[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]

                       THE INFORMED P2P USER ACT 



                               BEFORE THE

                    SUBCOMMITTEE ON COMMERCE, TRADE,
                         AND CONSUMER PROTECTION

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                         HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION


                              MAY 5, 2009


                           Serial No. 111-36

      Printed for the use of the Committee on Energy and Commerce


                         U.S. GOVERNMENT PRINTING OFFICE 

72-885 PDF                       WASHINGTON : 2012 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 


                 HENRY A. WAXMAN, California, Chairman

JOHN D. DINGELL, Michigan            JOE BARTON, Texas
  Chairman Emeritus                    Ranking Member
EDWARD J. MARKEY, Massachusetts      RALPH M. HALL, Texas
RICK BOUCHER, Virginia               FRED UPTON, Michigan
FRANK PALLONE, Jr., New Jersey       CLIFF STEARNS, Florida
BART GORDON, Tennessee               NATHAN DEAL, Georgia
BOBBY L. RUSH, Illinois              ED WHITFIELD, Kentucky
ANNA G. ESHOO, California            JOHN SHIMKUS, Illinois
BART STUPAK, Michigan                JOHN B. SHADEGG, Arizona
ELIOT L. ENGEL, New York             ROY BLUNT, Missouri
GENE GREEN, Texas                    STEVE BUYER, Indiana
DIANA DeGETTE, Colorado              GEORGE RADANOVICH, California
  Vice Chairman                      JOSEPH R. PITTS, Pennsylvania
LOIS CAPPS, California               MARY BONO MACK, California
MICHAEL F. DOYLE, Pennsylvania       GREG WALDEN, Oregon
JANE HARMAN, California              LEE TERRY, Nebraska
TOM ALLEN, Maine                     MIKE ROGERS, Michigan
JAN SCHAKOWSKY, Illinois             SUE WILKINS MYRICK, North Carolina
HILDA L. SOLIS, California           JOHN SULLIVAN, Oklahoma
CHARLES A. GONZALEZ, Texas           TIM MURPHY, Pennsylvania
JAY INSLEE, Washington               MICHAEL C. BURGESS, Texas
TAMMY BALDWIN, Wisconsin             MARSHA BLACKBURN, Tennessee
MIKE ROSS, Arkansas                  PHIL GINGREY, Georgia
ANTHONY D. WEINER, New York          STEVE SCALISE, Louisiana
JIM MATHESON, Utah                   PARKER GRIFFITH, Alabama
G.K. BUTTERFIELD, North Carolina     ROBERT E. LATTA, Ohio
BARON P. HILL, Indiana
DORIS O. MATSUI, California
JERRY McNERNEY, California

        Subcommittee on Commerce, Trade, and Consumer Protection

                        BOBBY L. RUSH, Illinois
JAN SCHAKOWSKY, Illinois             CLIFF STEARNS, Florida
    Vice Chair                            Ranking Member
JOHN SARBANES, Maryland              RALPH M. HALL, Texas
BETTY SUTTON, Ohio                   DENNIS HASTERT, Illinois
FRANK PALLONE, New Jersey            ED WHITFIELD, Kentucky
BART GORDON, Tennessee               CHARLES W. ``CHIP'' PICKERING, 
BART STUPAK, Michigan                    Mississippi
GENE GREEN, Texas                    GEORGE RADANOVICH, California
CHARLES A. GONZALEZ, Texas           JOSEPH R. PITTS, Pennsylvania
ANTHONY D. WEINER, New York          MARY BONO MACK, California
JIM MATHESON, Utah                   LEE TERRY, Nebraska
G.K. BUTTERFIELD, North Carolina     MIKE ROGERS, Michigan
JOHN BARROW, Georgia                 SUE WILKINS MYRICK, North Carolina
DORIS O. MATSUI, California          MICHAEL C. BURGESS, Texas
JOHN D. DINGELL, Michigan (ex officio)

                             C O N T E N T S

Hon. Bobby L. Rush, a Representative in Congress from the State 
  of Illinois, opening statement
Hon. George Radanovich, a Representative in Congress from the 
  State of California, opening statement
Hon. John Barrow, a Representative in Congress from the State of 
  Georgia, opening statement
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, prepared statement
Hon. Mary Bono Mack, a Representative in Congress from the State 
  of California, prepared statement
Hon. Tim Murphy, a Representative in Congress from the 
  Commonwealth of Pennsylvania, prepared statement
Hon. Lee Terry, a Representative in Congress from the State of 
  Nebraska, opening statement
Hon. Phil Gingrey, a Representative in Congress from the State of 
  Georgia, opening statement
Hon. Marsha Blackburn, a Representative in Congress from the 
  State of Tennessee, prepared statement

                               Witnesses

Eileen Harrington, Acting Director, Bureau of Consumer 
  Protection, Federal Trade Commission
    Prepared statement
    Answers to submitted questions
David M. Sohn, Senior Policy Counsel, Center for Democracy and 
  Technology
    Prepared statement
    Answers to submitted questions
Robert W. Holleyman II, President and Chief Executive Officer, 
  Business Software Alliance
    Prepared statement
    Answers to submitted questions
Martin C. Lafferty, Chief Executive Officer, Distributed 
  Computing Industry Association
    Prepared statement
Stuart K. Pratt, President and Chief Executive Officer, Consumer 
  Data Industry Association
    Prepared statement
    Answers to submitted questions
Marc Rotenberg, Executive Director, Electronic Privacy 
  Information Center
    Prepared statement
    Answers to submitted questions
Robert Boback, Chief Executive Officer, Tiversa, Inc.
    Prepared statement
Thomas D. Sydnor, Senior Fellow and Director, Center for the 
  Study of Digital Property, Progress and Freedom Foundation
    Prepared statement

                       THE INFORMED P2P USER ACT


                          TUESDAY, MAY 5, 2009

                  House of Representatives,
           Subcommittee on Commerce, Trade,
                           and Consumer Protection,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:00 p.m., in 
Room 2123 of the Rayburn House Office Building, Hon. Bobby L. 
Rush (chairman) presiding.
    Members present: Representatives Rush, Stupak, Barrow, 
Radanovich, Stearns, Bono Mack, Terry, Murphy of Pennsylvania, 
Gingrey and Scalise.
    Staff present: Christian Fjeld, Counsel; Marc Gromar, 
Counsel; Valerie Baron, Legislative Clerk; Brian McCullough, 
Minority Senior Professional Staff; Will Carty, Minority 
Professional Staff; and Sam Costello, Minority legislative 


    Mr. Rush. The subcommittee will now come to order.
    Today the subcommittee is holding a legislative hearing on 
two bills: H.R. 2221, the Data Accountability and Trust Act, 
and H.R. 1319, the Informed P2P User Act. The chair will 
recognize himself for 5 minutes for the purposes of an opening 
statement.
    Today the subcommittee is holding a legislative hearing on 
the two above-mentioned bills. They were both introduced by two 
distinguished members of the subcommittee, my colleagues Ms. 
Bono Mack and Mr. Barrow, and H.R. 2221, which is the Data 
Accountability and Trust Act, also known as DATA, was 
introduced by myself and Mr. Stearns. Ms. Bono Mack and Mr. 
Barrow introduced H.R. 1319. Both of these bills represent 
strong bipartisan efforts to address high-profile problems 
affecting American consumers.
    H.R. 1319, the Informed P2P User Act, addresses the 
increasingly frequent problem of consumers inadvertently 
exposing their private sensitive information by way of peer-to-
peer file-sharing programs. Too often when consumers download 
these programs onto their computers with the intent of sharing 
and downloading certain files on the network, they are unaware 
that they are also sharing other files they otherwise might 
want to keep private. For instance, recent media reports have 
focused on consumers unknowingly sharing their tax returns and 
their Social Security numbers on P2P networks. Such inadvertent 
file sharing can be the result of deceptive or misleading 
disclosures by P2P software companies or they might emanate 
from simple confusion on the part of consumers. Whatever the 
case, the intent of H.R. 1319 is to provide consumers with the 
power of informed consent before they download P2P software 
onto their computers and share folders and files with network 
    The second bill that we will be discussing today is H.R. 
2221, the Data Accountability and Trust Act. This is the third 
Congress in which this bill has been introduced. Mr. Stearns as 
chairman of this subcommittee in the 109th Congress originally 
introduced the bill as H.R. 4127, and with the help of then-
Ranking Member Schakowsky, it eventually passed the full Energy 
and Commerce Committee by a unanimous vote. However, no further 
action was taken on the bill as a result of jurisdictional 
disputes. In the subsequent 110th Congress, I reintroduced the 
bill as H.R. 958, but we were unable to take any action. Once 
again in this current Congress, I have reintroduced the bill 
with Mr. Stearns, Mr. Barton, Ms. Schakowsky and Mr. Radanovich 
as H.R. 2221 with the intent that it does eventually become 
    H.R. 2221 has two basic components. First, the bill 
requires that persons processing electronic data that contains 
personal information must take steps to ensure that the data is 
secure. Second, the bill establishes a notification procedure 
and process that a company must take when a data breach occurs 
in order to allow affected consumers to protect themselves. 
Companies do not have to initiate such notices if they 
determine that ``there is no reasonable risk of identity theft, 
fraud or other unlawful acts.'' H.R. 2221 also imposes special 
requirements on data brokers but accommodates other laws that 
govern how certain data brokers are regulated. These bills may 
require some revision, and while this may not be the first time 
we have taken up data security, and H.R. 2221 already reflects 
significant changes forged by compromise made in the 109th 
Congress, the bill may be dated and in need of an update. This 
subcommittee is looking forward to working in a bipartisan 
fashion and seeking bipartisan cooperation based on our 
historical bipartisanship, and I expect that bipartisanship to 
be at work on both of these bills.
    Lastly, I want to just announce for the record that I have 
an intention to hold a joint hearing on consumer privacy with 
Chairman Boucher and the Subcommittee on Communications, 
Technology, and the Internet and to work on comprehensive 
legislation. This is just a part of a larger process.
    Mr. Rush. With that, I yield back the balance of my time 
and recognize now for the purposes of an opening statement the 
ranking member on this subcommittee, Mr. Radanovich, for 5 
minutes.


