b"<html>\n<title> - IDENTITY THEFT: INNOVATIVE SOLUTIONS FOR AN EVOLVING PROBLEM</title>\n<body><pre>[Senate Hearing 110-62]\n[From the U.S. Government Printing Office]\n\n\n                                                         S. Hrg. 110-62\n \n      IDENTITY THEFT: INNOVATIVE SOLUTIONS FOR AN EVOLVING PROBLEM\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                       SUBCOMMITTEE ON TERRORISM,\n                    TECHNOLOGY AND HOMELAND SECURITY\n\n                                 of the\n\n                       COMMITTEE ON THE JUDICIARY\n                          UNITED STATES SENATE\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             MARCH 21, 2007\n\n                               __________\n\n                          Serial No. J-110-22\n\n                               __________\n\n         Printed for the use of the Committee on the Judiciary\n\n\n                      U.S. GOVERNMENT PRINTING OFFICE\n35-797 PDF                    WASHINGTON  :  2007\n---------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government\nPrinting Office Internet:  bookstore.gpo.gov Phone:  toll free (866)\n512-1800; DC area (202) 512-1800 Fax: (202)512-2250 Mail: Stop SSOP,\nWashington, DC 20402-0001 \n\n                       COMMITTEE ON THE JUDICIARY\n\n                  PATRICK J. LEAHY, Vermont, Chairman\nEDWARD M. KENNEDY, Massachusetts     ARLEN SPECTER, Pennsylvania\nJOSEPH R. BIDEN, Jr., Delaware       ORRIN G. HATCH, Utah\nHERB KOHL, Wisconsin                 CHARLES E. GRASSLEY, Iowa\nDIANNE FEINSTEIN, California         JON KYL, Arizona\nRUSSELL D. FEINGOLD, Wisconsin       JEFF SESSIONS, Alabama\nCHARLES E. 
SCHUMER, New York         LINDSEY O. GRAHAM, South Carolina\nRICHARD J. DURBIN, Illinois          JOHN CORNYN, Texas\nBENJAMIN L. CARDIN, Maryland         SAM BROWNBACK, Kansas\nSHELDON WHITEHOUSE, Rhode Island     TOM COBURN, Oklahoma\n            Bruce A. Cohen, Chief Counsel and Staff Director\n      Michael O'Neill, Republican Chief Counsel and Staff Director\n                                 ------                                \n\n      Subcommittee on Terrorism, Technology and Homeland Security\n\n                 DIANNE FEINSTEIN, California, Chairman\nEDWARD M. KENNEDY, Massachusetts     JON KYL, Arizona\nJOSEPH R. BIDEN, Jr., Delaware       ORRIN G. HATCH, Utah\nHERB KOHL, Wisconsin                 JEFF SESSIONS, Alabama\nCHARLES E. SCHUMER, New York         JOHN CORNYN, Texas\nRICHARD J. DURBIN, Illinois          SAM BROWNBACK, Kansas\nBENJAMIN L. CARDIN, Maryland         TOM COBURN, Oklahoma\n                      Jennifer Duck, Chief Counsel\n               Stephen Higgins, Republican Chief Counsel\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                    STATEMENTS OF COMMITTEE MEMBERS\n\n                                                                   Page\n\nFeinstein, Hon. Dianne, a U.S. Senator from the State of \n  California.....................................................     1\nKennedy, Hon. Edward M., a U.S. Senator from the State of \n  Massachusetts, prepared statement..............................    52\nKyl, Hon. Jon, a U.S. Senator from the State of Arizona..........     3\nLeahy, Hon. Patrick J., a U.S. Senator from the State of Vermont, \n  prepared statement.............................................    
54\n\n                               WITNESSES\n\nDavis, Jim, Associate Vice Chancellor, Information Technology, \n  Chief Information Officer, and Professor of Chemical \n  Engineering, University of California, Los Angeles, Los \n  Angeles, California............................................    15\nHoofnagle, Chris Jay, Senior Staff Attorney, Samuelson Law, \n  Technology & Public Policy Clinic, and Senior Fellow, Berkeley \n  Center for Law and Technology, University of California, \n  Berkeley, Boalt Hall School of Law, Berkeley, California.......    19\nMcNabb, Joanne, Chief, California Office of Privacy Protection, \n  Sacramento, California.........................................    17\nParnes, Lydia B., Director, Bureau of Consumer Protection, \n  Federal Trade Commission, Washington, D.C......................     7\nTenpas, Ronald J., Associate Deputy Attorney General, Department \n  of Justice, Washington, D.C....................................     5\n\n                       SUBMISSIONS FOR THE RECORD\n\nDavis, Jim, Associate Vice Chancellor, Information Technology, \n  Chief Information Officer, and Professor of Chemical \n  Engineering, University of California, Los Angeles, Los \n  Angeles, California, statement and attachments.................    28\nMcNabb, Joanne, Chief, California Office of Privacy Protection, \n  Sacramento, California, statement..............................    55\nMulligan, Deirdre K., Clinical Professor of Law; Director, \n  Samuelson Law, Technology & Public Policy Clinic, Faculty \n  Director, Berkeley Center for Law and Technology, Director, \n  Clinical Program, and Chris Jay Hoofnagle, Senior Staff \n  Attorney, Samuelson Law, Technology & Public Policy Clinic, and \n  Senior Fellow, Berkeley Center for Law and Technology, \n  University of California, Berkeley, Boalt Hall School of Law, \n  Berkeley, California, joint statement..........................    
62\nParnes, Lydia B., Director, Bureau of Consumer Protection, \n  Federal Trade Commission, Washington, D.C., statement..........    87\nTenpas, Ronald J., Associate Deputy Attorney General, Department \n  of Justice, Washington, D.C., statement........................   102\nWatkins, Bill, Chief Executive Officer, Seagate Technology, Inc., \n  Scott's Valley, California, statement..........................   113\n\n\n      IDENTITY THEFT: INNOVATIVE SOLUTIONS FOR AN EVOLVING PROBLEM\n\n                              ----------                              \n\n\n                       WEDNESDAY, MARCH 21, 2007\n\n                                       U.S. Senate,\n        Subcommittee on Terrorism, Technology and Homeland \n                                                  Security,\n                                Committee on the Judiciary,\n                                                   Washington, D.C.\n    The Subcommittee met, pursuant to notice, at 2:37 p.m., in \nroom SD-226, Dirksen Senate Office Building, Hon. Dianne \nFeinstein, Chairman of the Subcommittee, presiding.\n    Present: Senators Feinstein and Kyl.\n\nOPENING STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM \n                    THE STATE OF CALIFORNIA\n\n    Chairman Feinstein. This Subcommittee will come to order. \nSenator Kyl and I have participated in this Subcommittee now \nfor something like 12 years, I think.\n    Senator Kyl. Going on 13.\n    Chairman Feinstein. Going on 13, back and forth. He has \nbeen Chair more than I have, but, of course, I hope to change \nthat record. But we have been able to work very well together \nover these many years, and I appreciate that so much.\n    Today we are going to talk about identity theft. 
Identity \ntheft is a crime that has many, many victims, and all of them \ninnocent consumers that can be victims of a theft when a \ncriminal gets hold of sensitive information like a Social \nSecurity number, a driver's license, then becomes them and \nbuilds up debt in the consumer's name.\n    The victim might not even know about the problem until he \nor she applies for a mortgage or a car loan or a job that \nrequires a background check or finds out their credit is really \nshot. Suddenly, that new house, the new car that is needed for \nthe daily commute, or even the job opportunity is out of reach.\n    It might be less obvious, but businesses are also major \nvictims of identity theft. Under recent estimates, the business \ncommunity loses as much as $48 billion a year in fraudulent \ntransactions that involve stolen identities.\n    And, finally, our economy as a whole suffers from the \nchilling effect of identity theft. People who are worried about \nthe security of their personal data will avoid making purchases \nthat might put that data at risk.\n    Commerce on the Internet is stifled. And when consumers \nhave fewer options for online commerce, there is less of the \ncompetition that fosters innovation and economic success.\n    Since the beginning of 2005, which is just a short time \nago, over 100 million data records containing individuals' most \nsensitive personal financial data, health data, other kinds of \ndata, have been exposed due to data breaches. And that works \nout to about one in every three Americans. It could include the \nmost personal data of many people in this room, and I will bet \nyou do not even know that.\n    Some people whose data has been breached do not know they \nare at risk. Some States require notice to affected individuals \nwhen a breach happens, and others do not.\n    I believe it is really important to ensure that people know \nwhen their data has been exposed. 
The law actually allows \npeople to take steps to protect themselves from identity theft, \nbut that is of no use unless somebody knows they are a \npotential victim or have been a victim. So that is why I \nintroduced the Notification of Risk to Personal Data Act.\n    This legislation would require Federal agencies and \nbusinesses all across the country to give notice of data \nbreaches involving sensitive personal information, unless they \nconcluded--and the Secret Service agrees because they have the \nknow-how--within 10 days that there is no significant risk of \nharm to the people whose data was breached.\n    Today we will talk about why this legislation is needed. We \nwill hear from representatives of the Department of Justice and \nthe Federal Trade Commission, which are leading an Identity \nTheft Task Force that the President created last year.\n    I am very proud that my home State has been a leader in \nthis fight, and the Nation's first State agency devoted to \nprivacy protection actually opened in California in 2001, and \nthe head of that agency is here as a witness today.\n    One of the steps that California took was to enact a law \nthat requires businesses and Government agencies to send people \na notice when their sensitive personal information is acquired \nin a data breach.\n    Because of that notification requirement, in 2005 Senator \nKyl and I learned that over 160,000 records with personal data \nwere accessed in a data breach at a company called ChoicePoint. \nNow, many consumers never even heard of ChoicePoint in 2005, \nlet alone even knew that the company was holding their personal \ndata. Yet on that day over 160,000 people were, in fact, put at \nrisk.\n    More recently, in November of last year, the University of \nCalifornia at Los Angeles discovered that a computer hacker had \naccessed the personal records of up to 800,000 faculty, staff, \nstudents, and applicants. Now, UCLA fortunately did the right \nthing. 
