have bent over backwards to listen to the democratic side and 
we have come forward with a bipartisan agreement on what is 
fundamentally important to all Americans and that is a strong 
safety and soundness in our financial system, and I feel 
confident we will be able to do that and I thank you for your 
accommodation in the past and look forward to working with you 
on this bill.
    Chairman Bachus. Thank you. And one thing that Chairman 
Oxley wanted me to stress and Ranking Member Frank, and I know 
they have talked, and I believe I speak for both of them when 
they say that addressing this issue is a top priority of the 
committee.
    And as Mr. Frank said, if he thinks that February is more 
appropriate for beginning to mark up a bill, then February it 
will be, because we need some consensus and agreement going 
forward.
    At this time, I recognize Mr. LaTourette, who is a lead 
sponsor of the bill.
    Mr. LaTourette. Thank you very much, Chairman Bachus, and I 
would ask unanimous consent to include a rather lengthy 
statement into the record. I want to thank the cosponsors of 
this legislation, Mike Castle and Debbie Pryce and Dennis Moore 
and Darlene Hooley. And I was sitting next to Mr. Hensarling 
when the distinguished ranking member of the committee, Mr. 
Frank, was talking. And he said to Darlene and to Debbie and to 
Mike and to Dennis it is like he called our child ugly. And 
that is too bad. But we worked hard on this legislation.
    We recognize that there are competing opinions. But 
clearly, this is an important issue. The great thing about this 
committee is it does work together well on most issues in a 
bipartisan fashion. And as I read the testimony of those who 
are testifying today, I know that some of you are going to be 
critical of the bill and some of you are going to be very 
critical of the bill.
    And I just want you to know that if we are going to get 
this right, we do need the input of everybody. And so we 
appreciate your being here to offer your observations because I 
think the one thing that we would like to see at the end of the 
day is a piece of legislation that, in fact, addresses this 
rather serious problem.
    And while we often debate the issue of preemption and 
whether or not the 50 States are great laboratories of 
democracy, and I agree and with the system of Federalism, but I 
would also suggest that there are times when we need to look at 
the great ideas that are going on in some of the 50 States and 
apply them, in some instances, in a limited basis to a national 
problem.
    Mr. Sanders. Would my friend yield on that?
    Mr. LaTourette. I would be happy to yield.
    Mr. Sanders. I agree with him. The point is we should take 
the best ideas at the State level and apply them at the Federal 
level. But we shouldn't preempt the States from continuing to 
go forward. That is the main point that I would make.
    Mr. LaTourette. I appreciate the gentleman's observation, 
and I know that he holds that clearly and on some issues I 
agree with him and some I don't agree with him. And we can move 
that forward as we debate this legislation. But I think that 
the prime--with all of its warts and flaws, H.R. 3997 is, in 
fact, a collaborative effort. It is a bipartisan effort. It was 
an attempt to be thoughtful. And I'm proud of the product and I 
am very thankful to my cosponsors and Mr. Chairman--
    Mr. Frank. Would the gentleman yield?
    Mr. LaTourette. I would be happy to yield.
    Chairman Bachus. We probably need to restrict this to 
opening statements. I will let the ranking member--
    Mr. Frank. Just briefly. The gentleman said that I called a 
child ugly. And I would just plead guilty and say that it seems 
to me the obligation to declare all children beautiful should 
not be construed as extending beyond the boundaries of your own 
district.
    Chairman Bachus. We are obviously building a consensus 
already. We are off to a good start.
    Mr. LaTourette. And I thank the gentleman very much and 
perhaps we will put braces on the child as we move forward in 
this process. But I look forward to a rather spirited debate. 
And Mr. Chairman, I thank you for your leadership and--your 
committed leadership in not only this issue, but identity 
theft, not only as we move forward, but in the past. And I 
yield back my time.
    Chairman Bachus. Mr. Ackerman.
    Mr. Ackerman. Thank you, Mr. Chairman, and thank Mr. 
Sanders as well for introducing this legislation at today's 
hearing. I think it is as good as any of a stepping off point. 
I do have some very grave concerns about the bill as it has 
been thus presented. Many of which have been expressed here. I 
am concerned that in our rush to do something that must indeed 
be addressed as expeditiously as we can, that we do get it 
right.
    And citing those things in my opening statement, that have 
already been expressed, as well as some others with the Chair's 
assurance that he has given, and true to form that he has 
always worked and listened to all members of the committee--
some of whom might be uglier than others, I am not sure and I 
don't want to get into that--I would ask unanimous consent to 
put the entire statement in.
    And with the Chair's permission, as I have a markup down 
the hall at this time, I would like to just say a word of 
introduction to a constituent who is on today's panel and--
    Chairman Bachus. Yes, that would be fine.
    Mr. Ackerman. Thank you, Mr. Chairman, very much. I would 
like to give a special welcome to Josie Callari of Astoria 
Federal Savings, who is also mentioned by Ms. Maloney, who said 
that she had their banks in her district, and indeed she does.
    It should be noted that there are 18 Members of Congress 
who represent parts of our city, New York City, or Long Island, 
and indeed I think if you asked almost any of us, we do have 
branches of that bank in our district. But I am proud to say 
that their headquarters in Lake Success is indeed in my 
district.
    Ms. Callari has 30 years of experience in the banking 
industry and is currently a senior vice-president and the 
director of banking operations at Astoria Federal Savings. She 
also serves as the vice chairman of the America's Community 
Bankers Electronic Banking and Payments Committee. And she is 
ideally suited to provide testimony before the subcommittee 
today.
    And finally, she has been very active as a volunteer and as 
a supporter of so many community organizations in my district 
and throughout our region that I would like to thank her 
personally for that volunteer service as well.
    And thank you for coming down. And thank you for 
participating in this panel. And don't be nervous.
    [The prepared statement of Hon. Gary L. Ackerman can be 
found on page 44 in the appendix.]
    Chairman Bachus. Thank you.
    Several opening statements have referenced the attorney 
general's letter, and the attorney general, or assistant attorney 
general, Ms. Brill from Vermont, has actually attached that to 
her testimony. So it will come in as part of that testimony.
    At this time, I recognize Ms. Pryce.
    Ms. Pryce of Ohio. There is two. I will just submit my 
statement for the record.
    Chairman Bachus. Mr. Hensarling.
    Mr. Hensarling. Thank you, Mr. Chairman, and I certainly 
thank you for holding this important hearing. I want to thank 
my colleagues on this committee, particularly Mr. LaTourette, 
who collaborated to introduce H.R. 3997.
    As we all know, this year there have been numerous widely 
reported breaches of security in several companies involved in 
the collection and dissemination of consumer data. This is 
clearly troublesome.
    There is no doubt that companies should have data security 
policies and procedures in place to protect against fraudulent 
activity, especially identity theft, the fastest growing white 
collar crime in America.
    In fact, the Federal Trade Commission has estimated that 
about 10 million Americans fall victim to identity theft every 
year. I have been one of them. It costs consumers and 
businesses more than $55 billion in the aggregate.
    But, Mr. Chairman, many regulations are already in place 
that work to protect the personal information of individuals. 
And we all know that financial institutions in particular are 
highly regulated under Gramm-Leach-Bliley when it comes to the 
collection of consumer data. We also know that the Fair Credit 
Reporting Act, as amended by the FACT Act, helps consumers 
improve the accuracy of information about them while 
restricting the disclosure of that same information.
    While regulation clearly helps to direct financial 
institutions' response to identity theft, the actions taken by 
financial institutions on their own should not be dismissed.
    The overwhelming majority of institutions already offer 
their customers information on how to prevent identity theft 
and what to do about it, and they train their employees to 
protect the security of customer information and to assist 
victims. It is in their interest to do so.
    Who wants to tell prospective customers, please allow me to 
handle your sensitive consumer data; we only had 14 data 
security breaches last month. Markets can work. They can punish 
bad or negligent behavior. Just ask anyone who used to work for 
Arthur Andersen. Ask an investor in ChoicePoint who saw their 
stock fall almost 10 percent. As Chairman Greenspan told this 
committee back in July, "the self interest of people who handle 
data is so extraordinarily high, I just balk at the notion that 
anyone has to tell them what their self interest is. I cannot 
believe that we need regulations to tell people how to make a 
profit."
    I do think we need to make sure as a body that we are 
always cautious not to create a remedy that proves worse than 
the disease. And, unfortunately, Congress has on occasion 
excelled at the art of unintended consequences.
    So I hope, Mr. Chairman, as we consider this important data 
security legislation, that we keep Chairman Greenspan's words 
in mind. We know that data security is a serious subject. We 
also need to ensure we take no action that would needlessly 
stifle competition or impose unreasonable costs on participants 
that ultimately will be borne by the consumers. Thank you, and 
I yield back.
    Chairman Bachus. Thank you, Mr. Hensarling. At this time I 
recognize one of the cosponsors of the 3997, Mr. Moore.
    Mr. Moore. Thank you, Mr. Chairman. I would like to thank 
you for holding today's hearings, and I introduced this 
legislation with Mr. LaTourette, Deborah Pryce, Mike Castle, 
and Jeb Hensarling, and I want to thank each of my cosponsors. 
We have all seen this year that breaches of data security are a 
serious and ongoing problem in our country.
    The testimony of Vermont's assistant attorney general, 
Julie Brill, notes that there have been reports of over 118 
data leaks this year, which all together have affected 57 
million consumers in the United States.
    Today 23 States have enacted breach notification laws. Just 
2 weeks ago, 47 State attorneys general sent a letter to 
Congress on the issue of breach notification legislation. I 
don't agree with all of the recommendations in the letter, but I 
do appreciate the attorneys general's recommendation that 
Congress enact a national security breach notification law that 
will provide meaningful information to consumers.
    Unfortunately the State of Kansas has not considered or 
enacted consumer notification legislation. And our attorney 
general did not sign the attorneys general's letter. A Federal 
law that sets a uniform national standard will benefit I 
believe both consumers and businesses that operate in the State 
of Kansas.
    Further, the passage of notification laws by nearly half 
the States is a strong indication that there is a problem which 
does not recognize State lines, and it is in need of a national 
solution. I believe that solution is embodied in H.R. 3997.
    H.R. 3997 would, for the first time, in Federal law, create 
a uniform consumer notification standard and require companies 
to notify consumers when their sensitive personal information 
has been accessed in a way that could lead to substantial harm.
    It seeks, I believe, to strike a reasonable balance that 
requires breached entities to notify but not over-notify 
consumers when sensitive personal information has been 
compromised. Believe it or not, I know some of you won't 
believe this, but sometimes Congress overreacts to certain 
problems that are presented to Congress. As Congress considers 
data security legislation, we need to react to a very real 
problem without overreacting. And I hope that this is contained 
within 3997.
    The bill sponsors and I believe there should be a few 
guiding principles behind any data security legislation or bill 
that is passed by Congress. Number one, companies should be 
required to safeguard their data. Number two, breached 
businesses should be required to notify consumers, law 
enforcement, regulators, and relevant third parties when 
sensitive personal data is compromised. Number three, breached 
entities need to ensure that consumers are protected after 
their data is compromised. Number four, Federal preemption is 
necessary, I believe, to create a meaningful uniform national 
standard. Our legislation embodies each of these guiding 
principles.
    I am proud of this committee's bipartisan work in drafting 
H.R. 3997. Protecting data and consumers is not a partisan 
issue, should not be a partisan issue, and the process of 
drafting and passing data security legislation should and will 
be bipartisan. Thank you, Mr. Chairman.
    Chairman Bachus. Thank you, Mr. Moore. And I appreciate 
your work and Ms. Hooley's work on the legislation.