    Mr. Radanovich. Thank you, Mr. Chairman. Good afternoon, 
    I would first like to thank the witnesses before us today 
and the organizations that have offered comments and 
suggestions assisting the important work of crafting a robust 
and workable data security bill. Both that bill and the P2P 
bill that we have, there are core concerns about the 
unauthorized or inadvertent sharing of sensitive information. I 
want to commend Mr. Stearns, Ms. Schakowsky, Mr. Barton, Mr. 
Dingell, Mr. Whitfield and now Mr. Rush and Mr. Waxman, all of 
whom were chairmen and/or ranking members who have helped bring 
attention to these issues. I also want to recognize Ms. Bono 
Mack's leadership on digital security over the years and on her 
bill to prevent inadvertent file sharing on peer-to-peer 
    File sharing presents privacy and security issues but also 
relates to online safety more generally, and being a father, I 
am glad to see that a bill that improves children's digital 
safety and will help protect from some of the atrocities that 
are being committed using these networks on line.
    Huge data security breaches shocked us all starting back in 
2005 with the ChoicePoint breach and millions of people in the 
United States had discovered that they are victims of identity 
theft. Billions are lost by consumers and by businesses as they 
spend money and time to repair their finances. Particularly in 
difficult economic times when credit is increasingly tough to 
secure, the potential disruption and obstruction of commercial 
activity in every sector of the U.S. economy cannot be ignored. 
Internet-based and other electronic transactions are 
fundamental these days and ensuring consumer confidence in 
these systems is essential. The Congress, and this committee in 
particular, are charged with the responsibility to ensure that 
the entities possessing and dealing in sensitive consumer data 
keep the doors locked and the alarm on.
    The health of our modern network system of commerce demands 
it. Very simply, H.R. 2221 would create a uniform national data 
breach notification regime. I believe that notification must be 
based on the actual risk of potential harm from identity theft 
or other malfeasance and the mandates that we put on covered 
entities must be the same across the country. Allowing 
individual States to alter the rules will only lead to consumer 
confusion and unnecessary business expenses, costs that will 
inevitably be passed on to the consumer. Let us get a good bill 
that robustly protects consumers while not adding requirements 
that only add costs.
    The world has changed since we last considered this bill, 
and I am anxious to hear about those developments. Some parts 
of the bill may now be obsolete, given the actions of the 
private sector, actions by both those who hold sensitive 
information and by companies who now offer products directly to 
consumers to monitor their credit. We must take all of this 
into account and get a workable bill that we can all support.
    While the data security bill is one with which the 
committee has some experience, Ms. Bono Mack's bill, H.R. 1319, 
is a relatively new one. She was out in front on the issue last 
Congress, introducing an earlier version of the bill last 
September. Since then we have seen multiple news stories about 
the problems the bill attempts to address, inadvertent 
sharing of sensitive files across peer-to-peer networks. I want 
to state at the outset that it is not the committee's intent to 
simply demonize P2P software. There are many legitimate and 
important uses of this innovative program and I am glad that 
the P2P industry is here to talk about the uses of their 
products. However, the systems present some interesting 
problems as well. Last month the P2P security company Tiversa, 
who is here to testify, found the schematics of Marine One, 
President Obama's new helicopter, on a P2P server in Iran. In 
other reporting it was found that millions of sensitive 
personal records including Social Security numbers, medical 
records, credit reports and tax returns with names and 
addresses were easily found on P2P networks.
    The problem of inadvertent sharing is enhanced by the 
actual architecture of the programs. It is often unclear to a 
user what may be leaked, and it can be difficult to change 
settings to prevent it. After Mr. Waxman examined this in the 
former committee down the hall, it appears that 2 years later 
many P2P providers have not taken adequate steps to address 
this. We need to take a close look at the problem and the bill. 
We do not want to sweep technologies into a potential regime 
that we do not intend nor do we want to exclude technologies 
that we can all agree should be covered. How we define P2P 
software is critical.
    Mr. Chairman, I look forward to the comments on these bills 
and I would like to express my gratitude to the majority for 
their intent to develop these bills. Thank you, Mr. Chairman.
    Mr. Rush. The chair thanks the gentleman.
    The chair now recognizes Mr. Barrow for 2 minutes. Mr. 
Barrow is a sponsor of one of the bills and certainly I am 
grateful to him for his legislative work. Mr. Barrow, you are 
recognized for 2 minutes for the purposes of an opening 
statement.


    Mr. Barrow. Thank you, Mr. Chairman.
    We live in a world where digital technology has connected 
people and their ideas, their information and products, making 
possible all kinds of new kinds of collaboration and 
innovation. There is no doubt that this has made us all a lot 
more productive. It has also made it possible for folks to 
invade our personal records and reveal private information 
about us and our families that we choose not to disclose.
    The purpose of today's hearing is to discuss threats to 
data security and ways we can work to fill in the gaps that 
leave our personal records vulnerable. I had the opportunity to 
work with Congresswoman Mary Bono Mack on H.R. 1319, the 
Informed Peer to Peer User Act, and I hope that this hearing 
will shed some light on the privacy and security risks that are 
associated with peer-to-peer file-sharing programs. A lot of 
folks who connect to these networks don't even realize that 
their most personal and private files are visible to everyone 
else on the network at any time. A lot of folks are posting 
their tax returns, financial records and personal messages on 
the Internet and don't even know it. I hope that our work on 
this committee will come up with a strategy that will let 
individuals know in a way that they can understand and use that 
the information on the computers could be at risk. We have 
truth in lending and we have truth in labeling. I think it is 
time we had truth in networking also.
    I want to thank Congresswoman Mary Bono Mack for allowing 
me to work with her on the Informed Peer to Peer User Act and I 
want to thank Chairman Waxman and Ranking Member Barton for 
bringing these important issues to the forefront in our 
committee, and most importantly, I want to thank every one of 
you on this panel today for being here to lend your expertise 
on this important subject.
    Thank you, and I yield back the balance of my time.
    Mr. Rush. The chair thanks the gentleman. The chair now 
recognizes the other author of one of these bills that we are 
hearing today, Ms. Bono Mack--I am sorry--Mr. Stearns, I am 
sorry, the former ranking member of the subcommittee, Mr. 
Stearns of Florida, who is recognized for 2 minutes for the 
purposes of an opening statement.
    Mr. Stearns. Thank you, Mr. Chairman, and I--
    Mr. Rush. I didn't mean to confuse you with Ms. Bono Mack.


    Mr. Stearns. She is much better looking.
    Mr. Chairman, thank you very much, and I think in your 
opening statement you pretty much outlined my feeling about 
this. Obviously this is a bill that was introduced on October 
25, 2005. It was H.R. 4127, and as you pointed out, we passed 
this bill by unanimous consent. Ms. Schakowsky and I worked 
together on that bill and we had compromises. We got the bill. 
So I am very pleased that you have taken the initiative, the 
leadership to offer this bill again, and I am very glad to be 
an original cosponsor with you. I am hoping it has the same 
kind of success that we had, Ms. Schakowsky and I, because it 
is a very, very important bill.
    Recently some hackers broke into a Virginia State website 
used by pharmacists to track prescription drug abuse. They took 
all these names and it is 8 million patients and they deleted 
them from the site and they are asking for money to replace 
them, so in a way they are asking for ransom, and if this 
Virginia website had an encrypted data security full-blown 
protection of this information, it would have been difficult, 
if not impossible, for these hackers to get in and to take this 
information. It is 8,257,000 names. And that is why this bill 
is so important so I am very pleased to support it.
    Also, the gentlelady from California's bill, the Informed 
P2P User Act, which is again very important. With the diverse 
connectivity we have in networks, and of course with the 
increased broadband that we are starting to see, people are 
going to go more to this peer-to-peer downloading and this 
centralized resources in your computer and these servers going 
back and forth between each other, you have got to have some 
notification to the users what is occurring or a lot of their 
applications and their information will be also taken.
    So it is very appropriate these two bills come together, I 
think, and Mr. Chairman, I commend you and your staff for 
bringing them both because in a way we are talking about data 
security with both of them and protection of the consumer, and 
I thank you, Mr. Chairman.
    Mr. Rush. The chair thanks the gentleman. Now the chair 
recognizes Ms. Bono Mack of California for 2 minutes for the 
purposes of an opening statement.


    Ms. Bono Mack. I thank the chair and Ranking Member 
Radanovich and the distinguished panel for being here today. 
Thank you for holding a hearing on important privacy 
legislation. Today my comments will focus entirely on H.R. 
1319, the Informed P2P User Act, but before I dig into the 
issue of P2P, I would like to thank Ranking Member Barton as 
well as my colleague, Congressman Barrow, for their willingness 
to work together on H.R. 1319. As you have seen, this is a 
bipartisan bill and their support has been essential. I thank 
them both.
    The risks associated with peer-to-peer file-sharing 
programs have been widely reported by the media and thoroughly 
investigated by Congress. Many of our witnesses today have 
testified before other Congressional committees on the dangers 
associated with P2P file-sharing programs, and each time the 
committee was given a status update of the dangers. 
Additionally, industry claimed ignorance and stated they would 
handle the problem through self-regulation. This hands-off 
approach has not worked and any set of voluntary best practices 
put forth by the P2P industry can no longer be seen as 
credible. To paraphrase Groucho Marx, you want me to believe 
you and your voluntary measures instead of my own two eyes. How 
many more medical records and tax returns is it going to take 
for us to act? How many state secrets will be made available to 
those who want to harm us? How much more damage are we going to 
allow P2P file-sharing programs to do to our economy? I believe 
enough is enough and the time to act is now.
    Industry's opportunity to self-regulate has passed. P2P 
file-sharing programs like Lime Wire and Kazaa before it have 
proven they are either incapable of solving the problem of 
inadvertent file sharing on their own or they have absolutely 
no intention of solving the problem at all. Either way, this 
behavior is unacceptable, and as the committee charged with 
consumer protection, we have a responsibility to our 
constituents to act.
    I am also aware that some of you have concerns about some 
of the language of H.R. 1319. Please note that my office is 
very willing to listen to your concerns and work with you to 
craft a bill that is not overly broad but still carries out the 
current intent of H.R. 1319. I believe that if we work together 
we should be able to produce a bill that protects our 
constituents and preserves the legitimate use of P2P 
    I look forward to today's discussion, and I thank the 
chairman very much for holding this hearing. I yield back.
    Mr. Rush. The chair thanks the gentlelady. Now the chair 
recognizes the gentleman from Pennsylvania, Dr. Murphy, for the 
purposes of an opening statement. The gentleman is recognized 
for 2 minutes.


    Mr. Murphy of Pennsylvania. Thank you, Mr. Chairman, and by 
the way, I would also like to welcome a Pittsburgher, Mr. 
Boback of Tiversa, he and I have spoken a number of times in 
the past, as well as this incredibly distinguished panel. The 
expertise you all have, I am excited about you being here.
    The sad thing about this is, this is a discussion that has 
not begun today. I think some of you have testified in past 
years and I know that Mr. Boback and I have spoken years ago. 
When we look at what has been released about the documents from 
Marine One, a couple terabytes of information on the Joint 
Strike fighter jet, a whole host of so much information, it 
makes me wonder why anybody trusts to have any files on the 
computers at all. It reminds me of the way that Rome acted 
during the time the Barbarians were beginning to invade various 
parts of Germany, and I am sure some Roman emperor, some Roman 
generals were saying nothing to worry about, we have this 
system under control, even when they were sacking Rome, and I 
believe that is where we are now. It is not safe. The portals 
created by these peer-to-peer networks are huge and the fact 
that our Department of Defense keeps anything on any computer 
that is accessible from the outside still astounds me. I 
applaud this bill, and I think this is important because it 
does move a long way towards protecting consumers and families 
who inadvertently have their files stolen and accessed whether 
it is their tax records, medical records or anything else. But 
the best thing we need to remember for so many folks whether 
they are John and Jane Doe in their home somewhere or it is our 
defense department or is any corporation that no matter what we 
do here, they are still responsible for keeping the information 
inaccessible to the Internet because those folks from other 
countries who continue to send out press releases denying they 
are doing it and yet all paths seem to lead back to those 
countries, we have to understand that the wealth of information 
we have on our computer networks and what we have done to 
protect those is all for naught if we continue to put those on 
    With that, Mr. Chairman, I yield back.
    Mr. Rush. The chair thanks the gentleman. Now the gentleman 
from Nebraska, Mr. Terry, is recognized for 2 minutes for the 
purposes of an opening statement.