They sent notices to everyone that was affected, so we \nknow it can be done. The University also set up a toll-free \nhotline for the affected individuals to get more information. \nAn official from UCLA is here as a witness to describe the \nUniversity's experience and show why it is important to give \nnotice of breaches.\n    Last year, the Federal Trade Commission received 250,000 \ncomplaints of identity theft. And even though California is a \nlongtime leader in the fight against this crime, five of the \nten cities with the highest number of complaints per capita \nwere in California.\n    The problem of identity theft is persistent, and it is not \ngoing to be solved without a strong effort from Congress and \nfrom all those who investigate and prosecute identity thieves.\n    Now, my bill in the last session, Senator Kyl, was included \nas part of the Specter-Leahy bill on identity theft. It did not \ngo anywhere. I wanted to break just this data breach part free \nfrom the bigger bill and get it passed so people could be \nnotified.\n    This year the bigger bill was introduced with some changes \nthat are problematic, and, therefore, it is stalled. So I have \nreintroduced this bill separately with the hope that we could \nat least move this bill so that people whose information was at \nrisk could at least be notified. I think it is pretty much \nbasic and simple, but hopefully we will be able to move it \nshortly.\n    I would like to turn it over to you now for any comment you \nwould like to make, and then I will introduce the panels.\n\n  STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE STATE OF \n                            ARIZONA\n\n    Senator Kyl. Thank you very much. Senator Feinstein, thank \nyou for calling this hearing and really for years of hard work \nin helping to lead the effort to deal with identity theft. 
Much \nof the legislation that Congress has enacted is due to your \ninitiative and work that we have done here in this \nSubcommittee. In fact, I had my staff check. We have held eight \nhearings in the last 9 years in this Subcommittee on the \nsubject of identity theft and financial privacy and security \nfor our citizens, and a lot of the information that has come \nfrom the hearings has resulted in legislative activity.\n    As Senator Feinstein noted, identity theft is one of the \nfastest-growing crimes, not just in America but in the world. \nAccording to an article in the Baltimore Sun, identity theft-\nrelated crime cost business and individuals--almost the same \nnumber you had--nearly $50 billion in 2006 and an estimated 8.4 \nmillion Americans were victims of ID theft in 2006, about 1 in \n25 people. If you just stop and think about that, it is a lot, \nespecially if you consider that the young and the elderly are \nespecially targets for this crime.\n    My home State has the dubious distinction of being, and I \nwill quote from an FTC report from February 7th of this year, \n``an ID theft hotbed,'' posting more per capita complaints than \nany other State in the year 2006. Last year alone, there were \n8,146 victims of identity theft in Arizona, the fourth \nconsecutive year Arizona led the Nation in per capita ID theft.\n    I recently met with Todd Davis, who is the CEO of LifeLock, \nwhich is a company that offers a proactive solution for \nindividuals concerned about this problem. For $10 a month, \nLifeLock will set alerts on a customer's credit reports at each \nof the major credit reporting agencies, and once the alerts are \nset, the credit reporting agencies are required to contact a \ncustomer personally to verify the legitimacy of any credit \nactivity that is occurring. 
These alerts, which the company \nrenews periodically, help prevent the unauthorized use of an \nindividual's personal information after that person has become \nthe victim of identity theft.\n    I mention this just to note that the private sector is \ncoming up with some innovative solutions as well, which, \ncombined with what we are doing here, hopefully can reduce the \nincidence and the significance of the problem.\n    According to Arizona Attorney General Terry Goddard, there \nis a high correlation between ID theft and methamphetamine use. \nMeth users typically steal identities in order to feed their \nhabits, he says. An October 2006 article in the Washington Post \nalso discussed this relationship and said, ``Unlike other drug \nusers, those on meth stay up for days and can become absorbed \nin methodical, repetitive tasks, creating a high correlation \nbetween meth abuse and identity theft crimes.''\n    In fact, an investigation by the Tucson Police Department \nand the U.S. Postal Service recently led to the arrest of a \nnumber of members of an ID theft ring that was mostly made up \nof heavy methamphetamine users.\n    Another cause of identity theft in this country is illegal \nimmigration. U.S. Immigration and Customs Enforcement agents \nrecently arrested nearly 1,300 illegal aliens as part of an \nongoing investigation into a large identity theft conspiracy. \nThe ICE operation, known as Operation Wagon Train, targeted a \nlarge meat-processing company in six States and uncovered \nillegal workers from eight countries. According to the head of \nICE, Homeland Security Assistant Secretary Julie Myers--and I \nam quoting--``The use of fraudulent documents by illegal aliens \nseeking employment has been a significant problem. In recent \nyears, however, this fraud has evolved into a disturbing new \ntrend. 
Now, instead of obtaining fraudulent documents with \nfraudulent identities, illegal aliens are buying genuine \ndocuments using identities of unwitting U.S. citizens.''\n    Terrorism is another cause of ID theft. In 2002, Dennis \nLormel, Chief of the FBI's Terrorist Financial Review Group, \ntestified before this Subcommittee that identity theft was a \nkey catalyst for terrorist groups. Also at that hearing, John \nPistole, Acting Assistant Director for Counterterrorism at FBI, \ntestified that financing of terrorism is facilitated through \nidentity theft and that terrorists use identity theft to obtain \ncover employment and access to secure locations.\n    So we have a multitude of problems and relationships, all \nnefarious, with this problem of ID theft, and I applaud the \nChairman for examining further the adequacy of our ID theft \nlaws today.\n    I want to tell you also in advance that at 3:15 I am \nsupposed to go to the floor to offer an amendment, so I hope I \nwill be able to at least hear from the first panel, but I might \nmiss the second panel. If I do, I apologize, and I will be \nanxious to read the transcript of the hearing later.\n    Thank you again, Senator Feinstein.\n    Chairman Feinstein. Thank you very much, Senator Kyl.\n    I thought your comments were very interesting, and I look \nforward to working with you.\n    Let me get on with the first panel. I would like to \nintroduce the witnesses. I am going to ask you if you could \nconfine your remarks to 5 minutes so we have an opportunity to \ngo back and forth.\n    Ron Tenpas is the Associate Deputy Attorney General for the \nUnited States Department of Justice. He was appointed in \nNovember of 2005. He serves as Executive Director to the \nPresident's Identity Theft Task Force. 
His other duties include \ncoordinating the work of the President's Corporate Fraud Task \nForce, overseeing initiatives and work relating to health care \nfraud enforcement, and reviewing legislative and policy \nproposals to prevent and punish misconduct by corporate and \npublic officials.\n    Before his appointment as Associate Deputy Attorney \nGeneral, he served as a U.S. Attorney for the Southern District \nof Illinois--so we know there is life after--and was an \nAssistant U.S. Attorney in the District of Maryland and the \nMiddle District of Florida. He was a law clerk to Chief Justice \nWilliam H. Rehnquist. He is a graduate of Michigan State \nUniversity, the University of Virginia Law School, and earned a \ndegree from Oxford University as a Rhodes scholar.\n    Lydia Parnes is the Director of the Bureau of Consumer \nProtection of the Federal Trade Commission, which is one of the \nFTC's two law enforcement bureaus. The Bureau is the Nation's \nonly general jurisdiction consumer protection agency. This \nBureau enforces a wide range of laws designed to prevent fraud \nand deception in the commercial marketplace, to protect \nconsumers' privacy, and to provide consumers with important \ninformation about the goods and services they purchase.\n    Ms. Parnes joined the FTC in 1981 as Attorney Advisor to \nthe Chairman. During her career, she has held a number of \nmanagement positions, including Deputy Director of the Bureau \nof Consumer Protection from 1992 to 2004. She received her J.D. \nfrom the Washington College of Law at American University.\n    Welcome, both of you. Mr. Tenpas, if you would begin, that \nwould be excellent.\n\n   STATEMENT OF RONALD J. TENPAS, ASSOCIATE DEPUTY ATTORNEY \n        GENERAL, DEPARTMENT OF JUSTICE, WASHINGTON, D.C.\n\n    Mr. Tenpas. Thank you. Good afternoon, Madam Chairman and \nRanking Member Kyl. I appreciate the opportunity to testify on \nthe important issues that are the focus of today's hearing. 