    At this time, I recognize Ms. Kelly for her opening 
statement, and I will also commend your work on oversight 
committee in this regard.
    Mrs. Kelly. Thank you, Chairman Bachus. I appreciate your 
holding this important hearing.
    America demands that its data be secure. The horror stories 
of recent data leaks weaken the confidence in the security of 
transaction data and electronic payment systems.
    Small businesses, in particular, suffer when they lose 
access to credit card systems and they are forced to invest in 
ever more complex and expensive security because of failures at 
some of the largest companies in the Nation.
    The Oversight and Investigations Subcommittee that I chair 
looked into several of these cases and found that while all 
involved sought to do the best of their ability to protect 
consumer data, very few considered the impact on our nationwide 
economy and small businesses when their best efforts weren't 
good enough.
    I am pleased that the legislation before us protects small 
businesses while providing clear standards on data protection 
and loss notification all companies can use.
    National standards combined with small businesses 
flexibility are the hallmarks of this legislation, and they 
should be a portion of any data security legislation that is 
considered by the House of Representatives in this Congress.
    I am very interested in hearing the comments of our panel 
today. I thank you and yield back the balance of my time.
    Chairman Bachus. I thank you. Ms. Hooley, at this time, you 
are recognized for an opening statement as one of the 
cosponsors.
    Ms. Hooley. Thank you, Chairman Bachus and Ranking Member 
Sanders, for holding this subcommittee hearing on H.R. 3997, 
the Financial Data Protection Act of 2005. I would also like to 
thank Chairman Oxley and Mr. Frank for their leadership on this 
issue.
    It is imperative that Congress act to make certain that 
sensitive personal information is protected by adequate 
safeguards. And I look forward to working with my colleagues on 
the committee to move this process forward.
    Identity theft represents a fundamental threat to e-
commerce, to our overall economy, and our homeland security.
    No longer are we facing just hobbyist hackers looking to 
create a nuisance. Increasingly, these attacks are driven by 
skilled criminals. ID theft is big business.
    Since drafting my first identity theft bill with 
Representative LaTourette in 2000, the number of incidents 
reported to FTC has increased by eight-fold.
    Congress made progress in protecting consumers from ID 
theft in the 108th Congress with the passage of the FACT Act, 
which provided landmark consumer protections, including free 
annual access to credit reports from all three major credit 
bureaus so that consumers could closely monitor their own 
credit.
    I believe this is a great opportunity for this committee to 
build on that success.
    While our free credit report law has helped consumers spot 
fraud, this new legislation will help stop fraud. For nearly a 
year now, the sponsors of this legislation, Mr. LaTourette, Mr. 
Castle, Ms. Pryce, Mr. Moore, have worked with other members of 
this committee, industry leaders, consumer groups, and victims 
to write legislation that safeguards sensitive consumer 
information, fights ID theft, and creates uniform standards for 
notifying consumers.
    What this bill does is very simple. If a business has 
sensitive financial information of a consumer, they have a duty 
to protect that information. Businesses have a duty to 
investigate, even if they only think there might have been a 
breach. If that breach might have occurred, they have to notify 
the Secret Service; they notify their regulator; if that data is 
lost or stolen and the consumer is placed at any risk of either 
account fraud or ID theft, the businesses have to notify the 
consumer.
    This bill requires that there is a single standard easy-to-
recognize notice so that consumers won't treat this as junk 
mail. This bill also requires that notices contain meaningful, 
useful information to help consumers respond and protect 
themselves, including the toll free number. And finally, if a 
consumer is at risk of ID theft, this bill requires that 
businesses provide those consumers with 6 months of free credit 
monitoring service so the consumers know that they are a victim 
of ID theft.
    This bill will help stop fraud. And I look forward to 
working with my colleagues to move the process forward. And I 
thank you and I yield back. Thank you, Mr. Chair.
    Chairman Bachus. Any other members on the Republican side 
that have opening statements?
    Any members? Mr. Green? Mr. Clay.
    Mr. Clay. Thank you, Mr. Chairman, for holding today's 
hearing on proposed legislation intended to stem the increasing 
number of identity theft cases and data security breaches that 
are threatening our Nation's economy.
    I am hopeful that our efforts to develop a meaningful and 
measured response will provide assurance to all consumers that 
their information will be protected from those with impure 
motives and criminal intent.
    The cost associated with identity theft and security 
breaches are staggering when accounting for both economic and 
personal damages. In addition to approximately $55 billion in 
annual losses among both individuals and industry, consumers 
are often subject to legal and financial obstacles while 
attempting to reestablish their credit worthiness.
    As we develop an appropriate legislative response to these 
threats, I hope we can build off the model of strengthening 
data security requirements contained in Gramm-Leach-Bliley for 
industry members that remain unregulated.
    Furthermore, I believe that a uniform Federal standard for 
security will ensure that both industry and consumers are 
operating within one set of standards without ambiguity and 
variances from State to State.
    If we want to preserve the optimal benefits of our growing 
e-commerce sector, then we must create an environment that 
protects the personal information of consumers in all 
circumstances while weeding out predatory industry 
participants.
    Thank you, Mr. Chairman. And I yield back the balance of my 
time.
    [The prepared statement of Hon. Wm. Lacy Clay can be found 
on page 51 in the appendix.]
    Chairman Bachus. Thank you. Mr. Green.
    Mr. Green. Thank you, Mr. Chairman, and I thank the ranking 
member as well for hosting these hearings. Mr. Chairman, I am 
hopeful today that we will get some questions answered that are 
of concern. Our questions, such as who should determine whether 
the harm element is met, should it be the consumer reporter as 
defined in H.R. 3997? Or should it be the breached entity in 
concert with law enforcement, as the attorneys general 
recommend? Should this harm element be a trigger to give 
consumer notice of breach or should consumers always be given 
notice unless there is no risk of harm resulting from the 
breach?
    And finally, if the breach notification system is overly 
broad, do we run the risk of inundating consumers with notices 
and having them ignore important information they may need to 
protect themselves? I yield back the balance of my time.
    Chairman Bachus. And I apologize. I had a list of members 
that I thought wanted to make opening statements. Mr. Crowley, 
Mr. Baca, so.
    Mr. Crowley. I thank the chairman. I am going to be very 
brief. I just want to thank the Chairman and the ranking 
member, Mr. Sanders, for holding this hearing and I look 
forward to the testimony of all the expert witnesses that are 
before us today. I want to thank my colleagues on both sides 
who are conducting I think once again the spirit of this 
committee, a bipartisan effort to bring about legislation out 
of this committee. Once again, I hope when legislation that is 
passed in this committee in a bipartisan effort makes its way 
to the floor that it is not too diminished by outsiders that 
make it more difficult for members of this committee to support 
something on the floor of the House once it gets there from 
this committee.
    But I, too, am looking for a uniform Federal standard, 
Federal preemption, one that protects the consumer as well as 
the institutions, one that moves towards--institutions towards 
encryption and the use of modern technology to help secure the 
data of consumers in this Nation, one that will maintain or 
strengthen consumer confidence, a defined trigger and 
assignment of responsibility where it truly belongs.
    And again, I thank all my colleagues, especially Ms. 
Hooley, who has been very, very engaged in this because of 
personal experience in her own life. So I do appreciate her 
involvement and all my colleagues for working in a bipartisan 
spirit. And with that I yield back.
    Chairman Bachus. Mr. Baca.
    Mr. Baca. Thank you very much, Mr. Chairman. I have a 
prepared statement I would like to enter for the record and 
suspend with reading it other than just stating that I am very 
much concerned that H.R. 3997 preempts the State law and 
ignores the lessons we have learned from the State of 
California and, of course, like everyone else, has indicated we 
need a national standard that protects personal information and 
ensures the consumers receive notices when their personal 
information is breached. And with that, then, I will submit my 
statement for the record.
    [The prepared statement of Hon. Joe Baca can be found on 
page 46 in the appendix.]
    Chairman Bachus. Thank you. Are there any other members of 
the minority? Ms. Bean.
    Ms. Bean. Thank you, Mr. Chairman. I appreciate the 
opportunity to speak. I would like to thank Chairman Bachus and 
Mr. Sanders for holding today's important hearing to consider 
how to best improve data security for consumers.
    There is no doubt that as the volume of personal 
information held by corporations, data brokers, and businesses 
continues to increase, the issue of data security and 
protecting Americans' personal information takes on particular 
importance.
    While I am interested, like my colleagues, to hear the 
testimony and insights from this distinguished panel today and 
to how Government and industry can work together to better 
ensure that our consumers' personal information is adequately 
protected, I would like to take this opportunity to highlight 
the fact that in addition to H.R. 3997, other pieces of 
legislation addressing data security have been introduced in 
the 109th Congress and are pending before this subcommittee. In 
particular, in June, I joined with Mr. Davis and Mr. Frank in 
introducing H.R. 3140, the Consumer Data Security and 
Notification Act of 2005. I believe by considering multiple 
proposals and approaches, we will ultimately arrive at a stronger 
final product to improve data security.
    For example, on controversial issues such as the 
notification trigger, I look forward to working with my 
colleagues to accomplish that task. Thank you, Mr. Chairman. 
And I yield back the balance of my time.
    Chairman Bachus. Thank you. Mr. Matheson, did you--oh, 
okay. You don't have an opening statement.
    If there are no more opening statements, I will say this, 
Ms. Bean. In my opening statement I did recognize that you and 
Mr. Frank and Mr. Davis have introduced H.R. 3140, and it is 
the committee's intent to work with you and with all members to 
construct a comprehensive approach. So we will be doing that. 
And you have my assurances that we will work with you.
    At this time, I would like to introduce all the panelists. 
Ms. Callari has already been introduced. I will skip over her 
and when we get on the attorney general--assistant attorney 
general, Mr. Sanders will introduce her.
    We have with us today Mr. Oliver Ireland, partner of 
Morrison and Foerster, on behalf of the Financial Services 
Coordinating Council. Mr. Randy Lively, president and CEO of 
the American Financial Services Association, welcome you back 
before the committee; Mr. Mark Bohannon, general counsel and 
senior vice president of policy of the Software and Information 
Association; Evan Hendricks, publisher of Privacy Times; and 
Karl Kaufmann, Sidley--is that Sidley?
    Mr. Kaufmann. Yes, sir.
    Chairman Bachus. Sidley Austin Brown & Wood, LLP on behalf 
of the Chamber of Commerce.
    Mr. Sanders.
    Mr. Sanders. Thank you very much Mr. Chairman.
    I am delighted to welcome Julie Brill to be a panelist with 
us today. She has been an assistant attorney general for the 
State of Vermont since 1988. She is co-chair of the National 
Association of Attorneys General Privacy Working Group. Ms. 
Brill has spearheaded Vermont's legislative efforts in a wide 
variety of areas affecting consumers, including privacy, fair 
credit reporting, tobacco, and antitrust. In 2001, she received 
the Brandeis Award from Privacy International for her work in 
Vermont and nationally promoting consumers' interests in privacy 
issues. We are glad that she is with us today.
    Chairman Bachus. Thank you. We look forward to hearing from 
all of the witnesses, and I thank them for taking time from their 
busy schedules. We do anticipate votes on the House floor 
sometime between 12:15 and 12:45, so if you are wondering about 
a break, that is apparently the first time we will break unless 
there is a need to prior to that. If you would just advise us 
of that, we will be glad to take a short break or excuse you 
for a minute from the hearing.
    At this time, I recognize Mr. Oliver Ireland, and as Mr. 
Ireland begins his testimony, I am going to have to be excused 
for a vote in Judiciary. Mr. Hensarling is going to take my 
place in the Chair. But I have read the testimony.