    Mr. Terry. Thank you, Mr. Chairman. I want to thank you for 
holding today's hearing, but more specifically, we have been 
down this road a couple times before and I think it is 
imperative that we move these bills.
    I am going to pile on a little bit Mr. Murphy's comments 
that I view this as nibbling around the edges of cybersecurity. 
We are pointing to specific problems and trying to come up with 
specific solutions. All the while we are losing sight of the 
forest. I am not saying these shouldn't be done but I just 
think we need to think about in a grander scheme of 
cybersecurity and how it all ties in with our national security 
now, our financial security, and hopefully we can start 
elevating the level of discussion here but I want to 
congratulate the authors of both of the bills here. I think you 
have done a decent job here of finding the right solution for 
these specific problems and I support them. Yield back.
    Mr. Rush. The chair thanks the gentleman and now the chair 
recognizes the gentleman from Georgia, Dr. Gingrey, for 2 
minutes for the purposes of an opening statement.


    Mr. Gingrey. Mr. Chairman, thank you for calling this 
hearing today that focuses on two bipartisan pieces of 
legislation, H.R. 2221, the Data Accountability and Trust Act, 
and H.R. 1319, the Informed Peer to Peer User Act. I also want 
to commend both you and Ranking Member Radanovich for your 
collective leadership and for the spirit of comity in which 
this subcommittee is operating, Mr. Chairman.
    At a time when our society is becoming ever more reliant on 
technology, whether for e-commerce or HIT, health information 
technology, we need to ensure the security of an individual's 
identity and personal information. Unfortunately, we have seen 
significant breaches of information that have led to identity 
theft, fraud and allegations that were first reported in the 
Wall Street Journal that Chinese hackers--it is bad enough what 
Ranking Member Stearns was saying about the pharmaceutical and 
prescription drug information but Chinese hackers stole several 
terabytes of data related to design and electronic systems of 
the Joint Strike fighter. That is some serious business.
    H.R. 2221 is legislation that was first written in the 
109th Congress by my colleague from Florida, Mr. Stearns. It is 
now being spearheaded by you, Mr. Chairman, and I applaud you 
on this effort. This legislation requires entities holding data 
that contains personal information to implement enhanced 
security measures to prevent future breaches. In instances in 
which unauthorized access does occur, then the consumers must 
be notified shortly thereafter that their files were 
    Similarly, H.R. 1319 is legislation that was introduced by 
Ms. Bono Mack of California, full committee Ranking Member 
Barton and my colleague from Savannah, Georgia, Mr. Barrow, and 
it is designed to protect consumers through additional 
information about the practice of peer-to-peer file sharing 
over the Internet. Simply referred to as P2P file sharing 
around the IT industry, this practice certainly has a number of 
benefits. However, too often personal information is 
compromised over the peer-to-peer program for various reasons, 
many of which of course are inadvertent. H.R. 1319 would add an 
additional layer of security that would prohibit peer-to-peer 
programs from sharing files until the program receives informed 
consent from the user on two separate occasions.
    Mr. Chairman, we need to maintain security on the Internet 
in this growing technologically-based world, and I do support 
both bipartisan bills. I look forward to hearing from the 
witnesses, and I yield back.
    Mr. Rush. The chair thanks the gentleman and the chair 
thanks all the members of the subcommittee for their opening 
statements.
    It is now my pleasure to introduce our outstanding expert 
panel. These panelists have come from far and near to be with 
us today, and we certainly welcome them and we certainly want 
to tell each and every one of you beforehand that we thank you 
so much for taking the time out from your busy schedule to 
participate with us in this hearing.
    I would like to first of all introduce you now. From my far 
left is Ms. Eileen Harrington. Ms. Harrington is the acting 
director of the Bureau of Consumer Protection for the Federal 
Trade Commission. Next to Ms. Harrington is Mr. David M. Sohn, 
who is the senior policy counsel for the Center for Democracy 
and Technology. Next to Mr. Sohn is Mr. Robert W. Holleyman, 
II. Mr. Holleyman is the president and CEO of Business Software 
Alliance. Seated next to him is Mr. Martin C. Lafferty. He is 
the chief executive officer of Distributed Computing Industry 
Association. Next to Mr. Lafferty is Mr. Stuart K. Pratt, 
president and CEO of the Consumer Data Industry Association, 
and then next to him is Mr. Marc Rotenberg, who is the 
executive director of the Electronic Privacy Information 
Center. The gentleman next to Mr. Rotenberg is Mr. Robert 
Boback. He is the CEO of Tiversa, Incorporated. And lastly but 
not least, the gentleman seated next to Mr. Boback is Mr. 
Thomas D. Sydnor. He is the senior fellow and director of the 
Center for the Study of Digital Property of the Progress and 
Freedom Foundation.
    Again, I want to thank each and every one of the witnesses 
for appearing today. It is my pleasure to extend to you 5 
minutes for the purposes of opening statement, and we will 
begin with Ms. Harrington.

                 STATEMENT OF EILEEN HARRINGTON

    Ms. Harrington. Thank you very much, Chairman Rush, Ranking 
Member Radanovich and members of the subcommittee. I am Eileen 
Harrington, the acting director of the FTC's Bureau of Consumer 
Protection. I appreciate the opportunity to appear to present 
the Commission's testimony on data security and peer-to-peer 
file sharing. The Commission's views are set forth in its 
written testimony. My oral presentation and answers to your 
questions represent my views.
    Let me start with data security. Companies must protect 
consumers' sensitive data. If they don't, that data could fall 
into the wrong hands, resulting in fraud and consumers losing 
confidence in the marketplace. The Commission has undertaken 
substantial efforts described fully in its written testimony to 
promote data security. Let me highlight three particular 
efforts for you: our law enforcement activities, our pending 
rulemaking on health information security and our study of 
emerging technologies.
    Today the Commission announced its 26th law enforcement 
action against a business that we allege failed to have 
reasonable procedures to protect consumers' personal 
information. Case number 26 is against mortgage broker James 
Nutter and Company for allegedly failing to implement basic 
computer security measures. In settling these charges, the 
company has agreed to maintain reasonable security measures in 
the future and to periodic outside audits of its security 
practices. The Commission's data security cases are well 
publicized and send a strong message to the business community: 
you must have reasonable data security measures in place.
    Second, a few weeks ago the Commission issued a proposed 
rule to require that consumers be notified when the security of 
their health information is breached. The proposed rule arises 
from a mandate in the Recovery Act to address new types of web-
based entities that collect or handle consumers' sensitive 
health information. Covered entities include those that offer 
personal health records which consumers can use as an 
electronic individually controlled repository for their medical 
information. Personal health records have the potential to 
provide numerous benefits for consumers but only if they have 
confidence that the security of the health information they put 
in it will be maintained.
    Third, the Commission continues to examine new technologies 
to identify emerging privacy and data security issues. In 
February, for example, the Commission staff released a report 
recommending principles for industry self-regulation of privacy 
and data security in connection with behavioral advertising. We 
are also considering a petition submitted by EPIC raising data 
security concerns about cloud computing services provided by 
    Finally, a few words about the proposed data security bill, 
H.R. 2221. The Commission strongly supports the goals of the 
legislation, which are to require companies to implement 
reasonable security procedures and provide security breach 
notification to consumers. We also strongly support the 
provisions that would give the Commission the authority to 
obtain civil penalties for violations. We have provided 
technical comments to committee staff, particularly with regard 
to the scope of the proposed legislation and the data broker 
provisions and very much appreciate the opportunity to provide 
    Turning to P2P file sharing, let us be clear about one 
thing. The FTC's interest is the safety and privacy of 
consumers' personal documents and information, not copyright 
piracy. Although P2P technologies may offer benefits to 
computing, they have also been associated with significant data 
security risks. The press has reported disturbing instances of 
sensitive documents being shared via P2P networks. Sensitive 
documents likely have been shared under three scenarios. First, 
some consumers may have shared documents because they failed to 
read or understand information about how to keep files from 
being shared or did not understand the consequences of altering 
default settings. Second, some consumers may have unknowingly 
downloaded malware that caused their files to be made available 
on P2P networks. Third, some businesses and other organizations 
that hold sensitive personal information such as tax or medical 
records have not implemented procedures to block installation 
of P2P file-sharing software on their company or organization-
owned computers and networks. Some of the most highly 
publicized instances of personal information being shared over 
P2P networks occurred because businesses failed to prevent the 
installation of P2P software on their systems or because their 
employees placed sensitive corporate documents onto home 
computers that had downloaded P2P software.
    The FTC has worked with the P2P industry as it has set 
standards for disclosure and default settings that protect 
consumers' files and information. We have received reports 
about the performance of seven P2P companies and are currently 
reviewing them to see whether these companies comply with the 
industry standards. We will make the results of our review 
public this summer. We also educate consumers about the risks 
associated with these programs. In addition to a 2008 consumer 
alert, the FTC's Internet website, onguardonline.gov, 
highlights information about the risks of P2P file-sharing 
    Finally, we support legislation that requires distributors 
of P2P file-sharing programs to provide timely, clear and 
conspicuous notice and obtain consent from consumers regarding 
the essential aspects of those programs. H.R. 1319 may provide 
very useful protections for consumers. The agency has worked 
with committee staff on previous versions of the bill and we 
look forward to working with committee staff again regarding 
this proposed legislation, and we thank you very much for 
giving the FTC the opportunity to present its views today.
    [The prepared statement of Ms. Harrington follows:]

    Mr. Rush. The chair now recognizes Mr. Sohn for 5 minutes.

