[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]


                                                   S. Hrg. 102-000 
 
  DATA PROTECTION AND THE CONSUMER: WHO LOSES WHEN YOUR DATA TAKES A 
                                 HIKE
                                   =======================================================================

                                HEARING

                               before the

            SUBCOMMITTEE ON REGULATORY REFORM AND OVERSIGHT

                                 of the

                      COMMITTEE ON SMALL BUSINESS
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                      WASHINGTON, DC, MAY 23, 2006

                               __________

                           Serial No. 109-53

                               __________

         Printed for the use of the Committee on Small Business


 Available via the World Wide Web: http://www.access.gpo.gov/congress/house


                                 _____

                 U.S. GOVERNMENT PRINTING OFFICE

28-741 PDF              WASHINGTON : 2006
_________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government 
Printing Office Internet: bookstore.gpo.gov Phone: toll free 
(866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250 Mail:
Stop SSOP, Washington, DC 20402-0001



                      COMMITTEE ON SMALL BUSINESS

                 DONALD A. MANZULLO, Illinois, Chairman

ROSCOE BARTLETT, Maryland, Vice      NYDIA VELAZQUEZ, New York
Chairman                             JUANITA MILLENDER-McDONALD,
SUE KELLY, New York                    California
STEVE CHABOT, Ohio                   TOM UDALL, New Mexico
SAM GRAVES, Missouri                 DANIEL LIPINSKI, Illinois
TODD AKIN, Missouri                  ENI FALEOMAVAEGA, American Samoa
BILL SHUSTER, Pennsylvania           DONNA CHRISTENSEN, Virgin Islands
MARILYN MUSGRAVE, Colorado           DANNY DAVIS, Illinois
JEB BRADLEY, New Hampshire           ED CASE, Hawaii
STEVE KING, Iowa                     MADELEINE BORDALLO, Guam
THADDEUS McCOTTER, Michigan          RAUL GRIJALVA, Arizona
RIC KELLER, Florida                  MICHAEL MICHAUD, Maine
TED POE, Texas                       LINDA SANCHEZ, California
MICHAEL SODREL, Indiana              JOHN BARROW, Georgia
JEFF FORTENBERRY, Nebraska           MELISSA BEAN, Illinois
MICHAEL FITZPATRICK, Pennsylvania    GWEN MOORE, Wisconsin
LYNN WESTMORELAND, Georgia
LOUIE GOHMERT, Texas

                  J. Matthew Szymanski, Chief of Staff

          Phil Eskeland, Deputy Chief of Staff/Policy Director

                  Michael Day, Minority Staff Director

            SUBCOMMITTEE ON REGULATORY REFORM AND OVERSIGHT

W. TODD AKIN, Missouri Chairman      MADELEINE BORDALLO, Guam
MICHAEL SODREL, Indiana              ENI F. H. FALEOMAVAEGA, American 
LYNN WESTMORELAND, Georgia           Samoa
LOUIE GOHMERT, Texas                 DONNA CHRISTENSEN, Virgin Islands
SUE KELLY, New York                  ED CASE, Hawaii
STEVE KING, Iowa                     LINDA SANCHEZ, California
TED POE, Texas                       GWEN MOORE, Wisconsin

               Christopher Szymanski, Professional Staff

                                  (ii)


                            C O N T E N T S

                              ----------                              

                               Witnesses

                                                                   Page
Kurtz, Mr. Paul, Executive Director, Cyber Security Industry 
  Alliance.......................................................     3
Sotto, Ms. Lisa J., Partner, Hunton & Williams LLP...............     4
MacCarthy, Mr. Mark, Senior Vice President, Public Policy, Visa 
  U.S.A., Inc....................................................     6
Lenard, Mr. Tomas M., Vice President for Research, Progress and 
  Freedom Foundation.............................................    14
DelBianco, Mr. Steve, Vice President for Public Policy, 
  Association for Competitive Technology.........................    16
Dinham, Mr. Harry, President-elect, National Association of 
  Mortgage Brokers...............................................    18

                                Appendix

Opening statements:
    Akin, Hon. W. Todd...........................................    25
Prepared statements:
    Kurtz, Mr. Paul, Executive Director, Cyber Security Industry 
      Alliance...................................................    27
    Sotto, Ms. Lisa J., Partner, Hunton & Williams LLP...........    34
    MacCarthy, Mr. Mark, Senior Vice President, Public Policy, 
      Visa U.S.A., Inc...........................................    38
    Lenard, Mr. Tomas M., Vice President for Research, Progress 
      and Freedom Foundation.....................................    43
    DelBianco, Mr. Steve, Vice President for Public Policy, 
      Association for Competitive Technology.....................    70
    Dinham, Mr. Harry, President-elect, National Association of 
      Mortgage Brokers...........................................    88

                                 (iii)
      



  DATA PROTECTION AND THE CONSUMER: WHO LOSES WHEN YOUR DATA TAKES A 
                                 HIKE?

                              ----------                              


                         TUESDAY, MAY 23, 2006

                   House of Representatives
    Subcommittee on Regulatory Reform and Oversight
                                Committee on Small Business
                                                     Washington, DC
    The Subcommittee met, pursuant to call, at 10:00 a.m., in 
Room 2360 Rayburn House Office Building, Hon. W. Todd Akin 
[Chairman of the Subcommittee] presiding.
    Present: Representatives Akin, Sodrel, Westmoreland, and 
Musgrave.
    Chairman Akin. Good morning, everybody, and thank you so 
much for coming to join us for the hearing this morning before 
the Regulatory Reform and Oversight Subcommittee of the Small 
Business Committee. And I am also pleased that some of you came 
some distance to be able to testify, and we are very thankful 
for that commitment.
    We are going to be talking about who loses when your data 
takes a hike, and I want to especially thank all of you for the 
time you have taken to participate in this hearing.
    We live in an age where information is as valuable as 
currency. It is now a commodity shared widely among different 
organizations in order to generate revenue. Data mining, data 
collection and targeted marketing are now very big businesses. 
These practices greatly affect small business because they 
improve the speed and accuracy of business transactions. 
Unfortunately consumers and businesses alike increasingly face 
many risks due to information loss. These risks stem from the 
negligence of the firm, unethical practices of the firm's 
employees, and outside criminal activities.
    A firm is said to be negligent when it does not employ good 
practices in handling consumer data. The most common form of 
data loss results in data being mistakenly lost, such as the 
loss of a laptop computer, blackberry, cell phone, or some 
other type of portable electronic device.
    In most cases, this form of data loss does not result in 
any harm to the individual to whom the data belongs.
    Another form of risk arises from employees of a firm using 
consumer data for their own gain. This is commonly referred to 
as ``insider crime.'' A common example of insider crime is an 
employee stealing consumers' credit card information and making 
purchases for themselves.
    Finally, risk stems from criminals who operate outside the 
boundaries of the company and steal consumers' identity to make 
money. In the old days a criminal would have to gain physical 
access to paper files in order to steal consumers' identity or 
commit fraud. Today, because of greater information sharing, 
criminals can now gain access to the same information from the 
other side of the world. Although this is the least probable 
form of data loss for a company to incur, it is the most widely 
portrayed example by the media.
    As incidents of large data security breaches pervade the 
newspaper headlines, states are moving quickly to protect the 
rights of their citizens. Twenty-nine states have passed data 
breach notification laws and many more are considering 
legislation requiring companies to notify consumers of a 
possible loss of their personally identifiable information. 
These regulations affect many companies that store or transmit 
personally identifiable consumer information.
    Currently companies that sell across state borders are 
forced to understand and comply with these various state laws. 
This can be particularly onerous for small businesses. As 
Congress seeks to address the protection of consumers' personal 
information through legislation, lawmakers must consider the 
degree to which compliance is encouraged relative to the amount 
of economic burden placed on businesses.
    We are here today to better understand the cost of 
complying with current state and federal law not only in the 
formulation of a data security policy, but in managing the 
necessary paper trail to prove compliance.
    In addition, the Subcommittee seeks to understand the 
effect any new overriding federal law will have on data 
security compliance costs for small businesses.
    Finally, we hope to determine whether special consideration 
for small businesses in the formulation of baseline provisions 
in a data security bill is appropriate. I look forward to 
hearing the testimony of the witnesses to learn more about how 
data security regulations can affect small business.
    I would normally yield to the gentlelady from Guam, Madame 
Bordallo. However, she is not here today and will not be able 
to join us. So we will go directly to our witnesses. As I think 
the comments I just read state, our concern is that if Congress 
rushes too quickly on things, many times we overreact. An 
example of this is a bill called Sarbanes-Oxley. Many of us 
came to Congress because we hated red tape, and we ended up 
finding out that the enemy was us and we just made it worse, 
and that is the primary concern of this Subcommittee. We are 
concerned personally about identity theft, but we are also 
concerned that we are making regulations that are much, much 
more extreme than small businesses can afford. So that is the 
balance and the debate.
    I am going to start by calling our first witness. Paul 
Kurtz, you have joined us before, sir, and we are glad to have 
you again. Paul is the Executive Director of Cyber Security 
Industry Alliance out of Arlington, Virginia.
    Paul, you know the rules around here. We go by five minute 
intervals. At the five minute mark, the light turns red and the 
seat goes through the floor. You know the drill. We have a 
total of six witnesses today. We will do two panels of three. 
It gives me a chance to ask some questions, then other people 
come in, and they can ask questions. Then we will bring the 
next panel of witnesses up.
    Paul, please proceed.
    [Chairman Akin's opening statement may be found in the 
appendix.]

