b"<html>\n<title> - DATA PROTECTION AND THE CONSUMER: WHO LOSES WHEN YOUR DATA TAKES A HIKE</title>\n<body><pre>[House Hearing, 109 Congress]\n[From the U.S. Government Printing Office]\n\n\n                                                   S. Hrg. 102-000 \n \n  DATA PROTECTION AND THE CONSUMER: WHO LOSES WHEN YOUR DATA TAKES A \n                                 HIKE\n                                   =======================================================================\n\n                                HEARING\n\n                               before the\n\n            SUBCOMMITTEE ON REGULATORY REFORM AND OVERSIGHT\n\n                                 of the\n\n                      COMMITTEE ON SMALL BUSINESS\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED NINTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                      WASHINGTON, DC, MAY 23, 2006\n\n                               __________\n\n                           Serial No. 109-53\n\n                               __________\n\n         Printed for the use of the Committee on Small Business\n\n\n Available via the World Wide Web: http://www.access.gpo.gov/congress/\n                                 house\n\n\n                                 _____\n\n                 U.S. GOVERNMENT PRINTING OFFICE\n\n28-741 PDF              WASHINGTON : 2006\n_________________________________________________________________\nFor sale by the Superintendent of Documents, U.S. Government \nPrinting  Office Internet: bookstore.gpo.gov  Phone: toll free \n(866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250 Mail:\nStop SSOP, Washington, DC 20402-0001\n\n\n\n                      COMMITTEE ON SMALL BUSINESS\n\n                 DONALD A. 
MANZULLO, Illinois, Chairman\n\nROSCOE BARTLETT, Maryland, Vice      NYDIA VELAZQUEZ, New York\nChairman                             JUANITA MILLENDER-McDONALD,\nSUE KELLY, New York                    California\nSTEVE CHABOT, Ohio                   TOM UDALL, New Mexico\nSAM GRAVES, Missouri                 DANIEL LIPINSKI, Illinois\nTODD AKIN, Missouri                  ENI FALEOMAVAEGA, American Samoa\nBILL SHUSTER, Pennsylvania           DONNA CHRISTENSEN, Virgin Islands\nMARILYN MUSGRAVE, Colorado           DANNY DAVIS, Illinois\nJEB BRADLEY, New Hampshire           ED CASE, Hawaii\nSTEVE KING, Iowa                     MADELEINE BORDALLO, Guam\nTHADDEUS McCOTTER, Michigan          RAUL GRIJALVA, Arizona\nRIC KELLER, Florida                  MICHAEL MICHAUD, Maine\nTED POE, Texas                       LINDA SANCHEZ, California\nMICHAEL SODREL, Indiana              JOHN BARROW, Georgia\nJEFF FORTENBERRY, Nebraska           MELISSA BEAN, Illinois\nMICHAEL FITZPATRICK, Pennsylvania    GWEN MOORE, Wisconsin\nLYNN WESTMORELAND, Georgia\nLOUIE GOHMERT, Texas\n\n                  J. Matthew Szymanski, Chief of Staff\n\n          Phil Eskeland, Deputy Chief of Staff/Policy Director\n\n                  Michael Day, Minority Staff Director\n\n            SUBCOMMITTEE ON REGULATORY REFORM AND OVERSIGHT\n\nW. TODD AKIN, Missouri Chairman      MADELEINE BORDALLO, Guam\nMICHAEL SODREL, Indiana              ENI F. H. 
FALEOMAVAEGA, American \nLYNN WESTMORELAND, Georgia           Samoa\nLOUIE GOHMERT, Texas                 DONNA CHRISTENSEN, Virgin Islands\nSUE KELLY, New York                  ED CASE, Hawaii\nSTEVE KING, Iowa                     LINDA SANCHEZ, California\nTED POE, Texas                       GWEN MOORE, Wisconsin\n\n               Christopher Szymanski, Professional Staff\n\n                                  (ii)\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                               Witnesses\n\n                                                                   Page\nKurtz, Mr. Paul, Executive Director, Cyber Security Industry \n  Alliance.......................................................     3\nSotto, Ms. Lisa J., Partner, Hunton & Williams LLP...............     4\nMacCarthy, Mr. Mark, Senior Vice President, Public Policy, Visa \n  U.S.A., Inc....................................................     6\nLenard, Mr. Tomas M., Vice President for Research, Progress and \n  Freedom Foundation.............................................    14\nDelBianco, Mr. Steve, Vice President for Public Policy, \n  Association for Competitive Technology.........................    16\nDinham, Mr. Harry, President-elect, National Association of \n  Mortgage Brokers...............................................    18\n\n                                Appendix\n\nOpening statements:\n    Akin, Hon. W. Todd...........................................    25\nPrepared statements:\n    Kurtz, Mr. Paul, Executive Director, Cyber Security Industry \n      Alliance...................................................    27\n    Sotto, Ms. Lisa J., Partner, Hunton & Williams LLP...........    34\n    MacCarthy, Mr. Mark, Senior Vice President, Public Policy, \n      Visa U.S.A., Inc...........................................    38\n    Lenard, Mr. 
Tomas M., Vice President for Research, Progress \n      and Freedom Foundation.....................................    43\n    DelBianco, Mr. Steve, Vice President for Public Policy, \n      Association for Competitive Technology.....................    70\n    Dinham, Mr. Harry, President-elect, National Association of \n      Mortgage Brokers...........................................    88\n\n                                 (iii)\n      \n\n\n\n  DATA PROTECTION AND THE CONSUMER: WHO LOSES WHEN YOUR DATA TAKES A \n                                 HIKE?\n\n                              ----------                              \n\n\n                         TUESDAY, MAY 23, 2006\n\n                   House of Representatives\n    Subcommittee on Regulatory Reform and Oversight\n                                Committee on Small Business\n                                                     Washington, DC\n    The Subcommittee met, pursuant to call, at 10:00 a.m., in \nRoom 2360 Rayburn House Office Building, Hon. W. Todd Akin \n[Chairman of the Subcommittee] presiding.\n    Present: Representatives Akin, Sodrel, Westmoreland, and \nMusgrave.\n    Chairman Akin. Good morning, everybody, and thank you so \nmuch for coming to join us for the hearing this morning before \nthe Regulatory Reform and Oversight Subcommittee of the Small \nBusiness Committee. And I am also pleased that some of you came \nsome distance to be able to testify, and we are very thankful \nfor that commitment.\n    We are going to be talking about who loses when your data \ntakes a hike, and I want to especially thank all of you for the \ntime you have taken to participate in this hearing.\n    We live in an age where information is as valuable as \ncurrency. It is now a commodity shared widely among different \norganizations in order to generate revenue. Data mining, data \ncollection and targeted marketing are now very big businesses. 
\nThese practices greatly affect small business because they \nimprove the speed and accuracy of business transactions. \nUnfortunately, consumers and businesses alike increasingly face \nmany risks due to information loss. These risks stem from the \nnegligence of the firm, unethical practices of the firm's \nemployees, and outside criminal activities.\n    A firm is said to be negligent when it does not employ good \npractices in handling consumer data. The most common form of \ndata loss results in data being mistakenly lost, such as the \nloss of a laptop computer, BlackBerry, cell phone, or some \nother type of portable electronic device.\n    In most cases, this form of data loss does not result in \nany harm to the individual to whom the data belongs.\n    Another form of risk arises from employees of a firm using \nconsumer data for their own gain. This is commonly referred to \nas ``insider crime.'' A common example of insider crime is an \nemployee stealing consumers' credit card information and making \npurchases for themselves.\n    Finally, risk stems from criminals who operate outside the \nboundaries of the company and steal consumers' identity to make \nmoney. In the old days a criminal would have to gain physical \naccess to paper files in order to steal consumers' identity or \ncommit fraud. Today, because of greater information sharing, \ncriminals can now gain access to the same information from the \nother side of the world. Although this is the least probable \nform of data loss for a company to incur, it is the most widely \nportrayed example by the media.\n    As incidents of large data security breaches pervade the \nnewspaper headlines, states are moving quickly to protect the \nrights of their citizens. Twenty-nine states have passed data \nbreach notification laws and many more are considering \nlegislation requiring companies to notify consumers of a \npossible loss of their personally identifiable information. 