\nMadam Chairman, we are grateful for the Committee's role in \naddressing the problem of identity theft and appreciate the \nlegislative leadership that you personally have demonstrated in \nthis area. You were a leader in the adoption of the Aggravated \nIdentity Theft Penalty Enhancement Act of 2004, which gave \nFederal prosecutors important new tools in prosecuting this \ncrime. We have made extensive use of that statute, and the \nDepartment of Justice shares your concern and interest in \nfinding new ways to address this problem.\n    The Department of Justice remains committed to aggressively \ncombating the problem of identity theft working in concert with \nour many other Federal agency partners, such as the FTC, that \nplay equally important roles. The precise scope of identity \ntheft escapes uniform quantification; however, as you noted, it \nis clear that identity theft affects millions of Americans \nevery year, cheats Americans of tens of billions of dollars, \nand as a result, demands continued attention across Government, \nin the private sector, and by individual citizens.\n    The Department has aggressively sought to address this \ngrowing problem on parallel tracks. The first is our \nlongstanding and continuing role as the leader of national law \nenforcement efforts. Our prosecutors continue to investigate \nand charge criminal identity theft cases every day all across \nthe country, and in my written testimony, I have given a number \nof examples that range in scope of the cases that our \nprosecutors have been working on. 
They do so working closely \nwith our agents in the FBI and with other important law \nenforcement partners, such as the Secret Service, the United \nStates Postal Inspection Service, the Social Security \nAdministration's Inspector General, and State and local \nauthorities.\n    Our Department brings cases involving identity theft under \na variety of statutes, including mail and wire fraud, statutes \ncriminalizing the misuse of Social Security numbers and of \ncredit cards, and statutes relating to postal theft. And as you \nalluded to, because identity theft is so often interwoven with \nother crimes, for example, the methamphetamine problem that you \nalluded to--that is a matter I am personally familiar with \nespecially in my time as U.S. Attorney in Southern Illinois. \nEven to concentrate on the fraud statutes probably \nunderestimates the work that we do related to identity theft \nbecause so often we are using other statutes to go after people \nfor whom identity theft may be a means to a bigger and even \nmore--at least as important crime.\n    But let me cite one particular example. We have prosecuted \nmore than 700 of America's most serious offenders in the last 2 \nyears using the new 2-year mandatory minimum penalty that is \nprovided for in the Identity Theft Penalty Enhancement Act, \nwhich I alluded to a moment ago and which this Committee and \nyou, Senator Feinstein, led the legislative efforts to create.\n    Our second role at the Department has been to work closely \nwith our colleagues at the FTC to lead the work of the \nPresident's Identity Theft Task Force, which the Attorney \nGeneral chairs and the FTC Chairman co-chairs. The task force \nwas established in May of 2006 by the President. 
It is composed \nof 17 different Federal departments and agencies and is charged \nwith implementing Federal policy to deter, prevent, detect, \ninvestigate, proceed against, and prosecute identity theft, \nfocusing on three specific approaches: first is increased law \nenforcement actions to prosecute identity thieves and deprive \nthem of the benefits of their crimes; second is improved public \noutreach by the Federal Government to the public and private \nsector; and third is increased safeguards within the Federal \nGovernment to protect the personal data that we in the \nGovernment hold.\n    The task force was specifically charged with producing a \nstrategic report with recommendations for the President for \nimproving the Federal Government's work related to identity \ntheft. The task force is in the final stages of what has been \nan unprecedented Federal effort to examine the identity theft \nproblem and to identify comprehensive, multilayered solutions \nto address it. We have convened multi-agency working groups, \nmet with representatives of various groups interested in this \nproblem, invited formal public comment, and we are now in the \nvery final stages and expect the report to be delivered to the \nPresident in mid-April. We look forward to providing the report \nto this Committee and to the public so that we can work with you to \naddress areas of common concern.\n    Because this area is so important, the task force released \na group of seven interim recommendations last September. 
They \nfocus on the following areas: proposed immediate steps that \nFederal agencies can take to improve our own practices as \nrepositories of data; urging the Government to sponsor \nworkshops to highlight new identification and authentication \ntechnologies that the marketplace is currently producing so \nthat we can promote best practices; and proposing the adoption \nof new criminal provisions designed to help victims get better \nrestitution and designed to help victims and law enforcement \nthrough the creation of universal police reports. All of these \ninterim recommendations either have occurred and been executed \nat this point or are in the process of being so or doing so.\n    Again, we thank you, Madam Chairman, for your continued \ninterest and leadership in addressing this complex and pressing \nissue. We look forward to your questions today, and we look \nforward to working with you and the Committee going forward. \nThank you.\n    [The prepared statement of Mr. Tenpas appears as a \nsubmission for the record.]\n    Chairman Feinstein. Thank you very much. Good work, and I \nthank you for your work.\n    Ms. Parnes, please proceed.\n\n  STATEMENT OF LYDIA B. PARNES, DIRECTOR, BUREAU OF CONSUMER \n     PROTECTION, FEDERAL TRADE COMMISSION, WASHINGTON, D.C.\n\n    Ms. Parnes. Thank you. Chairman Feinstein, Ranking Member \nKyl, I also appreciate the opportunity to testify today about \nidentity theft, data security, and the collection, use, and \ndisclosure of Social Security numbers. Although the views \nexpressed in my written testimony represent those of the \nCommission, my oral presentation and responses to your \nquestions are my own and not necessarily those of the \nCommission or an individual Commissioner.\n    Chairman Feinstein. We understand the disclaimer.\n    [Laughter.]\n    Ms. Parnes. Thank you. 
It is--yes, thank you.\n    Identity theft is a pernicious crime that afflicts millions \nof Americans and costs consumers and businesses billions of \ndollars every year. But the damage caused by identity theft, as \nyou indicated, transcends these direct costs. It threatens \nconsumer confidence in the marketplace, especially in \nelectronic commerce, and, Chairman Feinstein, I also thank you \nfor your leadership in trying to address the identity theft \nproblem by introducing bills on breach notification and misuse \nof Social Security numbers.\n    There are many causes of identity theft, but I would like \nto focus today on two of them: the failure to safeguard \nconsumer-sensitive information and the availability and value \nof Social Security numbers to identity thieves.\n    Although not all data breaches result in identity theft, \nsome do. And for that reason it is critical that those who \nmaintain sensitive consumer information adequately protect it. \nThe Commission has been vigorous both in educating businesses \nabout data security and in enforcing the existing Federal data \nsecurity laws. We have business education materials on ensuring \ncomputer security, complying with the GLB Safeguards Rule, and \nresponding to a data breach. And just this month, we issued a \nnew guide for businesses providing comprehensive advice on \ndeveloping and implementing reasonable data security \nprocedures.\n    On the law enforcement front, the Commission has since 2001 \nbrought 14 cases challenging inadequate data security \npractices. These cases have certain common elements. In each, \nthe company's security vulnerabilities were multiple and \nserious. The company did not take advantage of readily \navailable and often inexpensive measures to avoid or correct \nthese vulnerabilities. 
Together, these cases stand for the \nproposition that companies must maintain reasonable and \nappropriate procedures to protect sensitive consumer data.\n    We also must do more to keep Social Security numbers out of \nthe hands of identity thieves, and we must do what we can to \nreduce the value of Social Security numbers to thieves who are \nable to procure them. Reducing the unnecessary collection, use, \nand disclosure of Social Security numbers is a good first step, \nand the Federal Government has already begun this effort. The \nIdentity Theft Task Force issued interim recommendations in \nSeptember. One of these recommendations was that the Federal \nGovernment review its policies for collecting and using Social \nSecurity numbers. The Office of Personnel Management is \nfinalizing its review of the use of Social Security numbers in \nits collection of human resource data from agencies, with the \ngoal of eliminating unnecessary use.\n    It is still important to remember, though, that the Social \nSecurity number, which is widely used to match individuals to \ninformation about them, serves important and beneficial \nfunctions in our economy. Excessive restrictions could harm \nsuch important purposes as public health, criminal law \nenforcement, and anti-fraud and anti-terrorism efforts.\n    Yet even with better security and appropriate restrictions \non the unnecessary use of Social Security numbers, some \nsensitive information inevitably will find its way to identity \nthieves. For that reason, making it more difficult for \ncriminals to use the information to steal an identity is an \nessential part of the solution.\n    Too often, criminals with a stolen name, address, and \nSocial Security number are able to open accounts in the \nvictim's name. We should do what we can to improve \nauthentication of identities. 
Next month, the Commission will \nhost a workshop on this subject designed to facilitate the \ndevelopment of improved means of authentication.\n    Finally, empowering consumers by educating them on identity \ntheft is another important tool at our disposal. The Commission \nhas been a leader in this endeavor. To date, we have \ndistributed more than 22 million publications on identity \ntheft. Our nationwide identity theft education program, \nentitled ``Avoid ID Theft: Deter, Detect, Defend,'' was \nlaunched last year. It includes direct-to-consumer brochures, \nas well as ready-made kits for organizations to use in training \nemployees or constituencies, complete with presentation slides \nand a video. Our multimedia website, OnGuard Online, educates \nconsumers about basic computer security. And the Commission \nmaintains a hotline and online complaint form through which we \nreceive between 15,000 and 20,000 contacts each week from \nidentity theft victims and those who hope to avoid becoming \nvictims.\n    Identity theft is one of the most important consumer \nprotection issues of our time. The Commission will continue to \nplace a high priority on preventing this crime and helping \nvictims recover from it. We look forward to continuing our work \nwith you in this effort, and I would be happy to take any \nquestions.\n    [The prepared statement of Ms. Parnes appears as a \nsubmission for the record.]\n    Chairman Feinstein. Thank you very much for the testimony. \nI am going to ask Senator Kyl to go first since he has to be on \nthe floor. Senator?\n    Senator Kyl. I really appreciate that. Thank you very much.\n    First, probably to Mr. Tenpas, but either one of you are \nwelcome to respond, according to the Identity Theft Resource \nCenter, a national nonprofit organization based in San Diego, \nabout 30 percent of identity theft victims have had fraudulent \naccounts opened in their names after placing a fraud alert. 