   STATEMENT OF PAUL KURTZ, CYBER SECURITY INDUSTRY ALLIANCE

    Mr. Kurtz. Great. Given my voice today, I think the five 
minute rule should not be much of a problem.
    First of all, thank you for calling this hearing. I think 
it is important, and I want to commend you for holding the town 
hall meeting you had in St. Louis last month, which I think is 
a vital part of outreach to small businesses in helping them 
increase awareness.
    Laura, who is with me today, is putting up a couple of slides from 
a survey that we are releasing today at the Cyber Security 
Industry Alliance, which I think is germane to the topic at 
hand: consumer confidence or voter confidence in the overall 
Internet. We have a substantial number of the population who 
are concerned about making online purchases, and a slide down 
below that, as you will see, talks about the number of folks who 
think we ought to have new laws passed: on the order of 60 to 70 
percent of the population wants to see new laws passed to 
protect sensitive personal information.
    In turning to small businesses, the Internet has enabled 
small businesses to compete with large business enterprises 
because of the accessibility and ease in communication the 
Internet offers, but this accessibility has also created new 
challenges by increasing threats to small businesses.
    There are several reasons why or there are several things 
we think government can do to help improve the security of 
small businesses. First of all, the Congress can pass a 
national data security bill. We think that is very important 
for a number of reasons.
    First and foremost, as you mentioned in your opening 
statement, at least 29 states have passed laws already 
requiring notification to consumers in the case of a breach of 
certain personal information. Four of those states have also 
included provisions that require security, reasonable security 
measures. What the Congress is contemplating is if you will 
both. It is putting in place those reasonable security measures 
across the board basically. All of the bills contemplated 
include that measure, and secondly, the notification piece. In 
the absence of a national bill, small businesses will be left 
to comply with the myriad of laws and regulations.
    For example, if you have a small business in Missouri and 
you are online, you would subsequently have to comply with 
all of those state laws that have notification requirements or 
security requirements; so while it might be contrary to 
national thinking, having a national standard that applies to 
large enterprises, as well as small enterprises is important.
    You might be tempted to, if you will, delay bringing in 
small enterprises into compliance with such a law. I would urge 
you not to do so, that you support a national law right up front 
because if you delay the exemption, you are still going to be 
left with having to comply with the state laws that are on the 
books.
    What will be important in any national law that is passed 
is obviously preemption, that it preempts all of the state laws 
that are in place, that the security measures that are put in 
place are strong, and as the data breach yesterday brings to 
light with 26.5 million names coming out or potentially exposed 
to identity theft, that we use encryption, not that the 
government must mandate the adoption of encryption, but the 
encryption as the best practice.
    We are pleased to note that several of the bills on the 
Hill include encryption related provisions, in other words, as 
a best practice. We would urge that Congress swiftly move 
forward to pass a bill this year that includes reasonable 
security measures, preemption of state law with a risk based 
notification threshold and voluntary encryption measures.
    Before I close, in the last 30 seconds I also want to note 
that the Executive Branch can take action as well. The Small 
Business Administration can do more. That is not to say that 
they have not done anything, but they can show a leadership 
role. They can form an advisory committee comprised with people 
from small businesses and others in the security industry and 
the private sector to advise SBA on where the gaps are and 
where the problems are.
    They can also initiate a survey among small businesses to 
understand what their problems are, specifically what is 
inherent to exactly their problems.
    And the final area that I would highlight that they can do 
is just as you started: more outreach. Engage in those local 
outreach efforts, those townhalls across the country. They have 
done some very valuable work with InfraGard already. InfraGard 
has chapters across the United States. They are built in. SBA 
with a new office could engage InfraGard more thoroughly and 
much more could be done.
    And I will close. Thank you.
    [Mr. Kurtz's testimony may be found in the appendix.]
    Chairman Akin. Thank you, Paul.
    I think that your comments were helpful, particularly in 
that you were quite specific of some things that need to be 
done. I appreciate that.
    Lisa Sotto is a partner with Hunton & Williams, LLP from 
New York, and I think noted as one of the foremost experts on 
data security. We are just delighted to have you here, Lisa.

         STATEMENT OF LISA SOTTO, HUNTON & WILLIAMS LLP

    Ms. Sotto. Thank you very much, sir.
    This morning I will address three topics: first, state 
security breach notification laws; second, information security 
requirements applicable to U.S. businesses; and, third, my 
recommendations for a federal security breach notification law.
    In 2002, California enacted SB 1386. It is because of this 
law that we know of the many information security breaches that 
have occurred during the past several years. The law requires 
organizations that own or license unencrypted computerized 
personal information about California residents to notify those 
individuals if the security of their data was compromised.
    Since the spate of publicized security breaches in 2005, 29 
other states have passed breach notification laws, and similar 
legislation is pending in 11 states. While the various state 
breach laws are similar in many respects, there are significant 
differences. In 15 states, for example, there is a harm 
threshold for notification. An entity that suffers a breach is 
not required to notify individuals if the entity determines 
that there has been no misuse of the information.
    Another difference is in the definition of personal 
information. Typically personal information is defined in these 
laws as an individual's name plus Social Security number, 
driver's license number, state ID card number or credit/debit 
or financial account number.
    In some states the definition is broader, for example, 
including date of birth. While most state breach laws cover 
only computerized data, some state laws also cover information 
in hard copy paper format.
    Some state breach laws contain additional notification 
requirements, like the requirement to notify state agencies or 
credit reporting agencies of a breach.
    Needless to say, the variations in the 30 state laws make 
compliance on a nationwide basis a complex matter.
    I will now briefly outline the information security 
requirements applicable to U.S. businesses. First, Gramm-Leach-
Bliley Act's safeguards rule requires that financial 
institutions maintain a comprehensive written information 
security program that contains administrative, technical, and 
physical safeguards to protect customer information. These 
safeguards should be appropriate to the size and complexity of 
the entity, the nature and scope of the entity's activities, 
and the sensitivity of the customer information.
    Another law that requires a formal comprehensive 
information security program is HIPAA. Like GLB, HIPAA adopts a 
flexible, scalable approach to information security. In 
deciding which security measures to use, a covered entity must 
take into account its size and complexity, its technical 
infrastructure, cost, and the probability of potential risks to 
the data.
    A third information security requirement is found in 
California's AB 1950 and its state analogues. AB 1950 requires 
businesses that own or license personal information about 
California residents to implement reasonable security 
procedures to protect the information from unauthorized access.
    Pursuant to the Fair and Accurate Credit Transactions Act, 
the FTC promulgated a rule in 2004 that requires businesses to 
take reasonable steps to guard against unauthorized access to 
consumer report information in connection with its disposal. 
Several states have even broader data disposition laws.
    In addition, other laws create security obligations 
indirectly. For example, the FTC has applied Section 5 of the 
FTC Act to sanction what it believes to be inadequate security 
as an unfair business practice. Given the panoply of breach 
notification laws and information security requirements, a 
federal law that would preempt similar state laws is critical. 
Because data often flows beyond state boundaries, a federal law 
would ensure that personal information is subject to security 
requirements that are uniform throughout the nation and that 
affected residents of every state would be notified of a 
breach.
    Such a federal law should require businesses that store 
sensitive consumer data to maintain reasonable security 
procedures to safeguard that data. With respect to breach 
notification requirements, I would advocate use of the 
California definition of personal information rather than an 
expanded definition. The California definition is narrowly 
crafted to include only information most commonly used by 
fraudsters to commit ID theft.
    Since the purpose of breach notification is to inform 
individuals of events that might cause them harm, there is no 
need to expand the definition.
    In addition, any federal law should contain a harm 
threshold requiring notification only if there is real risk of 
harm.
    Finally, I would suggest that any federal law focus on 
computerized data. Only information maintained in electronic 
format could be subject to the high volume of harm these laws 
are specifically intended to combat.
    With that I will end, and I would be glad to answer any 
questions. Thank you.
    [Ms. Sotto's testimony may be found in the appendix.]
    Chairman Akin. Thank you, Lisa, and I appreciate your 
comments.
    And next is Mark MacCarthy, Senior Vice President, Public 
Policy, with Visa U.S.A. from Washington, D.C.
    Mark, thank you.