  STATEMENT OF OLIVER I. IRELAND, MORRISON & FOERSTER LLP, ON 
       BEHALF OF FINANCIAL SERVICES COORDINATING COUNCIL

    Mr. Ireland. Thank you, Chairman Bachus, and members of the 
committee. My name is Oliver Ireland, a partner in the D.C. 
Office of Morrison & Foerster, and I am here today on behalf of 
the Financial Services Coordinating Council, which consists of 
the American Bankers Association, the American Council of Life 
Insurers, the American Insurance Association, and the 
Securities Industry Association. Together these associations 
represent a broad spectrum of financial services providers, 
including banks, insurance companies, and securities firms. Our 
members have a strong interest in protecting our customers from 
identity theft and account fraud. Identity theft occurs when a 
criminal uses information relating to another person to open a 
new account in that person's name. In addition, in some cases, 
information relating to a customer's account can be used to 
initiate unauthorized charges to those accounts. The issues of 
identity theft and account fraud and related concerns about 
data security are of paramount importance to financial 
institutions and the customers that they serve.
    In my testimony, I would like to emphasize three key 
points. Financial institutions have a vested interest in 
protecting customer information and are highly regulated in 
this area already. A uniform national approach to information 
security is critical, and security breach notification 
requirements should be risk-based.
    Financial institutions have long recognized the importance 
of protecting customer information. Financial institutions 
incur significant costs from identity theft and account fraud. 
Accordingly, financial institutions aggressively protect 
sensitive information relating to consumers. Among those that 
handle and process consumer information, financial institutions 
are among the most highly regulated. The Federal banking 
agencies and the Securities and Exchange Commission have 
established regulations or guidance covering the security of 
customer information under Title V of the Gramm-Leach-Bliley 
Act. In addition, 34 States have established standards for 
insurance companies with respect to safeguarding customer 
information.
    We believe that a uniform national approach to security and 
security breach notification that applies to all financial 
institutions and non-financial institutions alike but 
recognizes existing Federal Gramm-Leach-Bliley requirements is 
critical to preserving efficient national markets and providing 
consistent protection for consumers. A number of State 
legislatures have passed security breach notification laws. 
While these State laws have similarities, they also have 
important differences. State laws that are inconsistent result 
in both higher costs and uneven consumer protection and, in 
some cases, could lead to delays in providing notices. 
Moreover, an individual State requirement or an individual 
State's failure to recognize a key provision can effectively 
nullify the policy choices of other States.
    Finally, notification requirements should be risk-based. 
While it is important to protect all sensitive customer 
information from unauthorized use, it is most critical to 
protect consumers from identity theft and account fraud. 
Security breach notification requirements should be limited to 
those cases where the consumer needs to act to avoid 
substantial harm.
    Security breach notification requirements should provide 
clear triggers for notice and should be tailored to the 
circumstances and to the threat presented. We are pleased that 
H.R. 3997 is consistent with these goals. H.R. 3997 seeks to 
establish uniform national standards that apply broadly to 
virtually all entities that maintain sensitive information. At 
the same time, it recognizes that financial institutions must 
comply with existing Gramm-Leach-Bliley Act requirements and 
attempts to ensure that these requirements are consistent 
across the financial holding company structure. Finally, H.R. 
3997 provides an effective risk-based notification scheme that 
does not require unnecessary notices to consumers. While we 
believe that some issues raised by H.R. 3997 still require 
further resolution, we will be happy to work with the 
subcommittee to resolve these issues so that this important 
legislation can move forward. Thank you. I will be happy to 
answer any questions that you may have.
    [The prepared statement of Oliver I. Ireland can be found 
on page 100 in the appendix.]
    Mr. Hensarling. [presiding.] Thank you for your testimony, 
Mr. Ireland, and thank you for staying within 5 minutes.
    Ms. Callari, you are now recognized.

  STATEMENT OF JOSIE CALLARI, SENIOR VICE PRESIDENT, ASTORIA 
   FEDERAL S&L ASSOCIATION AND CHAIRMAN, AMERICA'S COMMUNITY 
 BANKERS ELECTRONIC BANKING AND PAYMENT SYSTEMS COMMITTEE, ON 
             BEHALF OF AMERICA'S COMMUNITY BANKERS

    Ms. Callari. Thank you.
    Thank you, Mr. Chairman, Ranking Member Sanders, and 
members of the committee.
    My name is Josie Callari, senior vice president of Astoria 
Federal Savings in Lake Success, New York. I am here today 
testifying on behalf of America's Community Bankers, where I 
serve as chairman of the ACB Committee on Electronic Banking 
and Payment Systems. ACB appreciates having the opportunity to 
testify before the subcommittee on H.R. 3997, the Financial 
Data Protection Act.
    The issue of data security is critical for community banks. 
While banks have had the mandate to safeguard sensitive 
customer information for years, the growth of the internet and 
electronic commerce has made compiling and selling sensitive 
information easier for a multitude of companies. That is why 
ACB supports H.R. 3997, which we believe focuses on stopping 
the misuse of consumer information and creates an incentive for 
companies to make securing customer data a priority.
    Earlier this year, ACB board of directors laid out its top 
priorities for any data security legislation that may be 
considered in Congress. ACB is pleased to see that this bill 
addresses several of our top priorities and begins to deal with 
the difficult issues of reimbursement.
    Having a national standard is critical for any legislation 
addressing data security and consumer notices. Adding 
another layer of regulation to a rapidly growing patchwork of 
State and local laws hurts consumers, hurts the economy, and 
will not provide effective protection. A patchwork of State 
laws that provide protection that stop and start at State lines 
will not provide meaningful full protection for consumers in a 
national marketplace. Additionally, ACB believes that Congress 
should recognize that the GLBA already requires financial 
services companies to have in place much of what is being 
considered in most data security legislation. Title V of GLBA 
requires financial services companies to implement data 
security safeguards, a customer response program, and a 
comprehensive privacy policy.
    This spring, banking regulators issued guidance extending 
Title V to require customer notices in case of a breach that 
puts consumers at risk. To layer a duplicative regulatory 
system on top of this robust framework would only increase 
costs for financial institutions and ultimately their 
customers. Likewise, financial institutions have an incredibly 
robust regulatory framework under which they operate. This is 
particularly true for depository institutions. ACB applauds the 
legislation for embracing this existing framework by vesting 
enforcement with functional regulators.
    Finally, ACB supports efforts to ensure that banks have the 
ability to be part of an investigation into possible breaches. 
Furthermore, requiring that contracts between companies and 
third parties specify who is responsible for sending notices is 
very important. Community banks are proud of the relationship 
they have with their customers and generally would prefer to be 
responsible for sending those notices.
    Mr. Chairman, there are two areas where ACB members have 
concerns, and we look forward to working with the committee and 
the bill sponsors to address them. First and foremost, ACB 
believes that those who are responsible for data breaches must 
be responsible for the costs of protecting consumers from risks 
arising from those breaches. One of the biggest costs 
associated with the breach is that of reissuing credit and 
debit cards and closing accounts that are placed at risk. These 
costs can mount quickly, and community banks end up bearing all 
of them. Community banks are doing this now because they are 
dedicated to protecting their customers. However, those 
responsible for breaches should bear these costs.
    Finally, ACB's members have expressed concern that there is 
no limit on how long investigations required under the bill can 
take. ACB members are concerned that without guidance the 
investigation could take an excessively long time, leaving 
consumers at risk. We believe the bill should require that 
regulators give guidance on the appropriate length of an 
investigation.
    In conclusion, ACB supports H.R. 3997 and urges the 
committee to consider it soon. ACB urges that the bill be 
passed with constructive modifications such as those suggested 
but without adding provisions that take the bill's focus away 
from stopping the misuse of consumer information. We look 
forward to working with you as the committee crafts legislation 
that best addresses the problems of data security breaches. 
Thank you.
    [The prepared statement of Josie Callari can be found on 
page 81 in the appendix.]
    Mr. Hensarling. Thank you, Ms. Callari.
    Mr. Lively, you are now recognized for 5 minutes.

