[Senate Hearing 111-1040]
[From the U.S. Government Publishing Office]



                                                       S. Hrg. 111-1040
 
                      S. 3742, THE DATA SECURITY 
                  AND BREACH NOTIFICATION ACT OF 2010

=======================================================================

                                HEARING

                               before the

   SUBCOMMITTEE ON CONSUMER PROTECTION, PRODUCT SAFETY, AND INSURANCE

                                 of the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 22, 2010

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation


                  U.S. GOVERNMENT PRINTING OFFICE
67-687                    WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].  


       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

            JOHN D. ROCKEFELLER IV, West Virginia, Chairman
DANIEL K. INOUYE, Hawaii             KAY BAILEY HUTCHISON, Texas, Ranking
JOHN F. KERRY, Massachusetts         OLYMPIA J. SNOWE, Maine
BYRON L. DORGAN, North Dakota        JOHN ENSIGN, Nevada
BARBARA BOXER, California            JIM DeMINT, South Carolina
BILL NELSON, Florida                 JOHN THUNE, South Dakota
MARIA CANTWELL, Washington           ROGER F. WICKER, Mississippi
FRANK R. LAUTENBERG, New Jersey      GEORGE S. LeMIEUX, Florida
MARK PRYOR, Arkansas                 JOHNNY ISAKSON, Georgia
CLAIRE McCASKILL, Missouri           DAVID VITTER, Louisiana
AMY KLOBUCHAR, Minnesota             SAM BROWNBACK, Kansas
TOM UDALL, New Mexico                MIKE JOHANNS, Nebraska
MARK WARNER, Virginia
MARK BEGICH, Alaska
                    Ellen L. Doneski, Staff Director
                   James Reid, Deputy Staff Director
                   Bruce H. Andrews, General Counsel
                 Ann Begeman, Republican Staff Director
             Brian M. Hendricks, Republican General Counsel
                  Nick Rossi, Republican Chief Counsel
                                 ------                                

   SUBCOMMITTEE ON CONSUMER PROTECTION, PRODUCT SAFETY, AND INSURANCE

MARK PRYOR, Arkansas, Chairman       ROGER F. WICKER, Mississippi, Ranking
BYRON L. DORGAN, North Dakota        OLYMPIA J. SNOWE, Maine
BARBARA BOXER, California            JIM DeMINT, South Carolina
BILL NELSON, Florida                 JOHN THUNE, South Dakota
CLAIRE McCASKILL, Missouri           JOHNNY ISAKSON, Georgia
AMY KLOBUCHAR, Minnesota             DAVID VITTER, Louisiana
TOM UDALL, New Mexico


                            C O N T E N T S

                              ----------                              
Hearing held on September 22, 2010
Statement of Senator Pryor
Statement of Senator Wicker
Statement of Senator Klobuchar

                               Witnesses

Maneesha Mithal, Associate Director of the Division of Privacy 
  and Identity Protection, Federal Trade Commission
    Prepared statement
Mark Bregman, Chief Technology Officer, Symantec Corporation on 
  Behalf of Symantec Corporation and TechAmerica
    Prepared statement
Ioana Rusu, Policy Counsel, Consumers Union
    Prepared statement
Stuart K. Pratt, President and CEO, Consumer Data Industry 
  Association
    Prepared statement
Melissa Bianchi, Hogan Lovells U.S. LLP, on Behalf of the 
  American Hospital Association
    Prepared statement

                                Appendix

Hon. John D. Rockefeller IV, prepared statement
Confidentiality Coalition, prepared statement
Response to written questions submitted by Hon. Mark Pryor to:
    Maneesha Mithal
    Ioana Rusu
    Stuart K. Pratt
    Melissa Bianchi
Letter, dated December 7, 2010 to Senator Roger Wicker, from 
  Stuart K. Pratt, Consumer Data Industry Association


                      S. 3742, THE DATA SECURITY 
                  AND BREACH NOTIFICATION ACT OF 2010

                              ----------                              


                     WEDNESDAY, SEPTEMBER 22, 2010

                               U.S. Senate,
      Subcommittee on Consumer Protection, Product 
                             Safety, and Insurance,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:33 p.m. in 
room SR-253, Russell Senate Office Building, Hon. Mark Pryor, 
presiding.

             OPENING STATEMENT OF HON. MARK PRYOR, 
                   U.S. SENATOR FROM ARKANSAS

    Senator Pryor. I'll go ahead and call us to order here. I 
want to thank everyone for being here today on this hearing on 
S. 3742, the Data Security and Breach Notification Act of 2010. 
I know we have a couple of Senators that are on the way, 
whether literally or figuratively, but they'll be here shortly. 
So I think what I will do is go ahead and do my opening 
statement, and if they want to make opening statements when 
they come that would be great, or we'll jump right into 
statements and questions.
    But let me go ahead and start today, to say that the 
Privacy Rights Clearinghouse recently estimated that since 2005 
a half billion sensitive records have been breached. So I think 
that is worth repeating: The Privacy Rights Clearinghouse 
recently estimated that since 2005 a half billion sensitive 
records have been breached.
    The TJMaxx case is one of the more high profile cases, but 
the truth is, even though that one did involve 45 million 
names, credit cards, driver's license information, et cetera, 
there are a slew of other examples of entities large and small 
who've had these data breaches. In fact, just recently in 
Arkansas an employee of one of our State universities 
inadvertently released personal information on more than 2,000 
university employees to a list of nearly 150 individuals.
    So obviously this is an issue that touches all of us. 
Studies have shown the average victim of identity theft pays 
between $400 and $880 and devotes between 400 and 300 hours to 
remedy problems due to identity theft. Just think about someone 
spending 40 hours trying to fix this. That's an entire week's 
worth of work that they could be working, could be productive, 
could be with their families or whatever else they're doing, 
but they're fooling around with this thing because someone has 
stolen their identity.
    This has become such a problem, and my sense is the current 
state of the law is not sufficient to handle it. I think we 
need to do more. As we all know, data security breaches can 
lead to identity theft and other types of fraud. They say each 
year--and I'm not quite sure how solid this statistic is, but 
they say each year approximately 9 million Americans have their 
identities stolen.
    So if their information is compromised due to inadequate 
security measures or insufficient safeguards, those entities 
responsible should be held accountable and should notify 
customers when a breach has occurred. If a customer's personal 
information falls into the wrong hands, it's only fair that 
companies be expected to give quick warning to affected 
consumers.
    So I've drafted a bill along with Senator Rockefeller that 
we filed on August 5 of this year. It's S. 3742, the Data 
Security and Breach Notification Act of 2010. It will require 
entities that own or possess data containing personal 
information to establish reasonable security policies and 
procedures to protect that data. If a security breach occurs, 
entities would have to notify each individual whose information 
was acquired or accessed as a result of the breach within 60 
days.
    Affected consumers would be entitled to receive consumer 
credit reports and credit monitoring services for 2 years, as 
well as instructions on how to request these services.
    As a former attorney general, I'm very comfortable with 
allowing the State AGs to protect their residents from harm and 
so my bill grants the State attorneys general important powers 
enabling them to do just that.
    Before I turn it over to our witnesses for their opening 
statements, I would like to thank the Chairman for his 
steadfast support of the bill. He and I have worked closely on 
this, and I look forward to continuing those conversations. I 
also want to thank Chairman Inouye, who graciously allowed me 
to pick up this issue and to carry it forward. Finally, I want 
to thank my friends on the House side, including Congressmen 
Rush and Stearns, for their hard work on this issue. The House 
passed by voice vote last December a companion measure which 
we've used as some of our base text here, and I think that one 
of the good things about the Commerce Committee is we have a 
record of working across the aisle and down the hall with the 
House as well. So I just want to let my Republican colleagues 
know that I look forward to the dialogue and look forward to 
working on this and trying to get this to a fairly rapid 
conclusion. I'm certainly receptive to more input and 
suggestions.
    Again, I want to thank the Chairman for this opportunity to 
take the lead on this very critical matter.
    So what I thought we would do here is, when Senator Wicker 
comes we'll ask him if he wants to give an opening statement. I 
know he's in another committee tied up right now, but I think 
he's on his way at some point.
    Also what I'd like to do is just go ahead and introduce our 
witnesses very quickly and try to introduce everybody. What I'd 
like to ask everyone to do is limit your opening statements to 
5 minutes if possible, and we'll make your written statement 
part of the record and then we'll dive in and ask questions.
    So I guess in the order--I guess you guys are lined up in 
the order that we have you listed here. So why don't we first 
go with Maneesha Mithal. She's the Associate Director, Division 
of Privacy and Identity Protection, Bureau of Consumer 
Protection, Federal Trade Commission.
    Then we'll have: Mr. Mark Bregman, Chief Technology Officer 
of Symantec, and on behalf of TechAmerica; and then Ms. Ioana 
Rusu, Policy Counsel, Consumers Union; and then Mr. Stuart 
Pratt. He's President, Consumer Data Industry Association. And 
then Ms. Melissa Bianchi. Am I getting that right?
    Ms. Bianchi. Yes.
    Senator Pryor. American Hospital Association. And I guess 
you're with a law firm, Hogan Lovells; is that right?
    Ms. Bianchi. Yes.
    Senator Pryor. On behalf of the American Hospital 
Association.
    So, Ms. Mithal, why don't we start with you, and we'll just 
try to do 5 minutes and then we'll just go from there. Go 
ahead. Thank you.

    STATEMENT OF MANEESHA MITHAL, ASSOCIATE DIRECTOR OF THE 
  DIVISION OF PRIVACY AND IDENTITY PROTECTION, FEDERAL TRADE 
                           COMMISSION

    Ms. Mithal. Thank you, Mr. Chairman. My name is Maneesha 
Mithal and I'm an Associate Director at the Federal Trade 
Commission, and I'm delighted to be here today to talk about 
our data security program and also to provide comments on S. 
3742.
    The FTC promotes data security through law enforcement, 
education, and policy initiatives. On the law enforcement 
front, we've brought 29 cases against businesses that failed to 
safeguard consumers' personal information. Let me give you a 
couple of recent examples.
    First, we sued Rite-Aid because they disposed of sensitive 
health, financial, and employee information into open 
dumpsters. We alleged that they didn't implement reasonable 
security to dispose of this information.
    Second, we sued the social media service Twitter for, among 
other things, failing to require its employees to use strong 
passwords. Because of its security failures, a hacker was able 
to use a simple automated password-guessing tool to access 
employee accounts and send fake tweets.
    Third, we sued LifeLock for inadequate data security. 
LifeLock sold consumers an identity theft protection service. 
You may recall LifeLock's ads, which prominently displayed the 
CEO's real Social Security number to show how confident he was 
in LifeLock's service. As it turns out, the CEO later became a 
victim of identity theft. Despite the fact that LifeLock 
collected Social Security numbers from consumers, it didn't 
maintain reasonable security for them.
    In each of these cases, the Commission's orders required 
the companies to maintain reasonable security and to get 
periodic independent audits of their security practices.
    In addition to law enforcement, we've launched educational 
campaigns directed to consumers on how to avoid identity theft 
and what to do if they become victims. We've released general 
data security guidance for businesses and we've also created 
business education materials on specific topics. For example, 
earlier this year, we sent letters notifying several entities 
that customer information from their computers had been made 
available through P2P file sharing networks. In the letter we 
included educational materials about the risks associated with 
P2P file sharing and companies' obligations to protect consumer 
and employee information from these risks.
    Finally, we engage in policymaking efforts to promote data 
security and stay abreast of new issues in this area. For 
example, over the past several months, the FTC has hosted three 
privacy roundtables to explore consumer privacy issues. 
Panelists discussed the impact of new technologies, such as 
cloud computing and mobile services, on data security. The 
Commission staff expects to issue a report on the roundtables 
later this year.
    Let me now turn to our legislative recommendations. We 
strongly support the goals of S. 3742. In particular, we 
support the general requirement to maintain reasonable 
security, the requirement to provide notice to consumers when 
their information is breached, and the grant of civil penalty 
authority to the FTC. We also support the provisions giving 
State attorneys general authority to sue companies for 
violations of the bill.
    In addition, S. 3742 contains specific provisions governing 
data brokers, including provisions giving consumers the right 
to access data that data brokers have about them. The 
Commission believes these provisions can help to alleviate 
concerns raised at our privacy roundtables about the 
invisibility of practices of the data broker industry.
    On a related note, just today, the Commission announced a 
case against a data broker named US Search. This company had a 
public-facing search engine that allowed consumers to search 
for information about other consumers. The company allowed 
consumers to opt out of having their information appear in 
search results for a fee of $10. Although 4,000 consumers opted 
out of the service, their names still appeared in search 
results. The Commission's settlement with the company requires 
US Search to disclose limitations on its opt-out and to refund 
consumers who had previously opted out.
    Although the Commission has used its authority under the 
FTC Act to sue data brokers, S. 3742's data broker provisions 
would give the Commission additional authority in this area.
    Finally, let me provide some comments about the scope of 
the bill. We're pleased that it covers nonprofits, as many of 
the security breaches we've heard about in the past several 
years involve universities and other nonprofits. We believe the 
bill should also apply to telecom common carriers, many of 
which maintain significant quantities of personal information.
    In addition, we'd like to see the bill's breach 
notification provisions apply to paper as well as electronic 
records. Many cases we've seen, including the Rite-Aid case I 
mentioned earlier, involved inadequate security for paper 
records, which could cause significant harm to consumers.
    We look forward to working with this committee as the bill 
moves forward. I thank you, Mr. Chairman. I'd be happy to 
answer any questions.
    [The prepared statement of Ms. Mithal follows:]

   Prepared Statement of Maneesha Mithal, Associate Director of the 
 Division of Privacy and Identity Protection, Federal Trade Commission
I. Introduction
    Chairman Pryor, Ranking Member Wicker, and members of the 
Subcommittee, I am Maneesha Mithal, Associate Director of the Division 
of Privacy and Identity Protection at the Federal Trade Commission 
(``FTC'' or ``Commission''). I appreciate the opportunity to present 
the Commission's testimony on data security and to provide the 
Commission's thoughts on legislation in this area.\1\
---------------------------------------------------------------------------
    \1\ This written statement represents the views of the Federal 
Trade Commission. My oral presentation and responses are my own and do 
not necessarily reflect the views of the Commission or of any 
Commissioner.
---------------------------------------------------------------------------
    As the Nation's consumer protection agency, the FTC is committed to 
protecting consumer privacy and promoting data security in the private 
sector. Data security is of critical importance to consumers. If 
companies do not protect the personal information they collect and 
store, that information could fall into the wrong hands, resulting in 
fraud and other harm, and consumers could lose confidence in the 
marketplace. Accordingly, the Commission has undertaken substantial 
efforts to promote data security in the private sector through law 
enforcement, education, and policy initiatives. The Commission's 
testimony begins by describing these initiatives. It also sets forth 
the Commission's support of the proposed data security legislation 
introduced by Chairman Pryor and Chairman Rockefeller along with 
certain recommendations on the legislation.