         STATEMENT OF MARK MacCARTHY, VISA U.S.A., INC.

    Mr. MacCarthy. Thank you very much, Chairman Akin.
    Visa appreciates the opportunity to testify at today's 
hearing on the important issue of information security in small 
businesses.
    Visa is a leading consumer payment system and plays a 
pivotal role in the development of new payment technologies and 
services, including initiatives for protecting personal 
information and preventing identity theft and other kinds of 
fraud.
    Visa commends the Subcommittee for focusing on the issue of 
information security and the incentives for small businesses to 
provide increased information security practices. Visa has long 
recognized the importance of strict procedures to protect 
cardholder information. Cardholder security is never just an 
afterthought at Visa. For Visa it is about trust. Our goal is 
to prevent fraud from taking place in the first place.
    This commitment to fighting fraud includes Visa's zero 
liability policy. This protects Visa's cardholders from any 
liability for fraudulent purchases. Because the financial 
institutions that are Visa members do not impose losses for 
fraudulent transactions on the cardholders, these institutions 
incur costs when fraudulent transactions take place. These 
costs are primarily in the form of direct dollar losses, but 
they also include card replacement costs, fraud monitoring 
costs, and incremental customer service costs.
    Typically fraud losses are borne by the card issuer. 
However, rarely, if the merchant fails to follow proper 
authorization procedures for face-to-face transactions, these 
costs may be passed back to the acquiring bank or to the 
merchant.
    For Internet, telephone, and mail order transactions, 
merchants are generally responsible for unauthorized 
transactions. However, Visa provides merchants with a number of 
tools to prevent fraud and by using one of those fraud tools 
called ``Verified by Visa,'' merchants can shift these fraud 
losses back to the card issuing bank.
    Visa has implemented a comprehensive and aggressive 
customer information security program. It is called the 
Cardholder Information Security Program, CISP. This security 
program applies to all entities, including telephone order, 
Internet, and brick and mortar merchants, whether operating through 
the Internet or through any other channel of commerce. It includes 
not only data security standards, but also provisions for 
monitoring compliance and sanctions for failure to comply.
    Visa has been able to integrate CISP into the common set of 
data security requirements that are used by all of the credit 
card companies, which is known as the payment card industry 
data security standard, or the PCI standard.
    Visa also provides sophisticated neural networks that flag 
unusual spending patterns for fraud, and these neural networks 
enable our members to block transactions where fraud is 
suspected. When cardholder information is compromised, Visa 
notifies the issuing financial institution and puts the 
affected card numbers on a special monitoring status. If Visa 
detects any unusual activity in these cards, we again notify 
the issuers, and they begin a process of investigation and 
evaluation to determine the need for any card reissuance.
    In addition to CISP and these neural networks, Visa has 
implemented a variety of additional security measures that are 
designed to detect and prevent fraudulent transactions. Visa's 
address verification service matches shipping and billing 
addresses. Visa maintains an exception file comprised of 
account numbers of lost or stolen cards, and we check account 
numbers against this exception file at the time of a 
transaction.
    We have a card verification value, which is a unique three-
digit value that is in the magnetic stripe of every single 
credit card and debit card. It ensures that a valid card is 
present when you have a face-to-face transaction.
    The CVV2 is a unique three-digit code on the back of the 
credit card. It helps online merchants and telephone merchants 
verify that the card is really in the possession of the person 
who is conducting the transaction.
     And Verified by Visa, which I mentioned before, allows 
merchants to avoid charge-back costs by having cardholders 
authenticate themselves while they're shopping online.
    Advanced authorization is a new service that we are 
providing. It provides an instantaneous analysis of the 
potential for fraud at the time of the transaction itself. As a 
result of these measures, fraud within the Visa system is at an 
all time low of five cents for every $100 worth of 
transactions.
    In addition, Visa and the U.S. Chamber of Commerce have 
announced a nationwide data security education campaign that 
will involve both the payment industry and merchants in the 
fight to protect cardholder data. We believe that everyone who 
is involved in the payment system, Visa, financial 
institutions, processors, and merchants, have a shared 
responsibility to protect cardholder data.
    On legislation, let me quickly summarize many of the things 
that Lisa mentioned we are in favor of as well. We do want a 
national notification standard. It has to be risk based. We do 
believe that there should be national requirements for 
reasonable security procedures. We think that there should be 
sufficient flexibility built into those national standards to 
allow for the needs of small business to be accommodated.
    In particular, we think the size of the business needs to 
be taken into account whenever a federal agency enforces these 
rules, as well as the nature of the risks involved. That kind 
of flexibility can ensure that small businesses would be 
covered by the standard, but would be in a position where they 
could be afforded sufficient flexibility to come into 
compliance in an appropriate time and fashion.
    [Mr. MacCarthy's testimony may be found in the appendix.]
    Chairman Akin. Thank you so much, Mark, for your testimony.
    We have been joined by two of my good friends, Ms. Musgrave 
from Colorado to my immediate right, Mr. Sodrel from Indiana.
    And we have been talking about, in a sense, a balance here 
for small business regarding the cost of overhead for small 
business relative to the questions of data security, and 
specifically two things. One is the reporting if you lose some 
data, and then second of all, what are the procedures you have 
to do to protect your data.
    We have a total of six witnesses. The witnesses so far are 
making a strong case for the fact that a national standard 
would be helpful because each state has their own different 
separate rules and it would make it easier for business and 
commerce to comply with a national standard.
    Mark, hearing what Visa is doing, and I have a Visa card in 
my wallet and appreciate it and everything; on the other hand, 
that does not strike me as small business. I do think about 
some guy that has got a cleaners or whatever it happens to be, 
the local store corner, and he needs a data security officer, 
and he needs a computer system that is approved by this and 
that. You know, we could just basically kill the poor small 
business guy with some of these rules and regulations. So that 
is a tension.
    Mr. MacCarthy. Can I comment?
    Chairman Akin. Yes, you can. This is a question and answer. 
So go ahead.
    Mr. MacCarthy. The local dry cleaner, you know, accepts 
Visa cards, but there is a fact about his system which is 
important and which limits his exposure to data security 
problems. Most of the small businesses, your local dry cleaner, 
for example, do not link their point of sale terminal to their 
cash register, and one result of that is that they 
typically do not save the data in the transaction after the 
transaction has taken place.
    So they do not have the kind of large cardholder databases 
that are an attractive target for data hackers. Now, they still 
have to keep their information secure.
    Chairman Akin. Could you just clarify that a little bit 
from a systems point of view? When I go to the local cleaner 
down here at the bottom of the Longworth Building, you know, 
they get your phone number or something or other, but if you 
want to pay it, I usually pay cash, but if you pay it with a 
credit card or something, you are saying they do not maintain 
that credit card number connected with my name?
    Mr. MacCarthy. They typically do not record that credit 
card number containing your name. Now, your bank will.
    Chairman Akin. So in that regard it is almost like a cash 
type business and, therefore, they would have very little 
liability. Is that what you are saying?
    Mr. MacCarthy. Yes. The information is typically not stored 
at the merchant level. It moves through the system. The bank 
that works with the merchant will typically store the 
information. The bank that works with you as the cardholder 
will typically store the information, but the small merchant 
typically does not.
    Chairman Akin. Okay.
    Mr. MacCarthy. Now, if they do save the information, then 
all of the Visa security standards do apply, and as some small 
businesses get larger and they move from the small business to 
a medium size business, they tend to link their point of sale 
terminal and their cash register, and then they save the 
transaction information along with the cardholder information.
    Chairman Akin. This is when those kinds of laws would kick 
in then.
    Mr. MacCarthy. That is when it would kick in. It is at that 
stage. The vast--
    Chairman Akin. You see, in our congressional office, I am 
going to get personal about this. There are people who make 
contributions to my account using a Visa card, Visa numbers or 
Mastercard or whatever it is. What you are saying is as long as 
we destroy those numbers after that transaction goes through, 
it would not affect us.
    Mr. MacCarthy. The risks involved for the merchant at that 
point are minimal, and most of the small businesses in the 
country, we have five and a half million merchants, most of 
those small businesses are not in the position where they save 
the information after the transaction has taken place.
    Now, the rules do apply, and if they do become larger, they 
will have to take the appropriate security steps to make sure 
the information is kept safe and secure, but we do not think 
that the burden on the small business that does not save the 
information is exorbitant at this point, and we would hope that 
national information as it moved forward would allow the 
Federal Trade Commission or whatever other national entity is 
involved in this sufficient flexibility to say that is a small 
business. The risks are not very large. They do not save the 
information. We do not need to have them hire a security 
officer. We do not need to have them do a security scan every 
year. They should not have to pay $100,000 for an expensive 
security audit.
    And our private sector system already allows for that kind 
of flexibility right now.
    Chairman Akin. And then the other thing I think I heard all 
of you make the comment that the reporting requirement should 
be proportional to what the level of risk is. So if your 
computer falls in the ocean when you are going across something 
like that, you do not need to worry about that particularly, 
whereas if somebody has come in and literally stolen that 
information, then you would have a more onerous reporting 
requirement.
    Now, the reporting requirement, so what? I happen to be one 
of those 26 million people in the veterans' thing. Okay? And I 
find out that they have my name and Social Security number and 
birthday or whatever it is. What do I do? Does it do me any 
good to know that somebody stole it? Can I take any precautions 
as a consumer?
    Mr. Kurtz. Again, may I?
    Chairman Akin. Whoever wants, yes.
    Mr. Kurtz. In the first place, I would go back to the point 
that to me there is a realization that we need to come to in 
our society about the portability of vast amounts of 
information, and the need to take security more seriously in 
the recognized tools that exist today, including encryption. 
They have a laptop or the disk. The disk involved in the event 
involving VA, if it was encrypted, you would not be having the 
flash of news that we have today because VA could report that 
do not worry; it was stolen, but it is encrypted and the 
chances are incredibly low that--
    Chairman Akin. Is encryption pretty expensive or not 
really?
    Mr. Kurtz. In fact, encryption technologies have changed 
over the past several years. So they are, if you will, more 
seamless and easier to apply. Under the PCI standard, PCI 
standard that Mark made reference to, they encourage encryption 