What is the penalty or consequence for a company that extends 
credit despite knowing of the existence of the fraud alert? And 
would a consumer have a private right of action against such a 
business?
    Chairman Feinstein. Good question.
    Mr. Tenpas. We have been working very closely together. Can 
we confer for a moment about who is better to take that?
    Senator Kyl. Sure.
    [Laughter.]
    Senator Kyl. And, incidentally, I am not trying to play 
``Stump the Witness'' here. If you get any ideas that you would 
like to present to us later, that would be fine, too.
    Mr. Tenpas. We have been pretty closely joined at the 
shoulder over the last 10 months, so if you will give us a 
moment.
    Ms. Parnes. Yes, I can--
    Mr. Tenpas. I will defer to my learned colleague.
    Senator Kyl. OK, good.
    Ms. Parnes. The 30-percent figure is a familiar one. Most 
of the surveys that have been conducted indicate that about 30 
percent of the victims have been the subject of what is called 
``new account fraud.'' But what I actually have not heard is 
that these have been accounts that have been opened after 
alerts have been placed. That is actually new information, and 
I would like to go back and look at that, if I may.
    Senator Kyl. Sure. I will provide you the--this comes from 
the Identity Theft Resource Center, a January 2007 article. I 
can give you the citation for it. So maybe what you could do is 
take a look at that and then get back with any information that 
you can.
    Ms. Parnes. OK. Thank you.
    Senator Kyl. Thanks. And this is kind of a followup. 
Various companies--and I mentioned one--offer services that--
well, actually, this is a different point, but offer services 
that provide addresses, criminal, civil, and professional 
history as well as a list of assets and bank account numbers. 

You are familiar with these.
    Also available are Social Security numbers, current phone 
numbers, names and phone numbers of neighbors and family member 
names.
    What protection is needed so that credit bureaus and 
information agencies are prohibited from selling such personal 
information?
    Ms. Parnes. Well, I certainly think that the restrictions 
on Social Security numbers that are included in this bill are a 
start in limiting the sale and disclosure of Social Security 
numbers.
    Senator Kyl. Have the credit bureaus been working closely 
with FTC to address these kinds of problems?
    Ms. Parnes. We work very closely with the credit bureaus. 
Yes, we do.
    Senator Kyl. I think that is important. The President's ID 
Theft Task Force is something else that has at least been in 
existence. Do you know what type of input the task force has 
sought from different consumer groups and private sector 
groups? It seems pretty heavily Federal Government oriented.
    Ms. Parnes. Well, the task force--we have spent a good deal 
of time talking among the 18 agencies that are members of the 
task force. But we also had a period of time when there was 
public input that was sought. Notice was given, and we 
received--
    Mr. Tenpas. We had about a 2-month public comment period. 
We set that public comment period once the task force had begun 
its work, and rather than simply inviting general comment--you 
know, ``Tell us what you think about identity theft''--we tried 
to identify eight or nine broad areas where we thought a lot of 
the task force work was being focused.
    A set of the questions essentially invited comments in the 
area you have described about what, if anything, remains to be 
done in terms of establishing regimes for businesses about 
protecting data, providing notification, and uses of that data. 

And I think within the task force there has also been a 
recognition that, as Lydia referred to, there are important 
legitimate uses of Social Security numbers, and one of the 
things that is important to do is make sure we have a good 
grasp of the legitimate--all of the ways in which Social 
Security numbers and other sensitive data are being used and 
shared, so that you can then parse out which ones really 
benefit consumers, which ones potentially make businesses 
better able to meet consumer needs, and which of those are sort 
of historic curiosities that grew up because, for example, a 
Social Security number was the easiest identifier at the time 
but where we have now got better ways to go about that.
    Senator Kyl. A very good way of distinguishing these 
different uses. Just to mention a final point, we are in very 
detailed discussions with members of the Department of Homeland 
Security and the Department of Commerce, and they have in turn 
got conversations going with the Social Security Administration 
and others about the Social Security number data base as it 
relates to enforcement of the immigration laws and potentially 
a new employee verification system that could be put in place 
as part of a comprehensive immigration reform. Clearly, we are 
going to have to have another whole conversation about that, 
and you all will be important in that.
    Senator Feinstein, I am sorry. I will have to go.
    Chairman Feinstein. I am sorry, too.
    Senator Kyl. But thank you for allowing me to go forward 
here, and I appreciate it very, very much.
    Chairman Feinstein. If you can come back, please do. Thank 
you.
    For either one of you, let me ask this question: Any data 
breach notification statute has to strike the right balance, 
and this is more difficult than people might think. If notices 
are sent even when a breach poses no risk of harm, consumers 
tune it out. 
Yet if notices are only sent when there is a high 
likelihood of harm, notices will not be sent often enough 
because in many cases it will be hard to predict whether the 
data will be used for identity theft.
    The data breach bill that we have introduced requires that 
notice of a data breach be given unless the breached entity 
conducts a risk assessment and concludes that there is no 
significant risk of harm to the affected individuals. So the 
burden is put on the entity that makes the money by selling 
this information.
    The entity that suffered the breach is also required to 
send that assessment to the Secret Service, which can overrule 
the assessment and require notice to be sent to the affected 
individuals.
    Do you believe that it is appropriate to require notice 
unless there is no significant risk of harm?
    Mr. Tenpas. I think the general approach that you have 
described is one that actually is already reflected in some of 
the task force's own work. One of the things that occurred as 
part of the interim recommendations that I alluded to was that 
the task force prepared guidance for Federal agencies to serve 
as, you know, something of a playbook for a Federal agency if 
it had an incident where sensitive information may have been 
compromised. 
And one of the things that that guidance 
recommends is to conduct an analysis of the kind you have 
described, not to sort of jump to the conclusion that every 
time information may have been--``compromised'' may not be 
quite the right word--but some way there is some level of loss 
of control of it, you do not immediately jump to notification 
because, as you say, I think there is a very substantial 
concern that consumers will grow immune to notices and not be 
able to distinguish really important ones from less important 
ones.
    So I would say I think generally the approach you have 
outlined is one that the task force has already thought about 
and is one that we have sort of embraced for the Federal 
Government itself.
    Chairman Feinstein. I really appreciate that because this 
has been difficult, as you probably know, to work out. But in 
retrospect, as I look back on it, it seems to make the best 
sense as a way to do it.
    Mr. Tenpas. Senator, could I make one other just very small 
point on that?
    Chairman Feinstein. Sure.
    Mr. Tenpas. I think there are a couple of other things that 
are reflected in that that are useful. One is the notion of a 
notification to law enforcement so that they are able to 
involve themselves in a timely way in trying to figure out what 
the potential criminal opportunities might be from a particular 
incident. I think from a Department of Justice angle, we would 
also just note that the FBI is a very important investigative 
agency in parallel with the Secret Service, and so we think it 
would be useful for there to be some recognition of that in 
terms of any kind of notification or law enforcement kind of 
vetting.
    Chairman Feinstein. I would be open to any suggestion you 
might make. We chose the Secret Service because they apparently 
have the know-how to do this and can do it. But if you have a 
recommendation, I would sure welcome it.
    Mr. Tenpas. OK. 
Thank you.
    Chairman Feinstein. We want to make this as good as we 
possibly can.
    Mr. Tenpas. And the Secret Service does have tremendous 
expertise. That is not meant, you know, in any way to suggest 
they do not. But this is an area where a number of agencies all 
play important roles. Some have closer ties to one industry 
sector than another, and so I think we just want to be sure 
that anything we do here, we capitalize on the collective 
talents and abilities of all those agencies.
    Chairman Feinstein. I think one of the things that I have 
been interested in is, for example, I did not know that every 
time I buy something out of a catalogue or use my credit card 
or virtually do anything, it all goes into a big data grist 
mill, and the information is all compiled, and companies sell 
this information to other people. And almost nothing is private 
anymore.
    All your financial information is easily available and can 
be used. If somebody gets your driver's license and your Social 
Security number, they can go to this financial information and 
rip off people to the tune of hundreds of thousands of dollars.
    Do you have any other suggestions, either one of you, as to 
what we might do in this? Now, I know that L.A. County has set 
up an identity theft unit to service people who have had these 
problems. But it is very hard. I have talked to people where it 
has taken 18 months to recover your identity, and during that 
period of time, you were almost a non-entity. You have no 
credit. You cannot do this or that.
    See, I think that if you are going to sell somebody's 
personal data, you ought to have their permission. And that is 
the old opt-in/opt-out argument, and business resists it.
    That is the only answer I know.
    Ms. Parnes. I think, you know, a couple of things. 
The risk 
of lost or stolen information in our experience at the 
Commission, you know, goes beyond the situation that you were 
describing where your data is compiled, your personal financial 
information is compiled somewhere, and that it can be sold 
among entities. But what we have seen is the risk that exists 
when retailers are holding information. I mean, many of the 
cases that the Commission has brought involved data breaches at 
retailers--retailers that held information, credit card account 
information.
    Chairman Feinstein. Give an example of that, would you?
    Ms. Parnes. Well, you know, one example is the case--well, 
certainly one example was the ChoicePoint case that you 
mentioned. But another one was a case we brought involving BJ's 
Warehouse, a store, and they held information--they held credit 
card information when consumers paid for that information, and 
they were--that information was hacked by someone who was able 
to get into the system through the store scanners. It was a 
vulnerability in their system. So someone was able to get into 
their system and get all of this credit card account 
information.