II. The Commission's Data Security Program

A. Law Enforcement
    To promote data security through law enforcement, the Commission 
brings enforcement actions against businesses that fail to implement 
reasonable security measures to protect consumer data. The FTC enforces 
several laws and rules imposing data security requirements. The 
Commission's Safeguards Rule under the Gramm-Leach-Bliley Act (``GLB 
Act''), for example, provides data security requirements for financial 
institutions.\2\ The Fair Credit Reporting Act (``FCRA'') requires 
consumer reporting agencies to use reasonable procedures to ensure that 
the entities to which they disclose sensitive consumer information have 
a permissible purpose for receiving that information,\3\ and imposes 
safe disposal obligations on entities that maintain consumer report 
information.\4\ In addition, the Commission enforces the FTC Act's 
proscription against unfair or deceptive acts or practices \5\ in cases 
where a business makes false or misleading claims about its data 
security procedures, or where its failure to employ reasonable security 
measures causes or is likely to cause substantial consumer injury.
---------------------------------------------------------------------------
    \2\ 16 CFR Part 314, implementing 15 U.S.C. § 6801(b). The Federal 
Deposit Insurance Corporation, National Credit Union Administration, 
Securities and Exchange Commission, Office of the Comptroller of the 
Currency, Board of Governors of the Federal Reserve System, Office of 
Thrift Supervision, Secretary of the Treasury, and state insurance 
authorities have promulgated comparable safeguards requirements for the 
entities they regulate.
    \3\ 15 U.S.C. § 1681e.
    \4\ Id. at § 1681w. The FTC's implementing rule is at 16 CFR Part 
682.
    \5\ 15 U.S.C. § 45(a).
---------------------------------------------------------------------------
    Since 2001, the Commission has used its authority under these laws 
to bring 29 cases against businesses that allegedly failed to protect 
consumers' personal information appropriately.\6\ These cases 
illustrate several general principles.
---------------------------------------------------------------------------
    \6\ See In re Rite Aid Corp., FTC File No. 072-3121 (July 27, 2010) 
(consent approved subject to public comment); In re Twitter, Inc., FTC 
File No. 092-3093 (June 24, 2010) (consent approved subject to public 
comment); Dave & Buster's, Inc., FTC Docket No. C-4291 (May 20, 2010) 
(consent order); FTC v. LifeLock, Inc., No. 2:10-cv-00530-NVW (D. Ariz. 
Mar. 15, 2010) (stipulated order); United States v. ChoicePoint, Inc., 
No. 1:06-CV-0198-JTC (N.D. Ga. Oct. 14, 2009) (stipulated order); In re 
James B. Nutter & Company, FTC Docket No. C-4258 (June 12, 2009) 
(consent order); United States v. Rental Research Servs., No. 0:09-CV-
00524 (D. Minn. Mar. 6, 2009) (stipulated order); FTC v. Navone, No. 
2:08-CV-001842 (D. Nev. Dec. 29, 2009) (stipulated order); United 
States v. ValueClick, Inc., No. 2:08-CV-01711 (C.D. Cal. Mar. 13, 2008) 
(stipulated order); United States v. American United Mortgage, No. 
1:07-CV-07064 (N.D. Ill. Dec. 18, 2007) (stipulated order); In re CVS 
Caremark Corp., FTC Docket No. C-4259 (Jun. 18, 2009) (consent order); 
In re Genica Corp., FTC Docket No. C-4252 (Mar. 16, 2009) (consent 
order); In re Premier Capital Lending, Inc., FTC Docket No. C-4241 
(Dec. 10, 2008) (consent order); In re The TJX Cos., FTC Docket No. C-
4227 (July 29, 2008) (consent order); In re Reed Elsevier Inc., FTC 
Docket No. C-4226 (July 29, 2008) (consent order); In re Life is good, 
Inc., FTC Docket No. C-4218 (Apr. 16, 2008) (consent order); In re Goal 
Fin., LLC, FTC Docket No. C-4216 (Apr. 9, 2008) (consent order); In re 
Guidance Software, Inc., FTC Docket No. C-4187 (Mar. 30, 2007) (consent 
order); In re CardSystems Solutions, Inc., FTC Docket No. C-4168 (Sept. 
5, 2006) (consent order); In re Nations Title Agency, Inc., FTC Docket 
No. C-4161 (June 19, 2006) (consent order); In re DSW, Inc., FTC Docket 
No. C-4157 (Mar. 7, 2006) (consent order); In re Superior Mortgage 
Corp., FTC Docket No. C-4153 (Dec. 14, 2005) (consent order); In re 
BJ's Wholesale Club, Inc., FTC Docket No. C-4148 (Sept. 20, 2005) 
(consent order); In re Nationwide Mortgage Group, Inc., FTC Docket No. 
C-9319 (Apr. 12, 2005) (consent order); In re Petco Animal Supplies, 
Inc., FTC Docket No. C-4133 (Mar. 4, 2005) (consent order); In re 
Sunbelt Lending Servs., Inc., FTC Docket No. C-4129 (Jan. 3, 2005) 
(consent order); In re MTS Inc., d/b/a Tower Records/Books/Video, FTC 
Docket No. C-4110 (May 28, 2004) (consent order); In re Guess?, Inc., 
FTC Docket No. C-4091 (July 30, 2003) (consent order); In re Microsoft 
Corp., FTC Docket No. C-4069 (Dec. 20, 2002) (consent order).
---------------------------------------------------------------------------
    First, businesses that make claims about data security should be 
sure that they are accurate. The Commission has brought several cases 
against companies that allegedly misrepresented their own security 
procedures. A recent example is our action against LifeLock, in which 
the Commission challenged the company's claims that it took stringent 
security measures to protect consumer data and that it encrypted such 
data.\7\ The FTC charged that LifeLock's data was in fact not encrypted 
and that its data system was vulnerable and could have been exploited 
by identity thieves or others seeking access to customer information. 
Similarly, in actions against Microsoft,\8\ Petco,\9\ Tower 
Records,\10\ Life is good,\11\ and Premier Capital Lending,\12\ the FTC 
challenged claims on the companies' websites that each had strong 
security procedures in place to protect consumer information. In these 
cases the FTC alleged that, contrary to their claims, the companies did 
not employ many of the most basic security measures.
---------------------------------------------------------------------------
    \7\ FTC v. LifeLock, Inc., No. 2:10-cv-00530-NVW (D. Ariz. Mar. 15, 
2010) (stipulated order).
    \8\ In re Microsoft Corp., FTC Docket No. C-4069 (Dec. 20, 2002) 
(consent order).
    \9\ In re Petco Animal Supplies, Inc., FTC Docket No. C-4133 (Mar. 
4, 2005) (consent order).
    \10\ In re MTS Inc., d/b/a Tower Records/Books/Video, FTC Docket 
No. C-4110 (May 28, 2004) (consent order).
    \11\ In re Life is good, Inc., FTC Docket No. C-4218 (Apr. 16, 
2008) (consent order).
    \12\ In re Premier Capital Lending, Inc., FTC Docket No. C-4241 
(Dec. 10, 2008) (consent order).
---------------------------------------------------------------------------
    Second, businesses should protect against well-known, common 
technology threats. In a number of cases, the Commission has alleged 
that companies failed to protect their customer information from a 
simple and well-known type of attack--an SQL injection--designed to 
install hacker tools on the companies' computer networks.\13\ Most 
recently, the Commission announced its first data security case against 
social networking company Twitter, alleging that it failed to implement 
simple measures to counteract basic technology threats. For example, 
the Commission alleged that the company failed to require strong 
administrative passwords and to suspend passwords after a reasonable 
number of log-in attempts, and further alleged that this failure 
resulted in a hacker being able to use a simple automated password-
guessing tool to gain administrative control of Twitter.
---------------------------------------------------------------------------
    \13\ See, e.g., In re Genica Corp., FTC Docket No. C-4252 (Mar. 16, 
2009) (consent order); In re Guidance Software, Inc., FTC Docket No. C-
4187 (Mar. 30, 2007) (consent order).
---------------------------------------------------------------------------
    Third, businesses must know with whom they are sharing customers' 
sensitive information. One of the Commission's most well-known security 
cases involved ChoicePoint, a data broker that sold 160,000 consumer 
files to identity thieves posing as clients. In its complaint, the 
Commission alleged that ChoicePoint lacked reasonable procedures to 
verify the legitimacy of its customers.\14\ In settling the case, 
ChoicePoint agreed to pay $10 million in civil penalties for alleged 
violations of the FCRA and $5 million in consumer redress for identity 
theft victims. The company also agreed to undertake substantial new 
data security measures. Last year, the Commission charged that the 
company violated the earlier court order and obtained a stipulated 
modified order under which ChoicePoint agreed to expand its data 
security obligations and pay penalties in the amount of $275,000.\15\
---------------------------------------------------------------------------
    \14\ United States v. ChoicePoint, Inc., No. 1:06-CV-0198 (N.D. Ga. 
Feb. 15, 2006) (stipulated order).
    \15\ United States v. ChoicePoint, Inc., No. 1:06-CV-0198-JTC (N.D. 
Ga. Oct. 14, 2009) (stipulated order).
---------------------------------------------------------------------------
    Fourth, businesses should not retain sensitive consumer information 
that they do not need. In cases against BJ's Warehouse,\16\ DSW Shoe 
Warehouse,\17\ and CardSystems Solutions,\18\ for example, the 
Commission alleged that the companies stored unencrypted, full magnetic 
stripe information on payment cards \19\ unnecessarily--long after the 
time of the transaction, when the companies no longer had a business 
need for the information. The Commission further alleged that, as a 
result, when thieves gained access to the companies' systems, they were 
able to obtain hundreds of thousands--in some cases millions--of credit 
card numbers and security codes.
---------------------------------------------------------------------------
    \16\ In re BJ's Wholesale Club, Inc., FTC Docket No. C-4148 (Sep. 
20, 2005) (consent order).
    \17\ In re DSW, Inc., FTC Docket No. C-4157 (Mar. 7, 2006) (consent 
order).
    \18\ In re CardSystems Solutions, Inc., FTC Docket No. C-4168 (Sep. 
5, 2006) (consent order).
    \19\ Magnetic stripe information is particularly sensitive because 
it can be used to create counterfeit credit and debit cards that appear 
genuine in the authorization process.
---------------------------------------------------------------------------
    Finally, businesses should dispose of sensitive consumer 
information properly. The Commission's most recent data security case 
against Rite Aid illustrates this principle.\20\ In that case, the 
Commission alleged that Rite Aid failed to implement reasonable and 
appropriate procedures for handling personal information about 
customers and job applicants, particularly with respect to its 
practices for disposing of such information. The FTC's action followed 
media reports that Rite Aid pharmacies across the country were throwing 
pharmacy labels and employment applications into open dumpsters. The 
FTC coordinated its investigation and settlement with the Department of 
Health and Human Services (``HHS''), which investigated Rite Aid's 
handling of health information under the Health Insurance Portability 
and Accountability Act. Under its settlement order with the FTC, Rite 
Aid agreed to establish a comprehensive information security program 
and obtain biennial audits of this program for the next 20 years. HHS 
announced a separate agreement with Rite Aid in which the company 
agreed to pay a $1 million fine.\21\
---------------------------------------------------------------------------
    \20\ See In re Rite Aid Corp., FTC File No. 072-3121 (July 27, 
2010) (consent approved subject to public comment).
    \21\ The FTC brought a similar case against CVS Caremark alleging 
that the company failed to properly dispose of sensitive customer and 
employee information. See In re CVS Caremark Corp., FTC Docket No. C-
4259 (Jun. 18, 2009) (consent order). The FTC also has brought cases 
involving mortgage companies' alleged improper disposal of sensitive 
customer financial information. See FTC v. Navone, No. 2:08-CV-001842 
(D. Nev. Dec. 29, 2009) (stipulated order); United States v. American 
United Mortgage, No. 1:07-CV-07064 (N.D. Ill. Dec. 18, 2007) 
(stipulated order).
---------------------------------------------------------------------------
    Some of the Commission's data security actions described above 
involve unfair or deceptive practices under the FTC Act, while others 
involve the GLB Act and related Safeguards Rule or the FCRA. Although 
the Commission brings its cases under different laws, all of its cases 
stand for the principle that companies must maintain reasonable and 
appropriate measures to protect sensitive consumer information.\22\
---------------------------------------------------------------------------
    \22\ The Commission recognizes that what is ``reasonable'' under 
these laws will depend on the size and complexity of the business, the 
nature and scope of its activities, and the sensitivity of the 
information at issue. The principle recognizes that there cannot be 
``perfect'' security, and that data breaches can occur even when a 
company maintains reasonable precautions to prevent them. At the same 
time, companies that put consumer data at risk can be liable even in 
the absence of a known breach.
---------------------------------------------------------------------------
B. Education
    The Commission also promotes better data security practices through 
extensive use of consumer and business education. On the consumer 
education front, the Commission sponsors OnGuard Online, a website 
designed to educate consumers about basic computer security.\23\ 
OnGuard Online was developed in partnership with other government 
agencies and the technology sector. Since its launch in 2005, OnGuard 
Online and its Spanish-language counterpart Alerta en Linea have 
attracted nearly 12 million unique visits.
---------------------------------------------------------------------------
    \23\ See www.onguardonline.gov.
---------------------------------------------------------------------------
    In addition, the Commission has engaged in wide-ranging efforts to 
educate consumers about identity theft, one of the harms that could 
result if their data is not adequately protected. For example, the 
FTC's identity theft primer \24\ and victim recovery guide \25\ are 
widely available in print and online. Since 2000, the Commission has 
distributed more than 10 million copies of the two publications, and 
recorded over 5 million visits to the Web versions. In addition, in 
February 2008, the U.S. Postal Service--in cooperation with the FTC--
sent copies of the Commission's identity theft consumer education 
materials to more than 146 million residences and businesses in the 
United States. Moreover, the Commission maintains a telephone hotline 
and dedicated website to assist identity theft victims and collect 
their complaints, through which approximately 20,000 consumers contact 
the FTC every week.
---------------------------------------------------------------------------
    \24\ Avoid ID Theft: Deter, Detect, Defend, available at http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt01.htm.
    \25\ Take Charge: Fighting Back Against Identity Theft, available at http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.htm.
---------------------------------------------------------------------------
    The Commission recognizes that its consumer education efforts can 
be even more effective if it partners with local businesses, community 
groups, and Members of Congress to educate their employees, 
communities, and constituencies. For example, the Commission has 
launched a nationwide identity theft education program, ``Avoid ID 
Theft: Deter, Detect, Defend,'' which contains a consumer education kit 
that includes direct-to-consumer brochures, training materials, 
presentation slides, and videos for use by such groups. The Commission 
has developed a second consumer education toolkit with everything an 
organization needs to host a ``Protect Your Identity Day.'' Since the 
campaign launch in 2006, the FTC has distributed nearly 110,000 
consumer education kits and over 100,000 Protect Your Identity Day 
kits.
    The Commission directs its outreach to businesses as well. The FTC 
widely disseminates its business guide on data security, along with an 
online tutorial based on the guide.\26\ These resources are designed to 
provide diverse businesses--and especially small businesses--with 
practical, concrete advice as they develop data security programs and 
plans for their companies.
---------------------------------------------------------------------------
    \26\ See www.ftc.gov/infosecurity.
---------------------------------------------------------------------------
    The Commission also has released articles for businesses relating 
to basic data security issues for a non-legal audience,\27\ which have 
been reprinted in newsletters for local Chambers of Commerce and other 
business organizations.
---------------------------------------------------------------------------
    \27\ See http://business.ftc.gov/privacy-and-security.
---------------------------------------------------------------------------
    The FTC also creates business educational materials on specific 
topics, often to address emerging issues. For example, earlier this 
year, the Commission sent letters notifying several dozen public and 
private entities--including businesses, schools, and local 
governments--that customer information from their computers had been 
made available on peer-to-peer (``P2P'') file sharing networks. The 
purpose of this campaign was to educate businesses and other entities 
about the risks associated with P2P file sharing programs and their 
obligations to protect consumer and employee information from these 
risks. As part of this initiative, the Commission developed a new 
business education brochure--Peer-to-Peer File Sharing: A Guide for 
Business.\28\
---------------------------------------------------------------------------
    \28\ See http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus46.shtm.
---------------------------------------------------------------------------
C. Policy
    The Commission's efforts to promote data security also include 
policy initiatives. Over the past several months, the FTC has convened 
three public roundtables to explore consumer privacy.\29\ Panelists at 
the roundtables repeatedly noted the importance of data security in 
protecting privacy. Many participants stated that companies should 
incorporate data security into their everyday business practices, 
particularly in today's technological age. For example, participants 
noted the increasing importance of data security in a world where cloud 
computing enables companies to collect and store vast amounts of data 
at little cost.\30\ In addition, participants noted that the falling 
cost of data storage enables companies to retain data for long periods 
of time, again at little cost. Even if old data is not valuable to a 
particular company, it could be highly valuable to an identity thief. 
This is one of the reasons why businesses should promptly and securely 
dispose of data for which they no longer have a business need.\31\
---------------------------------------------------------------------------
    \29\ See generally FTC Exploring Privacy web page, www.ftc.gov/bcp/workshops/privacyroundtables.
    \30\ See, e.g., Privacy Roundtable, Transcript of January 28, 2010, 
at 182, Remarks of Harriet Pearson, IBM (noting the importance of data 
security as an issue for new computing models, including cloud 
computing).
    \31\ See, e.g., Privacy Roundtable, Transcript of January 28, 2010, 
at 310, Remarks of Lee Tien, Electronic Frontier Foundation (``And 
having the opposite of data retention, data deletion as a policy, as a 
practice is something that, you know, really doesn't require any fancy 
new tools. It is just something that people could do, would be very 
cheap, and would mitigate a lot of privacy problems.''); Privacy 
Roundtable, Transcript of March 17, 2010, at 216, Remarks of Pam Dixon 
(supporting clear and specific data retention and use guidelines). The 
Commission has long supported this principle in its data security 
cases. Indeed, at least three of the Commission's data security cases--
against DSW Shoe Warehouse, BJ's Wholesale Club, and Card Systems--
involved allegations that companies violated data security laws by 
retaining magnetic stripe information from customer credit cards much 
longer than they had a business need to do so. Moreover, in disposing 
of certain sensitive information, such as credit reports, companies 
must do so securely. See FTC Disposal of Consumer Report Information 
and Records Rule, 16 CFR § 682 (2005).
---------------------------------------------------------------------------
    The Commission staff expect to issue a report later this year 
seeking comment on these and other topics. Among other things, the 
report will encourage companies to incorporate sound data security and 
data retention practices into their business models in a reasonable and 
cost-effective way.

III. Legislative Recommendations
    The Commission appreciates the opportunity to comment on the 
proposed legislation introduced by Chairman Pryor and Chairman 
Rockefeller. The Commission supports the goal of improving the security 
of consumer data. The proposed legislation contains several important 
components.
    First, it would require a broad array of companies to implement 
reasonable security policies and procedures, including both commercial 
and nonprofit entities. Problems with data security and breaches affect 
businesses and nonprofit organizations alike. Requiring reasonable 
security policies and procedures of this broad array of entities is a 
goal that the Commission strongly supports, as illustrated by its 
robust data security enforcement program described above.
    Second, it would require covered companies to notify consumers when 
there is a security breach. The Commission believes that notification 
in appropriate circumstances can be beneficial.\32\ Indeed, various 
states have already passed data breach notification laws which require 
companies to notify affected consumers in the event of a data breach. 
These laws have further increased public awareness of data security 
issues and related harms, as well as data security issues at specific 
companies.\33\ Breach notification at the Federal level would extend 
notification nationwide and accomplish similar goals.
---------------------------------------------------------------------------
    \32\ This recommendation is consistent with prior Commission 
recommendations. See Prepared Statement of the Federal Trade Commission 
Before the S. Comm. on Commerce, Science, and Transportation, 109th 
Cong. (Jun. 16, 2005), available at http://www.ftc.gov/os/2005/06/050616databreaches.pdf; 
Prepared Statement of the Federal Trade Commission Before the S. Comm. 
on Commerce, Trade, and Consumer Protection, 111th Cong. (May 5, 2009), 
available at http://www.ftc.gov/os/2009/05/P064504peertopeertestimony.pdf.
    \33\ See, e.g., Samuelson Law, Technology, & Public Policy Clinic, 
University of California-Berkeley School of Law, Security Breach 
Notification Laws: Views from Chief Security Officers (Dec. 2007), 
available at http://www.law.berkeley.edu/files/cso_study.pdf; Federal 
Trade Commission Report, Security in Numbers: SSNs and ID Theft (Dec. 
2008), available at http://www.ftc.gov/os/2008/12/P075414ssnreport.pdf.
---------------------------------------------------------------------------
    Third, the Commission learned from its privacy roundtables that 
data brokers often gather consumer data from a variety of sources, 
combine it, and use it for purposes that consumers may never have 
anticipated when it was collected. Given the invisibility of these 
practices, consumers are unaware of and thus unable to control them. If 
information from data brokers is inaccurate--for example, if a data 
broker provides inaccurate information to a business for purposes of 
verifying a job applicant's identity--consumers can be harmed by the 
lack of access to, and ability to correct, that information. The 
Commission believes that S. 3742's provisions on access can help to 
alleviate these concerns.
    At the same time, the Commission acknowledges that providing access 
can be costly, and that the right to suppress data rather than correct 
it may be sufficient in certain circumstances--if the data is used, for 
example, to make marketing decisions. The proposed rulemaking authority 
for the Commission will allow it to scale the legislative provisions on 
access, weighing its costs and benefits in particular circumstances.
    Finally, the Commission supports the legislation's robust 
enforcement provisions, which would: (1) give the FTC the authority to 
obtain civil penalties for violations \34\ and (2) give state attorneys 
general concurrent enforcement authority.\35\
---------------------------------------------------------------------------
    \34\ See supra at n. 32; see also Prepared Statement of the 
Federal Trade Commission Before the Subcomm. on Interstate Commerce, 
Trade, and Tourism of the S. Comm. on Commerce, Science, and 
Transportation Committee, 110th Cong. (Sep. 12, 2007), available at 
http://www.ftc.gov/os/testimony/070912reauthorizationtestimony.pdf; 
Prepared Statement of the Federal Trade Commission Before the S. Comm. 
on Commerce, Science, and Transportation, 110th Cong. (Apr. 10, 2007), 
available at http://www.ftc.gov/os/testimony/P040101FY2008BudgetandOngoingConsumerProtectionandCompetitionProgramsTestimonySenate04102007.pdf. 
These recommendations also were made in an April 2007 report released 
by the President's Identity Theft Task Force, which was co-chaired by 
the Attorney General and the FTC Chairman, as well as in a report on 
Social Security numbers released in December 2008. See The President's 
Identity Theft Task Force Report, Sep. 2008, available at 
http://idtheft.gov/reports/IDTReport2008.pdf; FTC Report, 
``Recommendations on Social Security Number Use in the Private 
Sector,'' (Dec. 2008), available at http://www.ftc.gov/opa/2008/12/ssnreport.shtm.
    \35\ See The President's Identity Theft Task Force, ``Combating 
Identity Theft: A Strategic Plan,'' (Apr. 2007), available at 
http://www.idtheft.gov/reports/StrategicPlan.pdf.
---------------------------------------------------------------------------
    The Commission has three main recommendations for the legislation 
at this time. First, it recommends that the provision requiring 
notification in the event of an information security breach not be 
limited to entities that possess data in electronic form, because the 
breach of sensitive data stored in paper format can be just as harmful 
to consumers.\36\ Second, as the proposed legislation is currently 
drafted, its requirements do not apply to telecommunications common 
carriers, many of which maintain significant quantities of highly 
personal information. The Commission believes that the legislation 
should cover these entities and that the Commission should have 
authority to enforce the legislation as to them. Third, the bill 
requires the Commission to establish a process for small businesses to 
request a waiver from having to provide free credit reports or credit 
monitoring to consumers following a breach. The Commission believes 
that such a business-by-business waiver process would be resource 
intensive for both the Commission and small businesses. Instead, the 
Commission suggests that the bill grant it rulemaking authority to 
determine circumstances under which the provision of free credit 
reports or credit monitoring may not be warranted.\37\ The Commission 
would be pleased to work with this Committee to address these issues.
---------------------------------------------------------------------------
    \36\ According to one survey, a significant number of breaches 
involve paper documents. See Ponemon Institute, Security of Paper 
Documents in the Workplace (Oct. 2008), available at 
http://www.ponemon.org/data-security. In addition, the Commission has 
brought several data security cases involving improper disposal of 
paper documents, including the Rite Aid case discussed above. The facts 
of these cases illustrate how breaches of sensitive data stored in 
paper format may create a serious potential for consumer harm.
    \37\ The Commission notes that, as drafted, S. 3742 would preempt 
state law. In light of this, the Commission encourages this Committee 
to closely examine relevant state law, such as state data breach 
notification laws, to ensure that any Federal legislation in this area 
continues to provide consumers with a high level of protection.
---------------------------------------------------------------------------
IV. Conclusion
    Thank you for the opportunity to provide the Commission's views on 
the topic of data security. We remain committed to promoting data 
security and look forward to continuing to work with you on this 
important issue.

    Senator Pryor. Mr. Bregman.

          STATEMENT OF MARK BREGMAN, CHIEF TECHNOLOGY
           OFFICER, SYMANTEC CORPORATION ON BEHALF OF
              SYMANTEC CORPORATION AND TechAmerica

    Mr. Bregman. Mr. Chairman, Ranking Member Wicker: I am Mark 
Bregman, Chief Technology Officer for Symantec Corporation. 
Thank you for inviting me to appear before you to discuss the 
Data Security and Breach Notification Act.
    As a global information security leader, Symantec welcomes 
the opportunity to provide our insights on this important 
legislation. Today I will also be testifying on behalf of 
TechAmerica, which is the technology industry's largest 
advocacy organization, representing over 1,500 member 
companies.
    Mr. Chairman, TechAmerica commends you and Chairman 
Rockefeller for your thoughtful leadership in addressing the 
pervasive threat of data breaches through the introduction of 
the Data Security and Breach Notification Act. Over the past 
few years, the frequency and severity of significant data 
breaches has increased dramatically, along with the costs of 
responding to such incidents. One survey estimates that between 
80 and 90 percent of Fortune 500 companies and government 
agencies have experienced security breaches.
    Additionally, as the Chairman mentioned in his opening 
remarks, the Privacy Rights Clearinghouse disclosed that over 
510 million records containing sensitive personal information 
have been exposed by data breaches since 2005.
    For organizations that possess critical information assets, 
such as customer data, intellectual property, and trade 
secrets, the risk of a data breach is now higher than ever 
before, especially for those organizations that store and 
manage large amounts of personal information. Not only can 
compromises result in the loss of personal data, they also 
undermine customer and institutional confidence. Breaches often 
lead to damage that is financially debilitating to 
organizations, while leaving consumers open to identity theft.
    The root causes of a data breach are of three main types: 
well-meaning insiders, targeted attacks, and malicious 
insiders. In fact, in many cases breaches are caused by a 
combination of these factors. For example, targeted attacks are 
often enabled inadvertently by well-meaning insiders who fail 
to comply with security policies.
    Company employees who inadvertently violate data security 
policies represent the largest population of data breaches. 
Other breaches are as a result of targeted attacks by organized 
crime, which are increasingly aimed at stealing information for 
the purposes of identity theft. Such attacks are often 
automated by using malicious code that can penetrate into an 
organization undetected and export data to remote hacker sites.
    TechAmerica believes that consumers should have the highest 
confidence that any personal information they share with 
government agencies or business entities will remain private 
and secure in a trusted environment. We have long advocated 
that Congress include three essential core elements in data 
security legislation. First of all, the scope should apply 
equally to government and private sector entities that collect, 
maintain, or sell significant numbers of records containing 
sensitive personal information. Second, implementing reasonable 
pre-breach security measures and risk assessments should be 
central to any legislation in order to minimize the likelihood 
of the breach. And third, encryption or other proven security 
measures that render data unreadable or unusable should be a 
key element to establish the risk-based threshold for 
notification.
    TechAmerica strongly supports the Data Security and Breach 
Notification Act. We believe that it's a well-considered piece 
of legislation on a very complex topic. The bill would 
establish a much-needed national law for all holders of 
sensitive personal information, requiring organizations to 
safeguard data and establish uniform notification mechanisms 
when a security breach presents a real risk of harm.
    In addition to protecting consumers, the bill provides a 
clear roadmap for compliance for nearly all businesses by 
requiring organizations to take common sense steps to protect 
personally identifiable information both at rest and in motion. 
This bill prudently promotes reasonable preventative security 
measures, practices, and policies in order to ensure that 
confidentiality and integrity of consumers' personally 
identifiable information is maintained.
    We commend the inclusion of a provision in the bill that 
provides a rebuttable presumption that loss of data has been 
rendered unusable, unreadable, or undecipherable through the 
use of encryption or other acceptable means should not be 
subject to the breach disclosure requirements.
    This is precisely the kind of roadmap to compliance that 
will reduce the burden on consumers and businesses while 
achieving the bill's goal of greater security.
    Finally, it's important to note that, through effective 
preemption, this legislation will unify and simplify the 
existing 46 State data breach laws now in effect, making the 
current patchwork of compliance efforts less burdensome and 
costly.
    In closing, TechAmerica urges Congress to act to enact a 
national data breach law this year.
    Thank you for considering the views of Symantec and 
TechAmerica on this important measure. I'd be happy to answer 
any questions.
    [The prepared statement of Mr. Bregman follows:]

     Prepared Statement of Mark Bregman, Chief Technology Officer, 
 Symantec Corporation on Behalf of Symantec Corporation and TechAmerica

Introduction
    Chairman Pryor, Ranking Member Wicker, members of the Committee, 
good afternoon. Thank you very much for the opportunity to testify here 
today. My name is Mark Bregman and I am the Chief Technology Officer at 
Symantec Corporation. I will be testifying here today on behalf of 
TechAmerica.
    Symantec \1\ is the world's information security leader with over 
25 years of experience in developing Internet security technology. 
Today we protect more people and businesses from more online threats 
than anyone in the world. Symantec's best-in-class Global Intelligence 
Network \2\ allows us to capture worldwide security intelligence data 
that gives us an unparalleled view of emerging cyber attack trends. We 
utilize over 240,000 attack sensors in 200 countries to track malicious 
activity 24 hours a day, 365 days a year. In short, if there is a class 
of threat on the Internet, Symantec knows about it.
---------------------------------------------------------------------------
    \1\ Symantec is a global leader in providing security, storage and 
systems management solutions to help consumers and organizations secure 
and manage their information-driven world. Our software and services 
protect against more risks at more points, more completely and 
efficiently, enabling confidence wherever information is used or 
stored. More information is available at www.symantec.com.
    \2\ Symantec has established some of the most comprehensive sources 
of Internet threat data in the world through the Symantec Global 
Intelligence Network. This network captures worldwide security 
intelligence data that gives Symantec analysts unparalleled sources of 
data to identify, analyze, deliver protection and provide informed 
commentary on emerging trends in attacks, malicious code activity, 
phishing, and spam. More than 240,000 sensors in 200+ countries monitor 
attack activity through a combination of Symantec products and services 
as well as additional third-party data sources.
---------------------------------------------------------------------------
    TechAmerica \3\ is the leading voice for the U.S. technology 
industry, which is the driving force behind productivity, growth and 
job creation in the United States, as well as the foundation of the 
global innovation economy. Representing approximately 1,500 member 
companies of all sizes, along with their millions of employees from the 
public and commercial sectors, TechAmerica is the industry's largest 
advocacy organization.
---------------------------------------------------------------------------
    \3\ TechAmerica is the technology industry's only grassroots-to-
global advocacy network, with offices in state capitals around the 
United States, Washington, D.C., Europe (Brussels) and Asia (Beijing). 
TechAmerica was formed by the merger of AeA (formerly the American 
Electronics Association), the Cyber Security Industry Alliance (CSIA), 
the Information Technology Association of America (ITAA) and the 
Government Electronics & Information Association (GEIA).
---------------------------------------------------------------------------
    Further, TechAmerica's CxO Council is the only advocacy group 
dedicated to ensuring the privacy, reliability and integrity of 
information systems through public policy, technology, education and 
awareness. The Council is led by CEOs of the world's top security 
providers who offer the technical expertise, depth and focus needed to 
encourage a better understanding of security issues. A comprehensive 
approach to ensuring the security and resilience of information systems 
is fundamental to global protection, national security and economic 
stability.