                   STATEMENT OF DAVID M. SOHN

    Mr. Sohn. Chairman Rush, Ranking Member Radanovich, members 
of the subcommittee, thank you for the opportunity to 
participate in today's hearing. The Center for Democracy and 
Technology is very pleased to see this subcommittee focusing on 
data privacy and security issues. Based on my conversations 
with subcommittee staff, I am going to focus my comments this 
afternoon on the Data Accountability and Trust Act with just a 
few words at the end about the Informed P2P User Act.
    But before I do that, I would like to make a general point. 
Both of the bills that are the focus of today's hearing reflect 
the fact that technology has greatly expanded the ability to 
collect, store, use and share personal data. The modern 
information economy that this makes possible has many benefits 
but it also has greatly changed the privacy landscape and it 
has expanded the risk of inappropriate disclosure of personal 
data. Unfortunately, the law has simply not kept pace with 
these changes. In particular, the United States has no general 
privacy law establishing any kind of fair baseline of 
principles or expectations to govern consumer privacy, and in 
the absence of that kind of overall legal framework, when new 
privacy issues arise, Congress is essentially left to legislate 
on a one-off basis without any clear guiding principles and 
without necessarily much consistency. The result, what we have 
today, is a confusing patchwork of laws in this area. So based 
on that, CDT would certainly urge the subcommittee to put a 
high priority on the enactment of baseline federal privacy 
legislation and we are very happy to hear Chairman Rush saying 
today that he plans a joint hearing and does plan to work on 
comprehensive privacy legislation.
    Now I would like to turn to the Data Accountability and 
Trust Act. CDT supports the idea of a nationwide data breach 
notification standard so long as that standard is at least as 
effective as the laws already in place at the State level. The 
key point to understand here is that data breach notification 
is already the law of the land because it is required by all 
but a few of the States. So from a consumer perspective, 
replacing State notification laws with a weak federal standard 
could actually be a step backwards, and even replacing them 
with a good federal standard still doesn't offer a lot of 
tangible progress. The principal consumer gains from H.R. 2221 
therefore come from section 2 of the bill, namely the provision 
for requiring data security procedures and especially the 
provisions requiring information brokers to let consumers 
review what is in their data broker files. Based largely on 
these provisions, the CDT does support the framework set forth 
in the bill.
    My written testimony offers some suggestions for 
improvements to the bill. For example, the breach notification 
provisions could be improved by requiring a company that 
suffers a breach but determines that there isn't enough risk to 
notify consumers to nonetheless provide a brief explanation to 
a regulator basically just to keep everybody honest. For the 
provisions on security standards and consumer access to 
information broker files, CDT recommends taking a close look at 
the scope of those requirements. In particular, the bill uses a 
definition of personal data that is really quite limited, which 
may make sense for breach notification provisions but might 
make less sense for the provisions in section 2.
    Preemption deserves a mention as well. It is important to 
note that preempting State laws in this area is a very 
significant step. The only reason we are here talking about 
breach notification today is that notification laws were 
pioneered by the States and especially California. States were 
able to do that because the Gramm-Leach-Bliley Act preempted 
inconsistent State laws but otherwise left States free to 
experiment. Fortunately, the authors of H.R. 2221 have been 
careful with preemption. CDT does believe that preemption makes 
sense for the specific issue of breach notification and the 
bill does provide for that. I would just say that as the bill 
moves forward, Congress needs to keep in mind that the price of 
preemption must be strong federal action and that overbroad 
preemption has to be avoided. Overall, CDT does appreciate the 
careful work of Chairman Rush and the other sponsors of this 
bill and we stand ready to cooperate with them on possible 
improvements as the bill moves forward.
    Finally, just a couple words on the Informed P2P User Act. 
CDT absolutely supports the principle that file-sharing 
software should clearly communicate to users how their files 
may be made available to third parties. Inadvertent sharing of 
personal files is a very serious privacy matter. As set forth 
in my written testimony, however, legislating this area does 
pose some difficulties. CDT has reservations about the 
potential unintended breadth of the bill and also has some 
reservations about Congress starting down the path of imposing 
specific design mandates for software developers. That said, we 
share the broad goal and my written testimony offers some ideas 
for modifications to consider if the subcommittee chooses to 
proceed with the bill.
    Thanks again for the opportunity to testify.
    [The prepared statement of Mr. Sohn follows:]

    Mr. Rush. The chair thanks the gentleman. The chair 
recognizes now for 5 minutes of opening statement Mr. 

              STATEMENT OF ROBERT W. HOLLEYMAN, II

    Mr. Holleyman. Mr. Chairman, Ranking Member Radanovich, 
other members of this subcommittee, I want to thank you for the 
opportunity to testify today. The Business Software Alliance 
represents the leading developers of software and hardware. Of 
the software that is sold around the world, roughly 90 percent 
of that is from companies who are U.S.-based companies and our 
members believe strongly that the type of inquiry that this 
committee is engaged in today is important not only to ensure 
that our customers are using software properly but also to 
ensure that the promise of electronic commerce and equally 
important the promise for the type of sensitive data that the 
government will hold and does hold that we could have greater 
confidence because that will add enormous efficiencies to our 
    As we look at the issue of breaches, the data is astounding 
in terms of the problems that we have seen. I won't repeat all 
of the information that has been so widely covered in the press 
and by the subcommittee except that I will note that the trend 
is that data breaches are growing. In 2008, it is estimated 
that there was a 47 percent increase in data breaches over the 
prior year, and the average cost of each breach is growing, and 
for the ninth year in a row, identity theft has topped the list 
of FTC consumer complaints, about 26 percent of all their 
complaints, and according to the Privacy Rights Clearinghouse, 
a staggering 270 million records containing sensitive personal 
information have been affected since 2005. And certainly we 
have heard on this panel today, we have heard in your opening 
statements about Heartland Payment Systems, the single largest 
fraud-related data loss ever in the United States. Estimates of 
over $100 million individual credit and debit card accounts 
were compromised and the consequences of that have been 
    And finally, to the point that I made about the importance 
of government data, nearly 20 percent of all data breaches 
involve government, federal, State and local governments, and 
as we move to the promise of governments holding even more 
sensitive data regarding our health records as people live 
longer, as our population grows, as we build the kind of 
openness and confidence in government, we have to ensure that 
that important nexus is also protected.
    With that, Mr. Chairman, I would like to comment on your 
pending bill. We believe that this bill, Mr. Rush, makes 
significant contributions to restoring and building a goal of 
consumer citizen trust. We support its effort to establish a 
uniform national standard and provide the preemption of State 
laws. We also believe that it is important to recognize that it 
would prevent excessive notification. We do need notification 
but not all breaches are equal, and part of what we need both 
in business but part of what consumers need is to ensure that 
when the notification occurs, it is the result of something 
that is meaningful. Third, we support exempting from 
notification data that has been rendered unusable, unreadable 
and indecipherable. We would recommend that the limitation in 
the bill that refers to encryption be broader so that we are 
looking at what the test is, and really this creates market-
based incentives that supplement the regulatory authority that 
is given. It is that combination that will ensure that more 
holders of data ensure that even if there is a breach, that the 
party that has carried out the breach or the unlawful entity 
can't do anything with that data, and that is an important 
safeguard. Fourth, we believe that your bill takes an 
appropriate risk-based approach to securing data and we support 
the grant of authority and would recommend that it be limited 
to the FTC and State attorneys general rather than extending a 
private right of action.
    A couple of comments about H.R. 1319. We welcome this 
effort by Ms. Bono Mack and other members of the subcommittee 
to address this issue. Consumer privacy can be and is being 
compromised because of certain peer-to-peer file-sharing 
applications. We also appreciate this subcommittee's 
willingness, the committee's willingness to look at the current 
breadth of this bill to identify where it could be 
appropriately limited. We do believe that there are two goals 
in this. One is to protect consumer security and promote trust 
and the second is to ensure that technological innovation 
continues to proceed. It is this balance that must be struck 
and it must be struck carefully. We are all concerned that the 
bill, if it is in its current form, could pull in some of the 
very legitimate applications and uses of peer-to-peer 
technology that are important for every consumer, important for 
legitimate companies. As it seeks to look at some of the bad 
actors or some of the peer-to-peer software that we widely know 
as an anti-piracy organization that have led to the widespread 
theft of software, music, movies and other content, we also 
know that the bill in its current form could sweep in any 
Internet-aware features of software such as automatic updates 
for anti-virus software such as the crash analysis feature of 
operating systems or the web browsers on our computers. We know 
that that is not the intent of this bill but as written it 
could reach that breadth, and so we would urge the committee to 
recognize that while some effort should be made, it is 
important to enhance security. We also want to ensure that the 
technological progress and growth proceeds and that will 
benefit all users of legitimate software.
    So on behalf of BSA, thank you for this opportunity and 
look forward to your questions.
    [The prepared statement of Mr. Holleyman follows:]

    Mr. Rush. The chair thanks the gentleman. The Mr. Chairman, 
Mr. Lafferty, for 5 minutes.

                STATEMENT OF MARTIN C. LAFFERTY

    Mr. Lafferty. Chairman Rush, Ranking Member Radanovich, 
subcommittee members, thank you for holding this important 
hearing. I am Marty Lafferty, CEO of the Distributed Computing 
Industry Association.
    Both of the bills under consideration have far-reaching 
consequences. Our expertise relates primarily to H.R. 1319. 
DCIA is a trade group focused on P2P and related technologies. 
Our mission is to foster commercial development of these 
technologies so that their benefits can be realized by all 
participants in the distribution chain including content rights 
holders and Internet service providers. We currently have 125 
member companies including P2P, cloud computing, file sharing 
and social network software distributors, broadband operators, 
content providers and service and support companies. P2P has 
evolved greatly in the 8 years since Napster first brought the 
term P2P file sharing to prominence. Fully licensed ad-
supported P2P, subscription P2P, paid download P2P, commercial 
enterprise P2P, P2P TV, hybrid P2P and live P2P streaming now 
deserve to be separated from the narrow subset of functionality 
associated with file sharing. DCIA member companies 
increasingly use P2P for the delivery of authorized 
entertainment and corporate communications content where rights 
holders rather than end users introduce files or live streams 
for online delivery. We strongly urge the committee to apply 
the term ``file sharing'' without the P2P prefix as a more 
accurate descriptor for the focus of H.R. 1319.
    The Committee on Oversight and Government Reform held a 
hearing on this topic in July 2007 at which one of our member 
companies testified. Within weeks of that hearing, the DCIA 
established the Inadvertent Sharing Protection Working Group. 
Over several months we recruited participants among leading P2P 
and other tech sector companies and engaged with FTC staff to 
address issues associated with unintended publishing of 
confidential data by file sharers. This effort began by 
providing demonstrations for FTC staff of how current file 
share programs work in terms of users uploading material for 
distribution. It continued through a process involving private 
sector and regulatory participants to develop a program of 
voluntary best practices for file-sharing software developers 
to protect users against inadvertently sharing personal or 
sensitive data. This program was announced in July of 2008. Its 
summary, included in our written testimony, begins by defining 
terms relevant to 1319 such as recursive sharing, sensitive 
file types and user-originated files. It then outlines seven 
steps that are required to be in compliance: default settings, 
file-sharing controls, shared folder configurations, user error 
protections, sensitive file type restrictions, file sharing 
status communications and developer principles. The principles 
address feature disablement, uninstallation, new version 
upgrades and file-sharing settings. In August 2008, the DCIA 
announced that compliance monitoring would begin in December to 
allow developers time to integrate required elements of the 
ISPG program into their planned upgrades and new releases. 
Compliance monitoring resulted in reports from top brands that 
use P2P for downloading, live streaming, open environment 
sharing and corporate Internet deployments and for both user-
generated and professionally produced content. Specifically, 
seven leading P2P representative program distributors submitted 
detailed reports to FTC staff in February 2009. In March the 
DCIA prepared and submitted a summary. We also noted that 
software implementations of the popular BitTorrent protocol 
typically require users to conduct a deliberate conversion 
process from whatever native file format their content is in to 
a torrent file before it can be published, thus minimizing this 
risk of user error. The entire report plus data tables of 
individual company submissions are in our written testimony but 
here are highlights.
    All respondents now have clearly disclosed install default 
settings that only permit sharing files downloaded from the 
network. They do not share user-generated files by default. A 
hundred percent also provide complete uninstallation of their 
file-sharing software that is simple to do and explained in 
plain language, for example, by using the standard add/remove 
program in Windows. And six out of seven, which is all where 
this is applicable, now offer a simple way to stop sharing any 
folder, subfolder or file by using easily accessed controls.
    In April 2009, subcommittee staff invited the DCIA to 
participate in redrafting H.R. 1319. We formed a DCIA member 
subgroup to conduct this work. The process is underway and we 
are glad to coordinate that work with staff. Among our greatest 
concerns is that the bill as drafted would have unintended 
consequences. The present draft goes way beyond the specific 
concerns discussed here and would apply to additional 
functionality and technologies that have nothing to do with 
recursive sharing of sensitive file types. Applying these 
requirements to numerous products, services and companies would 
be burdensome and counterproductive. To the extent that 
legitimate consumer concerns persist in the area that the bill 
intends to address, we strongly believe they can best be 
handled by ongoing self-regulation under the oversight of the 
appropriate federal authority as we initiated with the ISPG.
    The bill as constructed would unnecessarily burden U.S.-
based technology firms with innovation freeze and constraints 
while being unenforceable against overseas competitors' 
software available to U.S. consumers. The great concern also is 
how it might stifle yet undeveloped new and potentially very 
useful and valuable software applications. On the other hand, 
the DCIA has committed to self-regulation through the ISPG to 
address the subject matter of this bill and is making 
substantial progress. So rather than a problematic new legal 
measure, we believe that formalized requirements for compliance 
with that process will be more effective in achieving the 
purpose of the bill.
    We look forward to working with the subcommittee on these 
issues in a productive manner that will benefit all your 
constituents. Thank you for your continued interest in our 
    [The prepared statement of Mr. Lafferty follows:]

    Mr. Rush. The chair thanks the gentleman. The chair now 
recognizes Mr. Pratt for 5 minutes for the purposes of an 
opening statement.