as well. I think if we were to ask this question of ourselves, 
you know, four or five years ago, it would be more difficult. 
It would have been difficult to implement.
    To answer your question more specifically about, you know, 
all right, so I am notified; how does that help me? Well, one, 
you know, it allows you to at least understand and to look into 
your credit report, and now as a citizen you are entitled to 
free access to your credit report, I believe it is, once or 
twice a year. So you can at least put a flag out and look at 
your financial statements more clearly than you would in the 
past.
    There are also other services that are out there. The 
people that organizations are supplying that help with ID theft 
assistance that come with home mortgages and all of those kinds 
of things. So the market is, if you will, coming to the problem 
and providing solutions for people and providing guidance.
    And the final point I would make is, you know, 
organizations like the National Cyber Security Alliance who I 
believe testified here a month or so ago has tips out there for 
what people can do if they think they are a victim of identity 
theft.
    Chairman Akin. Okay. I have run out of time. I have got to 
follow my own rules, but we have got time for other questions. 
I think, Mr. Sodrel, you were here first and slightly edged out 
Ms. Musgrave, yes, if you would like to proceed.
    Mr. Sodrel. Thank you, Mr. Chairman.
    Mark, you were saying that if the law was sufficiently 
flexible, it would give the regulators an opportunity not to 
regulate. It has been my experience that bureaucrats have a 
tendency to err on the side of more regulation, not less 
regulation. It is called job security, you know, more people, 
more budget, bigger building.
    So I would probably be inclined to work something that is 
relatively inflexible so that they do not have that opportunity 
to grow their business, if you will, and the business of 
regulating. I mean, I do not want small business to be put at 
the whim, if you will, of a regulator by passing something that 
has enough elasticity that they can overreach. So I would like 
to think in terms of how do we prevent over regulation.
    If you have any comments along those lines because I think 
that is a bigger risk than not enough regulation.
    Mr. MacCarthy. There are two ways. If it is the Federal 
Trade Commission, there are a couple of ways in which I think 
they can be prevented from engaging in over regulation, but, 
frankly, I think the danger that they would reach down to the 
local dry cleaner is pretty minimal.
    I mean, there are five and a half million merchants out 
there who accept Visa cards. They cannot go after every one for 
trivial violations of some rules. What they have done in their 
current actions is they have found the cases where it is large 
companies who have clearly violated the most minimal, basic 
security rules. They have not encrypted the data or otherwise 
protected it. They have saved security codes that they should 
not have saved. They have not had passwords, they do not 
monitor their systems. They do not do scans of their systems, 
and they have lost large amounts of data and millions of people 
have been adversely affected.
    They focused their scarce resources on those kind of cases. 
So I think that should continue, and if there are any questions 
about the overreaching of their authority to affect small 
businesses in a way that does not make any sense from the 
public point of view, then I think there are two ways of 
getting at them. One is oversight hearings. I mean, the 
committees that have authority over these people should bring 
them in and say, ``What are you doing? Why don't you do a 
better job of administrating your own scarce resources?''
    And the other is the Appropriations Committee where you can 
say to them, you know, if you want to spend money on this stuff 
in this area, spend it on places where the risks are real and 
not on the areas where the risks are minimal. My sense is that 
you have to write it into the national standard that they have 
to take into account the size of the business and the nature of 
the risks. That has got to be in the national standard, and 
that gives you enough statutory flexibility to go after them in 
an oversight sense to make sure they do not overreach.
    Ms. Sotto. If I can add to Mark's comments, traditionally 
we have seen in privacy and security legislation in this 
country a requirement that standards are flexible and scalable 
to the size and the complexity of the entity and the 
sensitivity of the data that the entity maintains.
    The FTC and HHS in enacting regulations under GLB and HIPAA 
have been very careful to make sure that they're not imposing 
specific security requirements on an entity, but are in fact 
asking the entity to assess its own systems and determine what 
is right for that size of entity given the data that is 
maintained.
    I would expect that same sort of standard would follow in a 
new law.
    Mr. Kurtz. I do not disagree with any of what has been said 
by the panelists. I think when you talk about how a statute is 
eventually crafted, one other point I would just add to the mix 
to keep in mind is that technology is changing so swiftly today 
that you want to build flexibility into the statute that allows 
technology to change because if you are too specific, then we 
have new means available to people in order to secure 
themselves. Then if it is stuck in statute, then that inhibits 
innovation. It inhibits flexibility of small businesses even to 
perhaps deploy more efficient and cost effective security 
technologies for companies in the future.
    Mr. Sodrel. Thank you, Mr. Chairman.
    Chairman Akin. Thank you. Good questions.
    Marilyn, have you got a question?
    Ms. Musgrave. Well, I apologize that I have not been here 
for the entire testimony. Could someone give me an idea when we 
talk about national standards? You know, we talk about how 
states vary, and I would like to hear some examples of where 
you think states have gone too far. Whether you name the state 
or not, I do not care, but in trying to find that happy medium 
when we are at a time where people have a very heightened 
concern about identity theft.
    The Chairman mentioned, you know, the story about the 
veterans today. You know, in Colorado there was the Department 
of Motor Vehicle issue where, you know, information was sold. 
People were just incredulous, very angry.
    So tell me when a consumer advocate group would look at 
this situation what would be a national standard that you think 
would be appropriate or national standards that would be 
appropriate?
    Ms. Sotto. If I may, some of the distinctions are 
problematic. I represent companies that need to notify 
individuals when they have breaches, and a breach, by the way, 
could mean a stolen laptop. It could mean a laptop stolen from 
a home that has been burglarized, as has happened recently, 
yesterday. It was reported yesterday with respect to the VA.
    A couple of distinctions that make it difficult to 
determine how to comply on a nationwide basis. First, the 
definition of personal information varies from state to state. 
There is a typical definition that follows the California 
definition, but there are a few states that include items like 
date of birth, and I can tell you that it is very difficult to 
steal somebody's identity with their name and date of birth, 
and in fact, that is very much public record information.
    Other states include employee ID number, not meaningful 
when it comes to stealing somebody's identity, and by the way, 
when we talk about identity theft, that is a very broad range. 
It can mean account fraud where you get into somebody's 
financial information either through their bank account or 
credit card and do an unauthorized transaction or it can mean 
actually stealing somebody else's identity, taking the place of 
that person and taking out a loan, for example, or mortgage. So 
that is a very broad term.
    Other distinctions. In some states you need to report to 
state agencies about the breach. So you have to deal with some 
states on a very specific and robust level. Other states could 
not care less about reporting specifically to them.
    Another difference is that some states contain a specific 
number of days by which you need to notify individuals. That is 
a very difficult standard to meet when you are continuing to 
investigate and you cannot even quite pin down what happened.
    So these distinctions make it very difficult when you are 
notified of a breach to figure out exactly how to comply with 
all 30, and it would really be enormously helpful to businesses 
of any size to have a national standard, and it would be very 
helpful, I think, to consumers as well, who would not be 
subject to the vagaries of these various state laws.
    Ms. Musgrave. Thank you very much.
    Either one of you gentlemen like to comment on that?
    Mr. MacCarthy. Let me just jump in. I do think the reason 
to have a national standard has been explained by Lisa in 
pretty comprehensive terms. We support that.
    The one item I would like to emphasize is this difference 
between account fraud and ID theft that she mentioned. In the 
VA incident, the Social Security number was taken. The name was 
taken. I do not think the address was taken, but I am not sure 
of that, and I do not know all of the details, but the risk 
there when your Social Security number, your name, your 
address, your date of birth, if all of that information has 
been compromised, the risk there is that someone can become 
you, can open up a cell phone account in your name or a bank 
account in your name or get a credit card in your name. They 
can become you and unbeknownst to you run up enormous amounts 
of debt in your name, which then will be reported to a credit 
bureau and you are going to have trouble clearing that up. That 
is a substantial risk.
    When data is compromised from one of these cardholder 
databases which I talked about before, typically they get the 
cardholder number, the 16 digit number in the case of the Visa 
card. They probably get the expiration date, and they will also 
get the security code that allows them to make a counterfeit 
card.
    With that they cannot become you. They cannot open up a new 
account in your name. What they can do is commit fraud, and so 
the risk there is not that someone will become you and open up 
an account to cause you indefinitely financial harm. The risk 
there is that someone will use your card to commit fraud.
    We have zero liability. So the cardholder is protected in 
that circumstance. So what does this mean for policy? It means 
that in one case you might think carefully about the need to 
notify individuals that there is a problem and encourage them 
to do things like under federal law they have a right to put a 
fraud alert on their credit bureau account when they think that 
they have been a victim of identity theft. That is already in 
federal law, and probably they should do something like that to 
make sure that the people who use those credit bureaus know 
that there might be a problem here.
    In the case of account fraud, our neutral networks will 
find that before they even know what is going on, will stop the 
transactions associated with that card, reissue a new card. 
That is not a good thing for the consumer. It is a bad thing, 
but it is a different kind of bad thing than full identity 
theft.
    Chairman Akin. Those were good questions, Marilyn, and 
thank you for clarifying the distinction there because that is 
a question I had as we were going into this hearing. You know 
exactly what they are going to do with that data and what the 
uses are of it.
    I assume the most common thing is to just rip somebody off, 
over the phone, give them a credit card number and buy a bunch 
of stuff, simple theft. Whereas you start getting more 
sophisticated when you go out and take a loan for a house or 
something.
    Okay. We have got two panels. We have got three more 
witnesses. So I think what we will need to do is to move on to 
the next three witnesses.
    Thank you, Paul, Lisa, and Mark, for joining us. If you 
would like to stick around, that would be good. Sometimes the 
members want to talk after the hearing, but I would like to 
kind of keep things on schedule.
    Our next witness I believe is Tomas Lenard, Vice President 
for Research for the Progress & Freedom Foundation, Washington, 
D.C.
    And, Tomas, I think we are going to get the new placards up 
there. We will go ahead with the same set of rules. You have 
got five minutes, and then we'll proceed to the other two 
witnesses and do questions.