\nThese regulations affect many companies that store or transmit \npersonally identifiable consumer information.\n    Currently, companies that sell across state borders are \nforced to understand and comply with these various state laws. \nThis can be particularly onerous for small businesses. As \nCongress seeks to address the protection of consumers' personal \ninformation through legislation, lawmakers must consider the \ndegree to which compliance is encouraged relative to the amount \nof economic burden placed on businesses.\n    We are here today to better understand the cost of \ncomplying with current state and federal law not only in the \nformulation of a data security policy, but in managing the \nnecessary paper trail to prove compliance.\n    In addition, the Subcommittee seeks to understand the \neffect any new overriding federal law will have on data \nsecurity compliance costs for small businesses.\n    Finally, we hope to determine whether special consideration \nfor small businesses in the formulation of baseline provisions \nin a data security bill is appropriate. I look forward to \nhearing the testimony of the witnesses to learn more about how \ndata security regulations can affect small business.\n    I would normally yield to the gentlelady from Guam, Madame \nBordallo. However, she is not here today and will not be able \nto join us. So we will go directly to our witnesses. As I think \nthe comments I just read state, our concern is that if Congress \nrushes too quickly on things, many times we overreact. An \nexample of this is a bill called Sarbanes-Oxley. Many of us \ncame to Congress because we hated red tape, and we ended up \nfinding out that the enemy was us and we just made it worse, \nand that is the primary concern of this Subcommittee. We are \nconcerned personally about identity theft, but we are also \nconcerned that we are making regulations that are much, much \nmore extreme than small businesses can afford. 
So that is the \nbalance and the debate.\n    I am going to start by calling our first witness. Paul \nKurtz, you have joined us before, sir, and we are glad to have \nyou again. Paul is the Executive Director of the Cyber Security \nIndustry Alliance out of Arlington, Virginia.\n    Paul, you know the rules around here. We go by five minute \nintervals. At the five minute mark, the light turns red and the \nseat goes through the floor. You know the drill. We have a \ntotal of six witnesses today. We will do two panels of three. \nIt gives me a chance to ask some questions, then other people \ncome in, and they can ask questions. Then we will bring the \nnext panel of witnesses up.\n    Paul, please proceed.\n    [Chairman Akin's opening statement may be found in the \nappendix.]\n\n   STATEMENT OF PAUL KURTZ, CYBER SECURITY INDUSTRY ALLIANCE\n\n    Mr. Kurtz. Great. Given my voice today, I think the five \nminute rule should not be much of a problem.\n    First of all, thank you for calling this hearing. I think \nit is important, and I want to commend you for holding the town \nhall meeting you had in St. Louis last month, which I think is \na vital part of outreach to small businesses in helping them \nincrease awareness.\n    Laura, with me today, is putting up a couple of slides from \na survey that we are releasing today at the Cyber Security \nIndustry Alliance, which I think is germane to the topic at \nhand: consumer confidence or voter confidence in the overall \nInternet. 
We have a substantial number of the population that \nare concerned about making online purchases, and a slide down \nbelow that you will see talks about the number of folks who \nthink we ought to have new laws passed, on the order of 60 to 70 \npercent of the population wanting to see new laws passed to \nprotect sensitive personal information.\n    In turning to small businesses, the Internet has enabled \nsmall businesses to compete with large business enterprises \nbecause of the accessibility and ease in communication the \nInternet offers, but this accessibility has also created new \nchallenges by increasing threats to small businesses.\n    There are several reasons why, or there are several things \nwe think government can do to help improve the security of \nsmall businesses. First of all, the Congress can pass a \nnational data security bill. We think that is very important \nfor a number of reasons.\n    First and foremost, as you mentioned in your opening \nstatement, at least 29 states have passed laws already \nrequiring notification to consumers in the case of a breach of \ncertain personal information. Four of those states have also \nincluded provisions that require security, reasonable security \nmeasures. What the Congress is contemplating is, if you will, \nboth. It is putting in place those reasonable security measures \nacross the board basically. All of the bills contemplated \ninclude that measure, and secondly, the notification piece. 
In \nthe absence of a national bill, small businesses will be left \nto comply with the myriad of laws and regulations.\n    For example, if you have a small business in Missouri and \nyou are online, you would subsequently have to comply with \nall of those state laws that have notification requirements or \nsecurity requirements; so while it might be contrary to \nnational thinking, having a national standard that applies to \nlarge enterprises, as well as small enterprises, is important.\n    You might be tempted to, if you will, delay bringing \nsmall enterprises into compliance with such a law. I would urge \nyou not to do so, that you support a national law right up front \nbecause if you delay the exemption, you are still going to be \nleft with having to comply with the state laws that are on the \nbooks.\n    What will be important in any national law that is passed \nis obviously preemption, that it preempts all of the state laws \nthat are in place, that the security measures that are put in \nplace are strong, and as the data breach yesterday brings to \nlight with 26.5 million names coming out or potentially exposed \nto identity theft, that we use encryption, not that the \ngovernment must mandate the adoption of encryption, but \nencryption as the best practice.\n    We are pleased to note that several of the bills on the \nHill include encryption related provisions, in other words, as \na best practice. We would urge that Congress swiftly move \nforward to pass a bill this year that includes reasonable \nsecurity measures, preemption of state law with a risk based \nnotification threshold and voluntary encryption measures.\n    Before I close, in the last 30 seconds I also want to note \nthat the Executive Branch can take action as well. The Small \nBusiness Administration can do more. That is not to say that \nthey have not done anything, but they can show a leadership \nrole. 
They can form an advisory committee comprised of people \nfrom small businesses and others in the security industry and \nthe private sector to advise SBA on where the gaps are and \nwhere the problems are.\n    They can also initiate a survey among small businesses to \nunderstand what their problems are, specifically what is \ninherent to exactly their problems.\n    And the final area that I would highlight that they can do \nis just as you started: more outreach. Engage in those local \noutreach efforts, those town halls across the country. They have \ndone some very valuable work with InfraGard already. InfraGard \nhas chapters across the United States. They are built in. SBA \nwith a new office could engage InfraGard more thoroughly and \nmuch more could be done.\n    And I will close. Thank you.\n    [Mr. Kurtz's testimony may be found in the appendix.]\n    Chairman Akin. Thank you, Paul.\n    I think that your comments were helpful, particularly in \nthat you were quite specific about some things that need to be \ndone. I appreciate that.\n    Lisa Sotto is a partner with Hunton & Williams, LLP from \nNew York, and I think noted as one of the foremost experts on \ndata security. We are just delighted to have you here, Lisa.\n\n         STATEMENT OF LISA SOTTO, HUNTON & WILLIAMS LLP\n\n    Ms. Sotto. Thank you very much, sir.\n    This morning I will address three topics: first, state \nsecurity breach notification laws; second, information security \nrequirements applicable to U.S. businesses; and, third, my \nrecommendations for a federal security breach notification law.\n    In 2002, California enacted SB 1386. It is because of this \nlaw that we know of the many information security breaches that \nhave occurred during the past several years. 
The law requires \norganizations that own or license unencrypted computerized \npersonal information about California residents to notify those \nindividuals if the security of their data was compromised.\n    Since the spate of publicized security breaches in 2005, 29 \nother states have passed breach notification laws, and similar \nlegislation is pending in 11 states. While the various state \nbreach laws are similar in many respects, there are significant \ndifferences. In 15 states, for example, there is a harm \nthreshold for notification. An entity that suffers a breach is \nnot required to notify individuals if the entity determines \nthat there has been no misuse of the information.\n    Another difference is in the definition of personal \ninformation. Typically personal information is defined in these \nlaws as an individual's name plus Social Security number, \ndriver's license number, state ID card number or credit/debit \nor financial account number.\n    In some states the definition is broader, for example, \nincluding date of birth. While most state breach laws cover \nonly computerized data, some state laws also cover information \nin hard copy paper format.\n    Some state breach laws contain additional notification \nrequirements, like the requirement to notify state agencies or \ncredit reporting agencies of a breach.\n    Needless to say, the variations in the 30 state laws make \ncompliance on a nationwide basis a complex matter.\n    I will now briefly outline the information security \nrequirements applicable to U.S. businesses. First, Gramm-Leach-\nBliley Act's safeguards rule requires that financial \ninstitutions maintain a comprehensive written information \nsecurity program that contains administrative, technical, and \nphysical safeguards to protect customer information. 