                  STATEMENT OF STUART K. PRATT

    Mr. Pratt. Chairman Rush, Ranking Member Radanovich and 
members of the subcommittee, thank you for this opportunity to 
appear before you today. My name is Stuart Pratt, president and 
CEO of the Consumer Data Industry Association. Our 250 member 
companies provide our Nation's businesses with data tools 
necessary to manage risk and a wide range of consumer 
transactions, and these products include credit, mortgage 
reports, identity verification tools, law enforcement 
investigative products, fraud check transaction identification 
systems, decision sciences technologies, location services and 
collections. My comments today will focus exclusively on H.R. 
2221, and we applaud its introduction.
    CDIA's members agree that sensitive personal information 
should be protected. We also agree that consumers should 
receive breach notices when there is a significant risk of them 
becoming victims of identity theft. Our members agree with the 
Federal Trade Commission recommendations which embrace these 
two concepts. I would only add that if a federal law is to be 
enacted, it should be a true national standard.
    We believe that data security and breach notification 
provisions in H.R. 2221 would be most effective if they were 
better aligned with requirements found in other current laws. 
Alignment is key to ensuring that all who are affected by the 
Act are successful in complying with new duties under DATA and 
also with their current duties found under other laws such as 
the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act. 
Let me discuss some of the ways that 2221 interplays with 
existing duties found in current laws.
    Section 56 defines the term ``information broker.'' Absent 
aligning this definition with other current laws, our members' 
products will be affected. This bill would require information 
brokers to have reasonable procedures to verify the accuracy of 
personal information, provide consumers with access to these 
data and ensure a system by which consumers can dispute 
information. All of our members operate consumer reporting 
agencies as this term is defined in the Fair Credit Reporting 
Act. They produce data products defined as consumer reports. 
Consumer reports are used to make determinations of a 
consumer's eligibility for a service or a product and the FCRA 
establishes duties for accuracy, access and correction as it 
relates to these products. Our members agree that where data is 
used to make a decision regarding consumers' eligibility for a 
product or service, consumers should have these rights.
    Since there are similar duties under the FCRA and DATA, we 
propose the definition of information broker should be amended 
to exclude the term ``consumer reporting agency'', and while we 
appreciate the inclusion of section C3C which attempts to 
address our concern, we believe that since the FCRA's duties 
are well understood and the FTC has direct enforcement powers, 
that we should have a complete exemption.
    Regarding disclosure, section C3 allows an information 
broker under certain circumstances to not disclose personal 
information to a consumer. This section does not exempt an 
information broker's fraud prevention tool from the duty to 
verify accuracy. Fraud prevention tools are designed to 
identify the possibility of fraud and to apply an accuracy 
standard of fraud prevention tools is unworkable since these 
tools are designed to warn a lender or utility or other 
business about the possibility of fraud. Fraud prevention tools 
consider how data has been used in previous identified cases of 
fraud and employ many other relational strategies. We would 
urge the expansion of C3B to include fraud prevention tools so 
that they are completely exempted from the accuracy standard 
requirement, not because the tools are designed poorly but 
because these tools cannot line up with an accuracy standard in 
the first place.
    Your bill also as indicated establishes both a requirement 
for data security and a requirement for security breach and we 
have absolutely no qualms about either of those requirements. 
Our members in fact comply with those types of requirements 
today and our only request is that where our member companies 
are already operating as a consumer reporting agency under the 
Fair Credit Reporting Act or where they are operating as a 
financial institution under the Gramm-Leach-Bliley Act, that 
they would be exempted from these data security and these 
security breach notification duties because they already have 
those duties under the Fair Credit Reporting Act and also under 
the Gramm-Leach-Bliley Act and in particular the safeguards 
rules which include breach notification.
    So this process of alignment will make this bill more 
effective. If we can make this truly a national standard, you 
certainly will have filled some gaps along the way. I think 
that Mr. Sohn said it very well. In the meantime, we live with 
a range of State laws. We have worked constructively with many, 
many States in establishing those statutes and in establishing 
definitions of the crime of identity theft and we will continue 
to do that and we look forward concurrently to working with you 
in the committee. Thank you.
    [The prepared statement of Mr. Pratt follows:]


    Mr. Rush. The chair thanks the gentleman, and now the chair 
recognizes Mr. Rotenberg for 5 minutes.

                  STATEMENT OF MARC ROTENBERG

    Mr. Rotenberg. Mr. Chairman, Mr. Radanovich, members of the 
committee, thank you very much for the opportunity to be here 
today. EPIC is a nonprofit research organization here in 
    We have a particular interest in this issue of security 
breach notification. EPIC was the organization that had urged 
the Federal Trade Commission to investigate the data practices 
of a company called ChoicePoint because we believed that that 
company was making the personal information of American 
consumers vulnerable to misuse. The FTC did not heed our 
warning and instead we all read in the newspapers when an 
investigation broke in Los Angeles that revealed that the 
records of 145,000 American consumers had been sold to a 
criminal ring engaged in the act of identity theft. I promise 
you, after that news story appeared, the FTC and many State 
attorneys general became very interested in this problem.
    Now, we learned of the problem with ChoicePoint in part 
because of a good law that had been passed in the State of 
California which required companies that suffered from a 
security breach to notify people who are impacted, and as a 
result of the ChoicePoint notification, many other States began 
to understand the need for security breach notification. Now, 
this has been an evolving process. I think there are now 44 
States in the United States that have security breach 
notification, and while we certainly support an effort to 
establish a high standard across the country, I do want to warn 
you that one of the consequences of this bill would be to 
effectively tie the hands of the States from further updating 
their laws or enforcing stronger laws, and I think this would 
be a mistake. I read recently, for example, that the California 
State Senate has just approved new changes to its notification 
law that would provide individuals with better information 
about the type of personal information that was improperly 
disclosed and how it might be misused. This need to be able to 
continue to update security breach notification I think should 
be a consideration as the committee looks at legislation to 
establish a national standard.
    One of the other points I would like to make about the 
legislation concerns the relationship in the realm of 
notification between the individuals who are impacted and the 
role of the Federal Trade Commission, which is also notified 
under the bill. There is understandable concern that if 
individuals receive too many breach notices, they will serve no 
purpose, and so there is a need to set a standard so that 
people are not receiving lots and lots of these notices which 
they will come to ignore. But with respect to the role of the 
Federal Trade Commission, I think the bill could be 
strengthened by requiring companies in all circumstances to 
notify the Commission where substantive breaches have occurred, 
and moreover to put on the Commission an obligation to be more 
transparent about the information that it receives regarding 
the problems of breach notification in the United States. There 
is also a risk with the legislation as it is currently drafted 
that the FTC will obtain information about security breaches, 
may choose not to act on the information it receives and that 
information will effectively remain secret both to the public 
and to this committee and the problem will continue to grow, so 
I hope that is an area that can be considered as well.
    We talk also about the safe harbor provisions, essentially 
companies that have certain security practices such as 
encryption should be encouraged to put in place and maintain 
those practices but again we think that notification can be 
made to the Federal Trade Commission in those instances where 
security breaches occur even if it may not be necessary to 
notify the target population.
    Finally, I would like to point out that since when the bill 
was originally introduced there have been significant changes 
both in the Internet and also in communications technology. 
Facebook, for example, now has 200 million users. Four years 
ago when this bill was first considered, there were many, many 
fewer people using these social network services. This has two 
implications. First of all, there is a new way to notify people 
online. It is no longer necessary to talk just about a website 
but also a social network presence. It also means that there is 
a new risk in data collection that needs to consider the 
growing significance of social network services. And finally, I 
might mention that text messaging has become a very effective 
way to notify people about things that might concern them 
regarding security. We propose in our testimony that where 
possible, text messaging be used as a supplement to the other 
notification procedures including mail and e-mail.
    So thank you again for the chance to testify and I would be 
pleased to answer your questions.
    [The prepared statement of Mr. Rotenberg follows:]