The Recent Proliferation of Data Breaches
    TechAmerica appreciates the opportunity to discuss the serious 
issue of data security. For organizations that have critical 
information assets such as customer data, intellectual property, trade 
secrets, and proprietary corporate data, the risk of a data breach is 
now higher than ever before. In fact, more electronic records were 
breached in 2008 than in the previous 4 years combined.\4\
---------------------------------------------------------------------------
    \4\ Verizon Business Risk Team, 2009 Data Breach Investigations 
Report.
---------------------------------------------------------------------------
    Identity theft continues to be a high-profile security issue. In a 
recent survey, 65 percent of U.S.-based poll respondents said that they 
were either ``very concerned'' or ``extremely concerned'' about 
identity theft.\5\ Furthermore, 100 percent of enterprise-level 
respondents surveyed for the Symantec State of Enterprise Security 
Report 2010 experienced loss or theft of data.\6\ The danger of data 
breaches is of particular importance for organizations that store and 
manage large amounts of personal information. Not only can compromises 
that result in the loss of personal data undermine customer and 
institutional confidence, result in costly damage to an organization's 
reputation, and result in identity theft that may be costly for 
individuals to recover from, they can also be financially debilitating 
to organizations.\7\ In 2009, the average cost per incident of a data 
breach in the United States was $6.75 million, which is slightly higher 
than the average for 2008. Considering that the average cost per 
incident has also been rising in recent years (having risen from $4.5 
million in 2005, for example), it is reasonable to assume that average 
costs will continue to rise in coming years. Reported costs of lost 
business ranged from $750,000 to $31 million.\8\
---------------------------------------------------------------------------
    \5\ http://arstechnica.com/security/news/2009/10/americans-fear-online-robberies-more-than-meatspace-muggings.ars.
    \6\ http://www.symantec.com/content/en/us/about/presskits/SES_report_Feb2010.pdf.
    \7\ http://www.wired.com/threatlevel/2009/11/pos?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29.
    \8\ http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf.
---------------------------------------------------------------------------
    Over the past several years, the frequency and severity of 
significant database security breaches has increased dramatically as 
well as the costs of responding to such incidents. One recent survey 
found that nearly 80 to 90 percent of Fortune 500 companies and 
government agencies have experienced security breaches. The stakes are 
high for consumers and getting higher all the time. Hardly a week 
passes without a news story about the theft of personal data from a 
computer database of a major company or organization. According to the 
Privacy Rights Clearinghouse, since 2005, over 365 million records 
containing sensitive personal information have been exposed by database 
breaches at companies and organizations that keep such information.
    The Identity Theft Resource Center (ITRC) reports that the number 
of personal records--data such as Social Security numbers, medical 
records and credit card information tied to an individual--that hackers 
exposed has skyrocketed to 220 million records in 2009, compared with 
35 million in 2008. That represents the largest collection of lost data 
on record. Symantec's 2010 Internet Security Threat Report also found 
that 60 percent of the data records exposed were compromised as a 
result of hacking, up from 22 percent in 2008.

Why Data Breaches Happen
    While the continuing onslaught of data breaches is well documented, 
what is far less understood is why data breaches happen and what can be 
done to prevent them. In order to prevent a data breach, it is 
essential to understand why they occur. Third-party research into the 
root causes of data breaches, gathered from the Verizon Business Risk 
Team \9\ and the Open Security Foundation,\10\ reveals three main 
types: well-meaning insiders, targeted attacks, and malicious insiders. 
In many cases, breaches are caused by a combination of these factors. 
For example, targeted attacks are often enabled inadvertently by well-
meaning insiders who fail to comply with security policies, which can 
lead to a breach.\11\
---------------------------------------------------------------------------
    \9\ Ibid.
    \10\ http://datalossdb.org/
    \11\ Verizon Business Risk Team, op. cit.
---------------------------------------------------------------------------
Well-Meaning Insiders
    Company employees who inadvertently violate data security policies 
represent the largest population of data breaches. According to the 
Verizon report, 67 percent of breaches in 2008 were aided by 
``significant errors'' on the part of well-meaning insiders.\12\ In a 
2008 survey of 43 organizations that had experienced a data breach, the 
Ponemon Institute found that over 88 percent of all cases involved 
incidents resulting from insider negligence.\13\ An analysis of 
breaches caused by well-meaning insiders yields five main types:
---------------------------------------------------------------------------
    \12\ Ibid.
    \13\ Ponemon Institute, 2008 Annual Study: Cost of a Data Breach, 
February 2009.
---------------------------------------------------------------------------

   Data exposed on servers and desktops. Daily proliferation of 
        sensitive information on unprotected servers, desktops, and 
        laptops is the natural result of a highly productive workforce. 
        Perhaps the most common type of data breach occurs when well-
        meaning insiders, unaware of corporate data security policies, 
        store, send, or copy sensitive information unencrypted. In the 
        event a hacker gains access to a network, confidential files 
        stored or used without encryption are vulnerable and can be 
        captured by hackers. As a result of data proliferation, most 
        organizations today have no way of knowing how much sensitive 
        data exists on their systems. Systems that held data the 
        organization did not know was stored on them accounted for 38 
        percent of all breaches in 2008--and 67 percent of the records 
        breached.\14\
---------------------------------------------------------------------------
    \14\ Verizon Business Risk Team, op. cit.

   Lost or stolen laptops. The 2008 Ponemon Institute study 
        found that lost laptops were the top cause of data breaches, 
        representing 35 percent of organizations polled.\15\ In a 
        typical large enterprise, missing laptops are a weekly 
        occurrence. Even when such cases do not result in identity 
        theft, data breach disclosure laws make lost laptops a source 
        of public embarrassment and considerable expense.
---------------------------------------------------------------------------
    \15\ Ponemon Institute, op. cit.

   E-mail, web mail, and removable devices. Risk assessments 
        performed by Symantec for prospective customers show that on 
        average approximately one in every 400 e-mail messages contains 
        unencrypted confidential data.\16\ Such network transmissions 
        create significant risk of data loss. In a typical scenario, an 
        employee sends confidential data to a home e-mail account or 
        copies it to a memory stick or CD/DVD for weekend work. In this 
        scenario, the data is exposed to attack both during 
        transmission and on the potentially unprotected home system or 
        removable media device.
---------------------------------------------------------------------------
    \16\ Symantec Data Loss Prevention Risk Assessments.

   Third-party data loss incidents. Business relationships with 
        third-party business partners and vendors often require the 
        exchange of confidential information such as with a 401(k) 
        plan, outsourced payment processing, supply chain order 
        management, and many other types of operational data. When data 
        sharing is overly extensive or when partners fail to enforce 
        data security policies, the risk of data breaches increases. 
        The Verizon report implicated business partners in 32 percent 
        of all data breaches.\17\
---------------------------------------------------------------------------
    \17\ Verizon Business Risk Team, op. cit.

   Automated business processes. One reason for proliferation 
        of confidential data is that inappropriate or out-of-date 
        business processes automatically distribute such data to 
        unauthorized individuals or unprotected systems, where it can 
        be easily captured by hackers or stolen by malicious insiders. 
        Onsite risk assessments by Symantec find that in nearly half of 
        these cases, outdated or unauthorized business processes are to 
        blame for exposing sensitive data on a routine basis.

Targeted Attacks
    In today's connected world--where data is everywhere and the 
perimeter can be anywhere--protecting information assets from 
sophisticated hacking techniques is an extremely tough challenge. 
Driven by the rising tide of organized cyber-crime, targeted attacks 
are increasingly aimed at stealing information for the purpose of 
identity theft. More than 90 percent of records breached in 2008 
involved groups identified by law enforcement as organized crime.\18\ 
Such attacks are often automated by using malicious code that can 
penetrate into an organization undetected and export data to remote 
hacker sites.
---------------------------------------------------------------------------
    \18\ Ibid.
---------------------------------------------------------------------------
    What makes large scale data breaches so dangerous is that modern 
organized crime has developed efficient mechanisms for the sale and 
widespread distribution of large quantities of identities and personal 
financial information. In 2008, Symantec created more than 1.6 million 
new malicious code signatures--more than in the previous 17 years 
combined--and blocked on average 245 million attempted malicious code 
attacks worldwide per month.\19\ Measured by records compromised, by 
far the most frequent types of hacker attacks in 2008 were unauthorized 
access using default or shared credentials, improperly constrained 
access control lists (ACLs), and Structured Query Language (SQL) 
injection attacks.\20\ In addition, 90 percent of lost records were 
attributed to the deployment of malware.\21\ The first phase of the 
attack, the initial incursion, is typically perpetrated in one of four 
ways:
---------------------------------------------------------------------------
    \19\ Symantec Internet Security Threat Report XIV.
    \20\ Verizon Business Risk Team, op. cit.
    \21\ Ibid.

   System vulnerabilities. Many times laptops, desktops and 
        servers do not have the latest security patches deployed, which 
        creates a gap in an overall security posture. Gaps or system 
        vulnerabilities can also be created by improper computer or 
        security configurations. Cybercriminals search for and exploit 
        these weaknesses in order to gain access to the corporate 
        network and confidential information.

   Improper credentials. Passwords on Internet-facing systems 
        such as e-mail, Web, or FTP servers are often left on factory 
        default settings, which are easily obtained by hackers. Under-
        constrained or outdated ACLs provide further opportunities for 
        both hackers and malicious insiders.

   Structured Query Language (SQL) injection. By analyzing the 
        URL syntax of targeted websites, hackers are able to embed 
        instructions to upload spyware that gives them remote access to 
        the target servers.

   Targeted malware. Hackers use spam, e-mail and instant 
        message communications often disguised as being from known 
        entities to direct users to websites that are compromised with 
        malware. Once a user visits a compromised website, malware can 
        be downloaded with or without the user's knowledge. Gimmicks 
        such as free software often deceive users into downloading 
        spyware that can be used to monitor user activity on the web 
        and capture frequently used credentials such as corporate 
        logins and passwords. Remote access tools (RATs) are an example 
        of spyware that is automatically downloaded to a user's machine 
        without their knowledge, silently providing the hacker control 
        of the user's computer and access to corporate information from 
        a remote location.

The Malicious Insider
    Malicious insiders constitute drivers for a growing segment of data 
breaches, and a proportionately greater segment of the cost to business 
associated with those breaches. The Ponemon study found that data 
breaches involving negligence cost $199 per record, whereas those 
caused by malicious acts cost $225 per record.\22\ Breaches caused by 
insiders with intent to steal information fall into four groups:
---------------------------------------------------------------------------
    \22\ Ponemon Institute, op. cit.

   White collar crime. The employee who knowingly steals data 
        as part of an identity theft ring has become a highly notorious 
        figure in the current annals of white collar crime. Such 
        operations are perpetrated by company insiders who abuse their 
        privileged access to information for the purpose of personal 
        gain.

   Terminated employees. Given the current economic crisis--
        where layoffs are a daily occurrence--data breaches caused by 
        disgruntled former employees have become commonplace. Often, 
        the employee is notified of his or her termination before 
        entitlements such as Active Directory and Exchange access have 
        been turned off, leaving a window of opportunity for the 
        employee to access confidential data and e-mail it to a private 
        account or copy it to removable media. A recent study of the 
        effects of employee terminations on data security revealed that 
        59 percent of ex-employees took company data, including 
        customer lists and employee records.\23\
---------------------------------------------------------------------------
    \23\ Ponemon Institute, ``Data Loss Risks During Downsizing: As 
Employees Exit, So Does Corporate Data,'' 2008.

   Career building with company data. It is common for an 
        employee to store company data on a home system in order to 
        build a library of work samples for future career 
        opportunities. While the motives for such actions may not be 
        considered malicious on the order of identity theft, the effect 
        can be just as harmful. If the employee's home system is hacked 
        and the data stolen, the same damage to the company and its 
        customers can ensue.

   Industrial espionage. The final type of malicious insider is 
        the unhappy or underperforming employee who plans to defect to 
        the competition and sends examples of his or her work to a 
        competing company as part of the application and review 
        process. Product details, marketing plans, customer lists, and 
        financial data are all liable to be used in this way.

Data Breaches That Could Lead to Identity Theft, by Sector
    Using publicly available data, Symantec was able to determine the 
sectors that were most often affected by breaches and the most common 
causes of data loss.\24\ Using the same data, we also explored the 
severity of each breach in question by measuring the total number of 
identities exposed to attackers.\25\
---------------------------------------------------------------------------
    \24\ Open Security Foundation (OSF) Dataloss DB, see http://datalossdb.org.
    \25\ An identity is considered to be exposed if personal or 
financial data related to the identity is made available through the 
data breach.
---------------------------------------------------------------------------
    It should be noted that some sectors might need to comply with more 
stringent reporting requirements for data breaches than others. For 
instance, government organizations are more likely to report data 
breaches, either due to regulatory obligations or in conjunction with 
publicly accessible audits and performance reports.\26\ Conversely, 
organizations that rely on consumer confidence may be less inclined to 
report such breaches for fear of negative consumer, industry, or market 
reaction. As a result, sectors that are not required or encouraged to 
report data breaches are consistently under-represented.
---------------------------------------------------------------------------
    \26\ Please see http://www.privacyrights.org/fs/fs6a-facta.htm and 
http://www.cms.hhs.gov/HealthPlansGenInfo/12_HIPAA.asp.
---------------------------------------------------------------------------
    The education sector accounted for the highest number of known data 
breaches that could lead to identity theft, accounting for 20 percent 
of the total. This was a decrease from 27 percent in 2008, when the 
education sector also ranked first. Institutions in the education 
sector often store a wide range of personal information belonging to 
students, faculty, and staff. This information may include government-
issued identification numbers, names, or addresses that could be used 
for identity theft. Finance departments in these institutions also 
store bank account information for payroll purposes and may hold credit 
card information for people who use this method to pay for tuition and 
fees.
    Educational institutions are faced with the difficult task of 
standardizing and enforcing security across dispersed locations, as 
well as educating everyone with access to the data on the security 
policies. This may increase the opportunities for an attacker to gain 
unauthorized access to data because there are multiple points of 
potential security weakness or failure.
    Although the education sector accounted for the largest percentage 
of data breaches in 2009, those breaches accounted for less than 1 
percent of all identities exposed during the reporting period and 
ranked fourth. This is similar to 2008, when a significant percentage 
of breaches affected the education sector, but only accounted for 4 
percent of all identities exposed that year. This is mainly attributed 
to the relatively small size of databases at educational institutions 
compared to those in the financial or government sectors. Each year, 
even the largest universities in the United States only account for 
students and faculty numbering in the tens of thousands, whereas 
financial and government institutions store information on millions of 
people.\27\ As such, data breaches in those sectors can result in much 
larger numbers of exposed identities.
---------------------------------------------------------------------------
    \27\ http://www.osu.edu/osutoday/stuinfo.php.
---------------------------------------------------------------------------
    In 2009, the health care sector ranked second, accounting for 15 
percent of data breaches that could lead to identity theft. In 2008, 
this sector also accounted for 15 percent, but ranked third. This rise 
in rank is most likely due to the decreased percentage of breaches that 
could lead to identity theft in the government sector. The health care 
sector accounted for less than 1 percent of exposed identities in 
2009--a decrease from 5 percent in 2008. Like the education sector, 
health care institutions store data for a relatively small number of 
patients and staff compared to some organizations in the financial and 
government sectors.
    Additionally, health care organizations often store information 
that may be more sensitive than that stored by organizations in other 
sectors and this may be a factor in the implementation of certain 
regulatory measures. For instance, as of 2010, greater responsibility 
for data breaches will be enforced for health care organizations in 
the United States because of regulations introduced by the Health 
Information Technology for Economic and Clinical Health Act 
(HITECH).\28\
---------------------------------------------------------------------------
    \28\ http://findarticles.com/p/articles/mi_hb4365/is_21_42/ai_n47569144/.
---------------------------------------------------------------------------
    The government sector accounted for 13 percent of breaches that 
could lead to identity theft in 2009 and ranked third. This is a 
decrease from 20 percent in 2008, when the government sector ranked 
second. Although the percentage of these breaches has decreased in 
recent years, they account for a larger percentage of exposed 
identities. In 2009, data breaches in the government sector accounted for 
35 percent of reported identity exposures, an increase from 17 percent 
in 2008.
    The increase in percentage of identity exposures in the government 
sector is primarily due to a breach attributed to insecure policy from 
the National Archives and Records Administration in the United 
States.\29\ A faulty hard drive containing unencrypted personal 
information on 76 million military veterans was sent to a third-party 
electronics recycler without first removing the data. This was the 
largest ever exposure of personal information by the U.S. Government. 
Earlier in 2009, another hard drive belonging to the National Archives 
and Records Administration was either lost or stolen; it is believed to 
have contained highly sensitive information about White House and 
Secret Service operating procedures, as well as data on more than 
100,000 officials from the Clinton Administration.\30\
---------------------------------------------------------------------------
    \29\ http://www.wired.com/threatlevel/2009/10/probe-targets-archives-handling-of-data-on-70-million-vets/.
    \30\ http://fcw.com/Articles/2009/05/20/Web-NARA-missing-hard-drive.aspx.
---------------------------------------------------------------------------
    The financial sector was subject to one of the most notable data 
breaches reported in 2009. This sector ranked fifth for breaches with 
10 percent of the total, but accounted for the largest number of 
identities exposed with 60 percent. The majority of this percentage was 
the result of a successful hacking attack on a single credit card 
payment processor.\31\ The attackers gained access to the company's 
payment processing network using an SQL-injection attack. They then 
installed malicious code designed to gather sensitive information from 
the network on the compromised computers, which also allowed them to 
easily access the network at their convenience. The attack resulted in 
the theft of approximately 130 million credit card numbers. An 
investigation began when the company began receiving reports of 
fraudulent activity on credit cards that the company itself had 
processed. The attackers were eventually tracked down and charged by 
Federal authorities.
---------------------------------------------------------------------------
    \31\ http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html.
---------------------------------------------------------------------------
    Notably, one of the hackers was Albert ``Segvec'' Gonzalez, who had 
been previously convicted of other attacks. He pleaded guilty to 19 
counts of conspiracy, wire fraud and aggravated identity theft charges 
in March 2010 and was sentenced to serve up to 25 years in prison. He 
had also worked as an FBI informant at one point, providing information 
about the underground economy.\32\ These attacks and the events 
surrounding them are referenced in the Symantec Report on the 
Underground Economy.\33\
---------------------------------------------------------------------------
    \32\ See http://www.wired.com/threatlevel/2009/12/gonzalez-heartland-plea/ and http://yro.slashdot.org/article.pl?sid=10/03/26/124256.
    \33\ http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_underground_economy_report_11-2008-14525717.en-us.pdf.
---------------------------------------------------------------------------
    This attack is evidence of the significant role that malicious code 
can play in data breaches. Although data breaches occur due to a number 
of causes, the covert nature of malicious code is an efficient and 
enticing means for attackers to remotely acquire sensitive information. 
Furthermore, the frequency of malicious code threats that expose 
confidential information underscores the significance of identity 
theft to attackers who author and deploy malicious code.

Practical Security Considerations to Avoid a Security Breach
    While a company's information security system may be unique to its 
situation, there are recognized basic components of a comprehensive, 
multi-layered program to protect personal information from unauthorized 
access. At the outset, companies should review their privacy and 
security policies and inventory records systems, critical computing 
systems, and storage media to identify those containing personal 
information.
    It is important to categorize personal information in records 
systems according to sensitivity. Based on those classifications, 
physical and technological security safeguards must be established to 
protect personal information, particularly higher-risk information such 
as Social Security numbers, driver's license numbers, financial account 
numbers, and any associated passwords and PIN numbers, as well as 
health information. This involves establishing policies that provide 
employees with access to only the specific categories of personal 
information their job responsibilities require, using technological means 
to restrict access to specific categories of personal information, 
monitoring employee access to higher-risk personal information, and 
removing access privileges of former employees and contractors immediately.
    Companies should promote awareness of security and privacy policies 
through ongoing employee training and communications. They should also 
require third-party service providers and business partners that handle 
personal information on behalf of the company to follow specified 
security procedures. This can be accomplished by making privacy and 
security obligations of third parties enforceable by contract. 
Internally, companies must employ the use of intrusion-detection 
technology to ensure rapid detection of unauthorized access to higher-
risk personal information and, wherever feasible, must use data 
encryption, in combination with host protection and access control, to 
protect sensitive information. Data encryption should meet the National 
Institute of Standards and Technology's Advanced Encryption Standard. 
Companies should also dispose of records and equipment containing 
personal information in a secure manner, such as shredding paper 
records and using a program to ``wipe'' and overwrite the data on hard 
drives.

TechAmerica's Federal Data Security Legislative Principles
    TechAmerica believes that consumers should have confidence that any 
personal information they provide to government agencies or business 
entities will remain private and secure, and we consider privacy and 
security to be key components of business operations for the public and 
private sectors. We have advocated for three essential elements to any 
data security and breach notification bill:

        1. Data security legislation should apply equally to all. The 
        scope of the legislation should include all entities that 
        collect, maintain, or sell significant numbers of records 
        containing sensitive personal information. Requirements should 
        impact government and the private sector equally, and should 
        include educational institutions and charitable organizations 
        as well.

        2. Implementing pre-breach security measures should be central 
        to any legislation. An ounce of prevention is worth a pound of 
        cure. New legislation should not simply require notification of 
        consumers in case of a data breach. It should also require 
        reasonable security measures to ensure the confidentiality and 
        integrity of sensitive personal information in order to 
        minimize the likelihood of a breach. New legislation should not 
        direct the creation of new standards, but draw upon existing 
        standards set out under Gramm-Leach-Bliley, the Fair Credit 
        Reporting Act, and industry-developed standards such as the 
        Payment Card Data Security Standard and ISO 27001. Directing 
        the creation of new standards could unnecessarily create 
        conflicting or duplicative standards, increasing the burden on 
        business and increasing confusion for consumers.