These \nsafeguards should be appropriate to the size and complexity of \nthe entity, the nature and scope of the entity's activities, \nand the sensitivity of the customer information.\n    Another law that requires a formal comprehensive \ninformation security program is HIPAA. Like GLB, HIPAA adopts a \nflexible, scalable approach to information security. In \ndeciding which security measures to use, a covered entity must \ntake into account its size and complexity, its technical \ninfrastructure, cost, and the probability of potential risks to \nthe data.\n    A third information security requirement is found in \nCalifornia's AB 1950 and its state analogues. AB 1950 requires \nbusinesses that own or license personal information about \nCalifornia residents to implement reasonable security \nprocedures to protect the information from unauthorized access.\n    Pursuant to the Fair and Accurate Credit Transactions Act, \nthe FTC promulgated a rule in 2004 that requires businesses to \ntake reasonable steps to guard against unauthorized access to \nconsumer report information in connection with its disposal. \nSeveral states have even broader data disposition laws.\n    In addition, other laws create security obligations \nindirectly. For example, the FTC has applied Section 5 of the \nFTC Act to sanction what it believes to be inadequate security \nas an unfair business practice. Given the panoply of breach \nnotification laws and information security requirements, a \nfederal law that would preempt similar state laws is critical. \nBecause data often flows beyond state boundaries, a federal law \nwould ensure that personal information is subject to security \nrequirements that are uniform throughout the nation and that \naffected residents of every state would be notified of a \nbreach.\n    Such a federal law should require businesses that store \nsensitive consumer data to maintain reasonable security \nprocedures to safeguard that data. 
With respect to breach \nnotification requirements, I would advocate use of the \nCalifornia definition of personal information rather than an \nexpanded definition. The California definition is narrowly \ncrafted to include only information most commonly used by \nfraudsters to commit ID theft.\n    Since the purpose of breach notification is to inform \nindividuals of events that might cause them harm, there is no \nneed to expand the definition.\n    In addition, any federal law should contain a harm \nthreshold requiring notification only if there is real risk of \nharm.\n    Finally, I would suggest that any federal law focus on \ncomputerized data. Only information maintained in electronic \nformat could be subject to the high volume of harm these laws \nare specifically intended to combat.\n    With that I will end, and I would be glad to answer any \nquestions. Thank you.\n    [Ms. Sotto's testimony may be found in the appendix.]\n    Chairman Akin. Thank you, Lisa, and I appreciate your \ncomments.\n    And next is Mark MacCarthy, Senior Vice President, Public \nPolicy, with Visa U.S.A. from Washington, D.C.\n    Mark, thank you.\n\n         STATEMENT OF MARK MacCARTHY, VISA U.S.A., INC.\n\n    Mr. MacCarthy. Thank you very much, Chairman Akin.\n    Visa appreciates the opportunity to testify at today's \nhearing on the important issue of information security in small \nbusinesses.\n    Visa is a leading consumer payment system and plays a \npivotal role in the development of new payment technologies and \nservices, including initiatives for protecting personal \ninformation and preventing identity theft and other kinds of \nfraud.\n    Visa commends the Subcommittee for focusing on the issue of \ninformation security and the incentives for small businesses to \nprovide increased information security practices. Visa has long \nrecognized the importance of strict procedures to protect \ncardholder information. 
Cardholder security is never just an \nafterthought at Visa. For Visa it is about trust. Our goal is \nto prevent fraud from taking place in the first place.\n    This commitment to fighting fraud includes Visa's zero \nliability policy. This protects Visa's cardholders from any \nliability for fraudulent purchases. Because the financial \ninstitutions that are Visa members do not impose losses for \nfraudulent transactions on the cardholders, these institutions \nincur costs when fraudulent transactions take place. These \ncosts are primarily in the form of direct dollar losses, but \nthey also include card replacement costs, fraud monitoring \ncosts, and incremental customer service costs.\n    Typically fraud losses are borne by the card issuer. \nHowever, rarely, if the merchant fails to follow proper \nauthorization procedures for face-to-face transactions, these \ncosts may be passed back to the acquiring bank or to the \nmerchant.\n    For Internet, telephone, and mail order transactions, \nmerchants are generally responsible for unauthorized \ntransactions. However, Visa provides merchants with a number of \ntools to prevent fraud, and by using one of those fraud tools \ncalled ``Verified by Visa,'' merchants can shift these fraud \nlosses back to the card issuing bank.\n    Visa has implemented a comprehensive and aggressive \ncustomer information security program. It is called the \nCardholder Information Security Program, CISP. This security \nprogram applies to all entities, including telephone orders, \nInternet, and brick and mortar, whether operating through the \nInternet or through any other channel of commerce. 
It includes \nnot only data security standards, but also provisions for \nmonitoring compliance and sanctions for failure to comply.\n    Visa has been able to integrate CISP into the common set of \ndata security requirements that are used by all of the credit \ncard companies, which is known as the Payment Card Industry \nData Security Standard, or the PCI standard.\n    Visa also provides sophisticated neural networks that flag \nunusual spending patterns for fraud, and these neural networks \nenable our members to block transactions where fraud is \nsuspected. When cardholder information is compromised, Visa \nnotifies the issuing financial institution and puts the \naffected card numbers on a special monitoring status. If Visa \ndetects any unusual activity in these cards, we again notify \nthe issuers, and they begin a process of investigation and \nevaluation to determine the need for any card reissuance.\n    In addition to CISP and these neural networks, Visa has \nimplemented a variety of additional security measures that are \ndesigned to detect and prevent fraudulent transactions. Visa's \naddress verification service matches shipping and billing \naddresses. Visa maintains an exception file comprised of \naccount numbers of lost or stolen cards, and we check account \nnumbers against this exception file at the time of a \ntransaction.\n    We have a card verification value, which is a unique three-\ndigit value that is in the magnetic stripe of every single \ncredit card and debit card. It ensures that a valid card is \npresent when you have a face-to-face transaction.\n    The CVV2 is a unique three-digit code on the back of the \ncredit card. 
It helps online merchants and telephone merchants \nverify that the card is really in the possession of the person \nwho is conducting the transaction.\n    And Verified by Visa, which I mentioned before, allows \nmerchants to avoid charge-back costs by having cardholders \nauthenticate themselves while they're shopping online.\n    Advanced authorization is a new service that we are \nproviding. It provides an instantaneous analysis of the \npotential for fraud at the time of the transaction itself. As a \nresult of these measures, fraud within the Visa system is at an \nall time low of five cents for every $100 worth of \ntransactions.\n    In addition, Visa and the U.S. Chamber of Commerce have \nannounced a nationwide data security education campaign that \nwill involve both the payment industry and merchants in the \nfight to protect cardholder data. We believe that everyone who \nis involved in the payment system, Visa, financial \ninstitutions, processors, and merchants, has a shared \nresponsibility to protect cardholder data.\n    On legislation, let me quickly summarize many of the things \nthat Lisa mentioned we are in favor of as well. We do want a \nnational notification standard. It has to be risk based. We do \nbelieve that there should be national requirements for \nreasonable security procedures. We think that there should be \nsufficient flexibility built into those national standards to \nallow for the needs of small business to be accommodated.\n    In particular, we think the size of the business needs to \nbe taken into account whenever a federal agency enforces these \nrules, as well as the nature of the risks involved. That kind \nof flexibility can ensure that small businesses would be \ncovered by the standard, but would be in a position where they \ncould be afforded sufficient flexibility to come into \ncompliance in an appropriate time and fashion.\n    [Mr. MacCarthy's testimony may be found in the appendix.]\n    Chairman Akin. 
Thank you so much, Mark, for your testimony.\n    We have been joined by two of my good friends, Ms. Musgrave \nfrom Colorado to my immediate right, Mr. Sodrel from Indiana.\n    And we have been talking about, in a sense, a balance here \nfor small business regarding the cost of overhead for small \nbusiness relative to the questions of data security, and \nspecifically two things. One is the reporting if you lose some \ndata, and then second of all, what are the procedures you have \nto do to protect your data.\n    We have a total of six witnesses. The witnesses so far are \nmaking a strong case for the fact that a national standard \nwould be helpful because each state has their own different \nseparate rules and it would make it easier for business and \ncommerce to comply with a national standard.\n    Mark, hearing what Visa is doing, and I have a Visa card in \nmy wallet and appreciate it and everything; on the other hand, \nthat does not strike me as small business. I do think about \nsome guy that has got a cleaners or whatever it happens to be, \nthe local store corner, and he needs a data security officer, \nand he needs a computer system that is approved by this and \nthat. You know, we could just basically kill the poor small \nbusiness guy with some of these rules and regulations. So that \nis a tension.\n    Mr. MacCarthy. Can I comment?\n    Chairman Akin. Yes, you can. This is a question and answer. \nSo go ahead.\n    Mr. MacCarthy. The local dry cleaner, you know, accepts \nVisa cards, but there is a fact about his system which is \nimportant and which limits his exposure to data security \nproblems. 