    Mr. Rush. The chair now recognizes Mr. Boback for 5 


    Mr. Boback. Chairman Rush, Ranking Member Radanovich and 
distinguished members of the committee, I thank you for giving 
us the opportunity to testify here today.
    As many of you discussed in your opening statements the 
security risks associated with peer-to-peer, our company, 
Tiversa, which I am the CEO of, has unique insight on this in 
that Tiversa has the unique technology that allows us to span 
out globally to see all information that is occurring on all 
the peer-to-peer clients, so it is just a Lime Wire or a Kazaa 
or a BearShare, it is everyone, all encompassing, and we see it 
in real time. So therefore this provides us a great insight to 
provide information to the committee here today.
    This information that we are finding is very sensitive. 
There are security measures. I commend the Honorable Ms. Bono 
Mack for bringing this here today. The reason why is that many 
security professionals around the world in high-ranking 
positions in corporations in the United States and abroad 
aren't even aware of this, so again, for her insight to bring 
this to the committee and bring 1319 forward, it is very 
important, because, again, the awareness is still not where it 
needs to be. For instance, in the last 60 days, despite the 
measures that have been taken by the peer-to-peer clients, 
despite which I also admit are improving, Lime Wire is 
improving its protocols to decrease the amount of breaches that 
have happened, but in the last 60 days Tiversa has downloaded 
breaches in the amount of 3,908,000 breaches, individual 
breaches in the last 60 days. I find it very important that 
2221 and 1319 are actually discussed on the same day. The 
reason why is, this is where breaches are happening. As Mr. 
Gingrey of Georgia called out, obviously we all saw the Wall 
Street Journal article April 21st about the Joint Strike 
fighter. It wasn't reported in the Wall Street Journal, this 
was peer-to-peer. The information unfortunately is still on the 
peer-to-peer. This was discovered in January 2005. We 
discovered it. We reported it to the DOD. It is still here. It 
is still out there. It has never been remediated. Awareness is 
not where it needs to be. Oversight is not where it needs to be 
in order to address these problems. That is the type of 
national security ends.
    Now, there are also the consumer ends. From Tiversa, we 
process 1.6 billion searches per day every day. Google is about 
1.7 billion per day, so we were about nine times what Google is 
processing on a daily basis. In those searches we are able to 
see what the users are looking for around the world, and in 
those searches we see people searching for your financial 
records. They are not looking to apply for a credit card. They 
are not looking for health insurance. They are looking for your 
health insurance because they want to quickly go online and buy 
online pharmaceuticals using your medical insurance card as 
medical identity theft. No credit monitoring will stop that. 
They want to get your Social Security number filed with your 
tax return. We did a study with the Today show showing that in 
that instant 275,000 tax returns were found in one search on 
the peer-to-peer, so a minimum of 275,000 Social Security 
numbers on one time. Now, we have done other searches where it 
has been over half a million on one time and yet I would also 
strongly urge the FTC that on the website where it would 
identify to users that this information is coming from the 
peer-to-peer, there is not one mention of peer-to-peer on where 
are they getting your information. Nine million victims every 
year of identity theft and the number one mention on the FTC's 
website is dumpster diving. It doesn't add up. The numbers 
don't add up to dumpster diving. Consumers are not aware of 
this problem, not from a national security standpoint. 
Executives don't know it. Security executives do not know this 
problem. Consumers aren't aware of this problem. They need to 
know that their information is out there and it is being sought 
after on an enormous scale such that even in our research in 
the last few months we have had a 60 percent increase in 
searches for information that will lead to identity theft and 
fraud. This is a serious growing problem that consumers again 
are not aware of, so we applaud 2221 for a national breach. I 
will tell you that as we find these breaches, these 3,900,000 
breaches, as we can we return the information and alert the 
companies to the breach. Again, we do it out of our duty of 
care policy. There are no strings attached to that.
    I will tell you that there are thousands of cases that our 
employees have provided to users, to companies nationwide that 
they completely disregard the breach. Many of those are 
actually cited in my written testimony, so you would think that 
you are safe if you do not use peer-to-peer. Well, I will show 
you in the written testimony there are users out there that all 
they did was go to the hospital and they provided their 
information there and now that is one of the things, so 
individuals need to have an identity theft protection service 
as well as a national breach notification such as 2121, and I 
thank you for the opportunity and welcome questions.
    [The prepared statement of Mr. Boback follows:]

    Mr. Rush. Thank you very much. Now the chairman recognizes 
Mr. Sydnor. Mr. Sydnor, you are recognized for 5 minutes for 
opening statement.


    Mr. Sydnor. Thank you, Chairman Rush, Ranking Member 
Radanovich and members of the subcommittee. My name is Thomas 
Sydnor and I am a senior fellow at the Progress and Freedom 
Foundation. I am here speaking today on my own behalf, and I am 
also the author of two studies on the causes of inadvertent 
file sharing, File-Sharing Programs and Technological Features 
to Induce Users to Share, published by the United States Patent 
and Trademark Office, and Inadvertent File Sharing Revisited, 
published by the Progress and Freedom Foundation, and I am here 
today to testify in support of H.R. 1319, the Informed Peer-to-
Peer User Act.
    Mr. Rush. Mr. Sydnor, would you please excuse me just for a 
moment? I want to alert the members that there is a little over 
5 minutes for a vote, a three-series vote. There are three 
votes in the series, and that will be the last votes of the 
day. So if members want to leave to go and vote after this 
witness completes his opening statement, then the chair will 
recess the committee and reconvene at the conclusion of this 
series of votes. So we would ask that the members please return 
promptly so that we can complete the questioning of these 
witnesses and complete this hearing.
    Mr. Sydnor, would you please continue?
    Mr. Sydnor. Thank you, Mr. Chairman.
    I am testifying today in support of the bill because my 
written statement and my past published work on inadvertent 
sharing I think shows that in the past we have tried to rely on 
voluntary self-regulation and it has failed. Voluntary self-
regulation should be an incredibly important part of our 
technology policy and for that reason it must be taken 
seriously. Unfortunately, in the context of distributors of 
file-sharing programs used mostly for unlawful purposes, it 
has been tried, voluntary self-regulation. It has failed 
miserably in the past, and I can report that it is failing 
again right now.
    I want to consider just as an example the file-sharing 
program Lime Wire 5. The DCIA has hailed Lime Wire 5 as the 
gold standard for the implementation of its new voluntary best 
practices, and Lime Wire itself as a result of this hearing 
generated great publicity for itself by telling Congress that 
at long last Lime Wire 5 put the final nail in the coffin of 
inadvertent sharing of sensitive files, and the program is that 
last statement is not even arguably correct, and to show why, I 
want you to consider a hypothetical based upon the recent 
reports from Today Investigates showing that in New York State 
alone researchers could find over 150,000 inadvertently shared 
tax returns. The report also showed the real-world consequences 
of inadvertent sharing by profiling the Bucci family, who had 
their tax returns stolen by an identity thief because they had 
inadvertently shared their tax returns because their preteen 
daughters were using a file-sharing program reported to be Lime 
Wire. But the real problem in such a case is that a tax return 
is really only the tip of the iceberg. Such episodes usually 
occurring mean that a family is sharing all of its personal 
data file stored on the family computer. All the parents' work 
and personal documents, scans of legal, medical and financial 
records, scanned documents providing identifying information 
about the family's children, all of the family's digital 
photos, all of its home videos, entire music collection, 
probably thousands of files.
    Now, consider two families that have been affected by this 
type of catastrophic inadvertent file sharing, and just assume 
it was caused by an earlier version of Lime Wire. Consider what 
happens if they upgrade to Lime Wire 5. One family doesn't know 
they have a problem. They are unaware that a problem exists but 
they hear reports like Lime Wire 5 has ensured the complete 
lockdown of the safety and security of Lime Wire users and so 
they upgrade to Lime Wire 5. Will that correct their 
inadvertent sharing of sensitive documents problem? It will 
not. By default, simply by being installed, the family will 
continue to share documents that are by any reasonable 
definition sensitive. They will continue to share the family 
photo collection. They will continue to share scanned legal, 
medical and financial records, perhaps even tax returns, 
continue to share data about their children. They will continue 
to share all their home videos. They will continue to share 
their entire music collection. So they will continue to be 
exposed to the full range of risks: identity theft, data on 
their children getting into the hands of the pedophiles that 
use their networks, and the risk of a lawsuit.
    Now, the other family does know their problem. They detect 
it and they resolve it by uninstalling Lime Wire, remove it 
from their computer. So this family actually has put the final 
nail in the coffin of their inadvertent file-sharing problem 
but they hear about Lime Wire, the kids reinstall it because 
now it is completely secure. What will happen? By default, 
simply by being installed, that program will revive, will call 
back from the dead the family's inadvertent file-sharing 
problem. It will automatically begin re-sharing all the data 
files that were shared before except for some types simply by 
being installed. That is not acceptable behavior, it is not 
acceptable practice, and I think it indicates why the committee 
should be commended for its work on H.R. 1319. Thank you.
    [The prepared statement of Mr. Sydnor follows:]