  STATEMENT OF TOMAS M. LENARD, PROGRESS & FREEDOM FOUNDATION

    Mr. Lenard. Thank you very much, Chairman Akin. Thanks for 
the opportunity to testify today.
    I am Senior Vice President for Research at the Progress and 
Freedom Foundation, and our mission at PFF is to study public 
policy issues that affect the information economy, and data 
security is surely one of the most important of those.
    As has been mentioned earlier today, there are about 30 
states now with data security laws and federal bills are moving 
through both houses of Congress. These new regulatory programs, 
like regulatory programs generally, should in my view be 
evaluated by weighing their benefits as against their costs.
    To illustrate the benefit-cost approach to these issues, 
the testimony that I have submitted briefly summarizes an 
economic analysis of notification requirements for data 
security breaches that I recently did with Paul Rubin who is a 
professor of law and economics at Emory University, as well as 
an adjunct PFF Fellow, and I have attached that to my 
testimony.
    Very briefly, the major conclusions of the study are, 
first, that the annual cost of identity theft and related 
frauds are primarily borne by businesses, which gives them 
strong incentives to spend money on data security, and I think 
that was indicated by Mr. MacCarthy's testimony.
    Second, the expected benefits to consumers of the 
notification requirement are extremely small and likely to be 
outweighed by the costs.
    And because the notification mandate is dubious on benefit-
cost plans, it should be targeted carefully.
    And finally, federal preemption of state notification laws 
will reduce compliance costs and improve the benefit cost 
balance.
    The effect of data security regulations on small businesses 
should be an important part of the benefit-cost calculus. These 
regulations impose a per unit burden that is generally 
inversely related to the size of the company, which means that 
it is less likely that they will pass a benefit cost test when 
they are applied to small firms.
    In addition, the added cost could have an adverse effect on 
competition because they make it more difficult for firms to 
enter markets in which the use of personal information is 
important.
    There are a number of ways in which data security 
regulation disproportionately affects small firms. First, the 
requirement to establish a data security program involves 
costs, for example, specialized computer and legal expertise 
that are likely to be relatively invariant with the size of the 
firm and, therefore, higher per unit of output for small than 
for large firms.
    Second, establishing a safe harbor, for example, for 
companies that encrypt their data is also likely to disfavor 
small businesses because encryption is often quite expensive 
and its costs may not be sensitive to firm size.
    Third, many of the costs of a notification program are also 
likely to be relatively fixed. Costs of some methods of 
notification, for example, posting a notice on the company's 
website or using the mass media may be totally invariant with 
respect to the size of the breach, and this bias against small 
businesses is exacerbated by provisions that allow alternative 
notice if individual notice exceeds a size trigger.
    And, fourth, without federal preemption, companies must 
familiarize themselves with numerous different state laws to 
make sure that they are in compliance, and the costs of this 
also do not vary much with firm size. So federal preemption, if 
enacted, will eliminate these costs and work to the advantage 
of small firms.
    Finally, it is important to note that any regulation of the 
information sector that raises the costs of targeted 
advertising and obtaining accurate customer lists has a greater 
adverse effect on new entrants and small firms than it does on 
large, established firms. Established firms have lists of their 
own customers and visitors to their websites, but new firms 
must purchase such lists. As long as there is a healthy, robust 
market for customer lists and other such information, entrants 
can begin competing relatively easily.
    All of this does not imply that data security regulations 
are necessarily a bad thing, but what I want to emphasize is 
the need to subject them to rigorous benefit-cost analysis to 
assure that if they are adopted their benefits will be 
sufficient to outweigh their costs.
    Thank you.
    [Mr. Lenard's testimony may be found in the appendix.]
    Chairman Akin. Thank you very much for your testimony 
there, Tomas.
    Our next witness is Steve DelBianco; is that correct?
    Mr. DelBianco. DelBianco.
    Chairman Akin. DelBianco. Okay.
    And, Steve, you are the Vice President of Public Policy for 
the Association of Competitive Technology from Washington, 
D.C.; is that correct?
    Mr. DelBianco. Yes, it is, Mr. Chairman.
    Chairman Akin. Okay, and you know the drill and what the 
little lights indicate. When you get to the second one, that's 
a 30 second mark, right? Okay. Proceed, please, Steve.