Most of the small businesses, your local dry cleaner, \nfor example, do not link their point of sale terminal to their \ncash register, and one of the things that means is that they \ntypically do not save the data from the transaction after the \ntransaction has taken place.\n    So they do not have the kind of large cardholder databases \nthat are an attractive target for data hackers. Now, they still \nhave to keep their information secure.\n    Chairman Akin. Could you just clarify that a little bit \nfrom a systems point of view? When I go to the local cleaner \ndown here at the bottom of the Longworth Building, you know, \nthey get your phone number or something or other, but if you \nwant to pay it, I usually pay cash, but if you pay it with a \ncredit card or something, you are saying they do not maintain \nthat credit card number connected with my name?\n    Mr. MacCarthy. They typically do not record that credit \ncard number together with your name. Now, your bank will.\n    Chairman Akin. So in that regard it is almost like a cash \ntype business and, therefore, they would have very little \nliability. Is that what you are saying?\n    Mr. MacCarthy. Yes. The information is typically not stored \nat the merchant level. It moves through the system. The bank \nthat works with the merchant will typically store the \ninformation. The bank that works with you as the cardholder \nwill typically store the information, but the small merchant \ntypically does not.\n    Chairman Akin. Okay.\n    Mr. MacCarthy. Now, if they do save the information, then \nall of the Visa security standards do apply, and as some small \nbusinesses get larger and they move from the small business to \na medium size business, they tend to link their point of sale \nterminal and their cash register, and then they save the \ntransaction information along with the cardholder information.\n    Chairman Akin. This is when those kinds of laws would kick \nin then.\n    Mr. MacCarthy. 
That is when it would kick in. It is at that \nstage. The vast--\n    Chairman Akin. You see, in our congressional office, I am \ngoing to get personal about this. There are people who make \ncontributions to my account using a Visa card, Visa numbers or \nMastercard or whatever it is. What you are saying is as long as \nwe destroy those numbers after that transaction goes through, \nit would not affect us.\n    Mr. MacCarthy. The risks involved for the merchant at that \npoint are minimal, and most of the small businesses in the \ncountry, we have five and a half million merchants, most of \nthose small businesses are not in the position where they save \nthe information after the transaction has taken place.\n    Now, the rules do apply, and if they do become larger, they \nwill have to take the appropriate security steps to make sure \nthe information is kept safe and secure, but we do not think \nthat the burden on the small business that does not save the \ninformation is exorbitant at this point, and we would hope that \nnational information as it moved forward would allow the \nFederal Trade Commission or whatever other national entity is \ninvolved in this sufficient flexibility to say that is a small \nbusiness. The risks are not very large. They do not save the \ninformation. We do not need to have them hire a security \nofficer. We do not need to have them do a security scan every \nyear. They should not have to pay $100,000 for an expensive \nsecurity audit.\n    And our private sector system already allows for that kind \nof flexibility right now.\n    Chairman Akin. And then the other thing I think I heard all \nof you make the comment that the reporting requirement should \nbe proportional to what the level of risk is. 
So if your \ncomputer falls in the ocean when you are going across something \nlike that, you do not need to worry about that particularly, \nwhereas if somebody has come in and literally stolen that \ninformation, then you would have a more onerous reporting \nrequirement.\n    Now, the reporting requirement, so what? I happen to be one \nof those 26 million people in the veterans' thing. Okay? And I \nfind out that they have my name and Social Security number and \nbirthday or whatever it is. What do I do? Does it do me any \ngood to know that somebody stole it? Can I take any precautions \nas a consumer?\n    Mr. Kurtz. Again, may I?\n    Chairman Akin. Whoever wants, yes.\n    Mr. Kurtz. In the first place, I would go back to the point \nthat to me there is a realization that we need to come to in \nour society about the portability of vast amounts of \ninformation, and the need to take security more seriously in \nthe recognized tools that exist today, including encryption. \nThey have a laptop or the disk. The disk involved in the event \ninvolving VA, if it was encrypted, you would not be having the \nflash of news that we have today because VA could report that \ndo not worry; it was stolen, but it is encrypted and the \nchances are incredibly low that--\n    Chairman Akin. Is encryption pretty expensive or not \nreally?\n    Mr. Kurtz. In fact, encryption technologies have changed \nover the past several years. So they are, if you will, more \nseamless and easier to apply. Under the PCI standard, PCI \nstandard that Mark made reference to, they encourage encryption \nas well. I think if we were to ask this question of ourselves, \nyou know, four or five years ago, it would be more difficult. \nIt would have been difficult to implement.\n    To answer your question more specifically about, you know, \nall right, so I am notified; how does that help me? 
Well, one, \nyou know, it allows you to at least understand and to look into \nyour credit report, and now as a citizen you are entitled to \nfree access to your credit report, I believe it is, once or \ntwice a year. So you can at least put a flag out and look at \nyour financial statements more clearly than you would in the \npast.\n    There are also other services that are out there. The \npeople that organizations are supplying that help with ID theft \nassistance that come with home mortgages and all of those kinds \nof things. So the market is, if you will, coming to the problem \nand providing solutions for people and providing guidance.\n    And the final point I would make is, you know, \norganizations like the National Cyber Security Alliance who I \nbelieve testified here a month or so ago has tips out there for \nwhat people can do if they think they are a victim of identity \ntheft.\n    Chairman Akin. Okay. I have run out of time. I have got to \nfollow my own rules, but we have got time for other questions. \nI think, Mr. Sodrel, you were here first and slightly edged out \nMs. Musgrave, yes, if you would like to proceed.\n    Mr. Sodrel. Thank you, Mr. Chairman.\n    Mark, you were saying that if the law was sufficiently \nflexible, it would give the regulators an opportunity not to \nregulate. It has been my experience that bureaucrats have a \ntendency to err on the side of more regulation, not less \nregulation. It is called job security, you know, more people, \nmore budget, bigger building.\n    So I would probably be inclined to work something that is \nrelatively inflexible so that they do not have that opportunity \nto grow their business, if you will, and the business of \nregulating. I mean, I do not want small business to be put at \nthe whim, if you will, of a regulator by passing something that \nhas enough elasticity that they can overreach. 
So I would like \nto think in terms of how do we prevent over regulation.\n    If you have any comments along those lines because I think \nthat is a bigger risk than not enough regulation.\n    Mr. MacCarthy. There are two ways. If it is the Federal \nTrade Commission, there are a couple of ways in which I think \nthey can be prevented from engaging in over regulation, but, \nfrankly, I think the danger that they would reach down to the \nlocal dry cleaner is pretty minimal.\n    I mean, there are five and a half million merchants out \nthere who accept Visa cards. They cannot go after every one for \ntrivial violations of some rules. What they have done in their \ncurrent actions is they have found the cases where it is large \ncompanies who have clearly violated the most minimal, basic \nsecurity rules. They have not encrypted the data or otherwise \nprotected it. They have saved security codes that they should \nnot have saved. They have not had passwords, they do not \nmonitor their systems. They do not do scans of their systems, \nand they have lost large amounts of data and millions of people \nhave been adversely affected.\n    They focused their scarce resources on those kind of cases. \nSo I think that should continue, and if there are any questions \nabout the overreaching of their authority to affect small \nbusinesses in a way that does not make any sense from the \npublic point of view, then I think there are two ways of \ngetting at them. One is oversight hearings. I mean, the \ncommittees that have authority over these people should bring \nthem in and say, ``What are you doing? Why don't you do a \nbetter job of administrating your own scarce resources?''\n    And the other is the Appropriations Committee where you can \nsay to them, you know, if you want to spend money on this stuff \nin this area, spend it on places where the risks are real and \nnot on the areas where the risks are minimal. 
My sense is that \nyou have to write it into the national standard that they have \nto take into account the size of the business and the nature of \nthe risks. That has got to be in the national standard, and \nthat gives you enough statutory flexibility to go after them in \nan oversight sense to make sure they do not overreach.\n    Ms. Sotto. If I can add to Mark's comments, traditionally \nwe have seen in privacy and security legislation in this \ncountry a requirement that standards are flexible and scalable \nto the size and the complexity of the entity and the \nsensitivity of the data that the entity maintains.\n    The FTC and HHS in enacting regulations under GLB and HIPAA \nhave been very careful to make sure that they're not imposing \nspecific security requirements on an entity, but are in fact \nasking the entity to assess its own systems and determine what \nis right for that size of entity given the data that is \nmaintained.\n    I would expect that same sort of standard would follow in a \nnew law.\n    Mr. Kurtz. I do not disagree with any of what has been said \nby the panelists. I think when you talk about how a statute is \neventually crafted, one other point I would just add to the mix \nto keep in mind is that technology is changing so swiftly today \nthat you want to build flexibility into the statute that allows \ntechnology to change because if you are too specific, then we \nhave new means available to people in order to secure \nthemselves. Then if it is stuck in statute, then that inhibits \ninnovation. It inhibits flexibility of small businesses even to \nperhaps deploy more efficient and cost effective security \ntechnologies for companies in the future.\n    Mr. Sodrel. Thank you, Mr. Chairman.\n    Chairman Akin. Thank you. Good questions.\n    Marilyn, have you got a question?\n    Ms. Musgrave. Well, I apologize that I have not been here \nfor the entire testimony. 