        3. The use of encryption or other security measures that render 
        data unreadable and unusable should be a key element in 
        establishing the threshold for the need for notification. Any 
        notification scheme should minimize ``false positives.'' A 
        clear reference to the ``usability'' of information should be 
        considered when determining whether notification is required in 
        case of a breach. Consistent with the position of consumer and 
        financial groups, TechAmerica believes a provision similar to 
        California's SB 1386 promoting the voluntary use of encryption 
        as a best practice without a mandate would significantly reduce 
        the number of ``false positives,'' reducing the burden on 
        consumers and business.

Additional Federal Data Breach Public Policy Issues
    TechAmerica recognizes that there are a number of other critical 
issues to the data security debate. These are issues on which we may be 
called to give an opinion, but are not issues that are TechAmerica's 
top priorities. They may, however, be critical to whether a bill gets 
enacted, and are therefore important to TechAmerica.

        1. Enforcement. Enforcement should be by the Federal functional 
        regulators. TechAmerica would acknowledge that the State 
        Attorneys General could enforce data notification requirements 
        on entities that do not have a Federal functional regulator. 
        Entities already covered by a Federal law such as the Health 
        Insurance Portability and Accountability Act, Fair Credit 
        Reporting Act, or the Gramm-Leach-Bliley Act, would not need to 
        be additionally covered by a new law.

        2. Pre-emption. New legislation should preempt relevant State 
        and local laws and regulation. In the absence of such a 
        provision, multiple conflicting standards for security and 
        notification will emerge, unnecessarily increasing the burden 
        on business and confusing consumers.

        3. Information Broker. Special provisions for information 
        brokers have emerged in data breach legislation over the last 
        few Congresses. This was in large part a response to the 
        scandal involving ChoicePoint a number of years ago. Any 
        special Information Broker provisions should be carefully 
        targeted to those engaged in the data broker business, which 
        have otherwise slipped through the cracks of laws such as the 
        Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. Where 
        there is a gap in regulation, it should be filled; but 
        overlapping requirements are counter-productive. Particular 
        care must be taken not to inadvertently sweep in companies 
        collecting information in the normal course of business, such 
        as businesses monitoring their own websites. In general, we 
        believe information broker provisions are not core to an 
        effective data security and breach notice bill, and therefore 
        should be dropped, as they have become a complication and 
        impediment to the enactment of a bill. We think this provision 
        certainly merits further analysis and may warrant legislation 
        as a separate bill.

        4. Public Records. A breach notice should not be required for a 
        breach involving only information that is already publicly 
        available. This is a related issue to the issue of the 
        ``threshold'' for notice.

The Data Security and Breach Notification Act of 2010
    Mr. Chairman, I commend you and Chairman Rockefeller for your 
leadership in addressing the pervasive threat of data breaches through 
the introduction of the Data Security and Breach Notification Act (S. 
3742). TechAmerica strongly supports this legislation which, if 
enacted, would establish a much-needed national law for all holders of 
sensitive personal information requiring organizations to safeguard 
data and establish uniform notification requirements when a security 
breach presents a risk of harm. We urge the Committee to expedite 
passage of this important legislation in order to create a strong, 
uniform national data breach notification law.
    The Data Security and Breach Notification Act is a well-considered 
piece of legislation on a complex topic. The bill not only protects 
consumers by requiring nearly all businesses to take steps to 
protect personally identifiable information at rest and in motion; it 
also prudently promotes reasonable, preventative security 
measures, practices and policies to ensure the confidentiality and 
integrity of consumers' personally identifiable information.
    Besides providing extensive consumer protection, the Data Security 
and Breach Notification Act also provides businesses a reasonable 
``rebuttable presumption'' by declaring loss of data that is 
``unusable, unreadable, or indecipherable'' by the use of encryption or 
other technology, not subject to the breach disclosure requirements. 
This bill also, of course, will unify the existing 47 state data breach 
bills now in effect. TechAmerica believes that the Data Security and 
Breach Notification Act effectively addresses several key areas 
necessary to secure consumer sensitive personal information, 
specifically:

        1. Federal Pre-emption. S. 3742 would preempt relevant State or 
        local laws or regulation. In the absence of such a provision, 
        multiple conflicting standards for notification will emerge, 
        unnecessarily increasing the burden on business and confusing 
        consumers. Without Federal pre-emption, businesses will 
        continue to face a web of potentially conflicting breach 
        notification requirements in forty-six states. TechAmerica 
        believes that your bill takes the appropriate approach to pre-
        emption.

        2. Scope. A breach notification requirement should apply to any 
        agency or person, as defined in Title V of the U.S. Code, who 
        owns or licenses computerized data containing the sensitive 
        personal information of others and should not be limited to 
        ``data brokers.'' Legislation should address ``gaps'' in 
        existing laws related to the security of personal information, 
        not add another layer on those already bound by an existing 
        Federal law. Security breaches have been confirmed in a variety 
        of organizations, ranging from data brokers, to banks, 
        hospitals, educational institutions and other large employers. 
        TechAmerica believes that S. 3742 is generally applicable to 
        the correct scope of persons and organizations. Some 
        clarification may be necessary on the carve-out for those bound 
        by another Federal law.

        3. Reasonable Security Practices. S. 3742 goes beyond simple 
        notification requirements to consumers in case of data breach; 
        it importantly also requires reasonable security measures to 
        ensure the confidentiality and integrity of sensitive personal 
        information. For data breach legislation to be effective in 
        safeguarding consumers' sensitive information, all business 
        entities operating in the U.S., as well as Federal and state 
        agencies, should follow a consistent set of security standards. 
        We note that some Federal laws already exist that require 
        private entities to establish security programs for protecting 
        the privacy and security of consumer information. Legislation 
        should not duplicate or impose conflicting obligations for 
        private entities that already are bound by these Federal data 
        security requirements.

        4. Threshold for Notification. TechAmerica believes that the 
        Data Security and Breach Notification Act's notification 
        requirement will minimize ``false positives.'' The bill's 
        language contains a clear understanding that the ``usability'' 
        of information should be considered when determining whether 
        notification is required in case of a breach. Consistent with 
        the position of consumer groups and the financial services 
        sector, TechAmerica believes a provision similar to CA's SB 
        1386 promoting the voluntary use of encryption as a best 
        practice without specifically mandating it would significantly 
        reduce the number of ``false positives,'' reducing the burden 
        on consumers and business. TechAmerica applauds the inclusion 
        of section 3(f), which creates a presumption that, when used 
        properly, encryption can provide a strong tool to prevent the 
        misuse of personal information. S. 3742 also prudently 
        recognizes the use of redaction, truncation or other methods of 
        rendering data unreadable or unusable as a best practice 
        without creating a technology mandate.

        5. Global Harmonization. The passage of S. 3742 will also have 
        important implications internationally as it is likely to form 
        the basis upon which the Federal Trade Commission will commence 
        negotiations to create consistency in breach regulations with 
        the European Union. The European Union continues to lead the 
        way in enforcing some of the most stringent privacy regulations 
        on the Internet. With regulators in Europe moving ahead on 
        their plans to provide even more privacy safeguards for their 
        citizens, it's critical that U.S. regulators finalize the data 
        breach requirements so they can focus on some of the more 
        current issues.

Conclusions
    TechAmerica urges Congress to enact a national data breach bill 
this year for several key reasons:

  • Identity Theft Tops the Federal Trade Commission's List of 
        U.S. Consumers Complaints: The increasing number of data 
        breaches is a major threat to privacy, consumers' identities 
        and our Nation's economic stability. Data bases of sensitive 
        personal information are prime targets of hackers, identity 
        thieves and rogue employees as well as organized criminal 
        operations. According to the Better Business Bureau identity 
        theft affects an estimated 10 million U.S. victims per year. 
        For the ninth year in a row, identity theft tops the list of 
        complaints that consumers filed with the Federal Trade 
        Commission.

  • Massive Data Leakage Will Continue Unless the Public and 
        Private Sectors are Required by Congress to Implement Strong 
        Security Measures to Prevent Breaches: According to the non-
        partisan Privacy Rights Clearinghouse, a staggering 365 million 
        records containing sensitive personal information have been 
        breached since 2005. Congressional action is urgently needed to 
        ensure the security and resilience of information systems 
        fundamental to consumer confidence, homeland security, e-
        commerce and economic growth.

  • Data Breaches Continue to Undermine Consumer Confidence in 
        the Internet for E-Commerce: Consumers are beginning to rethink 
        doing business online--and with good reason. In the wake of 
        massive data breaches at businesses, educational institutions 
        and medical facilities, consumers are modifying their 
        purchasing behavior, including online buying, out of concern 
        for the security of their personal information. The 2007 
        Consumer Survey on Data Security from Vontu and the Ponemon 
        Institute found that 62 percent of respondents have been 
        notified that their confidential data has been lost. 84 percent 
        of those respondents reported increased concern or anxiety due 
        to data loss events. These data breaches have had a direct 
        impact on consumer buying behavior, including reluctance to use 
        their credit or debit card to make a purchase with a Web 
        merchant they don't know, and unwillingness to provide their 
        Social Security number online. Congress needs to act to stop 
        the erosion of public trust in the Internet.

  • The Increasingly Expensive Financial Impact of Data Breaches 
        on Business and Government: In 2008, the average cost per 
        incident of a data breach in the United States was $6.7 
        million, an increase of 5 percent from 2007, and lost business 
        amounted to an average of $4.6 million.

  • A Pre-emptive, National Data Security Law Makes Compliance 
        Less Burdensome: Currently, businesses with nation-wide 
        operations face a challenging patchwork quilt of state data 
        breach laws regarding both steps required to safeguard personal 
        data as well as steps to be taken in the event of a breach. 
        With regard specifically to post-breach notifications, 46 
        states, the District of Columbia, Puerto Rico and the Virgin 
        Islands all have enacted their own data breach laws requiring 
        notification of security breaches involving personal 
        information. Therefore, for large enterprises, which are also 
        subject to complex Federal rules such as HIPAA, data security 
        planning can be a daunting undertaking, making compliance 
        difficult and burdensome.

    In conclusion, TechAmerica believes that the United States urgently 
needs to pass a national data breach law. We urge the Committee to 
expeditiously approve S. 3742, The Data Security and Breach 
Notification Act.
    TechAmerica appreciates the opportunity to testify today. Thank you 
for considering TechAmerica's views on this important measure. I'd be 
happy to answer any questions the Committee may have at this time.

    Senator Pryor. Thank you.
    Ms. Rusu.

           STATEMENT OF IOANA RUSU, POLICY COUNSEL, 
                        CONSUMERS UNION

    Ms. Rusu. Good afternoon, Chairman Pryor, Ranking Member 
Wicker, and distinguished members of the Subcommittee. My name 
is Ioana Rusu, Policy Counsel for Consumers Union, the 
nonprofit publisher of Consumer Reports. We appreciate this 
opportunity to share our perspective on the Data Security and 
Breach Notification Act of 2010.
    In January of this year, over 600,000 Citigroup customers 
were shocked to discover that their Social Security numbers had 
been printed on the outside of envelopes containing annual tax 
statements. In July, a Lincoln National Life Insurance vendor 
made available on its public website a user name and password 
for agents and authorized brokers. The log-in information 
allowed anyone access to the medical records, Social Security 
numbers, addresses, policy numbers, and driver's license 
numbers of individuals seeking life insurance. Only last June, 
in one of the largest data security breaches recorded, 
malicious spyware compromised around 130 million credit card 
transactions processed by Heartland Payment Systems, a U.S. 
payments processing company.
    These incidents are not unique or isolated. Almost every 
day new data breach incidents lead to identity theft, lost 
revenue, and decreased consumer confidence in the marketplace. 
Sometimes these incidents affect 10 or 20 consumers. At other 
times the private information of hundreds of millions of 
Americans is compromised.
    The ubiquity of security breach incidents today renders the 
Data Security and Breach Notification Act of 2010 particularly 
timely and relevant. Consumers Union strongly supports the 
provisions of this bill. I would like to highlight a number of 
the bill's provisions which we believe will best promote 
consumer data privacy.
    First of all, we are pleased that the bill covers not only 
business entities, but also nonprofit organizations, including 
private universities. Consumers face the same risks when their 
information is compromised whether or not the source of the 
compromise is a for-profit entity. As a result, we commend the 
bill's scope. This provision will provide more meaningful 
protection for consumer information.
    In addition, we applaud the bill's notification provisions, 
which require covered entities to provide notice of security 
breach within 60 days. The sooner consumers are made aware of 
the breach, the quicker they can take remedial action such as 
closely monitoring their credit, checking their financial 
statements frequently, placing a Federal fraud alert on their 
credit files, and placing a security freeze on their consumer 
credit files. The instances in which a covered entity may 
exceed the 60-day deadline are appropriate and narrowly 
tailored.
    We also support the bill's requirements that covered 
entities provide at least 2 years of free credit reports 
or credit monitoring following a notice of breach. Consumers 
should not have to bear the cost of securing personal 
information when a data breach is caused by a company's 
inadequate data security practices.
    The exemption in the bill allowing covered entities to 
avoid the bill's requirements only as long as there is no 
reasonable risk of identity theft, fraud, or other unlawful 
conduct is also narrowly tailored. However, we do have some 
concern that under this bill all data breach incidents 
involving encrypted information, defined in the bill as 
information that has been rendered unusable, unreadable, or 
indecipherable, would automatically be presumed to present no 
reasonable risk of identity theft, fraud, or other unlawful 
conduct. While that may be true in most cases, data that has 
been initially rendered unusable or unreadable can sometimes be 
reconstructed. We encourage the bill's sponsors to address this 
issue by directing the Federal Trade Commission to clearly 
identify which technologies do indeed render consumer data 
indecipherable and unusable.
    We are particularly pleased that the bill focuses on the 
activities of information brokers, defined as commercial 
entities whose business is to collect, assemble, or maintain 
personal information concerning individuals with the purpose of 
selling such information to unaffiliated third parties. We 
agree that information brokers should maximize the accuracy and 
accessibility of their records, as well as provide consumers 
with a process to dispute information. In addition, the 
provisions requiring information brokers to submit their 
security policies to the FTC, as well as to undergo potential 
FTC post-breach audits, will foster accountability and 
enforcement of this bill.
    We strongly favor the provision that permits State 
attorneys general and other officials or agencies of the State 
to bring enforcement actions against any entity that engages in 
conduct violating this bill. High profile cases such as 
ChoicePoint and TJX have demonstrated that State attorneys 
general, in particular, have been at the forefront of notice of 
data breach issues and have played an invaluable role in 
addressing identity theft and data breach. This bill arms State 
officials with strong enforcement tools to ensure compliance 
with the law. Consumers' personal information will be better 
protected.
    In closing, I want to thank you for the opportunity to 
speak before you today in support of the Data Security and 
Breach Notification Act of 2010. Consumers Union appreciates 
the Subcommittee's interest in addressing issues of data 
security and consumer privacy. We believe that the passage of 
this bill will give rise to responsible data security policies 
and will increase consumer confidence in the marketplace.
    Thank you.
    [The prepared statement of Ms. Rusu follows:]

   Prepared Statement of Ioana Rusu, Policy Counsel, Consumers Union

    Good afternoon Chairman Rockefeller, Ranking Member Hutchison, and 
distinguished members of this Committee. My name is Ioana Rusu, Policy 
Counsel for Consumers Union, the non-profit publisher of Consumer 
Reports. We appreciate the invitation by the Senate Committee on 
Commerce, Science, and Transportation to share our perspective on the 
Data Security and Breach Notification Act of 2010.
    In January of this year, over 600,000 Citigroup customers were 
shocked to discover that their Social Security numbers had been 
printed on the outside of envelopes containing annual tax statements. 
In July, a Lincoln National Life Insurance vendor printed a user name 
and password for agents and authorized brokers in a brochure, which was 
made readily available on the agent's public website. The login 
information allowed access to a website containing the medical records, 
Social Security numbers, addresses, policy numbers, and driver's 
license numbers of individuals seeking life insurance. And only last 
year, in one of the largest data security breaches recorded, malicious 
spyware compromised around 130 million credit card transactions 
processed by Heartland Payment Systems, a U.S. payments processing 
company.
    These incidents are not unique or isolated. Almost every day, new 
data breach incidents lead to identity theft, lost revenue, and 
decreased consumer confidence in the way their personal information is 
handled in the marketplace. The incidents often occur through 
inadvertent disclosures, physical loss of stored paper or electronic 
records, data theft by company insiders, and data breach by third 
parties through hacking or malware. Sometimes, these incidents affect 
ten or twenty consumers. Other times, the private information of 
hundreds of millions of Americans is compromised.
    The ubiquity of security breach incidents today renders the Data 
Security and Breach Notification Act of 2010 particularly timely and 
relevant. Consumers Union strongly supports the provisions of this 
bill. I would like to highlight a number of the bill's provisions, 
which we believe will best promote consumer data privacy.
    First of all, we are pleased that the bill covers not only business 
entities, but also non-profit organizations, including private 
universities. Personal consumer data must be safeguarded by all those 
to whom it is entrusted, without regard to for-profit or non-profit 
status. Consumers face the same risks when their information is 
compromised, whether or not the source of the compromise is a for-
profit entity. As a result, we commend the bill's scope. This provision 
will provide more meaningful protection for consumer information.
    In addition, we applaud the bill's notification provisions, which 
require covered entities to provide notice of security breach within 60 
days of the breach. The sooner consumers are made aware of the breach, 
the quicker they can take remedial action such as closely monitoring 
their credit, checking their financial statements frequently, placing a 
Federal fraud alert on their credit files, and placing a security 
freeze on their consumer credit files. The instances in which a covered 
entity may exceed the 60-day deadline are appropriate and narrowly 
tailored.
    We also support the bill's requirements that covered entities 
provide at least 2 years of free credit reports or credit monitoring 
following a notice of breach. Consumers should not have to bear the 
costs of securing personal information when a data breach is caused by 
a company's inadequate data security practices.
    The exemption in the bill, allowing covered entities to avoid the 
bill's requirements only as long as there is ``no reasonable risk of 
identity theft, fraud, or other unlawful conduct,'' is also narrowly 
tailored.
    However, we have some concern that, under this bill, all data 
breach incidents involving encrypted information, defined in the bill 
as information that has been rendered ``unusable, unreadable, or 
indecipherable,'' would automatically be presumed to present ``no 
reasonable risk of identity theft, fraud, or other unlawful conduct.'' 
While that may be true in most cases, data rendered ``unusable or 
unreadable'' can sometimes be reconstructed. We encourage the bill's 
sponsors to address this issue by directing the Federal Trade 
Commission to clearly identify which technologies do, indeed, render 
consumer data indecipherable and unusable.
    We also support the bill's definition of ``personally identifiable 
information,'' which includes not only an individual's name, in 
combination with one other listed data element, but also an 
individual's address or phone number, combined with one of the listed 
data elements. We believe including an individual's address and phone 
number is important due to the use of reverse search directories, which 
can reveal the person's name as long as an address or phone number is 
provided.
    We are particularly pleased that the bill focuses on the activities 
of information brokers, defined as commercial entities whose business 
is to collect, assemble, or maintain personal information concerning 
individuals with the purpose of selling such information to 
unaffiliated third parties. We strongly support the provisions 
instructing information brokers to maximize the accuracy and 
accessibility of their records, as well as to provide consumers with a 
process to dispute information. In addition, the provisions requiring 
information brokers to submit their security policies to the FTC, as 
well as to undergo potential FTC post-breach audits, will foster 
accountability and enforcement of this bill.
    We strongly favor the provision that permits State Attorneys 
General and other officials or agencies of the state to bring 
enforcement actions against any entity that engages in conduct 
violating the bill. High-profile cases such as ChoicePoint and TJX have 
demonstrated that state attorneys general, in particular, have been at 
the forefront of notice of data breach issues, and have played an 
invaluable role in addressing identity theft and data breach. This bill 
arms state officials with strong enforcement tools to ensure compliance 
with the law. Consumers' personal information will be better protected.
    In closing, I want to thank you for the opportunity to speak before 
you today in support of the Data Security and Breach Notification Act 
of 2010. Consumers Union appreciates this committee's interest in 
addressing issues of data security and consumer privacy. We believe 
that the passage of this bill will give rise to responsible data 
security policies and will increase consumer confidence in the 
marketplace.

    Senator Pryor. Thank you.
    Mr. Pratt.

       STATEMENT OF STUART K. PRATT, PRESIDENT AND CEO, 
               CONSUMER DATA INDUSTRY ASSOCIATION

    Mr. Pratt. Chairman Pryor and Ranking Member Wicker: thank 
you for this opportunity to discuss S. 3742. Today my testimony 
will focus on the value of our members' products, the 
sufficiency of current laws which regulate them, and specific 
comments on the bill.
    The use of our members' products protects consumers from 
criminal acts, such as identity theft, and ensures that they are 
treated fairly in the marketplace. Beneficial uses include 
preventing money laundering, making fair and sound underwriting 
decisions, researching fugitives, reducing government 
entitlement fraud, ensuring that pedophiles don't work in day 
care centers, and improving disaster assistance responses and 
services to victims.
    With these uses in mind, let me turn to the relevant 
Federal laws which are on the books today. The U.S. is at the 
forefront of establishing sector-specific laws regulating the 
uses of personal information of many types. The list of laws is 
extensive, but let me focus on two of these in greater detail.
    First, the Fair Credit Reporting Act regulates any use of 
personal information which is used to make decisions, such as 
approval of a credit application. Due to the fact that data 
regulated by the FCRA is used to make decisions, the law 
provides consumers with a full complement of rights, such as 
access, correction, as well as receiving notices regarding 
adverse action in risk-based decisions. Further, furnishers 
must provide accurate data to consumer reporting agencies and 
consumer reporting agencies must load that data accurately.
    Data regulated under the Gramm-Leach-Bliley Act is not used 
to make a yes-or-no decision, but GLB does impose strict 
limitations on how nonpublic personal information can be used. 
Many of our members' fraud prevention systems are regulated by 
GLB and annually U.S. businesses conduct an average of 2.6 
billion searches to check for fraud.
    Our members' location services are also regulated by GLB. 
Annually, hundreds of millions of searches are conducted to 
enforce child support orders, and contracts to pay debts. 
Pension funds use them to locate beneficiaries. Blood donor 
organizations ensure sufficient and safe blood supplies, as 
well as organizations focused on missing and exploited 
children.
    With both an understanding of our members' products and the 
laws that regulate them, let me now turn to S. 3742 and start 
by stating unequivocally that CDIA's members agree that 
sensitive personal information should be protected and that 
consumers should receive breach notices where there is a 
significant risk of them becoming a victim of identity theft. 
Though we support these goals, we believe provisions of S. 3742 
need improvement. Further, it is our view that the information 
broker provisions should be struck.
    To expand on this last point, let me touch on just some of 
the problems with the information broker provisions. These 
provisions impose accuracy, access, and correction standards to 
anyone defined as an information broker. However, on what 
industry or product the information broker provisions are 
intended to focus is very unclear. For example, the definition 
does not expressly and completely exclude consumer reporting 
agencies under the Fair Credit Reporting Act or financial 
institutions under GLB. This lack of clarity of scope and 
overlap with other Federal laws creates problems.
    For example, it creates a system of double jeopardy under 
FCRA. Rather than fully exempt consumer reporting agencies, the 
bill proposes an exception which establishes an ``in compliance 
with'' test. In essence, a consumer reporting agency under FCRA 
is also an information broker under this proposal where the 
consumer reporting agency is not in compliance with FCRA.
    Further, applying accuracy, access, and correction 
standards to fraud prevention and location tools can erode the 
performance of the very tools which are most effective in 
protecting consumers. None of these are used to deny or approve 
an application and the application of these standards does not 
make sense.
    Regarding the data security provisions of the bill, while 
CDIA supports the creation of a national standard, we believe 
that it is also critical that such a standard does not 
interfere with the regulation of products governed by other 
Federal laws. The bill currently stipulates that a company is 
exempt from the data security standard only when it is ``in 
compliance with'' a similar standard found in another law. As 
discussed above, this ``in compliance with'' approach imposes 
two sets of duties, two sets of costs, two sets of liabilities, 
on that company. We urge the Committee to adjust the exception 
so the company is exempt where it is subject to a similar 
standard in another law.
    In closing, CDIA also applauds the intent of this bill to 
set a true uniform national standard for data security and 
breach notification. However, the exception to this preemption 
standard which attempts to preserve State laws swallows the 
rule. Congress should not enact a 51st law. A true national 
standard will benefit consumers because they will enjoy the 
benefits of this standard no matter where they live.
    We thank you again for giving us the opportunity to 
testify, and I'm happy to answer any questions.
    [The prepared statement of Mr. Pratt follows:]

       Prepared Statement of Stuart K. Pratt, President and CEO, 
                   Consumer Data Industry Association

    Chairman Rockefeller, Ranking Member Hutchison and members of the 
Committee, thank you for this opportunity to appear before you today to 
discuss S. 3742, the Data Security and Breach Notification Act of 2010. 
For the record, my name is Stuart K. Pratt and I am President and CEO 
of the Consumer Data Industry Association.\1\ My testimony will focus 
on:
---------------------------------------------------------------------------
    \1\ CDIA, as we are commonly known, is the international trade 
association representing over 300 consumer data companies that provide 
fraud prevention and risk management products, credit and mortgage 
reports, tenant and employment screening services, check fraud and 
verification services, systems for insurance underwriting, skip-tracing 
tools, law enforcement investigative systems and also collection 
services.
---------------------------------------------------------------------------

  • The value and importance of the data systems and analytical 
        tools our members produce.