   STATEMENT OF STEVE DELBIANCO, ASSOCIATION FOR COMPETITIVE 
                           TECHNOLOGY

    Mr. DelBianco. Chairman Akin, members of the Subcommittee, 
thank you for discussing the impact of data security threats 
and the impact of data security regulation on small business.
    ACT, our group, is an advocacy group of more than 3,000 
tech firms, small tech firms and E-commerce businesses, 
including many who handle the sensitive financial data 
associated with billing applications, but also those who handle 
payroll applications. It is not just about billing customer 
credit cards. If you handle payroll information, you have got 
Social Security numbers as well.
    I am also here before you today after making my own small 
business Odyssey. In 1984, I started an IT consulting firm in 
Northern Virginia, grew it to $20 million and 200 employees, 
and then sold the business before helping to start ACT. So I am 
a small business survivor.
    Mr. Chairman and members of the Committee, I hope that you 
had a chance to see the new crime series, ``CSI: Identity 
Theft.'' The premiere episode featured a gang called Shadow 
Crew, and they made a science out of ID theft. They have got 
4,000 gang members around the world working in an online 
marketplace to trade in stolen credit card, stolen document 
information, and personal data.
    We meet the leader in this first episode who is an American 
business student and a few of his managers, one of whom is a 
moderator who helps design convincing phishing E-mails to dupe 
people into giving up their personal information. There is 
another guy who designs spyware to get onto people's computers.
    You meet these reviewers who take a look at the information 
they have stolen and figure out how they are going to charge 
for it or how they are going to sell it. Everyone on this 
episode, they talk fast, they move fast because they have got 
to use this stolen credit card information quickly before Visa 
or the card member cancels the credit card account.
    Then in this episode they cut to a nighttime scene in 
downtown Washington where Secret Service agents are conducting 
a sophisticated surveillance of a gang member meeting. Well, 
the chief agent gives the go order and armed agents break down 
the doors, encounter some weapons. One of the perpetrators 
leaps out of the second story window only to be caught by an 
agent on the ground.
    Well, as the credits roll in that first episode, you hear 
the narrator say, ``The events you have seen are true,'' 
because this Shadow Crew bust really happened in October of 
2004. The episode reminds us of something we have all lost 
sight of, I believe; that if a laptop is left in an airport or 
I leave one of these in the laundry, no ID theft has yet been 
committed. It takes a thief to commit identity theft by using 
your card fraudulently or opening new credit accounts in your 
name. ID theft already has multiple victims, the 
consumers who have to go through great drama to get their 
credit cleared in the case of bad account, retailers and 
lenders. We heard Mark MacCarthy talk about the burdens on 
them, and the businesses who are pilloried for being sloppy 
with the data or, in the case of a disgruntled employee, takes 
off with a Rolodex. The business still is going to be pilloried 
for not having security provisions in place.
    I would encourage you, please, let's not create a new set 
of victims by piling heavy regulation onto the backs of small 
business. Everyone knows, as Dr. Lenard said, that fixed costs 
disproportionately impact small business, but there are some 
more subtle ways that small business is vulnerable, I think, to 
the regulation we're considering today.
    One is that an owner's attention is stretched so thin. I 
was always far too busy fighting fires to spend any time 
preventing fires, although today you can bet that small 
business owners around the country are asking all of their 
employees what kind of data is on that laptop they take home. 
So fortunately they are paying attention to it today.
    It is also very rare, as Dr. Lenard said, for a small 
business to have any in-house expertise in legal and IT 
security, and that means it is very difficult for them to 
solicit, select, and then manage IT vendors and outsource 
vendors to get the security implemented.
    As this Committee well knows, this makes compliance awfully 
expensive for small business, as we saw in the case of 
Sarbanes-Oxley. I'm not as convinced as my fellow panelists 
today that we absolutely need new data protection regulation in 
order to make small business care about security, and I'm not 
actually convinced that that would actually reduce the 
incidence of ID theft.
    But I am clear regulation is coming. You can feel the 
momentum coming, and there are some good reasons. Consumers can 
take measures to protect themselves if they receive notice of a 
breach just like we discussed with the Chairman, and also since 
states have created a patchwork of notice laws, we have got to 
have preemption for reasons others have discussed.
    But Congress is looking not just at notice preemption. 
They're also eager to expand the data protection requirements, 
and that has made this a two-part discussion today. It's not 
just notice. It is data protection.
    Now, the anticipated legislation could expand it to 
businesses that aren't even covered today, businesses that use 
any information for interstate commerce. Now, in regulating 
data protection flexibility is always better than a 
prescriptive solution, but flexibility does not mean that it is 
optional. A small business will not know where they are in 
terms of security unless they hire a consultant and pay for an 
assessment, and they probably cannot understand where they need 
to arrive even in a flexible standard because there is a range 
of different risk mitigation levels you can arrive at.
    Small businesses, what they need are road maps. We need 
road maps to get from where we are to where we need to be under 
a flexible standard. Regulators should evaluate best practices 
in industry to decide which road maps can work for a small 
business. We could look to currently regulated industry for 
best practices, such as Mark MacCarthy described with the PCI 
data standard, and we can look to IT vendor, members of my 
group and Paul's group, to come up with best vendor solutions.
    In closing, Mr. Chairman, I would say please remember who 
are the real criminals behind identity theft, and please don't 
overburden small businesses. Perhaps it is best to come right 
out of the gate with the kind of small business protection that 
was being considered down the stretch on Sarbanes-Oxley, and 
that is please consider giving small businesses a delayed 
implementation date for new data protection laws.
    Go ahead and preempt notice immediately, but give a delay 
on data protection laws until there are enough approved road 
maps in place to get us from where we are to where we need to 
be.
    Thank you, and I look forward to your questions.
    [Mr. DelBianco's testimony may be found in the appendix.]
    Chairman Akin. Thank you very much, and I appreciate your 
perspective, Steve, as the guy who started your own business 
that way. The things that you articulated are very much the 
concerns of this Committee.
    There are other committees that are working on these bills, 
but we're particularly concerned with the regulation's effect 
on small businesses.
    We have been joined also by my good friend Congressman 
Westmoreland from Georgia. Welcome, and this is our second 
panel. We have one more testimony and then we will get around 
to some questions.
    Our last witness is Harry Dinham, President-elect, National 
Association of Mortgage Brokers, Washington, D.C.
    Harry, welcome to the hearing.