    Mr. Rush. The chair thanks this witness and all the 
witnesses. Now the chair will ask that this committee stand in 
recess until such time as we return from a series of three 
votes. I would ask the witnesses if you please would wait so 
that the members can come back and ask questions. Thank you so 
much. The committee is in recess.
    Mr. Rush. The hearing will now come to order. The chair 
recognizes himself for 5 minutes for the purposes of 
questioning the witnesses.
    I would like to start out with some very simple questions 
to get on the record how the witness may view the legislation 
we are contemplating today. I will ask each and every one of 
you if you would just answer with a yes or no if you can, and 
if not, give me a very brief explanation of your answer. So my 
first question is with regard to H.R. 1319, do you support the 
legislation in its current form? If not, do you support the 
intent of the bill with revisions? And my second question, do you 
support H.R. 2221 as it is currently drafted? If not, do you 
support the intent of the bill with some revisions? I will 
start with Mrs. Harrington.
    Ms. Harrington. The Federal Trade Commission strongly 
supports the intent of both bills. We would like to continue 
working with committee staff on revisions to each but we are 
very--and we are particularly supportive of the enforcement 
authority and tools that both bills give the FTC of civil 
penalty authority.
    Mr. Rush. Thank you.
    Mr. Sohn?
    Mr. Sohn. CDT has significant reservations about H.R. 1319 
as drafted but we certainly support the intent. We do think it 
may be tricky to figure out the drafting details but we are 
certainly happy to work with the committee on that. On H.R. 
2221, we generally do support the bill as drafted. There are 
some modifications we have suggested and we absolutely support 
the intent.
    Mr. Rush. Thank you.
    Mr. Holleyman?
    Mr. Holleyman. I actually agree fully with Mr. Sohn's 
comment that we support the intent of both bills. We have some 
recommendations in our written testimony. I believe strongly 
that action is needed. I think it may be more difficult to make 
some of the definitions in 1319 but we are certainly eager to work 
with the committee to ensure the intent is fulfilled.
    Mr. Rush. Mr. Lafferty?
    Mr. Lafferty. I will just speak to 1319. We absolutely 
support the intent of the bill, the clear, conspicuous notice 
and the informed consent for very important file-sharing 
modalities that could have major impact on consumers. We just 
don't think it can be legislated. We have worked hard to try to 
come up with suggestions for a redraft and it is very difficult 
to get the language not to reach out and touch other kinds of 
technologies and future software applications that would be 
impacted and disadvantage U.S. firms from overseas competitors. 
So we support the intent but not the language.
    Mr. Rush. Mr. Pratt?
    Mr. Pratt. The CDIA has no position on H.R. 1319. With 
regard to H.R. 2221, we certainly support the intent. We have 
outlined in our written testimony the range of suggestions 
about how we could align the bills with other federal laws and 
if we could accomplish that goal, I think we would feel more 
comfortable with the final work product. Thank you.
    Mr. Rush. Thank you.
    Mr. Rotenberg. Mr. Chairman, we do support the intent of 
H.R. 2221 and generally support the legislation as drafted. We 
have a number of suggestions in our testimony for how to 
strengthen it.
    With respect to 1319, we don't have a position for or 
against the bill. With respect to the intent behind 1319, we 
think it may be possible to get to some of the concerns 
regarding security through other legislation but we would 
certainly be happy to work with the committee to see how it can 
be accomplished.
    Mr. Rush. Mr. Boback?
    Mr. Boback. Mr. Chairman, we strongly support both 2221 as 
well as 1319 in clearly raising awareness and providing some 
responsibility and structure to a very needed process both on 
the peer-to-peer as well as just federal data breach 
    Mr. Sydnor. Mr. Chairman, I will confine my comments to 
H.R. 1319. Yes, absolutely strongly support the intent of the 
bill. I am aware that there are legitimate concerns about 
making sure that we don't necessarily sweep in entirely--
potentially entirely legitimate uses of peer-to-peer technology 
and would be happy to continue to work with the committee and 
anyone else to try to get to a place where everyone is 
    Mr. Rush. The chair thanks the witnesses. The chair's time 
is concluded. The chair now recognizes Ms. Bono Mack from 
California for 5 minutes for questioning.
    Ms. Bono Mack. I thank the chairman and our panelists also 
for your time today.
    Mr. Lafferty, I would like to read to you a bolded warning 
in the user guide on the Lime Wire website entitled ``Using 
Lime Wire and P2P software safely.'' The warning states, and I 
quote, ``Please ensure that any folder on your computer that 
contains personal information is not included in your Lime Wire 
library.'' So tell me, Mr. Lafferty, if I were to complete a 
default installation of Lime Wire 5.1.2, what files and folders 
will the mere installation of the program include in my Lime 
Wire library?
    Mr. Lafferty. With Lime Wire 5 and later versions of Lime 
Wire, sensitive file types, which are a large number of 
extensions of files to protect your spreadsheets, your Word 
documents, PDFs, things that might have sensitive data, are 
unshared by default. So I would completely refute the testimony 
of Tom Sydnor earlier. It just isn't true. When you--neither 
example that he gave with the family that kept--just upgraded 
the version or the one that uninstalled it and reinstalled it, 
in both cases all the sensitive file types are unshared by 
default. It is over. They are no longer accessed or shared. To 
re-share any of those files, you would have to individually 
take the file and go through--ignore several warnings to put 
those individual files into the mode where they could be shared 
and then be asked whether you want to share that with specific 
friends or the network at large. So Lime Wire 5 has done away 
with the concept of shared folders really and now it is a file-
    Ms. Bono Mack. There are specific warnings? What do they 
say? And it is not--it is still actually sort of an inherent 
default. You have little boxes that come up. I believe there 
are four different boxes that are there. And one does say my 
documents, so you just that that could be an Excel spreadsheet 
which in fact would probably be saved under a my documents 
folder, would it not?
    Mr. Lafferty. If you chose to put the my documents folder 
into a shared mode, it would still--
    Ms. Bono Mack. Is that the default for an Excel spreadsheet 
for the standard user?
    Mr. Lafferty. I don't understand the question.
    Ms. Bono Mack. Where is a default Excel spreadsheet saved 
on your computer, on your hard drive? Is it not necessarily 
defaulted to my documents?
    Mr. Lafferty. It is probably different for every person, 
but the point is--
    Ms. Bono Mack. Probably different? What is the default? 
Where does--Mr. Sydnor, perhaps you have the answer to that.
    Mr. Lafferty. It doesn't really matter where it is that. 
That file type won't be shared.
    Ms. Bono Mack. How could it not matter? With all due 
respect, how could it not matter where it is? That is the root 
of the whole problem here.
    Mr. Lafferty. Because it won't be shared.
    Ms. Bono Mack. Unless you check simply one of the four--
    Mr. Lafferty. Unless you choose that individual file if it 
has that Excel spreadsheet.
    Ms. Bono Mack. That individual file?
    Mr. Lafferty. Individual file, correct.
    Ms. Bono Mack. Mr. Sydnor, do you care to comment on that?
    Mr. Sydnor. Yes. That is not quite an accurate statement 
about how the Lime Wire my library feature works. My library in 
Lime Wire 5 basically is the set of documents that are going to 
be managed in Lime Wire and thereby that set of documents is 
going to be much easier to share because they are going to be 
in the library and there will be a button to click to share 
them, and that is why Lime Wire users' guide has the warning 
that you read, please ensure that any folder in your computer 
that contains personal information is not included in your Lime 
Wire library. Now, by default when you install Lime Wire 5.1, 
and I did it last night again, the default option is to have 
Lime Wire put all the files stored in your my documents folder 
and all of its subfolders into the Lime Wire library. That 
alone will not share them but it will make them available for 
sharing and much easier to share and therefore the behavior of 
the program is simply not consistent with the advice in the users' 
guide. As to my testimony earlier, it was quite correct. The 
difference--the reason I think we are getting confused is, when 
I say sensitive files, I mean files that would actually be 
sensitive to share over a network like Gnutella so you have, 
for example, scans of your family medical records and tax 
returns, those can be stored in image file formats often and 
those will be shared by default, and if you upgrade to Lime 
Wire 5, it will continue to share those file types if you were 
sharing them before, and if you install Lime Wire 5 on your 
computer and a previous version of Lime Wire has ever been 
there, then it will automatically begin re-sharing files that 
were shared previously. So simply installing the program can 
indeed resume sharing of files even if you are installing on a 
computer where there is no version of Lime Wire currently 
installed. I am correct about that. I reran the test again this 
morning before the hearing.
    Ms. Bono Mack. Thank you. I know my time is expired and I 
hope we have a second round. Thank you, Mr. Chairman.
    Mr. Rush. The chair intends to have a second round. The 
chair now recognizes the gentleman from Georgia, Mr. Barrow, 
for 5 minutes.
    Mr. Barrow. I thank the chair. I want to try and get my 
arms around the inadequacy of the current situation and talk 
about what it is this legislation proposes to do in order to 
try and alter the situation for the better.
    Ms. Harrington, am I correct in understanding that there 
are very limited tools available to the FTC right now to deal 
with this issue, that basically the only option you have under 
current law is to initiate a specific enforcement action 
against somebody, a fact-specific action based on a specific 
instance and that basically you are pretty much limited to, is 
it adjunctive proceedings? Is that about the extent of it?
    Ms. Harrington. That is right.
    Mr. Barrow. No civil penalties whatsoever?
    Ms. Harrington. No civil penalties.
    Mr. Barrow. No rulemaking authority, no prescribing of 
proper procedures or best practices, you just have to go after 
individual cases and all you can do is tell folks to stop doing 
what they are doing when you prove that they have done it?
    Ms. Harrington. The rulemaking authority available to the 
Commission is under the Magnuson-Moss amendments to the FTC 
Act and those are laborious and take a very long time, the 
procedures to use.
    Mr. Barrow. So what we are proposing to give the FTC under 
1319 would give you all some authority you don't have right 
now. Are the civil penalties helpful to you all in trying to 
bring some order to this situation?
    Ms. Harrington. There are two things that are helpful. 
Civil penalty authority is very helpful, and also to the extent 
that some practices in these very fact-specific situations 
might be injurious but neither deceptive nor unfair, then 
having additional statutory authority is very helpful.
    Mr. Barrow. Earlier on in the testimony, we heard some 
folks raise some issues about the international end of things. 
We all know we are connected to a worldwide web and that any 
effective regulation of this marketplace in our country is 
going to involve dealings with folks who can cross the 
boundaries in cyberspace pretty much at will. What was your 
concern, if not the extraterritoriality of the law, the 
extraterritorial effect of us being able to regulate this? How 
do you think we can address that supposed shortcoming of us 
attempting to regulate this on our own shores?
    Ms. Harrington. Well, first of all, the subcommittee was 
instrumental in giving the Commission additional authority 
under the U.S. Safe Web Act, which we used to get information 
about overseas targets and to enlist help from other 
governments and that is very useful. But that said, if there 
are overseas software providers who are making available file-
sharing software that is injurious to U.S. consumers, we can 
certainly assert our jurisdiction over those practices that 
occur within the United States but we may not be able to reach 
the purveyors if they are in other countries and particularly 
in countries that aren't particularly interested in helping 
    One of the things that we are very concerned about is that 
the dominant players in this industry, which are in the United 
States, do the best thing and the right thing and we think that 
setting some legislative standards such as the ones that are 
set forth in the bill would really help. We want the U.S. 
players to be the best players so that they continue to be the 
dominant players and the ones that consumers can use with some 
    Mr. Barrow. The impression I get from what you are saying, 
this is how I hear what you are saying, is that if we police 
the marketplace where everybody shops, we don't have to worry 
about the marketplace where very few people shop or hardly 
anybody goes. Is that a fair way of putting it?
    Ms. Harrington. Well, we certainly should police the 
marketplace where everybody stops if that marketplace is 
subject to our jurisdiction.
    Mr. Barrow. But the high-volume users, the ones that have 
the lion's share of the market, if we can make sure that what 
they are doing is right and appropriate and folks who trade at 
these places will not have to worry about losing their stuff, 
we don't have to worry quite so much about those areas that 
might be hard to reach. Why strain at a gnat and swallow an 
elephant in the process.
    Ms. Harrington. You know, that is certainly the intention. 
There is always a risk that overseas operators can gain in 
market share in the United States by doing--you know, by 
gaining some sort of competitive advantage over the regulated 
entities in our marketplace but, you know, that is not a worry 
right now that is keeping me awake at night.
    Mr. Barrow. I will wait for a second round, Mr. Chairman. 
Thank you, ma'am.
    Mr. Rush. Thank you.
    The chair now recognizes the gentleman from Louisiana, Mr. 
Scalise, for 5 minutes.
    Mr. Scalise. Thank you, Mr. Chairman. Really I can open 
this up to the whole panel on H.R. 1319. Do you think this will 
help prevent illegal use of peer-to-peer software including 
stealing personal records, copyright violations and things like 
sharing child pornography?
    Ms. Harrington. I think it will help under some 
circumstances and under others we need more. The data security 
bill actually could be very helpful here too because, as I 
mentioned in my oral statement, there are really three 
scenarios where sensitive information is shared. One is when 
consumers don't know, don't understand, and this bill will 
hopefully go a long way I think there. It is not going to help 
when the problem is malware, and it is not going to help when 
the problem is a business that has not prohibited and barred 
from its system and its computers file-sharing software and it 
is not going to help if the problem is that an employee of a 