    STATEMENT OF H. RANDY LIVELY, PRESIDENT & CEO, AMERICAN 
                 FINANCIAL SERVICES ASSOCIATION

    Mr. Lively. Thank you, Mr. Chairman, ranking members.
    Mr. Hensarling. You need to press the button there, please.
    Mr. Lively. Ranking member and members of the subcommittee. 
I am Randy Lively, the president and CEO of the American 
Financial Services Association here in Washington, D.C. It is 
my honor and pleasure to be here this morning to testify in 
support of H.R. 3997, the Financial Data Protection Act of 
2005, introduced by Representatives LaTourette, Hooley, Price, 
Castle, and Moore and co-sponsored by a broad bipartisan array 
of this distinguished committee.
    The American Financial Services Association represents the 
Nation's market rate lenders providing access to credit for 
millions of Americans. AFSA's 300 member companies include 
commercial and financial companies, auto finance companies, 
credit card issuers, mortgage lenders, and other financial 
services firms that lend to consumers and small businesses.
    I am proud to say that, next year, AFSA will celebrate its 
90th birthday as the Nation's premier consumer and commercial 
credit association. As I mentioned at the outset, I am pleased 
to be here this morning to speak in support of the Financial 
Data Protection Act and ask you, Mr. Chairman, to have the 
committee give it expedited consideration. AFSA and its members 
believe that well informed, proactive consumers are our best 
defense and our first line of attack in protecting all of us 
from the dangers of identity theft.
    According to the Federal Trade Commission, as we have heard 
earlier today, identity theft robs the Nation of more than $50 
billion annually. Consumer losses account for about $5 billion 
of the total, and business absorbs the remaining $45 billion. 
Yet, in addition to the immediate monetary loss suffered, AFSA 
companies are more concerned about losing the trust of 
treasured customers, and mishandling of a security breach can 
cost us customers. Obviously, the best way to protect our 
customers' information is to prevent a security breach from 
occurring in the first instance.
    Toward that end, AFSA member companies are focusing on 
training our own employees in the handling of sensitive 
personal information and are scrutinizing the practices of 
third party vendors who store or dispose of data which may 
contain personal financial information. There is no doubt that 
the industry needs to regularly upgrade and improve the 
practices and procedures of our own companies and our storage 
and disposal vendors to prevent security breaches from ever 
occurring in the first place.
    AFSA member companies share this committee's goal of 
wanting to assure American consumers that their personal 
information is safely protected. To accomplish this goal, AFSA 
members are regularly improving their security measures and 
procedures to prevent thefts to their information systems. H.R. 
3997 provides a clear and concise framework for AFSA member 
companies and other financial services providers to follow in 
the event of a data breach.
    The authors of the Financial Data Protection Act of 2005 
clearly understand that an effective breach notification and 
reaction system must be based on a substantial risk to the 
customer as well as the businesses that rely on the integrity 
of the data. If the breach notification system is overly broad, 
we run the risk of inundating our customers with notices and 
having them ignore important information they may need to 
protect themselves. H.R. 3997 establishes a reasonable and 
balanced approach for businesses and regulators to protect 
potential breaches of data security as well as uniform 
procedures to follow if one does occur.
    The legislation appropriately anticipates that some 
breaches may pose a significant risk or harm or inconvenience 
to consumers whereas other breaches may not create a 
significant risk for the consumer. This distinction will enable 
businesses to maximize their vigilance over consumer data, 
apply law enforcement and regulatory resources where they are 
most needed, and focus consumers' attention to take steps to 
protect themselves when they are truly at risk.
    The Financial Data Protection Act of 2005 calls for--calls 
on business to conduct an immediate investigation to assess the 
nature and scope of the breach when it learns that a breach has 
occurred. The investigation will determine whether the breach 
has created a substantial risk for the customers' personal 
financial information. The determination will take into account 
what information has been exposed and whether the information 
was encrypted, redacted or requires technology that is not 
commercially available. AFSA believes that the committee should 
direct the functional regulators to treat the breach of 
encrypted information as not creating a potential substantial 
harm unless an actual harm can be demonstrated. In other words, 
there should be a presumption that the acquisition of encrypted 
information does not create a substantial risk for consumers to 
whom information relates. Should a business determine that a 
substantial breach has occurred, H.R. 3997 directs a company to 
notify the Secret Service and the appropriate functional 
regulators as well as third parties that might be affected by 
the breach. This type of coordinated framework will ensure that 
ongoing law enforcement investigations are not compromised by 
premature publication of breaches. At the same time, the 
legislation provides reasonable parameters so that a delay in 
notifying consumers does not unnecessarily extend their 
exposure to risk of harm. H.R. 3997 directs that breach notices 
to consumers must be done in a clear and conspicuous manner 
that describes the nature of the breach, when the breach 
occurred, the relationship between the consumer and the entity 
who suffered the breach, and actions that the business is 
taking to restore the security and confidentiality of the 
breached information.
    AFSA wholeheartedly agrees with the sponsors of H.R. 3997 
and directing Federal regulators to work together to create 
uniform security standards and policies for each business to 
implement and to maintain to protect sensitive information. 
Moreover, a uniform national standard replacing the patchwork 
of varied and numerous State and local requirements will avoid 
needless duplication that could lead to confusion and divert 
resources from the actual problem.
    Finally, I want to compliment the authors of H.R. 3997 for 
their foresight in determining that a company is in compliance 
with data security policies anticipated under this act if it is 
in compliance with parallel policies established by its 
functional regulator in accord with the Gramm-Leach-Bliley Act. 
This important determination will enable regulators to avoid 
imposing needless duplication upon the Nation's financial 
services companies. I appreciate the opportunity to be here 
today and would be happy to answer any questions you may have.
    [The prepared statement of H. Randy Lively can be found on 
page 119 in the appendix.]
    Mr. Hensarling. Thank you.
    Mr. Bohannon, you are now recognized for 5 minutes.

  STATEMENT OF MARK BOHANNON, GENERAL COUNSEL AND SENIOR VICE 
 PRESIDENT OF PUBLIC POLICY, SOFTWARE AND INFORMATION INDUSTRY 
                          ASSOCIATION