    Now, a couple of problems there. First of all, retailers 
have no need to hold that account information for a 
particularly long period of time, and some do, and that is a 
problem.
    Chairman Feinstein. I think a lot do.
    Ms. Parnes. Yes.
    Chairman Feinstein. The question is: What do we do about 
that?
    Ms. Parnes. Well, you know, one of the things that we have 
been trying to do in our cases is highlight what the problems 
are and get out then consumer--excuse me, business education 
material really alerting the business sector what are the do's 
and don'ts in terms of data security. And the recent brochure 
that we released earlier this month I really think is an 
excellent example. We talk about tossing information. Don't 
keep it if you don't need it. 
Really look at what you need.
    Chairman Feinstein. Well, let me give you an example. I 
went into a store here not long ago, and the individual that 
waited on me--they knew I was coming in--knew everything I had 
bought on the other side of the country. I was sort of 
staggered by that.
    So I say to everybody out there, there are no secrets 
anymore. Everything is an open book, and I really have some 
concerns. I do not know what I think of that in terms of 
privacy being so violated all the time.
    Mr. Tenpas. Senator, could I add just one or two 
observations on that as well? I think we share that concern. 
One of the aspects of this problem that is, I think, so 
difficult to wrestle with is that same phenomenon that you 
describe of sort of the information being everywhere, also in 
certain cases presents opportunities to help consumers.
    As an example, one of the things we have been looking at in 
connection with the task force is thinking about, you know, in 
those unfortunate cases where a Government agency has an 
incident and some information is lost, how you respond to that. 
And one of the things that has happened during the life of that 
is a number of business enterprises have stepped forward to 
point out that they believe they have technologies or systems 
that, sort of capitalizing on the fact that a lot of 
information is out there, allows them to track whether a 
particular data breach is leading to identity theft.
    Chairman Feinstein. Right.
    Mr. Tenpas. 
So, you know, this is a sort of short layman's 
summary of it, but if 10,000 names or records were kind of 
lost, there are businesses now that believe they can, if you 
give that information to them, essentially go out and monitor 
what is going on in the world in terms of new accounts being 
opened, purchase activity, and detect unusual surges that would 
suggest that the information that has been compromised is 
actually being used for identity theft, because, obviously, the 
compromise is not the same as a person taking it up and 
misusing it.
    And so one of the really hard problems here is the things 
that create risk for us also create some opportunities to help 
consumers. And so getting the balance right is a difficult one.
    Chairman Feinstein. Let me ask you for your advice. Do you 
think we should pass legislation that would require Federal 
agencies to give notice of a data breach?
    Mr. Tenpas. I think our sense on that is that you should 
give us some chance, through the task force and other places, 
to get policies in place. I think one of the concerns about 
sort of legislating in this area is it is changing so quickly.
    Chairman Feinstein. Yes.
    Mr. Tenpas. For example, the ability that I described to 
you was not one that certainly I was aware of and I do not 
think was well developed even perhaps 2 years ago. And so I 
think what we want to really be encouraging in the Federal 
Government is for our agencies to be adopting the best possible 
practices available at any moment. And what those are today, 
you know, I am not a big gambler, but I would be willing to bet 
that whatever those are today, 2 years or 3 years from now we 
are going to think there is something even better and smarter 
that you can do. And sort of allowing us--
    Chairman Feinstein. That is a pretty good non-answer.
    Mr. Tenpas. Well, I think it is--
    Chairman Feinstein. 
I take it the answer is no, you do not 
think we should.
    Mr. Tenpas. I think we would like some time--
    Chairman Feinstein. OK. Fair enough.
    Mr. Tenpas.--to sort of try to manage our affairs and see 
if we can come up with ways to be responsive.
    Chairman Feinstein. Fair enough. That is why we tried to 
keep this bill simple, just data breach notification, and at 
least get that first step of protection out for the consumer. I 
just hope we can pass the bill. Anything both of you can do to 
be supportive would really be appreciated. I would like to get 
it passed as soon as possible, as a stand-alone bill if we have 
to, at least so there are some specifics out there with respect 
to notification in the event of a data breach, instead of 
having different States doing a different thing.
    Mr. Tenpas. Right.
    Chairman Feinstein. So let me just thank you for your 
testimony. Unless you have another comment you would like to 
make, we will move on to the next panel. You have been very 
generous, and we appreciate it.
    Ms. Parnes. Thank you.
    Mr. Tenpas. Thank you very much, Senator.
    Chairman Feinstein. Thank you.
    All right. This should be a very interesting panel, and I 
will introduce the individuals. In particular, Mr. Davis, let 
me thank you for coming such a long distance to be here today. 
I will begin by introducing you.
    James Davis is the Associate Vice Chancellor, Information 
Technology, and Chief Information Officer of UCLA. Mr. Davis 
will describe the data breach that UCLA discovered in November 
of 2006. He is a professor in the Department of Chemical and 
Biomolecular Engineering at UCLA. In his Associate Vice 
Chancellor position, he has broad responsibility for 
University-wide technology planning and implementation 
oversight. That means he is the point man there. 
He both 
facilitates and coordinates the campus IT planning, policy 
setting, prioritization, and decisionmaking processes, and is 
responsible for the strategic deployment of academic and 
administrative operations, services, and resources in support 
of the University, which is a big University, and its central 
and distributed technology requirements. He is responsible for 
UCLA's Office of Information Technology and coordinating IT 
deployment.
    Joanne McNabb is the Chief of the California Office of 
Privacy Protection that was created by legislation and opened 
in 2001. It is the first in the Nation, and it is a resource 
and advocate in identity theft and privacy issues. Mrs. McNabb 
is a certified information privacy professional, is co-chair of 
the International Association of Privacy Professionals' 
Government Working Group. She also serves on the Privacy 
Advisory Committee of the United States Department of Homeland 
Security. Before starting the Office of Privacy Protection, she 
had 20 years' experience in public affairs and marketing, in 
both the public and private sectors. She attended Occidental 
and holds a master's degree, of all things, in medieval 
literature from the University of California at Davis.
    Chris Jay Hoofnagle is the Senior Staff Attorney, Samuelson 
Law, Technology & Public Policy Clinic. He is a senior fellow 
at the Berkeley Center for Law and Technology, the School of 
Law, Boalt Hall, University of California. He previously served 
as director of the West Coast office and senior counsel at the 
Electronic Privacy Information Center. He is the author of many 
scholarly articles on identity theft and privacy protection and 
has served as a witness and commentator on privacy issues in 
Congressional Committees, State legislative bodies, and major 
media.
    Thank you, all of you, for being here. You have all come a 
distance, and we really appreciate that on this first day of 
spring. 
So let's begin with you, Mr. Davis.

STATEMENT OF JIM DAVIS, ASSOCIATE VICE CHANCELLOR, INFORMATION 
    TECHNOLOGY, CHIEF INFORMATION OFFICER, AND PROFESSOR OF 
 CHEMICAL ENGINEERING, UNIVERSITY OF CALIFORNIA, LOS ANGELES, 
                    LOS ANGELES, CALIFORNIA

    Mr. Davis. Thank you, Madam Chair. Obviously, I am here 
because UCLA, as noted, was the recent victim of a large data 
base security breach and reached the decision to notify more 
than 800,000 people that their Social Security numbers were or 
might have been illegally accessed. The scale and complexity of 
the situation served to amplify a number of difficult questions 
during deliberations, the intersections of competing goals, and 
the important elements of notification. So my objective today 
is to share some of our key experiences in light of the 
California law that I believe bear on the proposed legislation.
    I would like to start by saying we were thankful that we 
had a well-established incident response policy, process, and 
protocol in advance of the breach. Given the complex technical 
environment, the forensics picture evolved over multiple weeks, 
rapidly changing our understanding of the nature and 
sophistication of the attack, and dramatically affecting the 
number of potentially affected individuals.
    By UCLA policy, the final decision to notify rests with me 
as the Chief Information Officer. I convened what I considered 
to be the most objective, independent panel to help reach a 
final decision. The panel included the director of IT security, 
the director of IT policy, the campus network architect, legal 
counsel, and the University of California director of IT 
policy, as well as the director responsible for the particular 
data base.
    We needed to meet repeatedly, and our deliberations 
involved systematically reviewing the technical evidence, the 
projected approach of the hacker, and the intent of the attack. 

These were reviewed against the notification criteria from 
integrated technical, policy, and legal viewpoints. And I want 
to stress that the ability to analyze the situation from these 
viewpoints simultaneously was critical.
    A key lesson involved also was the tension in maintaining 
confidentiality while the investigation was in progress. We 
were keenly aware that the information going out prematurely or 
inappropriately could expose our systems to further harm or 
adversely impact notification. At the same time, we wanted to 
share information, especially technical information, quickly 
with others who could benefit. Ultimately, we were able to 
conclude with confidence that a very small percentage of the 
800,000 individuals in our data base required notification 
under California law. There was not conclusive evidence, 
however, of access for the rest. Therefore, the more difficult 
decision became whether to notify the rest of the individuals, 
the vast majority, when we knew doing so would have a large 
impact on them and on the campus.
    We used additional criteria--duration of exposure and the 
targeted nature of the attack--to help think through the 
situations where technical proofs were inconclusive. These are 
criteria articulated as guidelines by the University of 
California and drawn from Joanne's office.