  STATEMENT OF HARRY DINHAM, NATIONAL ASSOCIATION OF MORTGAGE 
                            BROKERS

    Mr. Dinham. Thank you, Mr. Chairman.
    Thank you for inviting NAMB to testify today on the 
potential burdens placed on small businesses by proposed data 
security legislation. As the voice of mortgage brokers NAMB 
speaks on behalf of more than 25,000 members in all 50 states.
    Identity theft remains one of the fastest growing crimes in 
America. Clearly, efforts to protect against identity theft are 
necessary and we commend Congress for taking action on this 
issue.
    Equally important, however, is the awareness that proposed 
measures should not result in unintended harm to small 
businesses of America. I would like to discuss the lack of 
uniformity and clarity caused by the current patchwork of laws, 
credit freeze provisions, and the time and cost burdens placed 
on small businesses by any final monitoring provisions.
    Today at least 30 states have enacted security breach 
notification laws. These multiple state laws create a 
regulatory framework that is unduly burdensome, costly and 
complicated for mortgage brokers that have limited resources 
and time, especially for those who operate in tri-state areas. 
NAMB believes that a uniform national standard will help small 
businesses protect their consumers' sensitive personal 
information effectively in a cost efficient manner.
    Adding to the issues raised by this patchwork of state 
security breach laws is the recent trend of enabling consumers 
to lock their credit files, often referred to as credit freeze 
laws. Credit freeze laws are especially burdensome to small 
businesses. A credit freeze eliminates any point of sale 
transaction because it can take as many as three days to remove 
the freeze once the consumer has notified the consumer 
reporting agency to thaw the file.
    Proposed legislation should not include a credit freeze 
provision because it inhibits small business mortgage brokers 
from accessing borrowers' credit report in time sensitive 
transactions. Moreover, an unintended consequence with these 
credit freeze laws is that small businesses are placed at a 
competitive disadvantage compared to financial institutions 
where the consumers have preexisting accounts. This is because 
preexisting business relationships are exempt from credit 
freeze.
    For example, the mortgage division of a bank that the 
consumer already has a relationship with can still access the 
consumer's credit file. This preexisting business relationship 
exemption inhibits comparison shopping and reduces competition 
by limiting consumer choice to their existing bank.
    Lastly, proposed legislation should not require small 
businesses to offer file monitoring. NAMB supports legislative 
proposals that would permit the functional regulatory agency to 
exempt small businesses in a fair manner while at the same time 
protecting consumer interest. To aid the agency, Congress 
should incorporate statutory factors or guidelines that must be 
considered by the agency.
    For example, the legislation can provide an exemption from 
the file monitoring requirement for mortgage brokers that are 
under a certain size or have a limited volume of loans per 
year. At a minimum, NAMB recommends that file monitoring 
services be provided only if the consumer has already exercised 
their right to obtain their free credit report from each credit 
reporting agency for the calendar year.
    Congress should also provide regulatory authority to place 
price caps on the fees that small business mortgage brokers 
must pay to provide the service. In short, any proposed file 
monitoring provisions should be crafted so that they are not 
costly and unduly burdensome for small businesses. To do 
otherwise would only increase consumer costs significantly.
    NAMB supports federal legislation that establishes a 
uniform national standard for investigation and notification of 
data security breaches, but which is cognizant of the time and 
cost limitations that small businesses face.
    NAMB believes that any proposed legislation must complement 
but not otherwise duplicate or override existing legislative 
and regulatory schemes that safeguard sensitive consumer 
information against identity theft.
    NAMB looks forward to working with Congress to ensure that 
any such proposed legislation balances the needs of both 
consumers and small businesses. NAMB appreciates the 
opportunity to offer our views on the impact that current 
legislative proposals may have on small businesses.
    [Mr. Dinham's testimony may be found in the appendix.]
    Chairman Akin. Thank you, Harry. I think you are one of the 
few that brought it in 30 seconds ahead of time. So good job.
    I have got a question. Steve, if you were to take a look at 
it from a small business point of view, which is a bigger 
threat, the reporting piece or the procedure piece, from a cost 
point of view for a small business?
    Mr. DelBianco. Mr. Chairman, by ``reporting'' I think you 
mean the mandatory notice, right? In the case where there is a 
risk based trigger and there is an opportunity to provide the 
notice in a way that I am most customarily communicating with 
my customers, I believe that cost is far less than the 
procedural requirements for what we have been calling data 
protection requirements that would be imposed on small 
business.
    Chairman Akin. I guess it does vary. It probably depends on 
what the laws say and also what the situation is because the 
guy that lost the laptop with 26 million people on it, that 
reporting cost is going to be hefty, I would think; is that 
correct?
    Mr. DelBianco. Yes, it would. Most, if not all, of the 29 
states that have adopted notice laws though have provisions in 
there that if the cost or quantity of notice exceeds certain 
thresholds--I think it was half a million dollars in 
California--that there are alternative means of notification 
through public press releases, website announcements, newspaper 
postings.
    Chairman Akin. So you do not have to literally send direct 
mail to every single person.
    Mr. DelBianco. You would if the numbers are below the 
thresholds. But when the numbers exceed the thresholds, there 
are alternative forms of notice.
    Chairman Akin. Okay. One of the issues that receives at 
least passing attention here in Congress is the question of 
immigration. If you are trying to establish one of the things 
that we have passed a bill in the House regarding a prospective 
employer, what he is supposed to do is to check when somebody 
comes the Social Security number against the name and the 
birthday. If you have those three things, basically you have 
established your identity for the purposes of that bill as a 
legal immigrant in order to work in this country.
    What are the key pieces of information that are most 
necessary to misuse in terms of identity theft? What are the 
key pieces of data?
    Mr. DelBianco. Mr. Chairman, as Lisa Sotto has indicated, 
if you got the Social Security number, full name and address 
record, you are in probably pretty good shape to begin to open 
a cell phone account, a credit account and begin to assume the 
identity.
    Chairman Akin. Do you need a birthday or not? Is birthday 
critical information? No, it is not. If it were critical, we 
would have an extra panel here.
    Mr. DelBianco. If it were critical, you could look it up. 
It is part of the public records.
    Chairman Akin. Oh, that is right. Yes, because we do those 
automatic--I mean some politicians do birthday cards to people. 
So that is all public. That is right. Okay. Yes, so you do not 
even need the birthday. All you have got to do is get Social 
Security number and the right name, and then you are in 
business then. Okay. Good.
    Let's see. Other questions? I think Mr. Sodrel is next.
    Mr. Sodrel. Well, I am only 16 months out of what I call 
real life. This is the first public office I have ever held, 
and I spent my life either being on the payroll or making the 
payroll. So I tend to have a little bit different perspective.
    I do not know if you heard earlier when I talked about 
mission creep. When you build in too much flexibility in the 
law, the regulators tend to over regulate. They always want to 
err on the side of too much regulation rather than too little. 
I watched in our company. In my granddad's time, you had to 
have a truck and a license plate, and you were in the trucking 
business. Now you have to have an EEOC officer, an EPA officer, 
an OSHA officer, and ADA officer and a federal DOT compliance 
officer, and this officer and that officer which is not really 
practical for a small business.
    So I am kind of concerned here that we are going to create 
now an information security officer in addition to all of the 
other officers for a five-person business. Particularly 
Internet businesses tend to be short on employees, maybe big on 
data, but small on people.
    So any suggestion that you have to try to come up with 
something that is common sense, you know. I understand 
interstate commerce is difficult for a business to comply with 
30 state laws. It may be appropriate to have federal preemption 
since we are in interstate commerce, but we need to do it in a 
fashion that does not overburden small business.
    I am from Southern Indiana. We often call small business 
your seed corn. I mean if you follow the string back far enough 
every business was a small business whether it was Bill Gates 
or Microsoft or Lewis Chevrolet. So we do not want to 
completely stifle the growth of small business while we are 
trying to fix this problem.
    So if you have got suggestions on how we keep it simple, 
how we do it in a fashion that makes sense and small 
businesses can still survive, and Sarbanes-Oxley was a good 
example.
    Mr. Lenard. I think I agree with everything you said, and I 
think you do point up kind of a tension there. It seems to me 
you do want to have some flexibility because you do not want to 
lock in procedures that really may not make sense, you know, 
that may make people spend a lot of money addressing problems 
where, you know, the risk is minimal or use technologies, you 
know, when they become outdated or when other technologies that 