    Mr. Bohannon. Thank you, Mr. Chairman, members of the 
subcommittee. I appreciate this opportunity to appear before 
you today and testify on why we need a national framework for 
data security. As the principal trade association of the 
software and digital content industry, many of whose members 
are leaders in high tech, SIIA was one of the first voices 
urging Federal action to address the myriad and inconsistent 
State laws that have emerged since California's first went into 
effect in 2003. In working with all the stakeholders on this 
issue on both sides of the Capitol, we have argued that that 
national framework should be premised on the track record of 
the safeguards rule under the Gramm-Leach-Bliley Act, which 
many members and staff of this committee were instrumental in 
constructing. As a comprehensive yet adaptable model, the 
safeguards rule emphasizes ongoing security plans to prevent, 
and I emphasize prevent, what we all know are the pernicious 
effects of identity theft.
    Our perspective on today's panel is probably a bit unique, 
and we especially want to thank Chairman Bachus for including 
us in today's panel and his leadership on so many issues of 
importance to our industry. While some of our members are 
regulated as financial institutions under existing laws, most 
of the members are software, e-businesses, and information 
content companies that are subject to the jurisdiction of the 
Federal Trade Commission and its section 5 authority. It is the 
effect of H.R. 3997 on these companies that we ask the 
committee to carefully consider and work with us as the bill 
moves through this process. In our written statement--Mr. 
Chairman, if it has not been introduced in the record in full, 
I ask that it do so now--we note that H.R. 3997 is consistent 
with several of our key goals in achieving a national 
framework. In particular, it recognizes the need to address the 
conflicts in the more than 21 States that have already enacted 
laws. We also in our written statement offer several important 
improvements to make the bill more workable and effective, 
notably in the areas of streamlining the obligations on data 
security procedures, establishing a meaningful threshold for 
breach notification much along the lines recommended by the 
Federal Trade Commission, and ensuring a meaningful definition 
of sensitive personal information.
    But I want to make clear that we urge this committee to 
continue its work on this important bill. We especially commend 
the cosponsors on both sides of the aisle for coming together 
to produce this product, and we ask this committee to work with 
other relevant committees so that, in the end, when the 
Congress does act, and we hope they do, there is a coherent 
national approach achieved by this Congress.
    In the remaining time available to me, let me focus on one 
aspect of H.R. 3997, and that is the framework of the Fair 
Credit Reporting Act, a vitally important consumer protection 
statute. As a means for establishing an enforceable framework, 
we request the following should be carefully considered by the 
committee, as many of our members today are not today within 
its scope. First, as I pointed out earlier in my testimony, 
most of our members are right now subject to the FTC's 
enforcement authority under section 5, which is today building 
on the safeguards rule of the Gramm-Leach-Bliley Act. Through 
cases that are being brought now under section 5, the FTC has 
found a variety of unfair practices ranging from failure to 
implement appropriate security programs to deceptive security 
claims made by companies. We think the FTC is headed in the 
right direction on this, and we want to encourage them to 
continue the direction of the policy under section 5. However, 
while H.R. 3997 has dealt with a number of laws that already 
exist, it is our impression in the bill, and we believe that it 
leaves those companies that are currently subject to section 5 
enforcement open to possibly duplicative and even contradictory 
requirements. As we read H.R. 3997, nothing in the bill 
addresses this potentially confusing enforcement action.
    The second issue that we would like to work with the 
committee and the sponsors on is that H.R. 3997 defines a 
financial institution as essentially any company that maintains 
the Social Security numbers of its employees or maintains a 
taxpayer ID number of its customers. Just this morning, it was 
pointed out to me that it may also include any person 
maintaining or communicating information on an ongoing basis 
even if they are mere conduits or hosts.
    We are deeply concerned that this definition extends the 
concept of financial institution well beyond that used to date 
and potentially brings in a wide range of companies into the 
purview of the FCRA, which concerns, as you might imagine, a 
number of our members.
    We also share the bill's goal and the cosponsors' goal of 
effectively dealing with the myriad of State laws. We are 
cognizant that a number of circuits are reviewing what in fact 
falls in the scope of the FCRA. We note, to date, no State 
enacting a data breach security law including those with 
safeguard provisions has limited the scope of its law to the 
financial sector or to specifically regulated financial 
information. This is especially true of the first State law enacted 
in California.
    Mr. Chairman, to ensure a coherent policy approach, we once 
again urge this committee to continue its work on this bill, 
and we also ask that this committee work with other relevant 
committees as this process unfolds. It is our sincere hope that 
all stakeholders working together will be able to enact 
legislation in this Congress. It is a high priority for our 
association. We appreciate the opportunity to appear before you 
today, and I will be glad to take any questions that you may 
have.
    [The prepared statement of Mark Bohannon can be found on 
page 58 in the appendix.]
    Mr. Hensarling. Thank you.
    Ms. Brill, you are now recognized for 5 minutes.

STATEMENT OF JULIE BRILL, ASSISTANT ATTORNEY GENERAL, STATE OF 
                            VERMONT

    Ms. Brill. Thank you very much.
    Thank you, Chairman Bachus, Ranking Member Sanders, for 
inviting me here today. I am very pleased to speak here on 
behalf of the National Association of Attorneys General.
    My name is Julie Brill, and I am an assistant attorney 
general for the State of Vermont. As has been mentioned by 
several members so far this morning, there have been 48 
attorneys general out in the States who have written a letter 
to Congress calling on Congress to enact a strong Federal 
security breach notification law modeled on the 22 State laws 
that are already in existence. Unfortunately, I am here today 
to tell you that the AGs believe that H.R. 3997 fails to meet 
the standards of a strong Federal law. I wouldn't call it an 
ugly child, as had been mentioned earlier, but this child is 
failing in school and needs significant remedial help.
    First, the AGs call on a law that would have a standard for 
providing notice to consumers that would ensure the consumers 
would receive notice whenever there is unauthorized access of 
personal information. We do not believe there should be an 
additional requirement of actual harm or risk of harm, and 
there is a very simple reason for this. The breached entity 
simply does not, in the vast majority of cases, know what use 
will be made of the information that it has lost. It just 
doesn't know. If Congress does want to incorporate some sort of 
concept of harm or risk of harm then the AGs strongly believe 
that notice should be given unless there is no risk of harm. 
What that means in simple terms is that the benefit of the 
doubt should be given to the consumer and to notice. If the 
breached entity does not know what will happen with that 
information that was lost or stolen, then notice should be 
given to consumers. Again, the benefit of the doubt going to 
the consumer.
    H.R. 3997 fails to meet the attorneys general's standards 
for providing notice. It imposes complex and high barriers to 
consumer notice. Many of the incidences, as was mentioned by 
Representative Frank earlier, that have been reported under the 
State laws to date would not be subject to notice under 3997. 
As had been mentioned by Representative Hensarling, it is 
important to promote competition in security systems. H.R. 3997 
would stifle competition in security systems because it would 
stop information from flowing to consumers about the harm that 
is occurring, that businesses are not having secure systems, 
and consumers would not be able to choose companies based upon 
their security systems because they wouldn't be receiving 
notices. We believe H.R. 3997 would place many consumers at 
risk because they would be unable to protect themselves from 
potential harm. The notion that consumers will ignore warnings 
because they will be getting so many of them, frankly, we think 
that is a red herring. Our experience in the trenches of 
identity theft war is actually the opposite. The numerous 
notices that consumers have been receiving over the past year 
have served as an important educational tool for consumers. 
Consumers are now much more aware of the risks that having 
their information out there can pose to them, and they are 
starting to take precautions. Thus, this notion that numerous 
notices would be harmful, we believe, is just simply not true.
    Second, the AGs want to see their ability to enforce any 
Federal law that is enacted, and we are disappointed to note 
that H.R. 3997 does not allow for State attorney general 
enforcement. This is rather inexplicable because H.R. 3997 uses 
the Fair Credit Reporting Act as its construct, and the rest of 
the Fair Credit Reporting Act is, as most people are aware, 
enforceable by the State attorneys general.
    Third, with respect to preemption, it should be noted that 
we wouldn't be here, this committee would not be considering 
this issue if it were not for State laws that were on the books 
now that provided for notice going to consumers and made the 
public aware of the massive problems associated with security 
of information. We think that preemption is a mistake. H.R. 
3997 has broad preemption not only of security breach notice 
laws but also has apparent preemption for security freeze laws. 
In fact, this committee and Congress just 2 years ago gave the 
States the freedom to enact State laws on breach notification 
and security freezes. If this committee and Congress cannot 
provide adequate protections to consumers, we respectfully 
request that this committee take no action at all. The States 
listened to you 2 years ago; we started to enact laws. We are 
protecting consumers, and we will continue to do so. In the 
event that the law you enact is not strong, we think we would 
be better off without any law. Thank you very much.
    [The prepared statement of Julie Brill can be found on page 
64 in the appendix.]
    Mr. Hensarling. Thank you.
    Mr. Hendricks, you are now recognized for 5 minutes.

     STATEMENT OF EVAN HENDRICKS, PUBLISHER, PRIVACY TIMES

    Mr. Hendricks. Thank you. I am Evan Hendricks. I am in my 
25th year of publishing Privacy Times and the author of the 
book, Credit Scores and Credit Reports. The book describes how, 
in part, because of the leadership of this subcommittee and the 
committee and its counterpart in the Senate and because the 
constructive bipartisan approach taken by the members and the 
stakeholders willing to work together, in 2003, we passed 
important and complex legislation, the FACT Act, which 
represented a major step forward for consumers and improved 
protections for identity theft.
    As a housekeeping matter, I need to mention in addition to 
the eight groups that have signed on to my testimony subsequent 
to me turning in the testimony, Consumer Action, the National 
Consumer League, identity consultant Maury Frank, and five 
additional groups have signed onto the legislation--excuse me, 
to my testimony. To get this very simple message to the 
committee, this bill would represent a serious weakening of 
current standards and represents a step backwards. There are 
children, and then there are pets. If you could sum it up that 
way, we would say this dog don't hunt.
    In 2003, I testified before this subcommittee thanks to 
Chairwoman Kelly, who held the first breach hearing on the 
breaches of credit card data. At that time, I said I 
recommended that the subcommittee move legislation based on the 
California breach notification law. It is very important to 
understand that if you are going to have Federal law, you need 
to start from a high level of protection and preferably get out 
in front of the issue. Now things are more difficult when 
States have to move to protect their citizens because of 
Congress not being able to do it and get out in front of the 
issue. The Supreme Court has defined privacy. To begin with, 
both the common law and literal understandings of privacy 
encompass the individual's control of information concerning 
his or her person. If there is a breach, you lose control of 
the information. If you can't get access to your records, you 
lose control of the information. If you can't correct errors, 
you lose control of your information. On top of that, we had a 
hundred data breaches this year; 50 million people whose data 
has been potentially exposed which, by the way, is about the 
number of people that have signed up for the do not call list. 
Americans care about privacy. A month ago, the New York Times 
and the CBS News released a poll showing that 89 percent of the 
public was concerned about identity theft. More interesting was 
3 percent were not concerned at all. I would like to interview 
those people and find out what's up. But more importantly, for 
today's purposes, they said this was a very bipartisan issue: 
68 percent of conservatives and 69 percent of liberals would 
like to see the Government do more to address personal privacy 
issues. And that is why there are cutting edge companies like 
ING Direct and E-loan, financial services companies that we see 
are supporting stronger consumer protections for privacy. The 
problem with this bill, as luckily Julie Brill went first to 
give the more detailed analysis, it dramatically weakens breach 
notification standards through its harm trigger. It dangerously 
would weaken the very straightforward security standards of 
Gramm-Leach-Bliley. It would preempt State laws and possibly 
preempt freeze laws without even using the word freeze. We need 
to go the other way and enact Federal freeze law based on the 
best State standards.
    It is very silent on a very important issue. This year, we 
have had breaches of ChoicePoint and Lexis-Nexis and a great 
opportunity to move forward and extend FCRA style rights to the 
data brokers like ChoicePoint and Lexis-Nexis. The bill is 
silent on that. There is other legislation that would 
accomplish this.
    I think basically privacy is nothing new; privacy is always 
challenged. You might have seen the Washington Post article 
from Sunday showing how national security letters are being 
used for sweeping investigations that include getting all sorts 
of transactional data on Americans, including their credit 
reports. That is why I think that we have to be very cautious 
in causing no harm and preferably would do something bold but 
given the problems we face and Americans' strong desire for 
privacy, we don't want to enact a law that can be characterized 
as the Titanic deck chair reorganization act. We need to really 
get out and move forward to protect Americans.
    In considering this legislation, I think you have to keep 
in mind that privacy signifies the tension between individuals' 
desire for control over their information and large 
organizations' desires to use that information for their own 
purposes, whether it is business or governmental. I think you 
should remember that since consumer confidence and consumer 
spending is an important part of our economy and our future and 
that those people, the taxpayers that underwrite our 
Government, that when we come to close calls that we should 
tilt in favoring the individual's right to privacy.
    Thank you very much.
    [The prepared statement of Evan Hendricks can be found on 
page 86 in the appendix.]
    Mr. Hensarling. Thank you, Mr. Hendricks.
    Last but not least, Mr. Kaufmann, you are recognized for 5 
minutes.