Could someone give me an idea when we \ntalk about national standards? You know, we talk about how \nstates vary, and I would like to hear some examples of where \nyou think states have gone too far. Whether you name the state \nor not, I do not care, but in trying to find that happy medium \nwhen we are at a time where people have a very heightened \nconcern about identity theft.\n     The Chairman mentioned, you know, the story about the \nveterans today. You know, in Colorado there was the Department \nof Motor Vehicle issue where, you know, information was sold. \nPeople were just incredulous, very angry.\n    So tell me when a consumer advocate group would look at \nthis situation what would be a national standard that you think \nwould be appropriate or national standards that would be \nappropriate?\n    Ms. Sotto. If I may, some of the distinctions are \nproblematic. I represent companies that need to notify \nindividuals when they have breaches, and a breach, by the way, \ncould mean a stolen laptop. It could mean a laptop stolen from \na home that has been burglarized, as has happened recently, \nyesterday. It was reported yesterday with respect to the VA.\n    A couple of distinctions that make it difficult to \ndetermine how to comply on a nationwide basis. First, the \ndefinition of personal information varies from state to state. \nThere is a typical definition that follows the California \ndefinition, but there are a few states that include items like \ndate of birth, and I can tell you that it is very difficult to \nsteal somebody's identity with their name and date of birth, \nand in fact, that is very much public record information.\n    Other states include employee ID number, not meaningful \nwhen it comes to stealing somebody's identity, and by the way, \nwhen we talk about identity theft, that is a very broad range. 
\nIt can mean account fraud where you get into somebody's \nfinancial information either through their bank account or \ncredit card and do an unauthorized transaction or it can mean \nactually stealing somebody else's identity, taking the place of \nthat person and taking out a loan, for example, or mortgage. So \nthat is a very broad term.\n    Other distinctions. In some states you need to report to \nstate agencies about the breach. So you have to deal with some \nstates on a very specific and robust level. Other states could \nnot care less about reporting specifically to them.\n    Another difference is that some states contain a specific \nnumber of days by which you need to notify individuals. That is \na very difficult standard to meet when you are continuing to \ninvestigate and you cannot even quite pin down what happened.\n    So these distinctions make it very difficult when you are \nnotified of a breach to figure out exactly how to comply with \nall 30, and it would really be enormously helpful to businesses \nof any size to have a national standard, and it would be very \nhelpful, I think, to consumers as well, who would not be \nsubject to the vagaries of these various state laws.\n    Ms. Musgrave. Thank you very much.\n    Either one of you gentlemen like to comment on that?\n     Mr. MacCarthy. Let me just jump in. I do think the reason \nto have a national standard has been explained by Lisa in \npretty comprehensive terms. We support that.\n    The one item I would like to emphasize is this difference \nbetween account fraud and ID theft that she mentioned. In the \nVA incident, the Social Security number was taken. The name was \ntaken. 
I do not think the address was taken, but I am not sure \nof that, and I do not know all of the details, but the risk \nthere when your Social Security number, your name, your \naddress, your date of birth, if all of that information has \nbeen compromised, the risk there is that someone can become \nyou, can open up a cell phone account in your name or a bank \naccount in your name or get a credit card in your name. They \ncan become you and unbeknownst to you run up enormous amounts \nof debt in your name, which then will be reported to a credit \nbureau and you are going to have trouble clearing that up. That \nis a substantial risk.\n    When data is compromised from one of these cardholder \ndatabases which I talked about before, typically they get the \ncardholder number, the 16 digit number in the case of the Visa \ncard. They probably get the expiration date, and they will also \nget the security code that allows them to make a counterfeit \ncard.\n    With that they cannot become you. They cannot open up a new \naccount in your name. What they can do is commit fraud, and so \nthe risk there is not that someone will become you and open up \nan account to cause you indefinitely financial harm. The risk \nthere is that someone will use your card to commit fraud.\n    We have zero liability. So the cardholder is protected in \nthat circumstance. So what does this mean for policy? It means \nthat in one case you might think carefully about the need to \nnotify individuals that there is a problem and encourage them \nto do things like under federal law they have a right to put a \nfraud alert on their credit bureau account when they think that \nthey have been a victim of identity theft. 
That is already in \nfederal law, and probably they should do something like that to \nmake sure that the people who use those credit bureaus know \nthat there might be a problem here.\n    In the case of account fraud, our neural networks will \nfind that before they even know what is going on, will stop the \ntransactions associated with that card, reissue a new card. \nThat is not a good thing for the consumer. It is a bad thing, \nbut it is a different kind of bad thing than full identity \ntheft.\n    Chairman Akin. Those were good questions, Marilyn, and \nthank you for clarifying the distinction there because that is \na question I had as we were going into this hearing. You know \nexactly what they are going to do with that data and what the \nuses are of it.\n    I assume the most common thing is to just rip somebody off, \nover the phone, give them a credit card number and buy a bunch \nof stuff, simple theft. Whereas you start getting more \nsophisticated when you go out and take a loan for a house or \nsomething.\n    Okay. We have got two panels. We have got three more \nwitnesses. So I think what we will need to do is to move on to \nthe next three witnesses.\n    Thank you, Paul, Lisa, and Mark, for joining us. If you \nwould like to stick around, that would be good. Sometimes the \nmembers want to talk after the hearing, but I would like to \nkind of keep things on schedule.\n    Our next witness I believe is Tomas Lenard, Vice President \nfor Research for the Progress & Freedom Foundation, Washington, \nD.C.\n    And, Tomas, I think we are going to get the new placards up \nthere. We will go ahead with the same set of rules. You have \ngot five minutes, and then we'll proceed to the other two \nwitnesses and do questions.\n\n  STATEMENT OF TOMAS M. LENARD, PROGRESS & FREEDOM FOUNDATION\n\n    Mr. Lenard. Thank you very much, Chairman Akin. 
Thanks for \nthe opportunity to testify today.\n    I am Senior Vice President for Research at the Progress and \nFreedom Foundation, and our mission at PFF is to study public \npolicy issues that affect the information economy, and data \nsecurity is surely one of the most important of those.\n    As has been mentioned earlier today, there are about 30 \nstates now with data security laws and federal bills are moving \nthrough both houses of Congress. These new regulatory programs, \nlike regulatory programs generally, should in my view be \nevaluated by weighing their benefits as against their costs.\n    To illustrate the benefit-cost approach to these issues, \nthe testimony that I have submitted briefly summarizes an \neconomic analysis of notification requirements for data \nsecurity breaches that I recently did with Paul Rubin who is a \nprofessor of law and economics at Emory University, as well as \nan adjunct of PFF Fellow, and I have attached that to my \ntestimony.\n    Very briefly, the major conclusions of the study are, \nfirst, that the annual cost of identity theft and related \nfrauds are primarily borne by businesses, which gives them \nstrong incentives to spend money on data security, and I think \nthat was indicated by Mr. MacCarthy's testimony.\n    Second, the expected benefits to consumers of the \nnotification requirement are extremely small and likely to be \noutweighed by the costs.\n    And because the notification mandate is dubious on benefit-\ncost plans, it should be targeted carefully.\n    And finally, federal preemption of state notification laws \nwill reduce compliance costs and improve the benefit cost \nbalance.\n    The effect of data security regulations on small businesses \nshould be an important part of the benefit-cost calculus. 
These \nregulations impose a per unit burden that is generally \ninversely related to the size of the company, which means that \nit is less likely that they will pass a benefit cost test when \nthey are applied to small firms.\n    In addition, the added cost could have an adverse effect on \ncompetition because they make it more difficult for firms to \nenter markets in which the use of personal information is \nimportant.\n    There are a number of ways in which data security \nregulation disproportionately affects small firms. First, the \nrequirement to establish a data security program involves \ncosts, for example, specialized computer and legal expertise \nthat are likely to be relatively invariant with the size of the \nfirm and, therefore, higher per unit of output for small than \nfor large firms.\n    Second, establishing a safe harbor, for example, for \ncompanies that encrypt their data is also likely to disfavor \nsmall businesses because encryption is often quite expensive \nand its costs may not be sensitive to firm size.\n    Third, many of the costs of a notification program are also \nlikely to be relatively fixed. Costs of some methods of \nnotification, for example, posting a notice on the company's \nwebsite or using the mass media may be totally invariant with \nrespect to the size of the breach, and this bias against small \nbusinesses is exacerbated by provisions that allow alternative \nnotice if individual notice exceeds a size trigger.\n    And, fourth, without federal preemption, companies must \nfamiliarize themselves with numerous different state laws to \nmake sure that they are in compliance, and the costs of this \nalso do not vary much with firm size. 