    There was also a larger philosophical question about UCLA's 
position. Individual privacy is an institutional value highly 
regarded by the University of California and deeply embedded in 
our policies. There was early on a consensus that ensuring 
people are in the best possible position to protect their 
information indeed supported this value. Providing broader 
notification than was strictly required legally was part of 
this position.
    At the point of notification, it was critical to have the 
call center and website fully ready to go. We had 12,000 calls 
the first day. 
At its peak the call center operation included 
1,600 non-dedicated operators at 26 locations, handling as many 
as 1,000 calls per hour. Our website averaged 15,000 daily 
visitors during the first week of notification. We want to 
stress the importance of solid information, especially the 
ability to confirm a name in the data base and the specifics on 
how to protect oneself from identity theft. We were continually 
updating information in response to questions and reactions.
    We identified three groups of callers. The largest group 
felt violated and anxious and wanted the connection with a live 
person for answers and empathy. A much smaller group just 
wanted information. And about 2 percent of the callers were 
sufficiently angered or distraught that they demanded to speak 
with a higher-level UCLA official. Defining the escalation 
process was key to handling this last group of callers and 
essential to a successful notification process.
    Our experience left no doubt that notification 
effectiveness was determined by the ability to reach someone 
knowledgeable and/or to quickly find useful information for 
taking action; designed to minimize busy signals, voice 
messages, providing up-to-date information, and ensuring 
sympathetic operators were also very important. In terms of 
actual notification, all channels were important: e-mail and 
the media for the fastest way to reach individuals, and U.S. 
Mail for the more personalized notice.
    The enactment of the 2003 California law has empowered 
individuals to protect themselves against identity theft, and 
we want to also note it caused the University of California to 
accelerate and intensify institutional efforts to protect data. 
The fundamental belief is that the best protection, however, is 
not to have the protected data at all. 
Since 2003, UCLA has put 
significant effort into reducing the retention of Social 
Security numbers for all internal business practices. The same 
is true for the other UC campuses.
    In light of the breach, we have examined why we keep Social 
Security numbers institutionally, and we find it is because we 
must provide them to external organizations, such as the 
Internal Revenue Service and the National Student 
Clearinghouse. Though we continue to eliminate the unnecessary 
internal use of Social Security numbers, we see a threshold 
beyond which we will no longer be able to do so without 
reduction in the requirements from the external organizations. 
As the FTC's recent recommended practices and guidelines 
indicate, an incident response protocol is obligatory, no 
matter how well one protects data. However, incident response 
is the last step. We believe that an effective partner to the 
incident response and notification would be a reduction in 
these external requirements.
    Thank you very much for the opportunity to share these 
experiences.
    [The prepared statement of Mr. Davis appears as a 
submission for the record.]
    Chairman Feinstein. All 800,000 were notified?
    Mr. Davis. All 800,000 were notified.
    Chairman Feinstein. Thank you. Joanne, welcome.

STATEMENT OF JOANNE MCNABB, CHIEF, CALIFORNIA OFFICE OF PRIVACY 
               PROTECTION, SACRAMENTO, CALIFORNIA

    Ms. McNabb. Thank you very much. Thank you, Chairman 
Feinstein. I am very happy to be here. As you mentioned, the 
California Office of Privacy Protection is an education and 
advocacy office; that is, we do not enforce any of California's 
privacy laws. Our mission is, rather, to identify consumer 
privacy problems and to encourage fair information practices.
    We have four main functions: We assist consumers, and 
others, who call our hotline or e-mail us. 
We provide a lot of 
educational and informational tools, documents, a lot of 
workshops. For example, this year we are doing a series of 
victim assistance training programs for community-based 
organizations to help us reach groups that we do not routinely 
come across. We work with law enforcement, particularly on 
identity theft, and also on security incidents. We are just 
about to release a training manual for law enforcement on 
investigating and prosecuting identity theft. And, finally, we 
make best-practice recommendations to organizations on how to 
handle personal information in ways that reduce the exposure to 
identity theft for the people whose personal information is 
involved. One of our sets of recommended practices is related 
to breach notification, and we issued that one in 2003.
    Identity theft has been a major focus of the office from 
the beginning. In fact, about 60 percent of the calls that we 
get are about identity theft. Fortunately, only about 8 percent 
are from victims. The rest are from people who perhaps got a 
breach notice or saw a television ad or a news story that made 
them concerned about identity theft.
    California, as you mentioned, has indeed been a leader in 
privacy protection, and many of the more than 80 significant 
privacy laws introduced--enacted, actually, since 1999 have 
been imitated by other States and are receiving some 
consideration here in Washington. I want to just highlight 
three briefly, all of which were inspired by concerns about 
identity theft.
    The first one is a law relating to Social Security number 
confidentiality, which took effect in 2003, which 
prohibits the public posting or display of Social Security 
numbers. It is because of that law that I no longer have my 
Social Security number on my Blue Shield card, nor do the other 
members of my family who used to have my Social Security number 
on their Blue Shield cards. 
Similarly, it is no longer on 
student ID cards, and every professor no longer has to receive 
the Social Security number of every student in his or her 
class. So that cut at dealing with Social Security numbers is 
aimed at removing them from public view, to some extent.
    The second law that I think has had a significant impact on 
identity theft is the security freeze law which allows 
individuals to have control over who gets access to their 
credit files, which are full of sensitive personal information, 
including Social Security numbers. This law has been in effect 
since 2002 and gives consumers the most effective tool 
available to them to protect themselves against new account 
identity theft, which, as Ms. Parnes mentioned, is one of the 
most difficult kinds to recover from.
    And then, finally, we come to the best known California 
privacy law, the breach notice law, which was indeed inspired 
by a concern about identity theft. A look at the legislative 
history reveals that it was described as a means of 
giving consumers sort of early warning so that they could take 
defensive action because their information was exposed in a way 
that put them at risk of identity theft. That was the way they 
talked about it as they were passing it.
    I think, however, the real impact of the law has been the 
extent to which it has served as a stimulus to organizations to 
improve their practices for handling personal information and 
that that has been the biggest impact. One way to look at it is 
that the notification process, the requirement to notify, 
revealed the cost of insecurity. Before that it just seemed 
like information security was just a cost that did not have any 
benefit. 
Well, now there is a cost to not securing information, 
so we can look at spending some money to protect it.
    I want to mention a couple of examples that we have learned 
of about the way in which organizations have changed their 
practices because of the breach notification requirement, and 
UCLA is an excellent example. It was not only a very good 
response on so many levels, being genuinely helpful, using 
multiple communications channels, offering people information 
about the security freeze, which is much more effective to 
protect them than credit monitoring and using the call centers 
so effectively, but principally, I want to commend their 
dedication to looking for ways to reduce the presence of Social 
Security numbers even further than they already have.
    We have seen similar actions in a couple of other 
organizations, which I do not think I will go into right now.
    So I would like to, in closing, quote another UCLA 
professor, Phil Agre, who says that personal information is 
like toxic waste, it takes skill and training to manage it, and 
to suggest that sometimes the best way to manage it is to 
detoxify the waste stream.
    Thank you.
    [The prepared statement of Ms. McNabb appears as a 
submission for the record.]
    Chairman Feinstein. Thank you very much, Ms. McNabb.
    Mr. Hoofnagle?

   STATEMENT OF CHRIS JAY HOOFNAGLE, SENIOR STAFF ATTORNEY, 
 SAMUELSON LAW, TECHNOLOGY & PUBLIC POLICY CLINIC, AND SENIOR 
 FELLOW, BERKELEY CENTER FOR LAW AND TECHNOLOGY, UNIVERSITY OF 
   CALIFORNIA, BERKELEY, BOALT HALL SCHOOL OF LAW, BERKELEY, 
                           CALIFORNIA

    Mr. Hoofnagle. Thank you, Madam Chair. Let me say that it 
is very nice to see you so well ensconced in that chair and in 
possession of the gavel.
    Chairman Feinstein. Thank you.
    Mr. Hoofnagle. Thank you for inviting me to this hearing. 
Let me mention two procedural issues. 
My written testimony is \njoined by Professor Deirdre Mulligan. It is not well known that \nProfessor Mulligan at the University of California was one of \nthe architects of security breach notification law in \nCalifornia. She provided a theoretical basis for it and helped \nthen-Assemblyman Joseph Simitian introduce AB 700, which \neventually was passed as Senate bill 1386. So we have a deep \nhistory in working on security breach notification at the law \nschool at Berkeley.\n    The second issue I wanted to mention is that our work is \nsupported by the National Science Foundation, and we continue \nto be dependent on public funding for research, and it is a \nvery important issue to us.\n    With that, I just have a short amount of time today, so let \nme mention four of the recommendations we make in our written \ntestimony. We actually make six all together.\n    Our first recommendation is that Congress should consider \nthe broad beneficial effects of security breach notification. \nThese laws do not just shield individuals from identity theft. \nThey perform a lot of other functions. And perhaps the best way \nto illustrate this is to visit environmental laws for a moment.\n    Professor Mulligan borrowed the idea for security breach \nnotification from environmental right-to-know laws, laws that \nrequired registration of dangerous chemicals and then public \nreporting once those dangerous chemicals were released. \nSecurity breach notification laws perform many of the same \nfunctions as these environmental right-to-know laws. They \naddress a form of information pollution, if you will, just as \nJoanne alluded to in Phil Agre's comment. So not only do they \nwarn individuals of risk, they do other things. Breach \nnotification has caused a serious increase in investment in \nsecurity. Prior to the passage of these laws, companies could \nsimply not disclose security breaches and let consumers bear \nthe costs of identity theft and other harms. 