company takes sensitive information home and puts it on his or 
her computer and that computer has file-sharing software or 
malware on it that extracts that, so it is going to go a long 
way to help in scenario one.
    Mr. Scalise. Anybody else want to touch on that?
    Mr. Sohn. I will just say I do think the intent and the 
focus of the bill is certainly on the inadvertent disclosure so 
that the privacy-related concerns, I think that would be the 
main impact and is the main thrust of the bill.
    Mr. Scalise. Let me ask about the data breaches that have 
occurred, I think FTC had dealt with it, the largest one I have 
seen, the TJX, which I think initial estimates were about 45 
million Visa/MasterCard records were breached. Ultimately it 
turned out somewhere close to 100 million were breached, and 
you all had brought charges against them, and subsequently 
other companies. Is there now an industry standard for data 
protection? What is your feeling on where we are today versus 
some of those cases a few years ago?
    Ms. Harrington. Well, there are certainly well-established 
good practices that in the cases that we have brought were not 
followed. For example, you know, downloading available patches, 
preventing against well-known attacks and kinds of attacks are 
well-settled, you know, necessary practices. They are not even 
best practices. They are necessary. And those companies did not 
follow those practices.
    Mr. Scalise. Anybody else want to add anything to that? We 
are getting into now an area of moving towards electronic 
medical records. There was some funding language in the 
stimulus bill to start going down that road more as people's 
health information gets put on the Web more and more. What kind 
of protections are there today, what kind do we need, whether 
it is in either these two bills or another vehicle to protect 
people's health records as they become available on the 
Internet so that they are only available to the doctors who 
need to be reviewing them?
    Ms. Harrington. Well, the Recovery Act also directed both 
the FTC and the Department of Health and Human Services to do 
rulemaking to set standards for breach notification when 
consumers' sensitive health information is placed at risk. The 
FTC, as I mentioned, has just issued a proposed rule dealing 
with personal health records and other non-HIPAA-covered 
entities that may have this sensitive information to set breach 
notification standards and we are continuing also to work with 
HHS to do a report that is due back to Congress in a year on 
these issues.
    Mr. Scalise. Any of you all doing any work on that issue? 
Mr. Boback?
    Mr. Boback. I would like to also comment on that. There are 
no standards as far as peer-to-peer notifications. There are no 
standards as far as peer-to-peer security measures. In fact, 
most companies don't even have any standards on peer-to-peer. 
When asked, most corporations, large and scale, what 
information they are doing about peer-to-peer, most people, if 
they respond at all will say that they are blocking peer-to-
peer and that they have a policy against it. That is the extent 
of it. And I will tell you that--or they will say that they 
have a firewall or an encryption of which nothing--firewall 
does not stop peer-to-peer, encryption does not stop peer-to-
peer. Intrusion prevention detection and all the standard 
security measures do not stop peer-to-peer disclosures from 
happening, which is why in the past 60 days we have had, you 
know, almost 4 million disclosures of this type via peer-to-
peer because there are just no standards.
    Mr. Scalise. And finally Mr. Holleyman.
    Mr. Holleyman. Mr. Scalise, we believe that the incentives 
that are in Chairman Rush's bill that would encourage a 
marketplace to grow for companies who hold sensitive data to 
use proper security technologies to make that information 
inaccessible to anyone who might actually breach it, that those 
market-based incentives are a great supplement to the 
enforcement authority that the bill would give. So we think the 
two together can be effective.
    Mr. Scalise. Thanks. I yield back, Mr. Chairman.
    Mr. Rush. The chair intends to engage the members of the 
committee in a second round of questioning and we will allow 
each member an additional 2 minutes for the second round of 
questioning. The chair recognizes himself now for the second 
round and allocates 2 minutes for the purposes of questioning.
    Mr. Rotenberg and Mr. Sohn, is the definition of personal 
information under H.R. 2221, is it adequate in terms of data 
security? The bill only addresses financial information. Should 
we also consider requiring companies to secure sensitive 
information such as medical information or password numbers or 
et cetera? I mean, should we expand the definition of personal 
    Mr. Sohn. Well, the bill has several different components, 
and I think for purposes of the breach notification component, 
the definition there is fairly close to what has been done in a 
lot of the States and it reflects a lot of what has been common 
in the data breach notification area. I think for purposes of 
something like security standards, asking companies to have 
reasonable procedures in place to protect data, there is no 
reason to restrict it to the rather narrow set of data that is 
in the definition of personal information now because what is 
currently in the bill only applies--it is not just name and 
address and some other information. There actually has to be 
either a Social Security number or a financial account number 
plus password or a driver's license number, something like 
that. So I do think that the bill might consider using a 
broader definition of personal information for some purposes 
and the narrower definition for others.
    Mr. Rotenberg. Mr. Chairman, in my written statement I made 
a suggestion on this issue of personal information. I do think 
it is appropriate to have a broader standard and also to 
recognize that some of the personal identifiers nowadays aren't 
just limited, for example, to a Social Security number or 
driver's license number. There are other types of personal 
identifiers like a Facebook member number or even the IP 
address associated with your computer that needs to be 
incorporated as well. So I think those changes can be made both 
to get to more circumstances where the bill should reach and 
also new types of identifiers.
    Mr. Rush. The chair thanks the witnesses. Now the chair 
recognizes the gentlelady from California for 2 minutes for 
additional questions.
    Ms. Bono Mack. I thank the chair for the second round.
    Mr. Holleyman, you testified that the P2P bill would cover 
more than just the illegitimate purpose software. You 
identified a number of legitimate uses of P2P software such as 
bicoastal collaboration on projects. I think you actually 
mentioned Palm Springs to Chicago airports collaborating. So 
this is of course when used correctly beneficial use of P2P 
software. So we all agree that this technology can be extremely 
helpful but if such programs are covered by H.R. 1319, what is 
the harm? How is notice and consent an issue? Back to the Palm 
Springs-Chicago, yes, I can see them collaborating on plans but 
I don't think they necessarily want to collaborate on payroll 
numbers and the like. So how is notice and consent an issue in 
this case?
    Mr. Holleyman. Ms. Bono Mack, our sense is that there is a 
rapid growth in the legitimate uses of P2P, and that it will 
become a de facto part of how we use technology that most 
people will want to use. So our sense is as that part of the 
market grows, we want to ensure that the legislation doesn't 
overreach to get into things which all of us would generally 
agree would not necessarily need--an initial notice that that 
is there is fine but the process of how you would then disable 
that needs to be clarified.
    Ms. Bono Mack. Which is growing faster, illegitimate or 
legitimate uses?
    Mr. Holleyman. I think our sense as technologists is--and I 
am not a technologist, I play one on TV, but not as 
technologists but our engineers and our companies believe that 
legitimate purposes of peer-to-peer in the next 10 years will 
certainly grow much faster than the illegitimate ones.
    Ms. Bono Mack. In the next 10 years, quickly in 10 seconds, 
Mr. Boback, which has grown faster, legitimate or illegitimate 
    Mr. Boback. I will tell you that legitimate uses are now 
emerging so while there is still a growth at this point because 
the awareness is still decreased and there is not enough 
awareness as to the problem, the legitimate uses and the 
distribution content is an absolute must going forward. So I am 
a supporter of peer-to-peer, however, the security measures 
just as in the early stages of the World Wide Web need to be 
addressed as in your bill 1319.
    Ms. Bono Mack. Thank you.
    Mr. Rush. The chair now recognizes the gentleman from 
    Mr. Barrow. I thank the chair. I think Ms. Bono Mack is 
getting to the heart of the issue on the peer-to-peer 
legislation. If I could reframe the issue, we want to fix what 
is broke with this system. There is stuff out there that is 
inside this legislation's definition of peer-to-peer file-
sharing program that is malicious. There is stuff out there 
that is inside this definition that is perfectly benign.
    Mr. Holleyman and Mr. Sohn, I am going to pitch this one in 
you all's direction. How would you all define what we are 
getting at in such a way as to stop the bad stuff and allow all 
the other stuff to continue without having to have a 
proliferation of warnings and opt-outs that basically hobble 
this technology before it can even get started? Take a shot at 
how you would define this in order to be able to reach the 
stuff you want to reach.
    Mr. Holleyman. I will start on that, Mr. Barrow. In our 
testimony, we have actually listed five ways in which we would 
modify the definition in the bill and believe that if those 
types of changes are made, that that would be useful and would 
help preserve the intent of the bill including looking at the 
type of purposes that peer-to-peer file-sharing program is 
typically used for, going at many of those things like 
copyright infringements, which are a huge source of concern 
    Mr. Barrow. Is that an effective way of defining it though 
so that the regulators can get at what is going on?
    Mr. Holleyman. We actually think that the regulators 
would--their hand would be strengthened by more precision in 
the definition rather than the breadth that is in there 
    Mr. Barrow. Mr. Sohn, what do you think?
    Mr. Sohn. I also set forth in my testimony some ideas on 
that point of how you might make this more narrow and apply to 
what we think of as file-sharing software. I agree with Mr. 
Lafferty's testimony that the key here really isn't peer-to-
peer. Peer-to-peer is a kind of architecture. It is really 
about file-sharing functions that could enable documents and 
other kinds of files on a user's local computer to be made 
available to third parties, you know, in bulk and third parties 
that haven't been selected or aren't even known to the user and 
so we propose four bullet points of items that we think could 
be in the definition but it tends to focus on that, the ability 
to share files with unknown parties with no intervening action 
or knowledge or selection by the user in terms of who that file 
will be shared with.
    Mr. Barrow. Mr. Chairman, my time is expired but I would 
like to ask the witnesses to go beyond that and actually be 
prepared to work with counsel and us to see if we can actually 
come up with some concrete language to accomplish this. Thank 
you. I yield the mic.
    Mr. Rush. The chair now recognizes the gentleman from 
Louisiana for an additional 2 minutes.
    Mr. Scalise. Thank you again, Mr. Chairman.
    These two bills might not necessarily be the vehicles for 
it but they might. It has been a problem for years, especially 
with identity theft getting worse with so many documents and 
authenticators that use Social Security numbers that require 
Social Security numbers to be used or documents that are public 
record that still require people to use Social Security 
numbers. A number of States have gone on their own and tried to 
ferret those out and prohibit Social Security numbers on public 
documents but it is not universal. There is no real standard 
still. I think there was standalone legislation, it might have 
been in the last Congress, that really didn't go anywhere but 
there is a way that we can have some kind of standard to 
protect people's Social Security numbers so that they are not 
required for certain documents or authenticators so that they 
are not so easily obtainable by third parties that are trying 
to take them for bad purposes? I will start it off with Ms. 
Harrington and anybody else that wants to take a shot.
    Ms. Harrington. Well, as part of the President's identity 
theft task force work that we have been engaged in, there are 
a couple of important initiatives that we are supporting. One, 
the task force brought about a government-wide examination of 
government uses of Social Security numbers with the goal of 
minimizing to circumstances where the number is absolutely 
essential, federal government agencies' use of Social Security 
numbers, and I think a lot of progress has been made in the 
government on that. Number two, the FTC as part of the identity 
theft task force work convened a workshop and has continued to 
work on the question of authentication and how better 
authentication procedures and technologies can be developed so 
that something like the ubiquitous Social Security number is no 
longer needed. But there are lots of commercial settings right 
now where both consumers and businesses benefit from the use of 
Social Security numbers and may need them, and until we have 
much better authentication measures available, it is a very 
tough question to answer what to use instead of Social Security 
numbers. For example, consumers have really benefited in many 
instances from being able to quickly get a loan to get a car. 
That whole credit reporting system depends on Social Security 
numbers, and you know, we need a replacement but we don't have 
one yet.
    Mr. Scalise. And at least in the government sector where we 
can set up a mechanism where people aren't required to have it 
on a document that is public record because--
    Ms. Harrington. Right.
    Mr. Scalise. --clearly in the government arena, there are 
records that are public and some of those records require a 
Social Security number, which obviously poses big, big security 
breach problems that have been documented. In this legislation, 
if there is a way to maybe try to address that, I don't want to 
interfere with the chairman or Ms. Bono Mack's bill but if 
there is a way we can do something that doesn't necessarily 
cause other problems on the other side we can try to address a 
narrow part of that problem.
    Mr. Rush. The gentleman's time is expired.
    Mr. Scalise. Thank you.
    Mr. Rush. The chair really just wants to again thank the 
witnesses. We have imposed on your time pretty significantly 
this afternoon and we certainly are appreciative of the fact 
that you have allowed us to do that and you have been a great 
panel. If you would be so kind, we want to keep the record open 
for at least 72 hours until there might be members of the 
subcommittee who will in writing ask questions and if you would 
respond in writing within 72 hours, the chair would certainly 
appreciate that.
    So thank you so very much again and you have really done 
this subcommittee quite a great service. The hearing now stands 
    [Whereupon, at 4:45 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]