So federal preemption, if \nenacted, will eliminate these costs and work to the advantage \nof small firms.\n    Finally, it is important to note that any regulation of the \ninformation sector that raises the costs of targeted \nadvertising and obtaining accurate customer lists has a greater \nadverse effect on new entrants and small firms than it does on \nlarge, established firms. Established firms have lists of their \nown customers and visitors to their websites, but new firms \nmust purchase such lists. As long as there is a healthy, robust \nmarket for customer lists and other such information, entrants \ncan begin competing relatively easily.\n    All of this does not imply that data security regulations \nare necessarily a bad thing, but what I want to emphasize is \nthe need to subject them to rigorous benefit-cost analysis to \nassure that if they are adopted their benefits will be \nsufficient to outweigh their costs.\n    Thank you.\n    [Mr. Lenard's testimony may be found in the appendix.]\n    Chairman Akin. Thank you very much for your testimony \nthere, Tomas.\n    Our next witness is Steve DelBianco; is that correct?\n    Mr. DelBianco. DelBianco.\n    Chairman Akin. DelBianco. Okay.\n    And, Steve, you are the Vice President of Public Policy for \nthe Association of Competitive Technology from Washington, \nD.C.; is that correct?\n    Mr. DelBianco. Yes, it is, Mr. Chairman.\n    Chairman Akin. Okay, and you know the drill and what the \nlittle lights indicate. When you get to the second one, that's \na 30 second mark, right? Okay. Proceed, please, Steve.\n\n   STATEMENT OF STEVE DELBIANCO, ASSOCIATION FOR COMPETITIVE \n                           TECHNOLOGY\n\n    Mr. DelBianco. 
Chairman Akin, members of the Subcommittee, \nthank you for discussing the impact of data security threats \nand the impact of data security regulation on small business.\n    ACT, our group, is an advocacy group of more than 3,000 \ntech firms, small tech firms and E-commerce businesses, \nincluding many who handle the sensitive financial data \nassociated with billing applications, but also those who handle \npayroll application. It is not just about billing customer \ncredit cards. If you handle payroll information, you have got \nSocial Security numbers as well.\n    I am also here before you today after making my own small \nbusiness Odyssey. In 1984, I started an IT consulting firm in \nNorthern Virginia, grew it to $20 million and 200 employees, \nand then sold the business before helping to start ACT. So I am \na small business survivor.\n    Mr. Chairman and members of the Committee, I hope that you \nhad a chance to see the new crime series, ``CSI: Identity \nTheft.'' The premier episode featured a gang called shadow \ncrew, and they made a science out of ID theft. They have got \n4,000 gang members around the world working in an online \nmarketplace to trade in stolen credit card, stolen document \ninformation, and personal data.\n    We meet the leader in this first episode who is an American \nbusiness student and a few of his managers, who is a moderator \nwho helps design convincing phishing E-mails to dupe people into \ngiving up their personal information. There is another guy who \ndesigns spyware to get onto people's computers.\n    You meet these reviewers who take a look at the information \nthey have stolen and figure out how they are going to charge \nfor it or how they are going to sell it. 
Everyone on this \nepisode, they talk fast, they move fast because they have got \nto use this stolen credit card information quickly before Visa \nor the card member cancels the credit card account.\n    Then in this episode they cut to a nighttime scene in \ndowntown Washington where Secret Service agents are conducting \na sophisticated surveillance of a gang member meeting. Well, \nthe chief agent gives the go order and armed agents break down \nthe doors, encounter some weapons. One of the perpetrators \nleaps out of the second story window only to be caught by an \nagent on the ground.\n    Well, as the credits roll in that first episode, you hear \nthe narrator say, ``The events you have seen are true,'' \nbecause this shadow crew bust really happened in October of \n2004. The episode reminds us of something we have all lost \nsight of, I believe; that if a laptop is left in an airport or \nI leave one of these in the laundry, no ID theft has yet been \ncommitted. It takes a thief to commit identity theft. By using \nyour card and fraudulently you're opening new credit accounts \nin your name. ID theft already has multiple victims, the \nconsumers who have to go through great drama to get their \ncredit cleared in the case of bad account, retailers and \nlenders. We heard Mark MacCarthy talk about the burdens on \nthem, and the businesses who are pilloried for being sloppy \nwith the data or, in the case of a disgruntled employee, takes \noff with a Rolodex. The business still is going to be pilloried \nfor not having security provisions in place.\n    I would encourage you, please, let's not create a new set \nof victims by piling heavy regulation onto the backs of small \nbusiness. Everyone knows, as Dr. 
Lenard said, that fixed costs \ndisproportionately impacts small business, but there are some \nmore subtle ways that small business is vulnerable, I think, to \nthe regulation we're considering today.\n    One is that an owner's attention is stretched so thin. I \nwas always far too busy fighting fires to spend any time \npreventing fires, although today you can bet that small \nbusiness owners around the country are asking all of their \nemployees what kind of data is on that laptop they take home. \nSo fortunately they are paying attention to it today.\n    It is also very rare, as Dr. Lenard said, for a small \nbusiness to have any in-house expertise in legal and IT \nsecurity, and that means it is very difficult for them to \nsolicit, select, and then manage IT vendors and outsource \nvendors to get the security implemented.\n    As this Committee well knows, this makes compliance awfully \nexpensive for small business, as we saw in the case of \nSarbanes-Oxley. I'm not as convinced as my fellow panelists \ntoday that we absolutely need new data protection regulation in \norder to make small business care about security, and I'm not \nactually convinced that that would actually reduce the \nincidence of ID theft.\n    But I am clear regulation is coming. You can feel the \nmomentum coming, and there are some good reasons. Consumers can \ntake measures to protect themselves if they receive notice of a \nbreach just like we discussed with the Chairman, and also since \nstates have created a patchwork of notice laws, we have got to \nhave preemption for reasons others have discussed.\n    But Congress is looking not just at notice preemption. \nThey're also eager to expand the data protection requirements, \nand that has made this a two-part discussion today. It's not \njust notice. 
It is data protection.\n    Now, the anticipated legislation could expand it to \nbusinesses that aren't even covered today, businesses that use \nany information for interstate commerce. Now, in regulating \ndata protection flexibility is always better than a \nprescriptive solution, but flexibility does not mean that it is \noptional. A small business will not know where they are in \nterms of security unless they hire a consultant and pay for an \nassessment, and they probably cannot understand where they need \nto arrive even in a flexible standard because there is a range \nof different risk mitigation levels you can arrive at.\n    Small businesses, what they need are road maps. We need \nroad maps to get from where we are to where we need to be under \na flexible standard. Regulators should evaluate best practices \nin industry to decide which road maps can work for a small \nbusiness. We could look to currently regulated industry for \nbest practices, such as Mark MacCarthy described with the PCI \ndata standard, and we can look to IT vendor, members of my \ngroup and Paul's group, to come up with best vendor solutions.\n    In closing, Mr. Chairman, I would say please remember who \nare the real criminals behind identity theft, and please don't \noverburden small businesses. Perhaps it is best to come right \nout of the gate with the kind of small business protection that \nwas being considered down the stretch on Sarbanes-Oxley, and \nthat is please consider giving small businesses a delayed \nimplementation date for new data protection laws.\n    Go ahead and preempt notice immediately, but give a delay \non data protection laws. Until there are enough approved road \nmaps in place to get us from where we are to where we need to \nbe.\n    Thank you, and I look forward to your questions.\n    [Mr. DelBianco's testimony may be found in the appendix.]\n    Chairman Akin. 
Thank you very much, and I appreciate your \nperspective, Steve, as the guy who started your own business \nthat way. The things that you articulated are very much the \nconcerns of this Committee.\n    There are other committees that are working on these bills, \nbut we're particularly concerned with the regulation's effect \non small businesses.\n    We have been joined also by my good friend Congressman \nWestmoreland from Georgia. Welcome, and this is our second \npanel. We have one more testimony and then we will get around \nto some questions.\n    Our last witness is Harry Dinham, President-elect, National \nAssociation of Mortgage Brokers, Washington, D.C.\n    Harry, welcome to the hearing.\n\n  STATEMENT OF HARRY DINHAM, NATIONAL ASSOCIATION OF MORTGAGE \n                            BROKERS\n\n    Mr. Dinham. Thank you, Mr. Chairman.\n    Thank you for inviting NAMB to testify today on the \npotential burdens placed on small businesses by proposed data \nsecurity legislation. As the voice of mortgage brokers NAMB \nspeaks on behalf of more than 25,000 members in all 50 states.\n    Identity theft remains one of the fastest growing crimes in \nAmerica. Clearly, efforts to protect against identity theft are \nnecessary and we commend Congress for taking action on this \nissue.\n    Equally important, however, is the awareness that proposed \nmeasures should not result in unintended harm to small \nbusinesses of America. I would like to discuss the lack of \nuniformity and clarity caused by the current patchwork of laws, \ncredit freeze provisions, and the time and cost burdens placed \non small businesses by any final monitoring provisions.\n    Today at least 30 states have enacted security breach \nnotification laws. These multiple state laws create a \nregulatory framework that is unduly burdensome, costly and \ncomplicated for mortgage brokers that have limited resources \nand time, especially for those who operate in tri-state areas. 