But now those \ncosts are internalized, and businesses have to do more to \nprotect data.\n    Second, one of the best aspects of security breach \nnotification laws is that they are so-called lightweight \nregulatory mechanisms, meaning that the Government does not \ndictate how an entity should protect information. They simply \nsay, ``agency or business, you figure out how to protect \nsecurity and privacy, but if it does not work, you have to tell \nthe public.'' And that is a major benefit of these laws.\n    Third, just as environmental right-to-know laws reduced \ninventories of toxic chemicals, one of the things we are seeing \nis that security breach notification is reducing reliance on \nsensitive personal information. Now, as Jim noted in his \ntestimony, entities cannot always get rid of all sensitive \ninformation. Sometimes it is external entities that are \nrequiring them to hold Social Security numbers and other \ninformation. However, these laws are encouraging businesses to \ngo through the process of determining whether or not they \nactually need Social Security numbers and removing them from \ntheir data bases if they can.\n    Finally, security breach notification laws are very \nvaluable in that they provide benchmarks for performance. One \nof the problems in investing in security is there are not good \nmetrics to show that security is worthwhile, and having a \nsecurity breach is a metric. It is a benchmark that can be \nlooked at and can cause re-evaluation and greater security.\n    Our second recommendation is that the Committee require \nstandardized, central, and public reporting of breaches, just \nlike environmental right-to-know laws. In the appendix to our \nwritten testimony today, we have a standardized form from the \nState of New York which the State requires when you have a \nsecurity breach. That form sets forth basic information about \nthe breach, how many people are affected, when notice is going \nto be given, et cetera. 
And those forms are essential for the \npublic to learn more about breaches, for security researchers \nto learn about other incidences and whatnot. We really think it \nis essential that some type of public reporting be included in \nyour bill.\n    And then, finally, as I am running out of time here, let me \njust mention that just as security breach notification has \ngiven us more information about security lapses, if we had \nreporting on identity theft incidences, that is, if lending \ninstitutions were required to publicly report about how often \nthey experience identity theft and the vectors of the crime--\nthat is, the types of products that are taken advantage of by \ncriminals--I think we would get a clearer picture of the \nidentity theft problem. And consumers could actually decide \nwhich bank to use based on the bank's rates of identity theft, \nand we could actually have competition.\n    And with that, allow me to thank you again, Madam Chair, \nfor holding this hearing.\n    [The prepared statement of Mr. Hoofnagle appears as a \nsubmission for the record.]\n    Chairman Feinstein. Thank you.\n    Now, let me ask each of you a few questions, if I might. \nLet me begin with Mr. Davis.\n    Mr. Davis, would a standard that requires notification of a \nbreach, unless there is no significant risk of harm, be a \nuseful and meaningful standard for entities that are deciding \nhow to respond to a breach?\n    Mr. Davis. I need to give you a mixed answer. In our \nparticular case, the forensics were very complicated, and as I \nmentioned in the testimony, we had the vast majority of the \npeople, you know, who were faced with the decision about \nwhether to do this. So the really hard question was this risk \nanalysis that you are speaking to.\n    And so there is the question of how can one put the \ncriteria together and in such a way that this risk analysis can \nbe done in a uniform and a good way. So I raise that question. 
\nThe principle of it makes good sense to us. How to do it in \npractice is the question I am raising.\n    Chairman Feinstein. Well, this would depend upon the nature \nof the breach and the data, it would seem to me. Perhaps I am \nall wet, but can you come up with a better standard? This is \nwhere we get into, you know, dicey water because this is not \nsomething that has not been well considered and kind of vetted \nwith various groups. And it is really the best we have been \nable to come up with.\n    Perhaps, Ms. McNabb, would you like to get involved in this \npart of it?\n    Ms. McNabb. I can speak to the issue, not any specific \nlegislative proposal. I think that, in fact, Jim's discussion \nof the deliberative process they went through is very \nillustrative. In California, State agencies are subject to \nnotification, so I have been involved in some deliberations \nsimilar to that in California, and--\n    Chairman Feinstein. But we are talking about writing laws \nfor everybody.\n    Ms. McNabb. Exactly. I know, so I just want to say that how \nyou conduct the risk analysis can be very tricky. Finally, you \nmay find yourself--\n    Chairman Feinstein. But that is up to the company or the \nuniversity or--\n    Ms. McNabb. You may find yourself in a position of trying \nto prove--establish a negative. His case was one example. Some \nother ones I can think of are where what the forensic evidence \nshows is that the apparent purpose of a hacking, let's say, was \nto store pirated music and there was no indication that data \nthat was also on that server was touched, but there was no \nindication that it wasn't touched. So then you don't have \nforensic facts that tell you, yes, that data was accessed or \nacquired or, no, it was not. 
So then you have to go to a next \nlevel that is not part of risk--well, maybe it is part of risk \nanalysis, but it is part of what are our values and principles \nand do we believe in an abundance of caution or not.\n    Chairman Feinstein. What we do, by the way this is worded, \nis leave it up to the entity to make those decisions rather \nthan to legislate a protocol which might work for some and not \nwork for others. I do not know how we could legislate a \nprotocol.\n    Ms. McNabb. Yes. I do not either.\n    Mr. Davis. That is, in effect, what I am saying. It seems \nvery difficult to legislate a protocol.\n    Just to build on what Joanne said, in our particular case \nwe did have to apply additional criteria, as I said. These had \nto do with an analysis of the targeted nature of the event, the \nduration of the event, and our campus position on this. Those \nwere the three ingredients that actually led us to proceed with \nthe notification.\n    I can certainly think of different situations, for example, \nwith a stolen laptop, then the situation becomes very \ndifferent, and you can have a very different kind of risk \nanalysis. But if you are saying, you know, the principle of \nthis, that does make very good sense to this, and it does put \nthe burden back on us to do that kind of analysis, which I \nthink that is where it needs to rest.\n    Chairman Feinstein. I do not know a better way of doing \nthis than saying no significant risk and that the company has \nto certify that. And that goes within 10 days to the Secret \nService with the facts, and they then can reverse that. Let's \nsay the company says there is no significant risk. Then there \nis a check that says, yes, you have to notify, and that check \nwould be the Secret Service evaluation.\n    Mr. Davis. If I may make one other comment, I may have been \nanswering the question just a little bit differently as I \nlisten to what you are saying. 
We would actually agree with \nwhat you are saying, and that is a good principle to proceed \nby. What I was really trying to say is that the definition of \n``significant risk'' is very, very difficult, and so when we do \nour own analysis, it actually is going to be very difficult to \nfind a situation in which we would not notify.\n    Mr. Hoofnagle. Madam Chair, if I may make two \nrecommendations--\n    Chairman Feinstein. Well, my staff just put a question \nbefore me which is interesting. Do you suggest then that the \nlaw include criteria for assessing the risk? Even that, I do \nnot know how it could be complete because there are such \ndifferences.\n    Mr. Davis. There are people to my left that can speak to \nthis. My own perspective is that it would be very difficult to \nput criteria together, but I think some criteria based on the \nexperiences across multiple breaches, much like Chris and \nJoanne have talked about, can be put together that would be \nuseful for us to do our risk analysis and help us do this as an \ninternal exercise.\n    Chairman Feinstein. Would you be willing to make some \nsuggestions?\n    Mr. Davis. Well, I am trying to suggest two that did work \nvery well for us, which was the targeted nature of the attack \nas well as the duration of the attack in the particular kind of \nevent that we experienced. Those would be examples of these \nkinds--\n    Chairman Feinstein. So you are saying, in other words, that \nthere must be a protocol set up that covers such things?\n    Mr. Davis. That is right.\n    Chairman Feinstein. OK. Anybody else like to comment on \nthat point?\n    Ms. McNabb. I think Jim's testimony actually lists the \nnumber of criteria that they had before and that they developed \nafterwards that would be worth looking at.\n    Chairman Feinstein. How about misplaced rather than stolen?\n    Ms. McNabb. 
The California law, the triggering event is \nthat data is acquired by an unauthorized person.\n    Chairman Feinstein. That is a good definition.\n    Ms. McNabb. Not ``accessed'' but ``acquired.'' As it moved \nthrough the legislature, it started as ``accessed,'' and that \nwas considered not as good an indication of risk as \nacquisition. So that can help in some situations.\n    Chairman Feinstein. For example, what do you do, somebody \nis traveling--\n    Ms. McNabb. Yes, and they lose their laptop.\n    Chairman Feinstein. They are carrying a computer that has a \nhuge data base in it, and they misplace it.\n    Ms. McNabb. Well, you have to decide if you have reasonable \nbelief that it has fallen into the hands of an unauthorized \nperson.\n    Chairman Feinstein. You would have no way of knowing.\n    Ms. McNabb. Right. So you have to--\n    Chairman Feinstein. So you would have to proceed, it would \nseem to me, to provide some notification.\n    Ms. McNabb. That tends to be what happens.\n    Chairman Feinstein. Because you cannot take the risk.\n    Ms. McNabb. Something like, I think, 46 percent of the \nnotification--of about 530 notifications that we have noted, 46 \npercent of the time it was a lost or stolen computer or CD or \nserver.\n    Chairman Feinstein. That is exactly right, and it seems to \nme that companies have to recognize that their employees, if \nthey carry around these data bases, that is one policy \nquestion. Then they have to be responsible--\n    Ms. McNabb. And then they can encrypt them.\n    Chairman Feinstein.--if a computer is misplaced or lost or \nstolen.\n    Ms. McNabb. And the data can be encrypted. California \ngovernment established a policy that sensitive personal \ninformation on portable computing or storage devices must be \nencrypted.\n    Chairman Feinstein. That is a good thing to have in our \nlaw.\n    OK. Mr. 