  • The sufficiency of current laws which regulate our members' 
        products.

  • Comments on S. 3742.

CDIA Members' Data and Technologies Help Both the Public and Private 
        Sectors to Manage Risk and Protect Consumers
    Whether it is counter terrorism efforts, locating a child who has 
been kidnapped, preventing a violent criminal from taking a job with 
access to children or the elderly or ensuring the safety and soundness 
of lending decisions our members' innovative data bases, software and 
analytical tools are critical to how we manage risk in this country, 
ensure fair treatment and most importantly, how we protect consumers 
from becoming victims of both violent and white-collar crimes of all 
types.
    Following are examples of how our members' products, software and 
data bases bring material value to consumers and our country:

  • Helping public and private sector investigators to prevent 
        money laundering and terrorist financing.

  • Ensuring lenders have best-in-class credit reports, credit 
        scoring technologies, income verification tools and data on 
        assets for purposes of making safe and sound underwriting 
        decisions so that consumers are treated fairly and products 
        make sense for them.

  • Bringing transparency to the underlying value of 
        collateralized debt obligations and in doing so ensuring our 
        Nation's money supply is adequate which militates against the 
        possibility and severity of economic crises.

  • Enforcing child support orders through the use of 
        sophisticated location tools so children of single parents have 
        the resources they need.

  • Assisting law enforcement and private agencies which locate 
        missing and exploited children through location tools.

  • Researching fugitives and assets held by individuals of 
        interest through the use of investigative tools which allow law 
        enforcement agencies to tie together disparate data on given 
        individuals and thus to most effectively target limited 
        manpower resources.

  • Witness location through use of location tools for all types 
        of court proceedings.

  • Reducing government expense through entitlement fraud 
        prevention, eligibility determinations, and identity 
        verification.

  • Making available both local and nationwide background 
        screening tools to ensure, for example, that pedophiles don't 
        gain access to daycare centers or those convicted of driving 
        while under the influence do not drive school buses or vans for 
        elder care centers.

  • Helping a local charity hospital to find individuals who 
        have chosen to avoid paying bills when they have the ability to 
        do so.

  • Producing sophisticated background screening tools for 
        security clearances, including those with national security 
        implications.

  • Improving disaster assistance responses through the use of 
        cross-matched data bases that help first-responders to quickly 
        aid those in need and prevent fraudsters from gaming these 
        efforts for personal gain.

    Not only do our members' technologies and innovation protect us and 
ensure that we are managing risk in this country, but they reduce costs 
and labor intensity. Risk management is not merely the domain of the 
largest government agencies or corporations in America, it is available 
to companies of all sizes thanks to our members' investments. Consider 
the following scenarios:

Scenario 1--Effective Use of Limited Resources
    The following example was given during a Department of Homeland 
Security meeting on use of data by the department:

        ``One extremely well-known law enforcement intelligence example 
        from immediately post-9/11 was when there was a now well-
        publicized threat . . . that there might be cells of terrorists 
        training for scuba diving underwater bombing, similar to those 
        that trained for 9/11 to fly--but not land--planes. How does 
        the government best acquire that? The FBI applied the standard 
        shoe-leather approach--spent millions of dollars sending out 
        every agent in every office in the country to identify 
        certified scuba training schools. The alternative could and 
        should have been for the Federal Government to be able to buy 
        that data for a couple of hundred dollars from a commercial 
        provider, and to use that baseline and law enforcement 
        resources, starting with the commercial baseline.''

Scenario 2--Lowering Costs/Expanding Access to Best-in-Class Tools
    One commercial database provider charges just $25 for an instant 
comprehensive search of multiple criminal record sources, including 
fugitive files, state and county criminal record repositories, 
proprietary criminal record information, and prison, parole and release 
files, representing more than 100 million criminal records across the 
United States. In contrast, an in-person, local search of one local 
courthouse for felony and misdemeanor records takes 3 business days and 
costs $16 plus courthouse fees. An in-person search of every county 
courthouse would cost $48,544 (3,034 county governments times $16). 
Similarly, a state sexual offender search costs just $9 and includes 
states that do not provide online registries of sexual offenders. An 
in-person search of sexual offender records in all 50 states would cost 
$800.

Scenario 3--Preventing Identity Theft & Limiting Indebtedness
    A national credit card issuer reports that they approve more than 
19 million applications for credit every year. In fact they process 
more than 90,000 applications every day, with an approval rate of 
approximately sixty percent. This creditor reports that they identify 
one fraudulent account for every 1,613 applications approved. This 
means that the tools our members provided were preventing fraud in more 
than 99.9 percent of the transactions processed. These data also tell 
us that the lender is doing an effective job of approving consumers who 
truly qualify for credit and denying consumers who are overextended and 
should not increase their debt burdens.

Current Laws Regulating Our Members Are Robust
    The United States is on the forefront of establishing sector-
specific and enforceable laws regulating uses of personal information 
of many types. The list of laws is extensive and includes but is not 
limited to the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), the 
Gramm-Leach-Bliley Act (Pub. L. 106-102, Title V), the Health Insurance 
Portability and Accountability Act (Pub. L. 104-191), and the Drivers 
Privacy Protection Act (18 U.S.C. 2721 et seq.).
    Following are more probative descriptions of some of these laws, 
the rights of consumers and also the types of products that fall within 
the scope of the law.

Fair Credit Reporting Act
    Key to understanding the role of the FCRA is the fact that it 
regulates any use of personal information (whether obtained from a 
public or private source) defined as a consumer report. A consumer 
report is defined as data which is gathered and shared with a third 
party for a determination of a consumer's eligibility for enumerated 
permissible purposes. This concept of an eligibility test is a key to 
understanding how FCRA regulates an extraordinarily broad range of 
personal information uses. The United States has a law which makes 
clear that any third-party-supplied data that is used to accept or 
deny, for example, my application for a government entitlement, 
employment, credit (e.g., student loans), insurance, and any other 
transaction initiated by the consumer where there is a legitimate 
business need. Again, this law applies equally to governmental uses and 
not merely to the private sector and provides us as consumers with a 
full complement of rights to protect and empower us. Consider the 
following:

   The right of access--consumers may request at any time a 
        disclosure of all information in their file at the time of the 
        request. This right is enhanced by requirements that the cost 
        of such disclosure must be free under a variety of 
        circumstances including once per year upon request, where there 
        is suspected fraud, where a consumer is unemployed and seeking 
        employment, when a consumer places a fraud alert on his or her 
        file, or where a consumer is receiving public assistance and 
        thus would not have the means to pay. Note that the right of 
        access is absolute since the term file is defined in the FCRA 
        and it includes the base information from which a consumer 
        report is produced.

   The right of correction--a consumer may dispute any 
        information in the file. The right of dispute is absolute and 
        no fee may be charged.

   The right to know who has seen or reviewed information in 
        the consumer's file--as part of the right of access, a consumer 
        must see all ``inquiries'' made to the file and these inquiries 
        include the trade name of the consumer and upon request, a 
        disclosure of contact information, if available, for any 
        inquirer to the consumer's file.

   The right to deny use of the file except for transactions 
        initiated by the consumer--consumers have the right to opt out 
        of non-initiated transactions, such as a mailed offer for a 
        new credit card.

   The right to be notified when a consumer report has been 
        used to take an adverse action. This right ensures that I can 
        act on all of the other rights enumerated above.

   Beyond the rights discussed above, with every disclosure of 
        a file, consumers receive a notice providing a complete listing 
        of all consumer rights.

   Finally, all such products are regulated for accuracy with a 
        ``reasonable procedures to ensure maximum possible accuracy'' 
        standard. Further all sources which provide data to consumer 
        reporting agencies must also adhere to a standard of accuracy 
        which, as a result of the FACT Act, now includes new rulemaking 
        powers for Federal agencies.

Gramm-Leach-Bliley Act
    Not all consumer data products are used for eligibility 
determinations regulated by the FCRA. Congress has applied different 
standards of protection that are appropriate to the use and the 
sensitivity of the data. We refer to these tools as Reference, 
Verification and Information services or RVI services. RVI services are 
used not only to identify fraud, but also to locate and verify 
information for the public and private sectors.
    Fraud prevention systems, for example, aren't regulated under FCRA 
because no decision to approve or deny is made using these data. 
Annually businesses conduct an average of more than 2.6 billion searches 
to check for fraudulent transactions. As the fraud problem has grown, 
industry has been forced to increase the complexity and sophistication 
of the fraud detection tools they use. While fraud detection tools may 
differ, there are four key models used.

   Fraud data bases--check for possible suspicious elements of 
        customer information. These data bases include past identities 
        and records that have been used in known frauds, suspect phone 
        numbers or addresses, and records of inconsistent issue dates 
        of SSNs and the given birth years.

   Identity verification products--crosscheck for consistency 
        in identifying information supplied by the consumer by 
        utilizing other sources of known data about the consumer.

    Identity thieves must change pieces of information in their 
        victim's files to avoid alerting others of their presence. 
        Inconsistencies in name, address, or SSN associated with a name 
        raise suspicions of possible fraud.

   Quantitative fraud prediction models--calculate fraud scores 
        that predict the likelihood an application or proposed 
        transaction is fraudulent. The power of these models is their 
        ability to assess the cumulative significance of small 
        inconsistencies or problems that may appear insignificant in 
        isolation.

   Identity element approaches--use the analysis of pooled 
        applications and other data to detect anomalies in typical 
        business activity to identify potential fraudulent activity. 
        These tools generally use anonymous consumer information to 
        create macro-models of applications or credit card usage that 
        deviates from normal information or spending patterns, as well 
        as a series of applications with a common work number or 
        address but under different names, or even the identification 
        and further attention to geographical areas where there are 
        spikes in what may be fraudulent activity.

    The largest users of fraud detection tools are financial 
        businesses, accounting for approximately 78 percent of all 
        users. However, there are many non-financial business uses for 
        fraud detection tools. Users include:

   Governmental agencies--Fraud detection tools are used by the 
        IRS to locate assets of tax evaders, state agencies to find 
        individuals who owe child support, law enforcement to assist in 
        investigations, and by various Federal and state agencies for 
        employment background checks.

   Private use--Journalists use fraud detection services to 
        locate sources, attorneys to find witnesses, and individuals 
        use them to do background checks on childcare providers.

    CDIA's members are also the leading location services providers in 
the United States. These products are also not regulated under FCRA 
since no decision is based on the data used. These services, which help 
users locate individuals, are a key business-to-business tool that 
creates great value for consumers and business alike. Locator services 
depend on a variety of matching elements. Consider the following 
examples of location service uses of a year's time:

   There were 5.5 million location searches conducted by child 
        support enforcement agencies to enforce court orders. For 
        example, the Financial Institution Data Match program required 
        by the Personal Responsibility and Work Opportunity 
        Reconciliation Act of 1996 (PL 104-193) led to the location of 
        700,000 delinquent individuals being linked to accounts worth 
        nearly $2.5 billion.

   There were 378 million location searches used to enforce 
        contractual obligations to pay debts.

   Tens of millions of searches were conducted by pension funds 
        (location of beneficiaries), lawyers (witness location), blood 
        donors organizations (blood supply safety), as well as by 
        organizations focused on missing and exploited children.

    Clearly RVI services bring great benefit to consumers, governmental 
agencies and to businesses of all sizes. Laws such as the Gramm-Leach-
Bliley Act and Fair Credit Reporting Act are robust, protective of 
consumer rights, but also drafted to ensure that products used to 
protect consumers, prevent fraud and to locate individuals are allowed 
to operate for the good of consumers and business.

S. 3742--The Data Security and Breach Notification Act of 2010
    Now let me turn to S. 3742. CDIA is pleased to provide our comments 
on the bill as a whole and in particular on provisions which propose to 
regulate an entity called an ``information broker.''
    Let me start by stating unequivocally that CDIA's members agree 
that sensitive personal information should be protected. CDIA agrees 
that consumers should receive breach notices when there is a 
significant risk of them becoming victims of identity theft. Our 
members agree with the Federal Trade Commission recommendation offered 
in multiple testimonies on the Hill and via their joint Task Force 
report issued along with the Department of Justice that if a Federal 
statute is to be enacted, it should be a true national standard and 
that it should focus on safeguarding sensitive personal information and 
notifying consumers when a breach has occurred which exposes the 
consumer to a significant risk of becoming a victim of identity theft. 
Though our members support these goals, we believe provisions of S. 
3742 need improvement and it is also our view that the provisions which 
propose to regulate an entity defined as an ``information broker'' 
should be struck. Following are more detailed comments regarding the 
bill.

Information Broker
    This section of the bill imposes accuracy, access and correction 
standards to a certain type of entity defined as an information broker. 
It is still unclear to us on what industry the information broker 
provisions are intended to focus. We believe the provision should be 
struck from the bill and encourage the focus of this bill to be on data 
security and breach notification. Following are concerns we have with 
this provision:

        Double Jeopardy with FCRA: As discussed above, consumer 
        reporting agencies which compile and maintain data for purposes 
        of producing consumer reports which are used for eligibility 
        determinations are regulated under the FCRA. These products are 
        subject to accuracy, access and correction standards. The 
        definition of ``information broker'' does not expressly exclude 
        consumer reporting agencies (FCRA). Rather than fully exempt 
        consumer reporting agencies, the bill proposes an exception 
        which establishes an ``in compliance with'' test. In essence a 
        consumer reporting agency is regulated as a consumer reporting 
        agency under FCRA and also as an ``information broker'' under 
        this proposal where the consumer reporting agency is not in 
        compliance with FCRA. CDIA appreciates the effort to exclude 
        consumer reporting agencies via Section 2(b)(3)(C) but we 
        oppose this approach to an exception. By contrast in Section 
        2(c) the bill unequivocally exempts certain service providers. 
        Consumer reporting agencies as defined under FCRA should not be 
        considered information brokers in any context.

        Interference with Fraud Prevention, Identity Protection and 
        Location Services--RVI products such as those designed for 
        fraud prevention and location are produced under laws such as 
        the Gramm-Leach-Bliley Act and Section 5 of the Federal Trade 
        Commission Act. financial institutions (GLB). The definition of 
        information broker does not exclude financial institutions 
        regulated under GLB. Therefore products developed under the 
        data-use limitations found in GLB Title V, Section 502(e) are 
        adversely affected by the information broker provision.

    Neither a product developed for fraud prevention nor location 
should be subject to accuracy, access and correction standards since 
neither product is used to deny or approve an application, etc. If they 
were designed for the purpose of making decisions about a consumer's 
eligibility, then they would already be regulated under the FCRA.
    Consider the effect of the information broker duties on fraud 
tools. While Section 2(b)(3)(A)(ii) provides a limited exception for 
fraud data bases consisting of inaccurate information, the exception is 
not sufficient, though we do applaud the effort to try and address the 
problem of imposing an accuracy standard on fraud tools. Fraud 
prevention tools are built based on data about consumers, data about 
confirmed fraud attempts, data about combinations of accurate and 
inaccurate data used for fraud attempts and more. Fraud tools are 
designed to identify transactions or applications that are likely to be 
fraudulent in order to allow the user to take additional steps to 
prevent the crime and still process legitimate transactions. The 
current exception does not appear to address all types of fraud 
prevention tools used today and further the limitations of the 
exception impose statutory rigidity that will prevent the design of new 
tools as the strategies of the criminals change. It is our view that 
applying an accuracy standard to any aspect of a fraud prevention 
system that is not used to stop a transaction or used to make a yes-or-
no decision does not make sense.
    Similarly it is wrong to subject fraud prevention tools to an 
access and correction regime. While Section 2(b)(3)(iv) 
attempts to exclude fraud prevention tools from the duty to disclose 
(and therefore any right to dispute data), the exception is tied to a 
variety of tests such as where the use of the tool would be 
``compromised by such access.'' It is our view that fraud tools, 
because they are not used to make decisions, should be absolutely 
excluded from duties to disclose. If details of a fraud tool are 
disclosed it is akin to disclosing the recipe for fraud prevention. The 
fact that the exception to disclosure is not absolute leaves open the 
risk that a tool will have to be disclosed which simply reduces the 
value of fraud prevention tools which are protecting consumers. This 
result works against the premise of the bill which is to protect 
consumers from crime, particularly identity theft.
    As discussed in this testimony, location services are materially 
important to how risk is managed. These tools are not designed to be 
used for decisionmaking and thus are not regulated under the FCRA, 
which already regulates all data used for eligibility decisions 
(including the imposition of accuracy, access and correction rights). 
Location services cannot have an accuracy standard applied to them as 
this bill would propose. The tools are about helping local law 
enforcement investigate crimes, attorneys to locate witnesses, and 
Federal agencies to cross match data in the pursuit of kidnappers, 
etc., nonprofit hospitals to collect debts from patients who have the 
ability to pay but refuse to do so and in the enforcement of child 
support orders. These systems are designed to, for example, help a user 
identify possible connections between disparate records and ultimately 
possible locations for the subject of the search. Measuring the quality 
of the possible connections is not akin to an accuracy standard, nor 
should an accuracy standard be applied to ``possible matches.'' 
Further, providing access to a database for purposes of error 
correction could affect the quality of the systems since matches are 
sometimes based on combinations of accurate and inaccurate data. 
Ultimately, the data is not used to deny a consumer access to goods or 
services and thus CDIA opposes the application of accuracy, access and 
correction duties to these fraud prevention systems or RVI services.

Information Brokers and Audit Logs
    Section 2(b)(4) establishes a duty for information brokers to 
maintain audit logs for accessed or transmitted information. Such a 
duty is appropriate to a database used for eligibility and thus is 
appropriate under the FCRA. CDIA urges the Committee to reject the 
application of such a concept to data systems which are not used to 
determine eligibility. Audit systems impose costs on business both 
small and large. Based on even the current limited exceptions to 
information broker duties to ensure accuracy and provide access and 
correction, it appears that an audit log must be maintained.

Harmonizing Data Security Standards
    While CDIA's members support the creation of a national standard 
for data security, we believe that it is also critical that such a 
standard not interfere with the operation of other Federal laws which 
already exist. To accomplish this, additional work must be done to 
fine-tune the exception in the current bill. Allowing a company to be 
exempt from a data security standard only when it is ``in compliance 
with'' a similar standard found in another law imposes two sets of 
duties, two sets of costs and two sets of liability on that company. 
For CDIA's largest and smallest businesses this is an unnecessary 
burden. For our smallest businesses this duty likely increases the 
costs of the Errors and Omissions insurance policies which have to 
cover this dual liability risk. We urge the Committee to adjust the 
exception so that it is not an ``in compliance with'' test and to instead 
use a ``subject to'' test.

FTC Website for Publishing Breaches
    The bill requires covered entities to report any breach to the 
Federal Trade Commission and further it requires the FTC to publish the 
fact of these breaches on a website. The fact that the bill has a 
breach notification standard ensures that all affected consumers are 
notified when there's a risk of being harmed by the breach. CDIA agrees 
that notices to consumers who are at significant risk of becoming a 
victim of identity theft makes sense. However, publishing the names of 
companies does not. A company could have deployed best-in-class 
technologies and procedures and still have been affected by the 
criminal actions of rogue employees or new technologies used by an 
organized gang. The business or governmental agency which suffered the 
breach due to criminal actions is a victim of a crime. The publication 
of the names of those who have suffered a breach would imply that the 
business did not work hard, did not care about their customers and by 
these implications, the publication of names imposes a guilty verdict 
on their good names, no matter how hard the business had worked to 
protect the data and no matter how responsible they were in working to 
protect their customers following a breach. We urge the Committee to 
strike this provision.

Preemption
    CDIA applauds the intent of this bill to set uniform national 
standards for data security and breach notification. However, the 
exception to this preemptive standard, which attempts to preserve state 
laws, swallows the rule. Congress should not enact a fifty-first law. A 
true national standard will benefit consumers because they will enjoy 
the benefits of this standard no matter where they live.

Enforcement
    CDIA believes that the preservation of uniform national standards 
for data security and breach notification are best achieved by limiting 
the enforcement of the law to a single Federal agency, in this case the 
Federal Trade Commission. Extending the enforcement powers to state 
attorneys general, which in turn can designate any other ``official or 
agency of the state'' to bring enforcement actions as well, will not 
increase a company's desire to comply but will lead to experimental 
litigation that may simply diminish the true national standard the bill 
sets out to establish. Further, the same issues and same facts of a 
given incident should not be open for multiple lawsuits. CDIA operates 
an errors and omissions insurance program for its small-business 
members and it is our experience that policy costs will rise where 
there is additional exposure. Even larger members who self-insure 
simply have to set aside more money for litigation rather than 
investing it in research and development. We urge the Committee to 
limit enforcement to the FTC.

Conclusion
    We thank you again for giving us this opportunity to testify. It is 
only through such dialogue that good laws are enacted. We welcome 
continued dialogue on S. 3742 and I'm happy to answer any questions.

    Senator Pryor. Ms. Bianchi.