STATEMENT OF KARL F. KAUFMANN, SIDLEY AUSTIN BROWN & WOOD LLP, 
                ON BEHALF OF CHAMBER OF COMMERCE

    Mr. Kaufmann. Thank you. Good morning. Good morning to the 
chairman and ranking member of the subcommittee. I'm Karl 
Kaufmann, and I am an attorney here in the Washington, D.C., 
office of the law firm of Sidley Austin Brown & Wood. I am 
pleased to appear before you today on behalf of the United 
States Chamber of Commerce. The Chamber is the world's largest 
business federation representing more than 3 million companies 
of all sizes and across all sectors of the economy. Mr. 
Chairman, the Chamber supports your effort and the efforts of 
others on this subcommittee to develop legislation to protect 
the sensitive information of consumers. The Chamber believes 
the vast majority of companies who possess sensitive personal 
information take reasonable procedures to safeguard that 
information. However, it takes only a few mistakes by a few 
companies to damage consumer confidence in the ability of all 
companies to protect sensitive personal information. Therefore, 
we believe that Congress should require that companies have 
reasonable programs to safeguard consumers' personal 
information, and this concept is, in fact, a fundamental part 
of the Financial Data Protection Act.
    The Chamber also believes it is appropriate for a company 
upon discovery of a data breach to notify its customers if 
their sensitive personal information has been subject to the 
breach. However, it is important that Congress require the 
notices only when the sensitive personal information is 
acquired by an unauthorized person in a manner that presents 
significant risk of harm to consumers. Otherwise, we believe 
the consumers may find these types of notices to be 
meaningless, and consumers may then begin to ignore such 
security breach notices. If this occurs, the goal of using 
these notices to notify customers of their rights and notify 
them of the breach is undermined. If breach notices are limited 
to circumstances when the consumer is at risk of harm, it is 
more likely the consumer will be aware it contains important 
information and that it should be read.
    We applaud the fact that the sponsors of the Financial Data 
Protection Act agree with the Chamber's view on this key issue, 
and given some of the testimony, I would like to spend a little 
bit more time on this. It seems odd to require a notice be 
given to consumers just because there has been a data breach. I 
can imagine situations where a breach occurs, but, in fact, 
there is no way that the data could be misused. Perhaps it was 
a breach of numbers that are so-called disposable credit card 
numbers used for online shopping. Maybe it is information that 
is highly encrypted, password protected and has other 
protections that make it essentially unusable. It would be 
unusual to provide a consumer with a notice in that 
circumstance that says the information has been accessed, but 
don't worry; there is nothing that you can do about it because 
you are protected. The consumer is going to ask, why am I 
getting this notice if I'm not supposed to do anything? Our 
belief is consumers should get notice when they have actually 
something that they can do to protect themselves.
    Perhaps most importantly, any law passed by Congress must 
establish a national uniform standard with respect to 
information security, consumer notification, and other related 
issues. The consumer protections envisioned by Congress will be 
undermined if States can establish different schemes pertaining 
to data security. The Chamber is pleased the Financial Data 
Protection Act includes provisions to provide for 
national uniformity. Again, this is another issue that has 
drawn some interest today, and I would like to go a little bit 
more in depth.
    Providing a uniform national standard with respect to data 
security is an absolutely essential consumer protection. The 
proliferation of similar but ultimately different State laws 
with respect to information security issues is not in 
consumers' best interest. Varying notification standards can 
result in consumer confusion and inconsistent compliance with 
the law.
    Furthermore, the net result is that the States that require 
the notices in the most instances with respect to data breach 
notification requirements will essentially set the national 
standard. Companies that operate in all 50 States cannot 
efficiently design compliance programs to take into account the 
differences among the 50 State laws. Therefore, those companies 
are more likely to establish regimes under which they will find 
the most onerous State law and make that their standard. If 
they comply with that, they will comply with other State laws 
as well. The net result is we end up, again, perhaps with 
notices sent when they are not necessary, and that is a concept 
again that is included in this bill. And if people believe in 
the fact that consumers should be notified only when it is 
meaningful to that consumer, allowing for States to undermine 
that important protection does not seem to make a whole lot of 
sense.
    Now having said that, as you can see, the Chamber supports 
many of the concepts addressed in the Financial Data Protection 
Act. We believe these concepts will provide a sound framework 
for strong consumer protections if they are properly 
implemented. We also understand that the legislation continues 
to evolve and that it may require additional refinement. 
Indeed, the discussion that happened this morning suggested 
that that is the case. The Chamber looks forward to continuing 
to work with you, Mr. Chairman, and others to continue to shape 
this complex bill as it moves through the legislative process. 
The Chamber appreciates the opportunity to present its views 
this morning, and I would be happy to answer any questions that 
you may have.
    [The prepared statement of Karl F. Kaufmann can be found on 
page 113 in the appendix.]
    Chairman Bachus. Thank you.
    At this time, we will ask the members to address the panel.
    Mr. Hensarling, am I catching you off guard by asking you 
to go at this time.
    Mr. Hensarling. No more than usual, Mr. Chairman.
    Chairman Bachus. I just thought I would let you all go 
ahead because I am not sure how long we have got before we go 
to the floor.
    Mr. Hensarling. Mr. Kaufmann, since you are already warmed 
up, perhaps I will start with you. You may have heard in my 
opening statement I quoted Chairman Greenspan who said 
something along the lines that I cannot believe we need 
regulations to tell people how to make a profit. Can you tell 
me what your opinion is of the incentive structure that private 
companies have today to protect personal data?
    Mr. Kaufmann. The incentive structure is quite strong if 
you look at the market forces that are out there. Regardless of 
whether the direct consumer relationship, say, is a bank or 
whether you are a service provider, let's say a card processor, 
in any circumstance, you face significant penalties in the 
marketplace if you do not protect consumers' data. Your name 
ends up on the front page of the newspaper. Your stock drops, 
as you mentioned. And I can assure you that some of the folks 
at ChoicePoint and Card Systems have had better days than the 
day the data breach was announced. Not only that, but people in 
the market place pay attention. I can almost be certain that 
every card processor out there looked at what happened to Card 
Systems and said, I don't want to be that company. I can assure 
you a lot of the data management companies looked at 
ChoicePoint and said that can't happen to us, that will not 
happen to us, and we must make sure that that does not happen. 
So the market forces are there in virtually all aspects.
    Mr. Hensarling. In your testimony, you mentioned how 
important it is to come up with, for lack of a better term, 
permit me to be redundant, a very definitive definition of 
security breach. Can you tell us why it is so critical that the 
definition be sharp, solid, and what would happen if we created 
an overly broad definition of security breach?
    Mr. Kaufmann. If you end up with an overly broad 
definition, then you end up with situations where it may or 
may not be the fact the data has been accessed by somebody who 
is not authorized to access that information. We need to talk 
about a situation where somebody actually obtains the 
information; the fact that they may have hacked into a computer 
system and bragged to their friends about the fact they were 
able to hack in, but they in fact didn't take any information 
out, and there is no evidence to suggest they were there long 
enough to write any information down, suggest that that 
information is not going to be misused and, therefore, to send 
out a notice seems redundant and perhaps counterproductive. And 
so what we need to focus on are situations where the 
information is accessed in an unauthorized manner, in a way that 
can present significant harm to the consumer, and that way they 
are notified and not in other circumstances.
    Mr. Hensarling. Let me share the wealth here. Mr. Ireland, 
a related question. Many financial institutions have stated 
that they feel that the interagency guidance strikes a correct 
balance with respect to the notice trigger when there is a 
likelihood of harm to the consumer. Do you believe that a 
national notifying standard similar to that is warranted and 
indeed strikes the right balance?
    Mr. Ireland. I do believe a national notification system 
that applies to all institutions that is basically the same 
standard or a similar standard to the banking agency guidance 
for notification is appropriate. I would point out that that 
guidance works with the benefit of a dialog between the banks 
and their bank examiners as to figuring out when a breach has 
occurred and if it requires notice. And as Mr. Kaufmann 
indicated and your prior questions indicated, in a statute that 
is going to be self-operative and not benefit from that dialog, 
you need a crisp standard that people will understand from the 
language of the statute so you might not use the same language, 
but the basic model I think is a sound model.
    Mr. Hensarling. Can you share with the committee your 
opinion on the interplay of the form and the frequency of 
consumer notifications and how that impacts their 
effectiveness?
    Mr. Ireland. Well, the problem is that information in terms 
of--what could be characterized as a security breach may or may 
not be due to foul play and I don't want to go into individual 
institutions' problems, but I have seen many circumstances 
where information has been moved from one institution to 
another so that they could--for competitive purposes--so that 
you could solicit customers, for example. And there is no risk 
of identity theft or account fraud. This bill goes to great 
lengths to make sure the customers who get notices open the 
notices and read them when the notices are important. If we 
inundate them with notices when they don't need them, they may 
read the first two or three where there is no issue and the 
fourth notice where they do need to check the credit report to 
see if identity theft is going on, they may simply have failed 
to open because they think it is the same as the first three. 