\nNAMB believes that a uniform national standard will help small \nbusinesses protect their consumers' sensitive personal \ninformation effectively in a cost efficient manner.\n    Adding to the issues raised by this patchwork of state \nsecurity breach laws is the recent trend of enabling consumers \nto lock their credit files, often referred to as credit freeze \nlaws. Credit freeze laws are especially burdensome to small \nbusinesses. A credit freeze eliminates any point of sale \ntransaction because it can take as many as three days to remove \nthe freeze once the consumer has notified the consumer \nreporting agency to thaw the file.\n    Proposed legislation should not include a credit freeze \nprovision because it inhibits small business mortgage brokers \nfrom accessing borrowers' credit report in time sensitive \ntransactions. Moreover, an unintended consequence with these \ncredit freeze laws is that small businesses are placed at a \ncompetitive disadvantage compared to financial institutions \nwhere the consumers have preexisting accounts. This is because \npreexisting business relationships are exempt from credit \nfreeze.\n    For example, the mortgage division of a bank that the \nconsumer already has a relationship with can still access the \nconsumer's credit file. This preexisting business relation \nexemption inhibits comparison shopping and reduces competition \nby limiting consumer choice to their existing bank.\n    Lastly, proposed legislation should not require small \nbusinesses to offer file monitoring. NAMB supports legislative \nproposals that would permit functional regulatory agency to \nexempt small businesses in a fair manner while at the same time \nprotecting consumer interest. 
To aid the agency, Congress \nshould incorporate statutory factors or guidelines that must be \nconsidered by the agency.\n    For example, the legislation can provide an \nexemption from the file monitoring requirement for mortgage \nbrokers that are under a certain size or have a limited volume of \nloans per year. At a minimum, NAMB recommends that file \nmonitoring services be provided only if the consumer has \nalready exercised their right to obtain their free credit \nreport from each credit reporting agency for the calendar year.\n    Congress should also provide regulatory authority to place \nprice caps on the fees that small business mortgage brokers \nmust pay to provide the service. In short, any proposed file \nmonitoring provisions should be crafted so that they do not \nprove costly and unduly burdensome for small businesses. \nTo do otherwise would only increase consumer costs \nsignificantly.\n     NAMB supports federal legislation that establishes a \nuniform national standard for investigation and notification of \ndata security breaches, but which is cognizant of the time and \ncost limitations that small businesses face.\n    NAMB believes that any proposed legislation must complement \nbut not otherwise duplicate or override existing legislative \nand regulatory schemes that safeguard sensitive consumer \ninformation against identity theft.\n    NAMB looks forward to working with Congress to ensure that \nany such proposed legislation balances the needs of both \nconsumers and small business. NAMB appreciates the opportunity \nto offer our views on the impact current legislative \nproposals may have on small businesses.\n    [Mr. Dinham's testimony may be found in the appendix.]\n    Chairman Akin. Thank you, Harry. I think you are one of the \nfew that brought it in 30 seconds ahead of time. So good job.\n    I have got a question. 
Steve, if you were to take a look at \nfrom a small business point of view, which is a bigger threat, \nthe reporting piece or the procedure piece, from a cost point \nof view for a small business.\n    Mr. DelBianco. Mr. Chairman, by ``reporting'' I think you \nmean the mandatory notice, right? In the case where there is a \nrisk based trigger and there is an opportunity to provide the \nnotice in a way that I am most customarily communicating with \nmy customers, I believe that cost is far less than the \nprocedural requirements for what we have been calling data \nprotection requirements that would be imposed on small \nbusiness.\n    Chairman Akin. I guess it does vary. It probably depends on \nwhat the laws say and also what the situation is because the \nguy that lost the laptop with 26 million people on it, that \nreporting cost is going to be hefty, I would think; is that \ncorrect?\n    Mr. DelBianco. Yes, it would. Most, if not all, of the 29 \nstates that have adopted notice laws though have provisions in \nthere that if the cost or quantity of notice exceeds certain \nthresholds--I think it was half a million dollars in \nCalifornia--that there are alternative means of notification \nthrough public press releases, website announcements, newspaper \npostings.\n    Chairman Akin. So you do not have to literally send direct \nmail to every single person.\n    Mr. DelBianco. You would if the numbers are below the \nthresholds. But when the numbers exceed the thresholds, there \nare alternative forms of notice.\n    Chairman Akin. Okay. One of the issues that receives at \nleast passing attention here in Congress is the question of \nimmigration. If you are trying to establish one of the things \nthat we have passed a bill in the House regarding a prospective \nemployer, what he is supposed to do is to check when somebody \ncomes the Social Security number against the name and the \nbirthday. 
If you have those three things, basically you have \nestablished your identity for the purposes of that bill as a \nlegal immigrant in order to work in this country.\n    What are the key pieces of information that are most \nnecessary to misuse in terms of identity theft? What are the \nkey pieces of data?\n    Mr. DelBianco. Mr. Chairman, as Lisa Sotto has indicated, \nif you got the Social Security number, full name and address \nrecord, you are in probably pretty good shape to begin to open \na cell phone account, a credit account and begin to assume the \nidentity.\n    Chairman Akin. Do you need a birthday or not? Is birthday \ncritical information? No, it is not. If it were critical, we \nwould have an extra panel here.\n    Mr. DelBianco. If it were critical, you could look it up. \nIt is part of the public records.\n    Chairman Akin. Oh, that is right. Yes, because we do those \nautomatic--I mean some politicians do birthday cards to people. \nSo that is all public. That is right. Okay. Yes, so you do not \neven need the birthday. All you have got to do is get Social \nSecurity number and the right name, and then you are in \nbusiness then. Okay. Good.\n    Let's see. Other questions? I think Mr. Sodrel is next.\n    Mr. Sodrel. Well, I am only 16 months out of what I call \nreal life. This is the first public office I have ever held, \nand I spent my life either being on the payroll or making the \npayroll. So I tend to have a little bit different perspective.\n    I do not know if you heard earlier when I talked about \nmission creep. When you build in too much flexibility in the \nlaw, the regulators tend to over regulate. They always want to \nerr on the side of too much regulation rather than too little. \nI watched in our company. In my granddad's time, you had to \nhave a truck and a license plate, and you were in the trucking \nbusiness. 
Now you have to have an EEOC officer, an EPA officer, \nan OSHA officer, an ADA officer and a federal DOT compliance \nofficer, and this officer and that officer, which is not really \npractical for a small business.\n    So I am kind of concerned here that we are going to create \nnow an information security officer in addition to all of the \nother officers for a five-person business. Particularly \nInternet businesses tend to be short on employees, maybe big on \ndata, but small on people.\n    So any suggestion that you have to try to come up with \nsomething that is common sense, you know. I understand \ninterstate commerce is difficult for a business to comply with \n30 state laws. It may be appropriate to have federal preemption \nsince we are in interstate commerce, but we need to do it in a \nfashion that does not overburden small business.\n    I am from Southern Indiana. We often call small business \nyour seed corn. I mean if you follow the string back far enough \nevery business was a small business whether it was Bill Gates \nor Microsoft or Lewis Chevrolet. So we do not want to \ncompletely stifle the growth of small business while we are \ntrying to fix this problem.\n    So if you have got suggestions on how we keep it simple, \nhow we do it in a fashion that makes sense and still small \nbusinesses can still survive, and Sarbanes-Oxley was a good \nexample.\n    Mr. Lenard. I think I agree with everything you said, and I \nthink you do point up kind of a tension there. It seems to me \nyou do want to have some flexibility because you do not want to \nlock in procedures that really may not make sense, you know, \nthat may make people spend a lot of money addressing problems \nwhere, you know, the risk is minimal or use technologies, you \nknow, when they become outdated or when other technologies that \nare better or cheaper.\n    So I think you want to try to do both things. It is a \nchallenge. 