STATEMENT OF MELISSA BIANCHI, HOGAN LOVELLS U.S. LLP, ON BEHALF 
              OF THE AMERICAN HOSPITAL ASSOCIATION

    Ms. Bianchi. Good afternoon, Chairman Pryor and Ranking 
Member Wicker. My name is Melissa Bianchi and I'm here today to 
testify on behalf of the American Hospital Association. Thank 
you for the opportunity to share the AHA's views today.
    The AHA represents nearly 5,000 member hospitals, health 
systems, and other health care organizations, as well as 38,000 
individual members. Our member hospitals are dedicated to 
safeguarding the privacy of their patients' personal 
information and are experienced in protecting this data.
    As I'll discuss today, hospitals are deeply familiar with 
the type of obligations that are proposed in this legislation 
and indeed already are subject to a very similar regulatory 
framework. In the past, Congress has recognized this by 
exempting hospitals from duplicate regulatory requirements and 
we believe that a similar approach makes sense here.
    The Department of Health and Human Services has established 
detailed requirements under HIPAA for how hospitals must 
protect the privacy and security of the patient information 
they maintain. In 2009, Congress strengthened the HIPAA privacy 
and security requirements, as well as established new security 
breach requirements for HIPAA-covered entities. Under the HITECH 
Act, part of ARRA, HIPAA now contains stronger enforcement 
mechanisms and higher penalties for noncompliance. State 
attorneys general now have the power to bring enforcement 
actions under HIPAA and patients have more rights with respect 
to their own information. Also under HITECH, the HIPAA rules 
apply now not only to HIPAA-covered entities, but also directly 
apply to their subcontractors, known as business associates.
    The protections proposed under this legislation duplicate 
those already in place under HIPAA. For hospitals and other 
HIPAA-covered entities, this act would require a whole new set 
of compliance activities that largely mirror HIPAA. This act 
also may subject hospitals to two parallel sets of enforcement 
activities. Penalties could apply under each set of 
requirements. Requiring HIPAA-covered entities to establish 
compliance standards for two different regulatory systems will 
be costly.
    Because hospitals already must meet HIPAA's stringent data 
security standards, these additional compliance costs will not 
afford consumers any greater protection. Indeed, if hospitals 
are required to send both an HHS and an FTC notice to consumers 
in the event of a security breach, it will be confusing. In 
order for a consumer notice of a security breach to be 
meaningful, it is important that consumers not receive multiple 
notices of a single data breach.
    The HIPAA rules apply to protected health information. 
Basically, this is health information that is held by a HIPAA-
covered entity. Protected health information includes 
demographic information like a person's name and address. It 
includes payment information, such as credit card information 
or checking account information that a patient uses to pay for 
care. Generally, all identifiable information about a patient 
that is held by a hospital is protected by HIPAA.
    HIPAA contains detailed requirements for maintaining the 
security and privacy of health information, and that includes 
electronic health information. Covered entities must put 
safeguards in place to protect the confidentiality, the 
integrity, and the security of this information, and these 
requirements cover virtually every circumstance in which 
patient information is stored or transmitted in the health care 
setting.
    HIPAA regulations include new rules for responding to 
security breaches as the result of HITECH. A HIPAA-covered 
entity is required to notify each individual whose information 
is breached and also must notify HHS. For larger breaches, a 
hospital must also notify the media. HHS posts a list of 
breaches on its website.
    The HITECH Act also establishes security breach 
requirements for a different kind of information, personal 
health records. These are records that any one of us can set up 
on a publicly available website to store our own health 
information ourselves. This information is not protected by 
HIPAA because it's not maintained by a HIPAA-covered entity. 
Instead, the information is maintained by the vendor of the 
website. In this case, the FTC regulates these entities.
    These two sets of security breach rules do not overlap. 
This is because Congress recognized in HITECH that there is an 
existing privacy framework for HIPAA-covered entities, and we 
believe that this same approach makes sense going forward. 
HIPAA-covered entities and their business associates are fully 
and vigorously regulated by HHS. They are obligated to comply 
with detailed requirements designed to protect the security of 
patient information in both paper and electronic form. Where 
those systems fail, they must notify patients. Requiring HIPAA-
covered entities and their business associates to develop two 
parallel compliance programs, set up by two different Federal 
agencies, will be cumbersome and costly for both hospitals and 
for patients, but it will not increase the security of patient 
information.
    We appreciate the Subcommittee's interest in these issues 
and we thank you for the opportunity to testify.
    [The prepared statement of Ms. Bianchi follows:]

        Prepared Statement of the American Hospital Association

    The American Hospital Association (AHA), on behalf of our nearly 
5,000 member hospitals, health systems and other health care 
organizations, and our 38,000 individual members, appreciates the 
opportunity to share its views on the Data Security and Breach 
Notification Act of 2010. This proposed legislation would require the 
Federal Trade Commission (FTC) to establish regulations requiring a 
broad range of entities, including many hospitals, to implement 
security practices to protect personal information and to provide for 
notification in the event of any security breaches of that information.
    Hospitals already are regulated in this area. In the past, Congress 
has recognized this by exempting hospitals from duplicate regulatory 
requirements. We believe that a similar approach makes sense here.
    My testimony will focus on the following:

   The scope and requirements of the Health Insurance 
        Portability and Accountability Act of 1996 (HIPAA), and how 
        HIPAA protections for patient information recently have been 
        strengthened.

   How the FTC and the Department of Health and Human Services 
        (HHS) currently operate parallel and separate rules for 
        security breaches.

   Why this approach--exempting HIPAA covered entities from the 
        FTC rules--makes sense.

    America's hospitals are dedicated to safeguarding the privacy of 
their patients' medical information. The AHA and its members have 
supported efforts by the Department of Health and Human Services (HHS) 
to implement HIPAA. Under HIPAA, HHS has established detailed 
requirements for how HIPAA covered entities must protect the privacy 
and security of the patient information they maintain. These include 
rules for notifying patients in the event of a security breach. 
Hospitals are deeply familiar with the type of obligations proposed in 
this legislation, and indeed already are subject to a very similar 
regulatory framework.
    HIPAA was first enacted in 1996. In 2009, Congress strengthened the 
HIPAA privacy and security requirements as well as created a Federal 
framework for data breach notification for HIPAA covered entities. 
Under the HITECH Act--part of the American Recovery and Reinvestment 
Act of 2009--HIPAA now contains stronger enforcement mechanisms and 
higher penalties for noncompliance. State attorneys general now have 
the power to bring enforcement actions under HIPAA, in addition to HHS. 
The HITECH Act also gave more rights to patients. Patients now have an 
even greater ability to control how their information is used and to 
whom it is disclosed. Perhaps the most significant change under the 
HITECH Act is that the HIPAA rules now apply not only to HIPAA covered 
entities, but also directly apply to their subcontractors, known as 
business associates.
    The protections proposed under the Data Security and Breach 
Notification Act duplicate those already in place under HIPAA. For 
hospitals and other HIPAA covered entities this Act would require a 
whole new set of compliance activities that largely mirror HIPAA. This 
Act may also subject hospitals to two parallel sets of enforcement 
activities; penalties could apply under each set of requirements. 
Requiring HIPAA covered entities to establish compliance standards for 
two different regulatory regimes will cost hospitals money. Because 
hospitals already must meet HIPAA's stringent data security standards, 
these additional compliance costs will not afford consumers any greater 
protection.

Information Protected by HIPAA
    The HIPAA privacy and security rules apply to ``protected health 
information.'' Basically, this is health information that is held by a 
HIPAA covered entity. It is information that either directly identifies 
an individual or for which there is a reasonable basis to believe that 
an individual could be identified. Protected health information 
includes demographic information, like a person's name and address. It 
includes payment information--such as credit card information or 
checking account information--that a patient uses to pay for care. 
Generally, all identifiable information about a patient that is held by 
a hospital is protected health information and is governed by HIPAA.
    For almost a decade, HIPAA has provided a comprehensive framework 
for protecting the privacy and security of this patient information. 
The AHA's members are experienced in taking the steps necessary--and 
required by HIPAA--to protect patient information. The HIPAA 
regulations include a number of components--most importantly, baseline 
privacy regulations as well as security regulations that apply 
specifically to electronic information. The privacy regulations under 
HIPAA impose detailed rules about how a hospital may use patient 
information and when and to whom a hospital may disclose that 
information to another party.
    For example, a hospital is allowed to use all of the information in 
a patient's medical record to treat a patient. Not all information, 
however, can be sent to a health plan to obtain payment for that care. 
The privacy regulations contain rules for almost every circumstance. 
There are rules about when a hospital can disclose patient information 
to a subcontractor--or business associate. There are rules establishing 
when a hospital must seek special permission from a patient before 
using that patient's information, such as to conduct research. There 
are rules for when and how patient information may be disclosed 
pursuant to a subpoena. And there are rules about how the information 
on minors and on deceased patients can be used. Hospitals simply do not 
and cannot do anything with patient information without referring to 
the HIPAA requirements.
    HIPAA also contains security requirements. These are detailed 
requirements for maintaining the security of electronic information. 
HIPAA covered entities must put in place safeguards to protect the 
confidentiality, integrity, and security of electronic protected health 
information. As with the privacy requirements, these security 
requirements cover virtually every circumstance under which patient 
information is stored or transmitted electronically in the hospital 
setting. For example, a hospital must have a process in place for 
identifying and assessing reasonably foreseeable vulnerabilities in its 
information systems. Corrective actions are required to address any 
vulnerabilities identified.
    HIPAA requires its covered entities to take a number of steps to 
comply with the privacy and security regulations. Hospitals are 
required to have detailed HIPAA policies and procedures and to train 
their employees on those practices. They also must appoint a privacy 
official and a security official responsible for managing the privacy 
and security practices.

HIPAA Requirements for Security Breaches
    In addition to detailed privacy and security regulations, the HIPAA 
regulations include new rules for responding to security breaches. This 
is a result of the HITECH Act. A HIPAA covered entity, such as a 
hospital, is required to notify each individual whose information is 
breached. For larger breaches--those involving the health information 
of 500 or more individuals--a hospital also must notify the media. The 
Secretary of HHS also must be notified of all breaches, big and small. 
HHS posts a list of breaches on its website.
    The HIPAA breach regulations include specific requirements for how 
individuals must be notified. These reflect the requirements Congress 
established under the HITECH Act. For example, individuals must be 
notified of a breach without unreasonable delay, and no later than 60 
days after the breach is discovered. The notice must be in writing; it 
must describe the type of information breached and the steps 
individuals should take to protect themselves from potential harm 
resulting from the breach. HIPAA covered entities already are obligated 
to carry out the kinds of security breach activities that this proposed 
legislation requires.

Separate Rules for HIPAA and Non-HIPAA Entities
    The HITECH Act established two parallel sets of rules for security 
breaches. One is under HIPAA, governed by HHS. Another set of rules 
covers a different kind of information--personal health records. These 
are records that any one of us can set up on a publicly available 
website to store our health information ourselves. They can contain 
personal, sensitive information. But the information isn't protected by 
HIPAA, because it is not maintained by a hospital or other HIPAA 
covered entity. Instead, the information is maintained by the vendor of 
the website and by the consumer. For these kinds of records, the 
Federal Trade Commission has authority to set the rules.
    These two sets of security breach rules don't overlap. This is 
because, in the HITECH Act, Congress recognized that there is an 
existing privacy framework for HIPAA covered entities. Congress 
established a separate set of breach requirements under HIPAA and 
excluded HIPAA covered entities from the new FTC requirements. The AHA 
believes that this same approach makes sense going forward. Hospitals 
already follow a strict set of requirements for protecting patient 
information and for addressing security breaches.
    Subjecting HIPAA covered entities and their business associates to 
the Data Security and Breach Notification Act would require hospitals 
to establish two parallel compliance programs, set up by two different 
Federal agencies: one to meet the long-standing HIPAA requirements, and 
another to comply with the FTC regulations that would be developed 
under this legislation. Inevitably, this will increase a hospital's 
compliance costs, but without increasing the security of patient 
information. Hospitals already are responsible for protecting patient 
information. Increased compliance costs have the effect of increasing 
health care costs, a result none of us wants.
    There also is the potential that hospitals would be subject to two 
sets of penalties--one from HHS and one from the FTC--for the same 
security incident. We understand that under the Act the FTC would have 
the discretion to determine that HIPAA covered entities and their 
business associates are deemed in compliance with the Act by virtue of 
their HIPAA obligations. But even if the FTC takes this step, it is 
possible that, where a HIPAA covered entity failed to comply with 
HIPAA, it would be subject not only to the new and enhanced HIPAA 
penalties, but also to the FTC's penalties.
    We believe it also is in the best interest of consumers for HIPAA 
covered entities and their business associates to be expressly exempted 
from the Act. If a hospital is required to comply with both the FTC and 
the HHS rules regarding security breaches, the hospital could be 
required to send two letters to the same patient for the same security 
incident. That simply doesn't make sense for patients, and it doesn't 
increase the protection of their information. In order for consumer 
notice of security breaches to be meaningful, it is important that 
consumers not receive multiple notices of a single data breach. It will 
be confusing for individuals to receive multiple letters about the same 
breach. If there are too many notices, at some point, letters about 
security breaches will become just more white noise. Consumers may end 
up disregarding important information and fail to take steps to protect 
against future harm or misuse of their information. Consumers should 
receive a single notice for a single breach.
    HIPAA covered entities and their business associates are fully and 
vigorously regulated by HHS. They already are obligated to comply with 
detailed requirements designed to protect the security of patient 
information. Where those systems fail, they must notify patients of a 
security breach, as HHS requires. An additional set of rules will be 
cumbersome and costly, both for hospitals and for patients.
    We appreciate the Subcommittee's interest in these issues and thank 
you for the opportunity to testify.

    Senator Pryor. Thank you.
    I'll call on Senator Wicker for his opening statement.

              STATEMENT OF HON. ROGER F. WICKER, 
                 U.S. SENATOR FROM MISSISSIPPI

    Senator Wicker. Thank you very much, Mr. Chairman, and 
thank you to the witnesses. I was a little late because I was 
in your seat in another hearing room in another building. But I 
want to thank the Chair for holding this hearing and for his 
dedication to this important issue of protecting sensitive 
personal information. Data breaches over the last decade 
highlight the need to examine the way businesses and nonprofits 
currently protect consumer information. We should ensure that 
strong security features are in place and that consumers 
receive appropriate notification when a breach of their 
information occurs, exposing them to identity theft and similar 
threats.
    Congress has been monitoring this issue for several years 
and I appreciate your efforts, Mr. Chairman, in seeking a 
comprehensive solution. Let me commit to you today, Mr. 
Chairman, that I want to work with you before the end of this 
Congress to co-sponsor a bill and to move it as far as we can 
toward passage during this calendar year.
    The collection of personal information about consumers 
began as a commercial practice many years ago. Nevertheless, 
advancements in technology, particularly the continuing 
development of online commerce and the proliferation of 
electronic data, increase the amount of personal information 
that can be collected and maintained by companies and nonprofit 
organizations. These advancements greatly enhance the 
convenience for consumers in doing business all over the 
country. But they also increase the possibility for personal 
information to be unlawfully acquired and misused.
    Data breaches can happen in many ways, ranging from 
complicated computer schemes created by sophisticated hackers 
to business records carelessly discarded in a dumpster, for 
example, behind a store. No matter how the unlawful acquisition 
of personal information occurs, it can present a real threat to 
an individual's credit, finances, and peace of mind.
    The legislation before us today represents a comprehensive 
approach that would create a uniform standard throughout the 
country. Currently, no single Federal standard exists for 
guarding many types of consumer information.
    I want to explore one aspect of the bill further with our 
witnesses--the interaction between this legislation and data 
security laws that are already in place. Many entities covered 
by this bill already act under existing standards, such as the 
security or notification procedures required in the Gramm-
Leach-Bliley Act and the HIPAA Act, as we've already received 
testimony about.
    I'm interested to hear from those entities represented here 
today and from the FTC, who would be enforcing the new 
regulations, how would the interplay between these laws work 
and how can we ensure that we do not unintentionally create 
unnecessary, dual, or even conflicting standards.
    Another provision in this bill would impose additional 
requirements on entities that are considered data brokers. 
These entities possess large amounts of personal information 
about consumers. Not surprisingly, as availability of personal 
data has increased so has the market for businesses to gather 
and utilize that data. It is important for us to learn more 
today about how those specific provisions would affect data 
brokers and their ability to keep data secure and take 
appropriate measures when that data is breached.
    So thank you to all of our witnesses for sharing your time 
with us. I look forward to the questions and I want to work 
with each of you to achieve a goal that I know we all share, to 
ensure that sensitive personal information is protected.
    Thank you.
    Senator Pryor. Thank you.
    Let me go ahead and start with you, Ms. Mithal, if I may. 
You talked a little bit about the Rite-Aid case in your opening 
statement. As I understand it, you worked with the Department 
of Health and Human Services on that matter. Do you currently 
under existing Federal law, do you have the authority to file 
suit and did you do that in that case?
    Ms. Mithal. Yes, we did, Mr. Chairman. One of the things 
that we were very mindful of in that case is that we wanted to 
leverage our authority and HHS's authority to get the broadest 
possible relief for consumers without creating overlapping or 
duplicative requirements. So for example, HHS was able to get a 
civil penalty against the company under HIPAA. In our order 
provisions we didn't get a civil penalty. But our order 
provisions were much broader in the sense that they covered 
employee information, and they also covered certain electronic 
information that was not covered by the HHS order. So I think 
we worked together to leverage our authority and make sure we 
got the best result for consumers, without creating duplicative 
requirements for businesses.
    Senator Pryor. Can you tell us a little bit about the 
ChoicePoint case? This has come up a couple times. If you could 
just tell the Subcommittee what that is?
    Ms. Mithal. Certainly. I think it was widely reported that 
certain people were posing as others in order to get 
information from ChoicePoint. ChoicePoint was covered by the 
Fair Credit Reporting Act in that case, which requires an 
entity to maintain reasonable procedures before providing 
sensitive consumer report information to others. We alleged 
that ChoicePoint did not maintain such reasonable procedures 
and, because we were proceeding under the FCRA, we were able to 
get civil penalties.
    So we can get civil penalties if we sue a company under 
FCRA, but we can't get civil penalties for our other data 
security cases, such as in the Rite-Aid case.
    Senator Pryor. You said in your opening statement that you 
support the goals of this legislation. Are there areas in the 
bill that you think we need to work on?
    Ms. Mithal. Let me just mention one, Mr. Chairman. I think 
with respect to the scope of the bill--and I think the Rite-Aid 
case is a good example of this--the breach notification 
provisions would only cover a breach of electronic information. 
So for example, if a consumer's paper information were breached 
there would be no breach notification required under the bill.
    We would like to see the breach notification provisions 
extended to paper as well as electronic records. As I 
mentioned, in the Rite-Aid case they had just disposed of 
information into open dumpsters, and we think that consumers 
have a right to be informed in that case.
    Senator Pryor. You said that you like the provisions in the 
bill that allow the State attorneys general to I guess bring 
actions. Tell the Subcommittee why you like that and why you 
think that's important.
    Ms. Mithal. Well, I think it's a model that has certainly 
worked well in other areas of FTC enforcement. Under the Fair 
Credit Reporting Act, we have concurrent enforcement authority 
with the States. I believe that model has worked well. I 
mentioned in my opening statement our case against LifeLock. 
This was a case we brought together with 36 State attorneys 
general, and we were able to get a broad set of relief and we 
were able to get media publicity in both local markets as well 
as nationally arising from that action.
    Senator Pryor. Ms. Rusu, let me ask you about the State 
attorneys general. I think in your statement you said that you 
like the provision about the State attorneys general.
    Ms. Rusu. Correct.
    Senator Pryor. Could you elaborate on that?
    Ms. Rusu. Sure. As far as we've seen, the State attorneys 
general really have been at the forefront of the battle against 
data breaches and identity theft. I think it may have to do 
with the fact that they're a lot more plugged into what is 
going on at the ground level. They're more likely to hear about 
these issues, and a lot of times perhaps more able to meet with 
the people and see what's happening right down at the ground 
level.
    So from past experience, from what we've seen, the State 
attorneys general have really been the ones that have brought 
these issues to public and national consciousness. We like this 
model and we'd like it to continue.
    Senator Pryor. Ms. Bianchi, did you say in your statement 
whether you like the State attorneys general provision or not? 
I don't recall you mentioning that.
    Ms. Bianchi. The HIPAA rules do include, as a result of the 
HITECH Act, enforcement power for State attorneys general. So 
that's a new provision in the last year or so, and I understand 
the Department of Health and Human Services is currently 
working with the attorneys general to train them on HIPAA and 
on how to identify and proceed with cases, and they're required 
to coordinate with the Department in doing so.
    Senator Pryor. Mr. Pratt, did you have any comment on the 
State AG provision?
    Mr. Pratt. Thank you, Mr. Chairman. I think the only point 
we would make is we would like to continue some discussion 
around the question of not simply the attorneys general's 
powers, but the ability to name an official or agency of the 
State, so it expands it. It seems to expand it beyond the 
borders of just the attorney general him or herself, and I 
think that's probably where we'd like to see a little more 
discussion. I think we'd like to see that more limited. That 
can otherwise invite maybe second-tier or third-tier litigation 
that would probably confuse rather than help with a true 
enforcement action.
    Senator Pryor. Senator Wicker.
    Senator Wicker. Do any of you want to talk about the 
possibility of too much notification? The bill requires 
notification of a covered breach to be provided unless there's 
no reasonable risk of identity theft, fraud, or other unlawful 
conduct. Some have expressed the concern that this will result 
in notifications when there's little or no evidence that 
unlawful conduct is likely to occur, but it's not technically 
unreasonable to think it could.
    Is there such a thing as too much notification? Do any of 
you believe this is a legitimate concern? Raise your hands.
    [A show of hands.]
    Senator Wicker. Ms. Rusu, would you like to go first?
    Ms. Rusu. First of all, the first point I'd like to make is 
that we really do believe that consumers should be the ones to 
decide what is important and what is not. The reason that we 
are concerned about this is that if a company is the one that 
gets to decide in every situation whether or not something is 
relevant, whether it's not, then a lot of times we're worried 
that they'll decide in their own best interests. Of course, 
notification entails some costs, it entails negative public 
image in the media.
    So first of all, we think that consumers should be able to 
decide whether this is something they want to act on, whether 
this is something that they want to do in order to protect 
themselves.
    Second, however, we believe that these notifications should 
really decrease as a result of this law. The real purpose 
behind this seems to me to be providing incentives for 
companies to put in place much better, much more responsible 
data security practices, and if these data security practices 
are implemented correctly we should see a much decreased number 
of security breaches in general, and as a result we will 
require a lot less notifications.
    Senator Wicker. Ms. Mithal?
    Ms. Mithal. I would certainly agree that overnotification 
could be a concern. So for example, we wouldn't want consumers 
to receive so many notifications that they become numb to them. 
I don't think this bill is there. I think that certainly if 
there is a breach and every time there is a breach a consumer 
received a notification, it would be a problem. But I think 
this bill sets a high enough threshold that overnotification 
would not be a problem.
    Senator Wicker. Mr. Pratt?
    Mr. Pratt. I'm not sure there's a perfect science around 
what words you choose for the trigger to send a notice. So I 
would agree----
    Senator Wicker. I was afraid of that.
    Mr. Pratt. If I hire three lawyers, I get at least four 
answers, I can assure you, and I'm billed for all of them.
    We have seen other standards in other bills, for example 
``significant risk of identity theft.'' I think it's a 
worthwhile question because it is important to ensure that we 
don't end up with overnotification. It means that the consumers 
begin to simply file those notices in the same way that they 
sometimes file GLB privacy notices, because they're not really 
readable.
    So yes, I think it's a good question. I'm not sure I have a 
crystal ball to tell you perfectly what that answer is. I can 
tell you that ``any other unlawful conduct,'' for example, 
could mean a lot of different things, and so that alone expands 
this trigger somewhat beyond the borders of other statutes that 
we've seen in other States. We'd be happy after the hearing to 
see if we couldn't bring together some better experience from 
any of our members in terms of how different State statutes 
have affected the trigger of the notice.
    Senator Wicker. I think we would appreciate that.
    Anyone else want to comment on that question? Yes, sir, Mr. 
Bregman?
    Mr. Bregman. I think it's important that the bill includes 
provisions for the exclusion of data that has been rendered 
unusable through encryption and careful key management from 
notification. Without that, there could be significant 
overnotification where there really is no risk. The 
technologies will proceed to evolve and so it's important that 
we use best state-of-the-art technologies and that could be 
best determined probably by regulatory agencies and the 
industry as technologies advance.
    Senator Wicker. Mr. Pratt, you want to add?
    Mr. Pratt. Senator, if I could just echo support for that. 
That is a terribly important component of the bill. We 
compliment you, Senator Pryor, for having included that in the 
bill.
    I'm not sure we feel that the best motivation for data 
security is the low threshold of the trigger for a notice. It 
is a clear roadmap for us to find a means of compliance, and 
knowing that we have an ability to render data in a wide 
variety of ways, not just simply using an encryption 
technology, but using a wide variety of tools, is probably the 
best motivator for us to find a way to simply not ever have to 
send a notice because we are never breaching the kind of data 
that would put a consumer at risk or a customer at risk in the 
first place.
    Senator Wicker. What about the risk of false notices? Could 
the plethora of notifications make it easier for ne'er-do-wells 
to submit false notices and then ask for information from 
consumers? Does anybody worry about that?
    Mr. Pratt. I can just tell you, in certain experiences in 
certain States over the many decades I've worked in the 
industry, we've seen false notices as a means of obtaining 
sensitive personal information for purposes of perpetrating ID 
theft. I think the TechAmerica testimony tells you that, of 
course, there are the low-tech approaches, but there are also 
the very, very high-tech approaches that pose different risks, 
that are probably found on my laptop rather than in my mailbox. 
But both forms of risk exist, and they exist today because 
there are many State breach laws today in many States.
    Senator Wicker. Well, the Chair's been very generous with 
his time. Let me ask Mr. Pratt one other question. You believe 
the bill's information broker provisions would actually harm 
the industry's ability to use data for fraud prevention. Could 
you elaborate on this? What services do you provide consumers 
that might be negatively impacted by the inclusion of the 
brokers in this legislation?
    Mr. Pratt. Thank you, Senator. Fraud prevention and 
location services are two types of tools that our members make 
available in the marketplace, and I think our testimony, the 
full testimony, tries to explain in a little more--with a 
little more granularity what the problem is. The monolithic 
application of accuracy standards or a standard for access and 
correction would be wrong, and of course, Senator Pryor, your 
bill doesn't attempt monolithic application. You do have some 
exceptions. We feel that they're probably too rigid. It's hard 
for us to be sufficiently omniscient to know what the next 
product is and whether the current exception embraces our 
ability to innovate and build that next product.
    We would rather see--ultimately the question is who is the 
information broker that we're trying to get to? Consumer 
reporting agencies are regulated under the FCRA. Financial 
institutions would be governed under GLB. A fraud prevention 
tool--by the way, we wouldn't want to be compelled to disclose 
a fraud prevention tool's data because you're disclosing the 
recipe by which we prevent fraud. Senator Pryor, I know full 
well that that's not what you want either, so we understand. 
Your staff has been wonderful about allowing us to have a 
chance to talk about that.
    With a locator tool, it's really fairly irrelevant. Neither 
fraud tools nor location tools are used to make a decision 
about me. They are tools that are used to investigate. They are 
tools used to prevent crime. We see at least in those two cases 
where an information broker provision and the way it's 
structured would potentially impinge on the operation of those 
tools, on future innovation, and actually we still think 
overlap potentially with current laws that are in place today.
    Senator Wicker. Thank you.
    Senator Pryor. Senator Klobuchar, are you ready?