That is the problem we are concerned about, and we think the 
system--the notices will be much more effective if they are 
targeted to those situations where consumers themselves need to 
act to deal with the problem.
    Mr. Hensarling. Thank you.
    I am out of time, Mr. Chairman.
    Chairman Bachus. Thank you.
    Mr. Sanders.
    Mr. Sanders. Thank you, Mr. Chairman.
    Let me ask Ms. Brill a few questions, if I might. Ms. 
Brill, since 2003, the Fair Credit Reporting Act through FACT 
allowed States to create a right for consumers to impose a 
security freeze on their credit report. Do you believe that 
H.R. 3997 would reverse course and remove the ability of States 
to create a right to security freeze? Why is it important to 
have a security freeze right for consumers? What has been 
Vermont's experience with security freezes?
    Ms. Brill. Thank you.
    The security freeze provisions that States have enacted 
since 2003 really did come out of FACT. FACT's preemption 
provisions did not specifically state that States were unable 
to enact freezes. California enacted the first one; now 12 
States have security freeze laws on the books. These laws are 
highly protective of consumers who may be in an identity theft 
situation. It allows them to place a hold on their credit 
report so that no one can access the credit report unless the 
consumer authorizes that access, and it has been considered to 
be one of the strongest tools available to consumers to help 
prevent identity theft. I will be honest with you; I work in 
the trenches of the State legislature; I am not an inside-the-
beltway person. And when we looked--
    Mr. Sanders. Montpelier is not quite Washington.
    Ms. Brill. No, no. But we looked at FACT. We looked at what 
we were allowed to do based on what this committee told us we 
were allowed to do, and so the States went out and said, okay, 
Congress did certain things to help protect consumers with 
respect to identity theft, we can do other things, and it would 
be very confusing and frankly I think disruptive of the State 
legislative process to now just 2 years later tell State 
legislators and the State AG's that they cannot enact security 
freeze provisions. And where this comes from, frankly, is the 
preemption provisions of 3007 are quite broad and would, I 
believe, or could possibly be interpreted to prevent States 
from enacting--
    Mr. Sanders. Let me just ask one more question. State 
attorney generals have always been able to enforce FACT. Do you 
believe State attorney generals should be able to enforce a 
notice of security breach law and why?
    Ms. Brill. Absolutely. We work very closely with the 
Federal Trade Commission, and we respect their work a 
tremendous amount. We worked together with them on all issues, 
telemarketing, credit reporting. Frankly, they don't have the 
manpower or person power to deal with all the security breaches 
that are out there. They need an additional cop on the beat, 
and the State AG's are that additional cop on the beat.
    Mr. Sanders. Let me ask you a third and last question. 
Would H.R. 3997 preempt States' ability to enact privacy laws 
under GLB? What has Vermont's experience been with respect to 
its opt-in law? Should Congress reverse course on the States on 
this issue?
    Ms. Brill. I do believe that 3997, if read broadly, if its 
preemption provisions are read broadly, would preempt the 
States from enacting opt-in rules and would run contrary to, 
again, what this committee and other committees have said in 
GLB in section 507, which specifically allowed States to enact 
opt-in laws. Vermont has an opt-in law with respect to privacy, 
with respect to information and sharing.
    Mr. Sanders. How many States have opt-in laws?
    Ms. Brill. I believe about four or five. Some of the States 
only have it with respect to certain types of information and 
others it is much broader. But I think again it would be 
disruptive to the State process. We have been working through 
that process; we have submitted our laws to the FTC; we have 
gotten clearance from the FTC that our law is satisfactory 
under 507 because it is more protective of consumers, and now 
to reverse course and say you can't do what we told you you 
could do just 6 years ago, again, I wouldn't even know what to 
begin to tell my State legislative committees.
    Mr. Sanders. The bottom line is taking States out of this 
process would be harmful to consumers.
    Ms. Brill. Absolutely. Congress, I think, works best when 
it enacts a strong floor and allows the States to do more to 
protect consumers.
    Mr. Sanders. I absolutely agree, and I think that is the 
most important point that can be made this morning.
    Thank you very much, Mr. Chairman.
    Thank you, Julie.
    Chairman Bachus. You still have 24 seconds left.
    Mr. Sanders. I will give it to you.
    Chairman Bachus. Mr. LaTourette.
    Mr. LaTourette. Thank you, Mr. Chairman.
    I guess I would throw this open to anybody on the panel 
that wants to respond to it, but it is on the issue of 
encryption. And a lot of people have been pushing this; 
primarily many of the larger national organizations have urged 
us to include it in the bill, a bright line exemption for 
entities that use high-level encryption on their data systems. 
Basically, there are some who are advocating, if you buy the 
latest, cutting-edge equipment for encryption software as set 
forth by a regulator and based on the National Institutes of 
Standards and Technology that you are free and clear of any 
notice obligations to consumers under the bill. While I believe 
that encryption should be a factor that a company looks at when 
assessing a breach, I am wondering, how would your institutions 
or how do you think many of the small community banks in places 
like I represent in northeastern Ohio would manage under a 
bright line test for encryption.
    Ms. Callari. I can speak for our company. We are a 
community bank. We do use high level of encryption on our data. 
The issue remains when our customers' information goes to other 
merchants and vendors and data processors and knowing what kind 
of encryption they use. The other challenge is, we can secure 
data as much as we want until there is another very smart 
hacker out there who can break that encryption. So I think 
encryption is going to safeguard to a certain extent but not 
always.
    Mr. LaTourette. Yes, sir.
    Mr. Bohannon. I appreciate your question. From our 
industry's perspective and by way of background, I used to be 
the NIST chief legal advisor, so I am very familiar with their 
process and what they do. We certainly believe that encryption 
is a very important element in looking at the overall security 
program that an entity has, and from our perspective as 
representing a broader range of companies, we think it is 
useful.
    In the context of specific legislation, let me leave you 
with the following three thoughts. We would be concerned if 
only encryption were ever mentioned. We believe it has got to 
be a range of practices appropriate to the circumstances. 
Encryption, redaction, truncation, access controls all need to 
be recognized.
    Second, in the context of other bills we have actually 
urged, rather than it being a factor that it be a related 
element of whether that actual risk has actually occurred or 
not, that it be a more bright line determination than we 
believe is in H.R. 3997, but we think that that can be changed 
and adjusted in the bill.
    The third issue is whether the standards issued by NIST are 
appropriate. I caution you--and I will be glad to provide the 
committee with more data on this--the standards done by NIST 
were done in the context of Government use. It is important to 
understand that. While there are important lessons and results 
from those tests, we need to recognize that they may not be 
entirely appropriate or recognize other viable tools that are 
out in the private sector, particularly encryption algorithms, 
that may not be recognized by NIST.
    Mr. LaTourette. Ms. Brill.
    Ms. Brill. Just very, very briefly, I will note that the 
OCC in its guidance in the interagency guidance does not allow 
for any exemption whatsoever with respect to encryption, and we 
find it very interesting that certain pieces of the OCC 
guidance are touted by industry as being quite helpful whereas 
other pieces, for instance, the fact it covers paper records as 
well as electronic records and again this encryption point are 
ignored.
    Mr. LaTourette. Mr. Ireland.
    Mr. Ireland. I would point out in response in part to Ms. 
Brill's comment, most States include an encryption or bright 
line encryption exception without the benefits of a more 
refined definition of what that constitutes.
    The advantage of including such a provision, not in lieu of 
current provisions in the bill but in addition to other 
considerations, such as redaction, would be that you would 
provide a financial incentive in terms of concern about 
notification costs to raise the level of encryption and 
protection of information. And that might be a positive thing. 
So the argument for it I think is the incentive it creates, 
recognizing, as I think has been said, that any encryption 
standard may not be 100 percent impenetrable.
    Mr. LaTourette. Thank you very much.
    Chairman Bachus. Could I suggest that we--we have three 
more members, if each took 3 minutes. Start with Mrs. Maloney, 
and then we will go to Mr. Price. That way, Ms. Hooley, who is 
a sponsor of the bill, would have an opportunity. Unless we 
want to come back. But I am told it is going to be about 12, 
12:45, so, Mrs. Maloney.
    Mrs. Maloney. I would like to ask Mr. Hendricks and Mrs. 
Callari or really any witness to respond. What do you think we 
should do to address the concern over foreign data processing 
and why should we allow consumers to prevent their personal 
data from being sent overseas?
    This bill contains a requirement that foreign data 
processors agree to notify the U.S. company in case of breach 
of conduct and conduct a joint investigation of a possible 
breach.
    But my question is, is that enough? Who can effectively 
enforce this provision? Who can police whether foreign data 
processors fulfill their contracts? And if a breach is defined 
to include, quote, a risk-based factor, that is, so that it 
isn't even a breach unless there is actual harm or significant 
risk of our actual harm, then aren't we allowing foreign 
entities to make a judgment that they have absolutely every 
incentive to make against the consumer's interests?
    And, secondly, I would like to follow up on Ms. Brill, 
since we only have a short time. I would like any panelists to 
respond as to why AGs shouldn't be given the ability to enforce 
the notice of a breach of security, the point that she made of 
the resources not being there, that it is a huge problem in the 
country.
    I thank you all for your very thoughtful testimony today. 
Thank you.
    Mr. Hendricks. Thank you, Congresswoman, for that question. 
Congressman Markey has put the flag in the sand, saying people 
should be able to consent to having or withhold consent for 
having their information going overseas. We spent an hour and a 
half on this on a Brookings panel.
    To me, outsourcing--if privacy is the steak, outsourcing is 