are better or cheaper.
    So I think you want to try to do both things. It is a 
challenge. You want to have flexibility to do something that 
really does make sense, but also, you know, limit the law so 
that it is not susceptible to regulatory creep of the type that 
you are concerned about because I think that is very 
legitimate.
    I think, you know, the primary rationale at this stage for 
passing a law probably is federal preemption to get one law 
that you are going to have laws anyway. So you might as well 
have one, and then to try to put in sensible procedures that 
really do target, are precisely targeted as possible to address 
the situations where there is a real risk so that you really 
can get some benefits out of the law and not spend money where 
the benefits are minimal.
    Mr. DelBianco. The Representative is also one who has 
signed the front of the paycheck before. I can sympathize with 
your prior life.
    There are two issues to consider on preemption. The notice 
laws, the notification requirements, I believe it is a slam 
dunk, Representative, to make that a federal preemption. But on 
data protection, I think we have to be careful to watch for the 
trap that you describe, the trap of flexibility coming out of 
Congress, turning into too much regulation by the regulator.
    But I would point to GLB and the regulation pursuant to it 
as perhaps a better example than ones you have experienced 
before. Congress was very flexible in the instructions it gave 
to the FTC on GLB, and FTC, I think, has done an admirable job 
of coming up with equally flexible requirements that business 
can then meet.
    However, I want you to be clear. Having been in the 
business myself, I know what happens when a vendor, a 
consultant, a systems integrator has an opportunity to tell a 
business whether and how it is compliant with something that is 
very flexible, and then after telling the business where your 
risk lies in your data protection practices, it is then up to 
me to adapt all of your business procedures, the scale of your 
operation and your business model to say, ``Here is a solution 
that I can deliver for you that will meet the requirements of 
the law.''
    Now, a consultant might be inclined as I was to over 
engineer things, but again, both of us are going to be inclined 
to eliminate the risk not just manage the risk, but to 
eliminate the risk, and in that sense the solutions become very 
expensive. So flexibility from Congress to the regulators, 
flexibility from the regulators to industry is all working 
pretty well in GLB, but what I believe has happened is that the 
industry has only begun to deliver solutions that are compliant 
with that. We need more time for those solutions to be cooked 
down into road maps and best practices that are affordable and 
digestible for small businesses.
    Chairman Akin. I think that was a good set of questions. 
Just before I go to Congressman Musgrave, one of the comments 
that was made is I do not think the government is going to go 
after all of those different dry cleaners and small people. You 
know, the government doesn't have to go after all of them. They 
just have to ream one of them out and they have everybody 
scared to death and adding tremendous overhead to their cost of 
operations.
    We see numerous examples in Congress. People, our 
constituents, complain to us about excessive regulation from 
the federal government and I have seen some really amazing 
examples. I think the recent one was where we have people that 
are building subdivisions in our area, and the drainage ditches 
in the subdivisions are being viewed as navigable waterways. 
Wasn't that innovative? I do not know who thought of that, but 
anyway, we have those difficulties.
    Well, we now have my good friend, Marilyn Musgrave from 
Colorado.
    Ms. Musgrave. I was just looking over the section, Mr. 
Chairman, about file monitoring, and you know, certain 
presumptions there that reporting occurs, but then say, you 
know, that there are bad actors that don't do that, and I'm 
looking down here and my ears kind of perk up when you talk 
about price control and asking for more regulatory oversight 
from the SBA. So I assume it would fare better there.
    So you actually want a price cap on what the mortgage 
broker can be charged for monitoring services. Could you 
comment on that, please?
    Mr. Dinham. Well, yes, ma'am. We really feel that, you 
know, we need to maintain our cost controls because we are in a 
small business. One to five people is our normal membership of 
our association, and anything we can do to hold our cost down 
is just a benefit to the consumer because everything that we 
have to do outside of that is going to add to the cost that we 
are going to have. It is going to be passed on to the consumer 
eventually. So anything we can do to control what it is going 
to cost us to do this monitoring would definitely be a benefit 
to the consumer.
    Ms. Musgrave. Do you think that changes in technology will 
affect the price of the monitoring, the cost of the monitoring?
    Mr. Dinham. I really do not know that it would change that, 
but you know, we have just seen things that would start out at 
a low price and they tend to edge up as it becomes more and 
more popular, and that is a real concern to us. We are very 
cost conscious as small business people.
    Chairman Akin. Lisa, you have been kind enough to stay 
around. If you would like to jump in on any of these questions 
just pretend like you are part of the immediate panel if you 
would like to. If you want to, yes.
    Ms. Sotto. The cost of credit monitoring actually varies 
quite dramatically depending on the leverage of the company, 
and I have worked with some companies that pay one price and 
other companies that pay a dramatically different price because 
they are big enough so that they have negotiating power, and 
they also have more leverage based on the number of enrollees 
who are anticipated in the credit monitoring.
    Typically I have found that about five to ten percent of 
the number of names that have been breached will, in fact, 
enroll in credit monitoring. So the cost that the credit 
bureaus charge for the monitoring tends to be based on the 
volume and on the leverage that the particular company has with 
the credit bureau.
    Ms. Musgrave. That is why I was trying to figure out how a 
price cap would work. It seems very complicated to me.
    Thank you.
    Chairman Akin. Does that conclude your questions?
    Ms. Musgrave. It does, and thank you, Mr. Chairman.
    Chairman Akin. Okay. Let's see. I had one more I was just 
thinking of. I am trying to remember what it was.
    Does it make sense from a passing point of view to do the 
reporting piece of the bill separate from the other part of the 
bill? Does that seem like that it logically fits into two 
pieces from a legislative point of view?
    Mr. DelBianco. Mr. Chairman, I would agree with that 
approach.
    Mr. Dinham. I would also.
    Ms. Sotto. Thank you.
    It is interesting to me that California passed SB 1386 
before AB 1950. It is backwards in a way. I think if you pass 
legislation that requires that you have a security program in 
place first, you would prevent the need to have notification 
requirements in at least some measure because if there are 
security fixes in place with respect to a particular database, 
there is less likelihood that that database will be vulnerable 
to attack and, therefore, less likelihood that you will need 
to, in fact, notify individuals whose data might have been 
breached.
    Chairman Akin. I see the logic of what you are saying, but 
it also sounds like the predominance of testimony here this 
morning was because of the patchwork of various state laws, 
that there is almost a more practical sense a need for a 
federal standardization kind of procedure. That almost might be 
a simpler question and less expensive question than the second.
    Ms. Sotto. I think it is simpler, yes, but I don't think it 
really solves the problem. I think there really is a need for 
federal legislation. There is a dire need in the breach 
notification arena because of the patchwork of state laws, but 
I think I am dealing with a company right now that has 
encrypted all of its laptops. So they have done the right 
thing, but prior to encryption, which is, by the way, about 
$100 a laptop depending on the type of encryption technology 
you use; prior to encryption they had a dozen or so incidents 
of stolen or lost laptops that now need reporting.
    So after the first one they knew to go ahead and encrypt, 
but they still had many more. I think if you impose security 
requirements, then you wouldn't have these multiple incidents 
of breaches that would require notification.
    Chairman Akin. Well, anybody want a last word on that? 
Maybe Steve.
    Mr. DelBianco. Thank you, Mr. Chairman. While security 
requirements, if enforced and affordable, would reduce the 
incidence of breaches, you can still be sure breaches would 
occur, and the state patchwork of laws would apply. We are 
dealing with laws that are inconsistent with each other.
    Illinois, for instance, does not permit the delay of notice 
if you are working with law enforcement. So you might have 
Illinois residents in your database. That means that they have 
got to know right away, whereas the other states have allowed 
you to delay while you try to set up a sting operation to catch 
the bad guys.
    In the case of New Hampshire, if you missed by a day the 
15-day notice deadline to 1,000 customers, you are liable for a 
million dollar private right of action from the plaintiff's 
bar, and that is for a technical failure. We have a lot of 
concerns and need to solve it in the states right now, and even 
if we had data protection mandates that were followed, things 
happen. Laptops get lost, and we cannot pass a state patchwork 
of notice laws for much longer.
    Thank you, Mr. Chairman.
    Chairman Akin. With that, the hearing is concluded. Thank 
you all very much for your testimony.
    [Whereupon, at 11:14 a.m., the hearing was adjourned.]
    [GRAPHIC] [TIFF OMITTED] 28741.001 through 28741.069 
(appendix graphics omitted from the printed record)