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. I certainly am.
    Senator Pryor. All right. You're up.
    Senator Klobuchar. Thank you very much.
    Thank you, everyone. I'm sorry, I was over at a Judiciary 
Committee hearing, actually on this same, somewhat in the same 
subject, on fraud enforcement and some of the difficulties with 
prosecuting complicated cases. And certainly data security is a 
growing problem, with no easy solution.
    I personally have heard from a number of Minnesota 
businesses. Actually, Senator Thune and I have a bill on peer-
to-peer file sharing software and the issues with that, and I 
came across a number of victims in our State. I was actually 
quite surprised at the stories, including one involving a home 
garden center, where this woman actually just went home to work 
at home on her shared payroll documents. She didn't know her 
kids had installed one of these programs, and the next thing 
she knew her employees, a number of them were victims of 
identity theft because all of their personnel data was on the 
computer, the kids' program took it.
    I think there are an estimated 10 million Americans per 
year whose identities are stolen. So I am excited about the 
work we're doing here. I think it's very important.
    My first question would be of you, Ms. Mithal, and that is 
about these companies that are smaller. I think it's even 
harder for them to deal with it. While they may not be the 
major targets, but roughly a third of all data breaches happen 
at companies of less than 100 people. These companies, as I 
said, don't have that technical know-how. Will this legislation 
allow the FTC to tailor their regulations so they don't apply 
the same requirements to a company of 10 versus a company of 
10,000? And should the size of the company matter?
    Ms. Mithal. Thank you, Senator. I agree with your comment. 
I think the size of the company should matter, and I think the 
bill imposes a reasonable security requirement on companies. 
The reasonableness in that requirement would include such 
things as the sensitivity of the data at issue, the cost of 
fixing a problem, and the cost--and the size of the business. 
So I think costs are definitely included in the calculus in the 
bill.
    Senator Klobuchar. OK.
    Ms. Rusu, most consumers don't have the ability to evaluate 
a company's claim to good data security, because I know I've 
seen things that say that and you don't know, should I get on 
this website or not. How will establishing minimum data 
security requirements level the playing field for consumers and 
companies?
    Ms. Rusu. I think first of all what we need to work on is, 
like you mentioned, providing notices that are readable to the 
average consumer. I think today the disclosures that are 
provided by companies are perhaps readable to someone who's 
graduated law school. So simplifying those notices is crucial, 
it is extremely important.
    I think it's also important for notifications of breach to 
provide language that is very, very simple and clear. I think 
that a lot of times there's a tendency to provide too much 
information and this is where we get to the overnotification 
problem. When there's a long list of paragraphs that the 
consumer can barely get through, that's going to hinder their 
ability to take action. So simplifying language and helping 
consumers, regular day to day consumers, understand what these 
policies are will be a first big step.
    Senator Klobuchar. Very good.
    Mr. Pratt, I think using a national standard here when so 
many of these issues, problems, easily cross State borders, 
makes sense to me. Do your members often have to comply with 
numerous State regulations and would establishing a national 
standard help?
    Mr. Pratt. The easy answer is yes. A national standard does 
two things. Larger companies, of course, go out and hire a 
major law firm and ask those lawyers in that firm to set up a 
grid so they understand all the different State laws, and then 
they design their notification strategy around I guess the 
highest threshold that each State statute might require for 
those States where consumers are the subject of the breach.
    Yes, a single national standard would make that easier. 
Most importantly, though, when I get calls from my smaller 
corporate members they have a much harder time complying with 
those breach notification requirements because, of course, they 
have to ask me, what law firm should I hire in order to get a 
chart, in order to understand how to do it? So that's really 
important.
    I would like to step back and also say that the 
scalability, so, Mr. Chairman, the scalability of the standards 
for security I think is an excellent component of the proposal, 
because it is important to acknowledge a smaller business with 
a lower threshold of risk should design a strategy that's 
appropriate for the risk. The FTC has done a good job of 
producing small business guidance in that regard as well. It's 
been beneficial for our members.
    Senator Klobuchar. Very good.
    Ms. Bianchi, I know he turned to you about a large law 
firm. I used to work at one, so don't worry about it.
    Just from the Hospital Association, Minnesota, as you know, 
is a mecca of health care, and Mayo has done some amazing 
things with sharing data, actually, within the Mayo system as a 
way of establishing costs and other things, that is actually 
one of the hallmarks of how they've been able to keep costs 
down and quality up. It's actually a model we want to use 
nationally. We had some issues with legislation and fights at 
midnight at one point, not health care, believe it or not, 
before that, about sharing information.
    Do you want to talk a little bit about this--this will be 
my last question--from a hospital perspective and if you think 
this would be helpful, to have a national standard?
    Ms. Bianchi. Hospitals certainly really already have at 
least a national standard in place with respect to HIPAA. HIPAA 
establishes a floor. There are more restrictive State laws, but 
I think we certainly support a Federal standard. I think our 
concern really is that we're already subject to one.
    Senator Klobuchar. Right. You're concerned about another 
one.
    Ms. Bianchi. Right. So it's a concern about a second set of 
standards that would really in many ways duplicate the 
standards that hospitals have been operating under for several 
years, and hospitals certainly take these issues very 
seriously. We're just concerned about their compliance costs 
associated with parallel regulations.
    Senator Klobuchar. The other thing, just to get back to my 
point that I was making, was there are always issues where we 
want to be able to share data, not only for patients, so that 
one doctor in an emergency room will be able to access that 
data. I found that to be a huge issue and a problem. Then the 
second, again, would be what I was talking about, was sharing 
underlying medical information so you can figure out, how are 
we ever going to know how cost-effective a certain surgery is 
or a certain treatment is if we're not able to compile that 
data and figure that out as we look at how we reduce costs in 
health care.
    Do you want to comment about that?
    Ms. Bianchi. Sure. I think that's obviously a critical 
issue coming out of health reform and out of ARRA and HITECH. 
The Department of Health and Human Services, as the result of 
Congress's action in those laws, is enormously invested in 
developing a national network of health information. Health 
information does have some special issues associated with it. 
One of the things that components of HHS have spent a lot of 
time on is worrying about the privacy and security of 
information in the context of developing this national network.
    So I think it's important for those two sides of HHS to be 
able to work together to make health information available to 
improve quality and bring down costs, but at the same time not 
jeopardize the privacy and security of individual information. 
That is a challenge and HHS really has the expertise to do this 
in the health care context.
    Senator Klobuchar. Very good.
    Anyone else want to enter into the fray?
    [No response.]
    Senator Klobuchar. Thank you very much.
    Senator Pryor. All right, thank you.
    Let me, Ms. Bianchi, sort of pick up with you in a little 
bit of a follow-up on a previous answer that you gave. You 
talked about HIPAA and HITECH and other laws. Is it your 
position that the existing Federal laws, whatever they may be, 
really cover every instance of data breach or data security for 
the hospitals?
    Ms. Bianchi. For HIPAA-covered entities, HIPAA provides a 
very comprehensive set of security requirements, privacy 
requirements. They're very detailed. They are scalable, so that 
a rural single provider office, single doctor's office, doesn't 
have to do the same things that a large hospital network would 
need to do.
    But it is a very comprehensive system. It really is, I 
think, the best standard that we have now for data security 
and, particularly as the result of HITECH, a model for--many of 
the components of this bill really track the HIPAA standard. So 
yes, I do think it provides a very comprehensive system 
framework.
    Senator Pryor. Mr. Pratt, let me ask you. We've talked a 
little about having a national standard for information 
security, etcetera. In your opening statement you talked a 
little bit about this idea of double jeopardy, how your folks 
might be subject to two different laws or more and have to 
maybe send out multiple notices.
    Could you talk a little bit more with the Subcommittee 
about that? You talked about the term ``in compliance with'' 
and you also talked about this idea of ``where subject to.'' 
Could you tell us a little bit more about that?
    Mr. Pratt. Thank you, Mr. Chairman. In several places it's 
encouraging, the structure and the approach that you've taken, 
and it appears that the goal would be in fact to achieve some 
alignment between the requirements of this statute, to fill in 
the gap where there is no statute in place. So if there's no 
HIPAA in place, this kind of fills in the gap.
    In our view, if there's no FCRA in place this statute would 
fill in the gap, or similarly under the Gramm-Leach-Bliley Act, 
two statutes that we tend to live and work with every day. If 
the test, however, of determining whether or not I'm exempt is 
that I'm in compliance with another statute--and of course, 
every company works to be in compliance, but every company may 
find from time to time that they are not. You can simply go to 
the FTC website and you'll see an investigation of some company 
for not having been in compliance.
    That's the whole purpose of that law. Where you're not in 
compliance, there are penalties and consequences for that 
statute. So our only point would be to replace the phrasing 
``in compliance with'' with the phrasing ``subject to.'' In 
other words, I am subject to a standard of law that is similar 
to the one that you have outlined here, as opposed to I'm in 
compliance with.
    Of course I'm going to be in compliance with it. If I'm a 
consumer reporting agency under FCRA, I'd better be complying, 
and that is true under the Gramm-Leach-Bliley Act. And by the 
way, that would be true to the extent that our member would run 
a business that would now have to comply with the requirements 
of this statute as well.
    And we're happy to comply with all three of those statutes 
and to protect data relative to the sensitive personal 
information in all three cases. We just want to know that we 
don't end up with the tripwire being because you fell out of 
compliance you now are supposed to be in compliance over here 
as well. And there might be some differences in compliance 
requirements, so now it's almost an ex post facto application 
of duties that I was not first subject to, but I'm only subject 
to because I failed in some way relative to the duty that I had 
over here with this statute that is the primary statute that 
governs me, FCRA, GLB.
    So we just simply are urging the Committee to adjust the 
approach to the exception so that they make it clear that if 
you're subject to the Fair Credit Reporting Act we would simply 
make the argument FCRA would require similar standards, 
therefore we are in compliance with and exempt from. And if we 
are subject to the Gramm-Leach-Bliley Act and the safeguards 
rule in the Gramm-Leach-Bliley Act, we have a substantially 
similar set of requirements and therefore we're exempt from 
this, but we're of course not exempt from GLB.
    In no case are we asking to be somehow exempt from 
something that would allow us to therefore be sloppy with 
sensitive personal information.
    Senator Pryor. I understand the distinction you're trying 
to make.
    Ms. Bianchi, let me ask you. On HIPAA, as I understand 
HIPAA--and I know HIPAA's fairly comprehensive--I don't think 
it covers employee data, does it?
    Ms. Bianchi. It covers--it can in some cases, but mostly 
no, it does not, it does not cover employee data.
    Senator Pryor. Do you think the hospital should be subject 
to this law we're proposing for employee data purposes?
    Ms. Bianchi. I think to the extent that hospitals have 
information that is not part of their covered entity and is not 
subject to the requirements of HIPAA, that certainly hospitals 
support robust security standards. I think the importance would 
be for the exemption to be with respect to all protected health 
information, and where that does include employee information 
that that also would be covered under that.
    It's really a concern about not being subject to two 
different sets of rules for the same set of information.
    Senator Pryor. Right. I appreciate that.
    Mr. Bregman, I'm not going to let you off the hook. Maybe 
you thought I wasn't going to ask you any questions and you 
were going to slip the noose. But I have a few for you.
    Senator Klobuchar. ``Slip the noose''?
    Senator Pryor. Let me ask about your view of whether we 
should extend a law like this to nonprofits. I don't know if 
you mentioned that in your opening statement, but to schools 
and nonprofits, et cetera; is that in your view good policy?
    Mr. Bregman. I think it is good policy. If you look at the 
data, a large amount of data breach occurs from the nonprofit 
sector, where they do have sensitive data. And I don't think 
this legislation would impose an undue burden on them.
    Senator Pryor. I think in your statement you talked about 
personally identifiable information and the definition of that. 
Would this definition effectively capture the trigger for 
breach notification to the affected consumers where 
appropriate?
    Mr. Bregman. I think the intent is that personally 
identifiable information would be subject to this to the extent 
that it's not rendered unusable through technical means, such 
as encryption or other alternative accepted technologies.
    Senator Pryor. Do you like the way we've tried to set the 
trigger in our legislation, or could you improve on that? Or do 
you know enough about the bill to comment on that?
    Mr. Bregman. Well, to the extent I understand the bill, I 
think it's reasonably set at this point.
    Senator Pryor. Ms. Rusu, in your statement you talked about 
``unusable'' and ``unreadable'' data. You mentioned that data 
can sometimes be reconstructed in some way. I think I know what 
you mean by that, but tell me what you mean by that and what a 
viable solution there might be?
    Ms. Rusu. A lot of times data can initially appear 
encrypted, it can initially appear unusable or unreadable, but 
subsequently by using certain technologies that data could be 
reconstructed and actually re-attributed to the person to whom 
it belongs and then used for identity theft.
    So really our recommendation is that, together with the 
FTC, we work toward identifying those types of methods of 
encryption that really do render the data unusable and 
unreadable to the extent that it cannot be reconstructed.
    Senator Pryor. I asked Mr. Bregman a few minutes ago about 
extending the law to nonprofits and I assume that--I understand 
that Consumers Union is for that. But does Consumers Union 
think that there should be any exceptions to that? Is there 
anybody you think ought to be exempted or excepted?
    Ms. Rusu. Exempted from the nonprofit requirement?
    Senator Pryor. Right.
    Ms. Rusu. I would be happy to get back to you in writing on 
that, if possible.
    [The information referred to follows:]

    Consumers Union believes that it is important to require both non-
profit and private sector entities to protect the security of the 
personal consumer data they maintain and to provide breach notice. 
Consumers face the same risks, whether their data is compromised by 
for-profit or non-profit entities. While we are certainly cognizant of 
the fact that many non-profits may not have the resources to provide 
notification or credit monitoring, we believe that the bill's 
provisions exempting such action due to excessive cost are sufficient.

    Senator Pryor. Did you have any questions?
    Senator Klobuchar. Just one more follow-up with Mr. 
Bregman. I know that the Verizon business risk team, working 
with the United States Secret Service, recently released their 
2010 report on security breaches, and I think one of the most 
surprising findings of the report was that 96 percent of 
breaches were avoidable through simple or intermediate data 
security controls. Is this consistent with your experience and 
would provisions in the Data Security and Breach Notification 
Act that require companies to implement basic data security 
practices address many of these problems?
    Mr. Bregman. Absolutely. The vast majority of data breaches 
are avoidable through good practices, good data hygiene, and 
good IT practices. I think this legislation would put 
organizations on notice that, in the absence of that, they're 
going to have to make breach notification and they may be 
subject to other sanctions.
    I think the important point is that as we look at the 
methodologies to avoid data loss and data breach, those methods 
and techniques will change over time. So it's important not to 
try to define specific technologies in the legislation, but 
rather to assure that Federal regulators, in consultation with 
industry, will regularly update the best practices and make 
those the metrics for whether a company is in compliance.
    Senator Klobuchar. Ms. Rusu?
    Ms. Rusu. I'd also like to add that I think the strong 
point of this bill is not only to get companies to employ those 
best practices, but also to expand their practices toward data 
minimization and data retention limits. I think a lot of times 
maybe companies will realize that, if we're amassing this huge 
amount of data and we're keeping it in perpetuity, we may be 
subject to a lot more requirements. There is a much higher risk 
of losing it through data breach. So perhaps part of those best 
practices will be setting data retention limits or minimizing 
the amount of data the companies collect.
    Senator Klobuchar. The Cyber Protection Informed Users Act 
I mentioned that I have introduced with Senator Thune, focuses 
on some of the file sharing software and allows for users to be 
clearly notified that it's on their computer, so that they have 
a chance to opt out. Do you see this file sharing as a growing 
data security problem, Mr. Bregman, if you want to answer?
    Mr. Bregman. I think it is. I think it's really an example 
of a broader issue of particularly consumers taking advantage 
of technologies without having a deep understanding. You 
mentioned in an earlier question that, how do we help consumers 
understand whether the techniques being used by companies are 
adequate, and I think that's an example where we would hope 
that consumers could look to Federal regulators to evaluate and 
essentially apply that stamp of approval that this set of 
technologies has been tested and meets those needs. And those 
technologies will change rapidly in the marketplace.
    Senator Klobuchar. I just think people would be surprised 
that their kid can put something on their computer that--I 
speak as a mother of a 15-year-old--that their kid can just put 
something on the computer that will allow all the stuff they 
put on there to be shared with a bunch of people. I think it's 
pretty shocking and that we have to get that information out 
there to them.
    All right, thank you very much.
    Thank you, Chairman.
    Senator Pryor. Thank you, Senator Klobuchar. It's always 
good to have you here.
    Let me ask really just a couple of last questions. First, 
for Mr. Pratt. Do you think that consumers should have the 
ability to have access to their information, to go in and clean 
it up? And I guess, how would that work?
    Mr. Pratt. OK, fair enough. Let's start with what we 
definitely know, and that is, where data is used to make a 
decision about me I should always have access. I should have 
access before the data is used, any time I wish to see it. Of 
course, that occurs here in the U.S. primarily because the data 
is being used in the context of the Fair Credit Reporting Act. 
So any type of decision for eligibility is likely an FCRA 
transaction of some sort. So I have the right of access today.
    If you're talking about a fraud prevention tool, as I 
discussed earlier, I think that would be different. Yes, some 
of my information might be in a database that includes 
confirmed fraudulent applications that have been pooled 
together by a variety of large insurance and financial 
institutions who are trying to stop future fraud. That kind of 
information doesn't really--we don't want to clean up that 
information. We actually want to know about the combinations of 
data that were used to attempt to prevent the fraud. We don't 
want to disclose that we have all of that data and that we have 
certain pattern analyses that we then deploy at the point of 
the next application.
    So the answer to that would be no. But remember, the fraud 
prevention tool doesn't stop the transaction. The fraud 
prevention tool just raises a yellow flag and says to the end 
user: You should take additional steps to verify the consumer. 
That's what we want. We want the additional steps to be taken 
so the identity theft is stopped at the point of sale.
    A location service is yet again different. That's about 
possibilities. I am a law enforcement agency in a small town in 
the U.S., but I'm trying to investigate a crime and I'm looking 
at--I'm trying to locate possible witnesses, or I am trying to 
locate somebody who has skipped on a parole, and I use the tool 
to locate relatives, locate friends, see previous addresses at 
which the individual lived, and these are part of my 
investigative tools.
    But we wouldn't want somebody to be able to sever, quote 
unquote, ``clean that up,'' so that the noncustodial parent 
who's not paying child support can figure out a way to uncouple 
themselves from their responsibility.
    So a locator service is again, not a tool that stops a 
transaction or affects how I, as the real person, get to do 
business. But they are used in different ways.
    So, I guess those are just good examples of how the fair 
information practice of access is appropriate to some types of 
data uses and it's inappropriate to others. I think that's 
pretty consistent globally, that fair information practices are 
not applied monolithically to the nature of the data, but to 
some extent to the use of the data.
    Senator Pryor. Ms. Mithal, did you have any comments on 
behalf of the FTC about consumers cleaning up their data?
    Ms. Mithal. Yes. I would absolutely agree with Mr. Pratt 
that consumers should have access to data when it's used to 
deny them benefits or used for eligibility purposes. We do note 
that we had these three public roundtables and one of the 
things we learned is that consumers may be denied benefits that 
don't fall within the Fair Credit Reporting Act. So I think 
there are certain holes in the Swiss cheese that we want to 
fill with, potentially with an access provision similar to what 
you have in the legislation.
    So for example, I'm Maneesha Mithal. I don't have a 
criminal record, but if somebody denies me a benefit based on 
the fact that their database shows that I had a criminal 
record, I might want access to that and the ability to correct 
it. Even if it's not used for credit or employment purposes, I 
might just not want that to be out there. So that's why we 
think the access and correction provisions you have in the 
legislation could alleviate that concern.
    Senator Pryor. Yes, sir, Mr. Pratt?
    Mr. Pratt. So I guess just to add to that. The reason that 
we're asking for this provision to be struck is not because we 
want to just stick our head in the sand and ignore the kind of 
question that Ms. Mithal has just raised, but that it's an idea 
that deserves a good deal more scrutiny. What we try to put 
forward in our testimony is that we just don't know who is that 
type of entity that we're trying to target. And the way the 
definition is structured and the way the language of the 
section is structured, I don't think we're close yet to knowing 
how to apply that, who is that entity and what kind of entity 
are we trying to track down, on-line, off-line, and so on.
    It's a worthwhile dialogue. We're not afraid to have that 
dialogue. We're happy to have that dialogue. We just think that 
it's one that--this is a less matured, less fully understood 
provision than data security and security breach notice, where 
we have a very clear understanding and a plethora of hearings 
and an understanding of what it is and why it's important to 
get that part of the job done.
    Senator Pryor. Listen, I want to thank all of you for being 
here today and all your preparation and your time involved in 
getting here and testifying today. We really appreciate it.
    What we're going to do is we're going to leave the record 
open for a week. We actually, may actually try to mark up this 
bill next week, so we're going to encourage our Senators to get 
any follow-up questions that they may have to you ASAP and 
encourage you to get those back ASAP if at all possible. So we 
continue to work on this and, as Senator Wicker said a few 
moments ago, he wants to continue to work on this with us. We 
hope this is very much a bipartisan group effort as we go 
through the process.
    So I want to thank you all for being here and thank you for 
coming before the Subcommittee today. With that, we will 
adjourn.
    [Whereupon, at 3:48 p.m., the hearing was adjourned.]