the sizzle because it really shows that there can be a loss in 
the custody and control; it attacks the integrity of the 
security chain of command in the use of the information, and 
there is a lot about the whole accountability and remedy if 
something goes wrong.
    We have to--some of the bottom line things we have to make 
sure is to make sure that privacy protections and 
responsibilities are extended all the way down the chain of 
command. We have to make sure there is transparency so 
consumers always know when there is going to be outsourcing of 
data if we are not going to require their consent first.
    E-LOAN is the company that does it one way. They say, if 
you come to us during our regular business hours, we have our 
American staff process it. If you want the convenience of going 
after hours, they outsource that data. So through that 
transparency they are at least giving people a choice.
    But, unfortunately, I think most companies are trying to 
hide the fact they are outsourcing.
    Ms. Callari. I would like to add that, as a financial 
institution, we are regulated by GLBA, and we are already 
required to take responsibility for our customer information. 
So regardless where customer information resides, we are 
responsible.
    We do not today outsource any of our customer information 
overseas. But it is also important to note that H.R. 3997 does 
mandate that third parties contractually agree to disclose any 
breaches.
    Mr. Kaufmann. Congresswoman, if I could take a minute to 
clear up what sounds to me like perhaps a misconception that 
once the data is sent to a company that is located overseas or 
an office that is located overseas that the U.S. law doesn't 
apply. In fact, the U.S. law does.
    So just because a bank--let's say where a company chooses 
to use a processor in New York or chooses to use one in Canada 
does not mean they can say, well, we can evade U.S. law by 
sending this data to Canada. In fact, that is not the case. 
Regardless of whether we are talking about financial 
institutions or not, I think just principles of--principal and 
agency law suggests that if your agent--if your service 
provider misbehaves in a certain way, the principal--the 
company that uses that agent--will be held accountable, and so I 
just wanted to make that clarification.
    Chairman Bachus. All right. Thank you.
    Ms. Hooley.
    Ms. Hooley. Thank you, Mr. Chair.
    I have just a couple questions. I will try to be brief. Let 
me start with Mr. Hendricks.
    You note several--there are several things that you think 
are good about the bill. One of the things you are talking 
about is notification, and you would encourage the committee to 
expand credit monitoring from 6 months to a year. My question 
is, do you have any evidence that it stops ID theft or would 
prevent ID theft if it is monitored for a year versus 6 months?
    The second question is, do you see anything in the notice 
that you would suggest that we add additional information? Is 
there anything missing in that notification?
    Mr. Hendricks. Yes. First of all, on the credit monitoring, 
this is a moving--identity theft evolves, and no one has 
followed it more closely than you. Reflecting that fact is that 
the thieves are getting shrewder and shrewder and the shelf 
life of a social security number is basically for the life of 
the individual. So we are going to see more and more thieves 
are sitting on data to use it later, hoping that now people are 
no longer being careful. So in ChoicePoint they offered it for 
a year. A year seems like a reasonable period of time to get 
people started.
    The monitoring is important because it gives you the 
notice. That is also why the credit freeze is important because 
it is that key moment when the credit reporting agency 
discloses your credit report to the application of the thief 
that that is what allows identity theft to take off.
    Now your second question was about--
    Ms. Hooley. It was about the notification. Do you see if 
there is something missing in that notification?
    Mr. Hendricks. It would be nice if the notification could 
just be robust enough so that the entity could tell the 
individual as much as they know about the breaches because what is 
happening, first of all, I think the standard in the State laws 
is working fairly well. And out of all these cases, I have not 
seen a trivial notice go out. But in hearing from people and 
going through each case by case, you see that a lot of 
individuals get the notice and the company actually knows more, 
but they don't include in the notice. So it only comes out in 
subsequent news stories further explaining what was at stake.
    If we want to encourage companies to give as much 
information as they can, that helps consumers make judgments 
about what are the risks here.
    Ms. Hooley. Thank you.
    A very quick question for Ms. Brill. Thank you very much 
for coming today.
    In your testimony, you stated there should be no fraud 
monitoring exception, especially with respect to compromised 
information relating to debit card, bank account, or other 
noncredit account information.
    My question is, what do you mean by fraud monitoring? And 
are you referring to required credit monitoring services when a 
consumer is placed at risk of ID theft? Because I would note 
the bill does require business to monitor for fraud using a 
neural network or a similar system.
    And if yes, why should business be required to provide 6 
months of free credit monitoring service when the information 
that is lost would not lead to a threat of ID theft? If the 
only change they needed--say, they just had to give you a new 
number or new card. Why would you require them to do 6 months 
of monitoring for that purpose?
    Then the second question--I will get it all out at once--
the second question we talked about freezes, a lot of you 
talked about freezes. Do you think it is better to have--
through Federal legislation to do a freeze or let States do a 
freeze?
    Ms. Brill. I will take those.
    Should I continue? Should I respond to that?
    Ms. Hooley. Sure. We have 5 minutes.
    Chairman Bachus. We will end these questions, but we will 
come back if Mr. Hinojosa and Green want to come back.
    They will pass.
    Ms. Brill. So I will go ahead and respond now.
    Chairman Bachus. And then we will let Mr. Hinojosa ask a 
question.
    Ms. Brill. Thank you very much.
    With respect to fraud monitoring, our concern did deal with 
a neural network issue as you pointed out. It wasn't so much 
relating to the credit monitoring services that were provided.
    But we are concerned that a blanket exception for a company 
that does fraud monitoring is not granular enough. It doesn't 
really go into the details of how good is the system and 
whether or not, in fact, an exception should be given just on a 
blanket basis. And we see some of the same problems in the 
language of 3997.
    With respect to a freeze, the AG's letter does spell out 
what we think would be a robust, good Federal freeze law. 
Again, if Congress were to enact a Federal freeze that contains 
all of those provisions, we think that would be very helpful. 
If Congress cannot enact a law that contains all those 
provisions, then leave it to the States, because the States are 
doing a pretty good job. Twelve are in place so far, and more 
will come on line undoubtedly in the future.
    Chairman Bachus. Thank you.
    Mr. Hinojosa.
    Mr. Hinojosa. Thank you, Mr. Chairman. I will be brief, but 
I do want to say I have a great deal of interest in this 
consumer report and what comes out of our committee.
    I understand that many people do not distinguish between 
data breaches and identity theft and that not all data breaches 
lead to identity theft. I also understand why many are calling 
for a uniform national standard governing data brokers and the 
services they provide, and I will support that. I support the 
idea of such uniform standards only if the statute we enact 
first and foremost protects the consumers and grants them as 
many avenues of recourse as possible if their identity is 
stolen as a result of a data breach.
    Under the Texas credit freeze statute, if I felt my 
identity had been compromised, I would simply send a letter by 
certified mail to the consumer reporting agency requesting that 
it place a security freeze on my consumer file. The consumer 
reporting agency would have 5 business days to comply with my 
request. The agency would be required to send me an explanation 
of how to go about placing, removing, and temporarily lifting 
my security freeze. So if I were to decide to lift that freeze, 
the consumer reporting agency would have to remove the freeze 
no later than the third business day after it received my 
request.
    All in all, I think that Texas has a much tougher 
requirement than what is contained in the proposed law.
    All this to say, Mr. Chairman, that I support a uniform 
standard governing the protection of sensitive consumer 
information and the duty to provide notice when such 
information is compromised. I believe that H.R. 3997 falls 
short of that goal. I would hope that we can fine tune the 
bill's definition of several words as follows: breach, 
sensitive personal information, and the Gramm-Leach-Bliley 
provision.
    Mr. Chairman, I wish we had more time today to ask more 
questions. I believe that there is room to improve this bill, 
and I fully intend to be part of the discussion. I hope that 
this committee holds additional hearings prior to markup. Too 
much is at stake not to proceed deliberately.
    With that, Mr. Chairman, I am going to close and ask that 
the Texas statute on data breaches and account freezes be made 
part of the record.
    Chairman Bachus. Sure. In fact, the Chair notes that some 
members may have additional questions for the panel and may 
wish to submit them to the panel in writing. Without objection 
the hearing record will be held open for 30 days for members to 
submit written questions to the witnesses and place their 
responses in the record and, also, if they have their opening 
statement, they are free to submit that.
    I appreciate the panelists' attendance today. As I said at 
the start of this hearing, we expect this to be a long process. 
I am submitting testimony from four witnesses that we didn't 
have room for on the panel: ID Analytics Corporation, Mortgage 
Bankers Association, ARMA International, and the National 
Business Coalition of E-commerce and Privacy. In addition to 
your testimony, we will introduce those.
    I would like to close by saying we have two new staffers on 
the panel, and I would like to welcome them. They have worked 
very hard on this hearing: Danielle English, who was with Mr. 
Boehner and Ms. Biggert before joining our subcommittee; 
and Emily Pfeiffer, who is with Mr. Castle, our Chairman 
Castle. We welcome them to the staff and compliment their good 
work.
    So, with that, the hearing is closed, and the record will 
be held open for 30 days.
    Thank you.
    [Whereupon, at 12:14 p.m., the subcommittee was adjourned.]


                            A P P E N D I X



                           November 9, 2005 


[GRAPHIC] [TIFF OMITTED] T6758.001 through T6758.140 (140 appendix pages of submitted statements and materials; images not reproduced in the text version)