You want to have flexibility to do something that \nreally does make sense, but also, you know, limit the law so \nthat it is not susceptible to regulatory creep of the type that \nyou are concerned about because I think that is very \nlegitimate.\n    I think, you know, the primary rationale at this stage for \npassing a law probably is federal preemption to get one law \nthat you are going to have laws anyway. So you might as well \nhave one, and then to try to put in sensible procedures that \nreally do target, are precisely targeted as possible to address \nthe situations where there is a real risk so that you really \ncan get some benefits out of the law and not spend money where \nthe benefits are minimal.\n    Mr. DelBianco. The Representative is also one who has \nsigned the front of the paycheck before. I can sympathize with \nyour prior life.\n    There are two issues to consider on preemption. The notice \nlaws, the notification requirements, I believe it is a slam \ndunk, Representative, to make that a federal preemption. But on \ndata protection, I think we have to be careful to watch for the \ntrap that you describe, the trap of flexibility coming out of \nCongress, turning into too much regulation by the regulator.\n    But I would point to GLB and the regulation pursuant to it \nas perhaps a better example than ones you have experienced \nbefore. Congress was very flexible in the instructions it gave \nto the FTC on GLB, and FTC, I think, has done an admirable job \nof coming up with equally flexible requirements that business \ncan then meet.\n    However, I want you to be clear. 
Having been in the \nbusiness myself, I know what happens when a vendor, a \nconsultant, a systems integrator has an opportunity to tell a \nbusiness whether and how it is compliant with something that is \nvery flexible, and then after telling the business where your \nrisk lies in your data protection practices, it is then up to \nme to adapt all of your business procedures, the scale of your \noperation and your business model to say, ``Here is a solution \nthat I can deliver for you that will meet the requirements of \nthe law.''\n    Now, a consultant might be inclined as I was to over \nengineer things, but again, both of us are going to be inclined \nto eliminate the risk not just manage the risk, but to \neliminate the risk, and in that sense the solutions become very \nexpensive. So flexibility from Congress to the regulators, \nflexibility from the regulators to industry is all working \npretty well in GLB, but what I believe has happened is that the \nindustry has only begun to deliver solutions that are compliant \nwith that. We need more time for those solutions to be cooked \ndown into road maps and best practices that are affordable and \ndigestible for small businesses.\n    Chairman Akin. I think that was a good set of questions. \nJust before I go to Congressman Musgrave, one of the comments \nthat was made is I do not think the government is going to go \nafter all of those different dry cleaners and small people. You \nknow, the government doesn't have to go after all of them. They \njust have to ream one of them out and they have everybody \nscared to death and adding tremendous overhead to their cost of \noperations.\n    We see numerous examples in Congress. People, our \nconstituents, complain to us about excessive regulation from \nthe federal government and I have seen some really amazing \nexamples. 
I think the recent one was where we have people that \nare building subdivisions in our area, and the drainage ditches \nin the subdivisions are being viewed as navigable waterways. \nWasn't that innovative? I do not know who thought of that, but \nanyway, we have those difficulties.\n    Well, we now have my good friend, Marilyn Musgrave from \nColorado.\n    Ms. Musgrave. I was just looking over the section, Mr. \nChairman, about file monitoring, and you know, certain \npresumptions there that reporting occurs, but then say, you \nknow, that there are bad actors that don't do that, and I'm \nlooking down here and my ears kind of perk up when you talk \nabout price control and asking for more regulatory oversight \nfrom the SBA. So I assume it would fare better there.\n    So you actually want a price cap on what the mortgage \nbroker can be charged for monitoring services. Could you \ncomment on that, please?\n    Mr. Dinham. Well, yes, ma'am. We really feel that, you \nknow, we need to maintain our cost controls because we are in a \nsmall business. One to five people is our normal membership of \nour association, and anything we can do to hold our cost down \nis just a benefit to the consumer because everything that we \nhave to do outside of that is going to add to the cost that we \nare going to have. It is going to be passed on to the consumer \neventually. So anything we can do to control what it is going \nto cost us to do this monitoring would definitely be a benefit \nto the consumer.\n    Ms. Musgrave. Do you think that changes in technology will \naffect the price of the monitoring, the cost of the monitoring?\n    Mr. Dinham. I really do not know that it would change that, \nbut you know, we have just seen things that would start out at \na low price and they tend to edge up as it becomes more and \nmore popular, and that is a real concern to us. We are very \ncost conscious as small business people.\n    Chairman Akin. 
Lisa, you have been kind enough to stay \naround. If you would like to jump in on any of these questions \njust pretend like you are part of the immediate panel if you \nwould like to. If you want to, yes.\n    Ms. Sotto. The cost of credit monitoring actually varies \nquite dramatically depending on the leverage of the company, \nand I have worked with some companies that pay one price and \nother companies that pay a dramatically different price because \nthey are big enough so that they have negotiating power, and \nthey also have more leverage based on the number of enrollees \nwho are anticipated in the credit monitoring.\n    Typically I have found that about five to ten percent of \nthe number of names that have been breached will, in fact, \nenroll in credit monitoring. So the cost that the credit \nbureaus charge for the monitoring tends to be based on the \nvolume and on the leverage that the particular company has with \nthe credit bureau.\n    Ms. Musgrave. That is why I was trying to figure out how a \nprice cap would work. It seems very complicated to me.\n    Thank you.\n    Chairman Akin. Does that conclude your questions?\n    Ms. Musgrave. It does, and thank you, Mr. Chairman.\n    Chairman Akin. Okay. Let's see. I had one more I was just \nthinking of. I am trying to remember what it was.\n    Does it make sense from a passing point of view to do the \nreporting piece of the bill separate from the other part of the \nbill? Does that seem like that it logically fits into two \npieces from a legislative point of view?\n    Mr. DelBianco. Mr. Chairman, I would agree with that \napproach.\n    Mr. Dinham. I would also.\n    Ms. Sotto. Thank you.\n    It is interesting to me that California passed SB 1386 \nbefore AB 1950. It is backwards in a way. 
I think if you pass \nlegislation that requires that you have a security program in \nplace first, you would prevent the need to have notification \nrequirements in at least some measure because if there are \nsecurity fixes in place with respect to a particular database, \nthere is less likelihood that that database will be vulnerable \nto attack and, therefore, less likelihood that you will need \nto, in fact, notify individuals whose data might have been \nbreached.\n    Chairman Akin. I see the logic of what you are saying, but \nit also sounds like the predominance of testimony here this \nmorning was because of the patchwork of various state laws, \nthat there is almost a more practical sense a need for a \nfederal standardization kind of procedure. That almost might be \na simpler question and less expensive question than the second.\n    Ms. Sotto. I think it is simpler, yes, but I don't think it \nreally solves the problem. I think there really is a need for \nfederal legislation. There is a dire need in the breach \nnotification arena because of the patchwork of state laws, but \nI think I am dealing with a company right now that has \nencrypted all of its laptops. So they have done the right \nthing, but prior to encryption, which is, by the way, about \n$100 a laptop depending on the type of encryption technology \nyou use; prior to encryption they had a dozen or so incidents \nof stolen or lost laptops that now need reporting.\n    So after the first one they knew to go ahead and encrypt, \nbut they still had many more. I think if you impose security \nrequirements, then you wouldn't have these multiple incidents \nof breaches that would require notification.\n    Chairman Akin. Well, anybody want a last word on that? \nMaybe Steve.\n    Mr. DelBianco. Thank you, Mr. Chairman. 
While security \nrequirements, if enforced and affordable, would reduce the \nincidence of breaches, you can still be sure breaches would \noccur, and the state patchwork of laws would apply. We are \ndealing with laws that are inconsistent with each other.\n    Illinois, for instance, does not permit the delay of notice \nif you are working with law enforcement. So you might have \nIllinois residents in your database. That means that they have \ngot to know right away, whereas the other states have allowed \nyou to delay while you try to set up a sting operation to catch \nthe bad guys.\n    In the case of New Hampshire, if you missed by a day the \n15-day notice deadline to 1,000 customers, you are liable for a \nmillion dollar private right of action from the plaintiff's \nbar, and that is for a technical failure. We have a lot of \nconcerns and need to solve it in the states right now, and even \nif we had data protection mandates that were followed, things \nhappen. Laptops get lost, and we cannot pass a state patchwork \nof notice laws for much longer.\n    Thank you, Mr. Chairman.\n    Chairman Akin. With that, the hearing is concluded. 
Thank \nyou all very much for your testimony.\n    [Whereupon, at 11:14 a.m., the hearing was adjourned.]\n    [GRAPHIC] [TIFF OMITTED] 28741.001 through 28741.069 (appendix \nimages omitted)\n\n</pre></body></html>\n"