Davis, was the toll-free number a successful way \nfor affected people to communicate with the University? And how \nmany actually used it?\n    Mr. Davis. Well, let's see. We had a total of about 36,000 \ncalls to the call center over the entire time, so we had quite \na few people out of the total number using that call center.\n    In terms of useful, I would use stronger words. I think it \nwas essential to have the call center and to have that toll-\nfree number. When we look at the responses from the people--and \nwe did track this very closely--people really did want to talk \nto people, as I said, and the call center was essential to \ngetting information out.\n    Of course, there were many people that did not have access \nto a computer or did not have other means to get information, \nand it proved to be the only way to get information through \nsome of the people who were involved.\n    Chairman Feinstein. Right. Do you believe that providing an \ne-mail address to which individuals could write for more \ninformation about a breach would be as effective as a call \ncenter? And, everybody, please chime in.\n    Mr. Davis. I do not. I think it is a useful second layer \nmechanism, but I believe the call center--our experience would \nsay--I should not even say ``I believe.'' Our experience would \nsay that the call center was essential as a first line of \ncommunication in this kind of situation.\n    Ms. McNabb. That is our experience, too. My office has \ngotten lots and lots of calls over the years from people who \ngot notices, and your statistics were very similar to what ours \nhave been. A lot of people get a letter, and it says something \nthat sounds a little frightening, and they want to talk to \nsomebody.\n    Chairman Feinstein. Yes, I understand.\n    Ms. McNabb. And what the people are saying on the phone is \npretty much what it said in the letter, but they want to get it \nfrom a live human being.\n    Chairman Feinstein. 
Right.\n    Do you have a comment?\n    Mr. Hoofnagle. It does make sense to have multiple channels \navailable to victims, whether it is e-mail or telephone or the \nInternet.\n    Chairman Feinstein. OK. Should notice be required when a \nbreach involves a hard-copy printout of computerized data?\n    Ms. McNabb. That is the policy for California State \nagencies. The policy is that when the kind of information that \nwould require a notice in electronic form has been acquired by \nan unauthorized person, if it is in paper form we would notify \nthe same way.\n    Chairman Feinstein. Mr. Davis?\n    Mr. Davis. We are treating it exactly the same way.\n    Chairman Feinstein. OK. Well, we have covered the lost or \nstolen laptop. Perhaps you could give us some help on this, and \nthat would be the wording to ensure that it covers not just \nhacking incidents, but also breaches that involved hard-copy \ndata and lost laptops?\n    Ms. McNabb. Well, the California law, when it says \n``acquisition by an unauthorized person,'' has been constantly \ninterpreted to apply to lost or stolen laptops or other \ndevices.\n    Chairman Feinstein. So the whole thing.\n    Ms. McNabb. Yes, because--\n    Chairman Feinstein. The California law, the wording has--\n    Ms. McNabb.--it says if the data--\n    Chairman Feinstein.--been legally interpreted to--\n    Ms. McNabb. It has been interpreted by behavior, that is, \npeople since the beginning, those who have had breaches, \nwhether it was a stolen laptop or lost hard drive, have \nconsidered that acquisition, apparently, because they notified. \nThere have been proposals in the California Legislature several \ntimes since the law was first enacted to remove the word \n``computerized,'' because it says ``computerized data.'' So it \nwould just say ``data,'' which would make it clearly apply to \npaper, and those have never been passed. They were objected to.\n    Chairman Feinstein. Right. That is interesting. All right. 
\nIf any of you have a comment you would like to make, we will \nconclude this, but I would like to ask that if you have not had \na chance to look at the bill, that you perhaps do so and give \nus any comment you might care to make, how to strengthen it or \nbetter it in any way. Any comments?\n    Mr. Hoofnagle. Madam Chair, may I make one comment? That \nis, there is an exemption for situations where there is no \nsignificant risk of harm that would exempt a company or an \nagency from giving notice.\n    Chairman Feinstein. Right.\n    Mr. Hoofnagle. I do think it makes sense to consider using \nthe word ``misuse'' rather than ``harm.'' The word ``misuse'' \nis more relevant. It has better context in privacy law, and \nthat ``harm'' is usually equated with financial loss or injury, \nbut sometimes data are stolen, sometimes there are security \nbreaches made that are mere misuses of information. So--\n    Chairman Feinstein. Define ``misuse.''\n    Mr. Hoofnagle. A use of the data that is not compatible \nwith its collection. Now, that is a confusing way of saying \nusing the data in such a way that the victim would object to, \nand a common example would be the pretexting cases where \ninformation was used to investigate other people but not to \nsteal their identity.\n    Chairman Feinstein. Oh, I see where you are going.\n    Mr. Hoofnagle. Or where data are stolen to embarrass \nanother person or, let's say, data are stolen to locate a \ndomestic violence victim. Those type of risks are particular to \ncertain people, and the entity that is experiencing the breach \nmay not know about those risks.\n    Chairman Feinstein. Well, take a data base like UCLA had of \n800,000. If it were misused, how would they ever get to the \npoint they got to? Because you would never know. All these \nother issues enter into it with respect to misuse.\n    Mr. Hoofnagle. 
Well, it would be ``reasonable risk of \nmisuse'' instead of ``significant risk of harm.'' So there is \ngoing to be a risk assessment made, and I think it makes more \nsense to assess whether or not the information is going to be \nmisused, not whether or not there will be harm flowing from the \nincident.\n    Chairman Feinstein. Well, we have opened a whole other \nchapter. Can you comment, Mr. Davis?\n    Mr. Davis. I have to think about that one.\n    Chairman Feinstein. Yes, I do, too. I do not know what it \nmeans, really. I understand what he is saying, but in terms of \na law--I mean, I know what harm is, but is it proper use? Is it \nmisuse? And you have 800,000 people, all of whom--take the case \nof UCLA. You have applicants, you have students, you have \nalumni. What else do you have on that data base?\n    Mr. Davis. And we had some people from the Office of the \nPresident and faculty.\n    Ms. McNabb. And you?\n    Mr. Davis. I did get a letter.\n    [Laughter.]\n    Chairman Feinstein. So you had a cross-section of people. \nNow, if you go into the private sector away from a University \nsetting, you are going to have an even broader group of people. \nLet's say it is a bank that has its data breached that owns \ninsurance companies, and all that stuff, it is millions of \npieces of data. How do you determine whether misuse would \noccur? How do you determine even who the population is? It \nseems to me it is a huge delaying effort just to get to that \npoint.\n    Mr. Hoofnagle. You are right, Madam Chair. This is the most \ndifficult issue in security breach notification. But what I am \ntrying to say is that we do not want entities just looking for \nrisk of identity theft. There are other risks out there.\n    Chairman Feinstein. Yes, but this is aimed at identity \ntheft. It is not aimed at taking care of all the world's \nproblems. That is the hard part of this. 
I see where you are \ngoing, but we have enough trouble moving this bill now.\n    Mr. Hoofnagle. Well, it would be important, for instance, \nif a data base were breached, if information were stolen from a \nbusiness by someone who attempted to stalk another person, to \nlocate a domestic violence victim, to embarrass that person, \nthat would be--\n    Chairman Feinstein. But how would the bank know? How would \nthe insurance company know?\n    Mr. Hoofnagle. It might become apparent in the risk \nassessment. Of course, every situation is different. What I am \nsaying is that the scope--\n    Chairman Feinstein. You cannot do a risk assessment for \nevery single person in that data base. There are millions. You \nhave to do this in a timely way, within a very limited period \nof time.\n    Mr. Hoofnagle. Let's consider the pretexting scandals where \nindividuals' records were accessed without authorization. Those \nwere single individuals' information that was stolen. It was \nnot done for identity theft. It was done to investigate those \npeople and possibly to embarrass them.\n    What I am saying is that the scope of harms that may occur \nto a victim are broader, and sometimes in the risk assessment \nit will be possible to determine that. Sometimes it will not.\n    Chairman Feinstein. Well, it seems to me with the word \n``harm'' it is a much more general phrase that you identify \nwhether this particular break is apt to result in any kind of \nharm to an individual whose name or data is in that data base. \nAnd if the answer is yes and it is a significant risk of harm, \nyou have to do certain things. If the answer is no, then you \nsubmit your assessment. The Secret Service will take a look at \nit and either agree with you or disagree with you.\n    Mr. Hoofnagle. 
That is a sensible definition of ``harm,'' \nand what I would recommend is that the Committee report \nlanguage specify that the harms, the possible harms, can be \nbroader than just physical harm or identity theft.\n    Chairman Feinstein. Well, I will think about it.\n    Mr. Hoofnagle. OK.\n    Chairman Feinstein. How is that one?\n    Mr. Hoofnagle. That is perfect.\n    [Laughter.]\n    Chairman Feinstein. Thank you all very, very much. I think \nit has been an interesting hearing. I very much appreciate what \nyou do. Please stay the course and continue on, and we will as \nwell. Thank you.\n    The hearing is adjourned.\n    [Whereupon, at 4:05 p.m., the Subcommittee was adjourned.]\n    [Submissions for the record follow.]\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n                                 <all>\n</pre></body></html>\n"