                            A P P E N D I X

           Prepared Statement of Hon. John D. Rockefeller IV

    Thank you, Senator Pryor, for holding this hearing, and I want to 
commend you for your continued, excellent stewardship of the Consumer 
Protection Subcommittee.
    In today's economy, a vast array of businesses and organizations 
maintain information about consumers. When a person buys a book online, 
the company asks for the name, address and credit card information from 
the individual. When a student pays his or her tuition, a college may 
collect that student's debit card information. Employers gather 
information about their employees, including background data, and their 
bank account number for direct deposit. All these entities store 
consumers' personal information in databases--some of which are well 
protected and some of which are not. Every day, consumers run the risk 
that the entities holding their information will suffer a data breach, 
and their information will be compromised by no fault of their own.
    Data breaches plague businesses and organizations, putting millions 
of consumers at risk. According to the Privacy Rights Clearinghouse, 
over half a billion data records have been compromised by unauthorized 
access to consumer databases since 2005. In 2009 alone, there were 498 
data breaches involving 222 million sensitive records.
    The consequences of these breaches are grave: identity theft, 
depleted savings accounts, a ruined credit score, and trouble getting 
loans for cars, homes and kids are just some of the effects.
    To minimize data breaches, deter identity theft and protect 
consumers, Senator Pryor and I introduced S. 3742, the Data Security 
and Breach Notification Act of 2010. The legislation establishes needed 
protections for consumers, while at the same time providing regulatory 
certainty to businesses.
    In S. 3742, Senator Pryor and I address the dangers of data 
breaches and identity theft by imposing two key mandates on businesses 
and nonprofit organizations that maintain large consumer databases. 
First, the bill requires these businesses and organizations to adopt 
security protocols to reasonably protect their databases from 
unauthorized access. Second, the bill requires breached entities to 
notify all affected consumers of data breaches in a timely manner--
unless there is no reasonable risk of identity theft or harm to 
consumers.
    The bill also imposes new requirements on information brokers--the 
companies that amass, organize, and sell vast amounts of American 
consumers' information to third party buyers for a profit. 
Specifically, the Data Security and Breach Notification Act of 2010 
gives consumers the right to know what data information brokers are 
collecting on them; and the right to correct any inaccuracies they may 
find.
    It is important to note that our bill represents a carefully 
crafted compromise between consumer groups and the business community. 
On the one hand, consumers get strong protections and aggressive 
enforcement by states' attorneys general. On the other hand, the bill 
creates national standards that facilitate interstate commerce; and the 
Federal Trade Commission is provided with regulatory flexibility to 
accommodate technical complexities and small business concerns.
    The Commerce Committee has twice reported data security legislation 
out of Committee. Both times the Senate has failed to take it up on the 
floor. I fully intend to report this bill out of the Commerce Committee 
in next week's markup, and it is my sincere hope that this time--the 
third time--is the charm. The House has passed data security 
legislation on voice vote. I hope we can achieve a similar result in 
the Senate.
                                 ______
                                 
          Prepared Statement of the Confidentiality Coalition

    The Confidentiality Coalition thanks the Senate Commerce, Science 
and Technology Committee for the opportunity to submit a statement for 
the record on the ``Data Security and Breach Notification Act of 2010'' 
(S. 3742). The Confidentiality Coalition is composed of a broad group 
of hospitals, medical teaching colleges, health plans, pharmaceutical 
companies, medical device manufacturers, vendors of electronic health 
records, biotech firms, employers, health product distributors, 
pharmacy benefit managers, pharmacies, health information and research 
organizations, patient groups, and others \1\ founded to advance 
effective patient confidentiality protections.
---------------------------------------------------------------------------
    \1\ A list of the Confidentiality Coalition members is attached to 
this letter.
---------------------------------------------------------------------------
    The Coalition's mission is to advocate policies and practices that 
safeguard the privacy of patients and healthcare consumers while, at 
the same time, enabling the essential flow of information that is 
critical to the timely and effective delivery of healthcare, 
improvements in quality and safety, and the development of new 
lifesaving and life-enhancing medical interventions. The 
Confidentiality Coalition is committed to ensuring that consumers and 
thought leaders are aware of the privacy protections that are currently 
in place. And, as healthcare providers make the transition to a 
nationwide, interoperable system of electronic health information, the 
Confidentiality Coalition members believe it is essential to replace 
the current mosaic of sometimes conflicting state privacy laws, rules, 
and guidelines with a strong, comprehensive national confidentiality 
standard.
    As such, the Confidentiality Coalition believes that the privacy of 
patients' health information is of the utmost importance. Nothing is 
more important to engendering trust in the healthcare system than a 
comprehensive set of privacy protections for personal health 
information. That said, we have concerns that S. 3742 would result in 
health information being governed needlessly by two entities--the 
Federal Trade Commission (FTC) under the current Senate bill and the 
Department of Health and Human Services (HHS) under the Health 
Insurance Portability and Accountability Act (HIPAA).
    The Data Security and Breach Notification Act of 2010 would require 
the Federal Trade Commission (FTC) to establish regulations requiring a 
broad range of entities, including healthcare organizations, to 
implement security practices to protect personal information and to 
provide for notification in the event of any security breaches of that 
information. The protections proposed by S. 3742 unnecessarily 
duplicate the protections already in place under HIPAA, and would 
likely have disruptive effects on the normal business activities of 
healthcare organizations by altering current and accepted practices 
across the industry. In other words, the legislation would create a 
parallel and inconsistent enforcement mechanism for the healthcare 
industry, which is already subject to comprehensive and effective 
privacy and security regulation at both the Federal and state levels.
    Accordingly, we encourage a clear statement in this legislation 
that exempts healthcare companies that are HIPAA ``covered entities'' 
\2\ and their ``business associates'' \3\ from the reach of this new 
legislation. This clarification would preserve the careful lines drawn 
by the HIPAA privacy and security rules and would permit the healthcare 
industry to continue to provide services to members and patients 
without the need to dramatically alter its current (and already heavily 
regulated) arrangements. We view this exemption as appropriate to avoid 
substantial disruption of the important work conducted by healthcare 
organizations on behalf of patients and consumers.
---------------------------------------------------------------------------
    \2\ 45 CFR 160.103 Covered entity means: (1) A health plan; (2) A 
health care clearinghouse; (3) A health care provider who transmits any 
health information in electronic form in connection with a transaction 
covered by this subchapter.
    \3\ 45 CFR 160.103 Business associate means, with respect to a 
covered entity, a person who: (i) On behalf of such covered entity or 
of an organized health care arrangement (as defined in 164.501 of this 
subchapter) in which the covered entity participates, but other than in 
the capacity of a member of the workforce of such covered entity or 
arrangement, performs, or assists in the performance of: (A) A function 
or activity involving the use or disclosure of individually 
identifiable health information, including claims processing or 
administration, data analysis, processing or administration, 
utilization review, quality assurance, billing, benefit management, 
practice management, and repricing; or (B) Any other function or 
activity regulated by this subchapter; or (ii) Provides, other than in 
the capacity of a member of the workforce of such covered entity, 
legal, actuarial, accounting, consulting, data aggregation (as defined 
in 164.501 of this subchapter), management, administrative, 
accreditation, or financial services to or for such covered entity.
---------------------------------------------------------------------------
Discussion
    The Confidentiality Coalition applauds Congress' effort to require 
entities holding sensitive consumer information to develop a 
comprehensive data compliance protection plan and adhere to strict 
breach reporting requirements. While we understand and support these 
goals in connection with currently unregulated arenas, these goals--and 
the consumer risks they are designed to address--have already been 
addressed for the healthcare industry. The healthcare industry is 
heavily regulated in its privacy and security obligations. These 
obligations have been in place since 2003 under HIPAA, and recently 
have been revised and expanded through the Health Information 
Technology for Economic and Clinical Health (HITECH) Act of the 
American Recovery and Reinvestment Act (P.L. 111-5).
    The HIPAA privacy and security rules apply to ``protected health 
information''--health information that is held by a HIPAA covered 
entity. It is information that either directly identifies an individual 
or for which there is a reasonable basis to believe that an individual 
could be identified. Protected health information includes demographic 
information, such as a person's name and address. It includes payment 
information--such as credit card information or checking account 
information--that a patient uses to pay for care. Generally, all 
identifiable information about a patient that is held by a HIPAA 
covered entity is protected health information and, therefore, governed 
by HIPAA.
    The HIPAA regulations include a number of components--most 
importantly, baseline privacy regulations as well as security 
regulations that apply specifically to electronic information. These 
HIPAA/HITECH provisions impose specific requirements on covered 
entities to provide notice to patients and members of all uses and 
disclosures of personal information obtained in the course of providing 
services to these individuals. In addition to the detailed privacy 
notice, the HIPAA/HITECH rules impose specific consent obligations, 
with certain areas where consent is assumed (primarily, the core 
healthcare purposes of treatment, payment, and healthcare operations), 
certain areas where use and disclosure is permitted without the need 
for consent (such as certain public health disclosures or disclosures 
in connection with litigation), and other areas--essentially, all other 
disclosures--where a specific, detailed individual ``authorization'' is 
required.
    ``Marketing'' in connection with the healthcare industry also is 
heavily regulated and limited--both through the original HIPAA rules 
and through new, stricter, provisions in the HITECH Act. These rules 
address the specific operations of healthcare companies and under these 
rules, most marketing activities require a specific patient 
authorization. The only marketing activities that are permitted without 
authorization are those that the Department of Health and Human 
Services (HHS) has deemed to be useful and appropriate for consumers in 
the healthcare industry. The HHS Office of Civil Rights has 
jurisdiction to enforce these provisions (including expanded new 
penalties created by the HITECH Act). In addition, the HITECH Act 
authorizes state Attorneys General to enforce the HIPAA rules.
    As evidenced above, the HIPAA privacy and security rules provide a 
comprehensive privacy and security framework for HIPAA covered 
entities. Initially, ``business associates'' under HIPAA--those 
companies that provide services to HIPAA covered entities--were 
regulated through contracts with these covered entities. Now, as a 
result of the HITECH law, these business associates also are directly 
subject to privacy and security requirements, subject to primary 
enforcement by HHS, and face the same penalties as covered entities for 
non-compliance. Thus, all organizations handling protected health 
information are subject to the same stringent requirements and 
penalties for violations or breaches of this information.
    Accordingly, while HIPAA does not apply to all entities that might 
collect, use, or disclose health-related information,\4\ HIPAA does 
create a comprehensive set of standards and an overall enforcement 
protocol for those entities--both covered entities and business 
associates--who are regulated directly under the HIPAA rules. Moreover, 
as a result of the HITECH law, both covered entities and business 
associates face significantly increased exposure for violations of 
these rules, as well as the ongoing possibility of criminal penalties.
---------------------------------------------------------------------------
    \4\ The Coalition supports efforts by Congress and the Federal 
Trade Commission to evaluate appropriate privacy and security 
obligations for these unregulated healthcare entities or for uses and 
disclosures of sensitive healthcare information that are outside the 
scope of HIPAA.
---------------------------------------------------------------------------
    Therefore, for these covered entities and business associates, 
regulation under HIPAA/HITECH is both comprehensive and substantial. 
HIPAA/HITECH incorporates a wide range of standards for the use and 
disclosure of health information, creating specific rules for all 
aspects of the operations of the covered entities and their business 
associates. Moreover, the HIPAA Security Rule imposes perhaps the most 
significant set of security-related requirements imposed by law under 
any standard.
    In addition to detailed privacy and security regulations, the 
HITECH Act includes new rules for responding to security breaches. 
HIPAA covered entities and their business associates are required to 
notify each individual whose information is breached. For larger 
breaches--those involving the health information of 500 or more 
individuals--these organizations also must notify the media. The 
Secretary of HHS also must be notified of all breaches, large and 
small. HHS posts a list of breaches on its website.
    The HIPAA breach regulations include specific requirements for how 
individuals must be notified. These reflect the requirements Congress 
established under the HITECH Act. For example, individuals must be 
notified of a breach without unreasonable delay, and no later than 60 
days after the breach is discovered. The notice must be in writing; it 
must describe the type of information breached and the steps 
individuals should take to protect themselves from potential harm 
resulting from the breach. Thus, HIPAA covered entities already are 
obligated to carry out the kinds of security breach activities that S. 
3742 requires.
    With these standards in place, we have significant concerns about 
the risks and burdens of creating unnecessary additional obligations 
related to breach notices for healthcare entities. S. 3742 would create 
a new and inconsistent set of obligations on both notice and consent 
for the healthcare industry. We recognize that there is language 
addressing entities in ``compliance with any other Federal law that 
requires such covered entity to maintain standards and safeguards for 
information security and protection of personal information'' in the 
legislation (in the section entitled ``Treatment of Entities Governed 
by Other Law''), but the effect of this language as drafted is unclear. 
Therefore, to the extent that this legislation applies to healthcare 
entities and their business associates, we believe strongly that these 
provisions would require fundamental changes in the healthcare industry 
without any identified need or specific rationale.
    The HIPAA rules--particularly with the additional obligations 
imposed by the HITECH Act--create a challenging set of standards for 
any affected healthcare entity. To apply different or additional 
standards to this information would create significant additional cost 
and unneeded complexity.
    Also, there is no need for an additional regulator to oversee these 
obligations. The Department of Health and Human Services has primary 
authority under these rules, with a significant new set of enforcement 
tools in its arsenal. There is no need for FTC to enter this arena to 
provide additional (and potentially inconsistent) regulatory oversight. 
To the extent that Congress wants FTC to have any involvement at all in 
the regulation of health information, it should limit this involvement 
(if any) to those entities that are outside the HIPAA/HITECH structure. 
Congress should not permit the FTC to regulate those companies--whether 
a covered entity or a business associate--who already face regulation 
by HHS and the Attorneys General around the country.
    Therefore, we encourage Congress to amend S. 3742 by crafting a 
clear and explicit exemption for personal information held by covered 
entities and their business associates that is already protected and 
regulated by HIPAA. Specifically, Congress should ensure that there is 
an explicit statement in the legislation that entities covered by HIPAA 
and their business associates are exempt to the extent that the 
information they hold is protected and regulated by HIPAA. This 
specific language should recognize that the privacy and security 
practices of the healthcare industry already are heavily regulated, 
with principles designed to facilitate the appropriate use and 
disclosure of healthcare information for appropriate purposes. Any 
change to these rules in legislation that is focused on the activities 
of the healthcare industry would be duplicative at best and disruptive 
and damaging for patients at worst.
    We look forward to working with you as this bill moves through the 
legislative process and hope you can address the concerns we have 
raised. The Confidentiality Coalition appreciates the opportunity to 
continue our discussion with you on this legislation. If you have any 
questions or would like further information, please contact Tina Olson 
Grande, Sr. Vice President for Policy, at the Healthcare Leadership 
Council and Executive Director of the Confidentiality Coalition 
([email protected]).

                   2010 Steering Committee Membership
Aetna
American Hospital Association
America's Health Insurance Plans
Association of Clinical Research Organizations
Blue Cross Blue Shield Association
CVS Caremark
Federation of American Hospitals
Greenway Medical Technologies
Gundersen Lutheran
Health Dialog
Healthcare Leadership Council
IMS Health
Marshfield Clinic
McKesson Corporation
Medco
National Association of Chain Drug Stores
Pharmaceutical Care Management Association
Pharmaceutical Research and Manufacturers of America
Premier, Inc.
Prime Therapeutics
Texas Health Resources
VHA
Walgreens
Wellpoint
                           General Membership
ACA International
Adheris
American Academy of Nurse Practitioners
American Benefits Council
American Clinical Laboratory Association
American Electronics Association
American Managed Behavioral Healthcare Association
Amerinet
AstraZeneca
American Pharmacists Association
Ascension Health
Association of American Medical Colleges
Baxter Healthcare
BlueCross BlueShield of Tennessee
Catalina Health Resource
CIGNA Corporation
Cleveland Clinic
College of American Pathologists
DMAA: The Care Continuum Alliance
Eli Lilly
ERISA Industry Committee
Food Marketing Institute
Fresenius Medical Care
Genentech, Inc.
Genetic Alliance
Genzyme Corporation
Health Care Service Corporation
Humana, Inc.
Intermountain Healthcare
Johnson & Johnson
Kaiser Permanente
Mayo Clinic
Medical Banking Project
Medtronic
Merck
MetLife
National Association of Health Underwriters
National Association of Manufacturers
National Association of Psychiatric Health Systems
National Community Pharmacists Association
National Rural Health Association
Novartis
Pfizer
Quest Diagnostics
SAS
Siemens Corporation
Society for Human Resource Management
State Farm
TeraDact Solutions Inc.
Trinity Health
U.S. Chamber of Commerce
Wal-Mart
Wolters Kluwer Health
      
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Mark Pryor to 
                            Maneesha Mithal

    Question 1. What is the risk that a data breach poses to consumers 
in today's economy?
    Answer. Data breaches pose many risks to consumers, including the 
risk of stalking, identity theft, or other unlawful practices such as 
fraud.\1\ For certain kinds of information, such as health information, 
data breaches may also cause reputational harm. For companies, data 
breaches can cause consumers to lose confidence in them.
---------------------------------------------------------------------------
    \1\ There is limited data regarding the incidence of these harms. 
However, the FTC is aware that some identity theft is caused by data 
breaches. According to a survey conducted on behalf of the FTC in 2006, 
about 11 percent of identity theft victims reported that they knew 
their information was stolen from a company. See Federal Trade 
Commission, 2006 Identity Theft Survey Report (Nov. 2007), available at 
http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.

    Question 2. Are consumers concerned about identity theft these 
days?
    Answer. Yes. Unfortunately, identity theft remains a major concern 
for consumers. The Commission estimates that as many as 9 million 
Americans have their identities stolen each year. Indeed, the 
Commission has received more consumer complaints about identity theft 
than any other category of complaints every year since 2002.
    Identity theft has serious repercussions for victims. While some 
identity theft victims can resolve their problems quickly, others spend 
hundreds of dollars and many days repairing damage to their good name 
and credit record. Some consumers victimized by identity theft may lose 
out on job opportunities, or be denied loans for education, housing, or 
cars because of negative information on their credit reports. In rare 
cases, they may even be arrested for crimes they did not commit.

    Question 3. What is the average cost per incident of a data breach 
in the United States?
    Answer. According to an annual study conducted by the Ponemon 
Institute, the average cost of a data breach to companies was $204 per 
compromised customer record in 2009. The study indicates that the 
average total cost to companies of a data breach incident rose from 
$6.65 million in 2008 to $6.75 million in 2009. These costs may include 
expenses for detection of the breach, engaging forensic experts, 
notification of consumers, free credit monitoring subscriptions, the 
economic impact of lost or diminished customer trust, and legal 
defense.\2\
---------------------------------------------------------------------------
    \2\ Ponemon Institute, 2009 Annual Study: Cost of a Data Breach 
(Jan. 2010), available at 
http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/US_Ponemon_CODB_09_012209_sec.pdf.

    Question 4. Do you believe that companies should be required to 
maintain appropriate safeguards protecting sensitive consumer data?
    Answer. Yes. If companies do not maintain appropriate safeguards to 
protect the personal information they collect and store, that 
information could fall into the wrong hands, resulting in fraud and 
other harm, and consumers could lose confidence in the marketplace. 
Accordingly, the Commission has undertaken substantial efforts to 
promote data security in the private sector through law enforcement, 
education, and policy initiatives. For example, on the law enforcement 
front, the Commission has brought 29 enforcement actions since 2001 
against businesses that fail to implement reasonable security measures 
to protect consumer data.

    Question 5. What are the most necessary provisions of this 
legislation? Currently, how well are consumers protected against 
identity theft, fraud and other harm?
    Answer. The Commission believes that several provisions of the 
legislation are important. First, the Commission supports the 
requirement that a broad array of entities implement reasonable 
security policies and procedures, including both commercial enterprises 
and nonprofits. Problems with data security and breaches affect 
businesses and nonprofit organizations alike. Thus, requiring that this 
broad array of entities have reasonable security policies and 
procedures is a goal that the Commission strongly supports.
    Second, the Commission supports the breach notification provisions 
of the bill. Indeed, various states have already passed data breach 
notification laws which require entities to notify affected consumers 
in the event of a data breach. Notice to consumers may help them avoid 
or mitigate injury by allowing them to take appropriate protective 
actions, such as placing a fraud alert on their credit file or 
monitoring their accounts. In addition, breach notification laws have 
further increased public awareness of data security issues and related 
harms, as well as data security issues at specific companies.\3\ Breach 
notification at the Federal level would extend notification nationwide 
and accomplish similar goals.
---------------------------------------------------------------------------
    \3\ See, e.g., Samuelson Law, Technology, & Public Policy Clinic, 
University of California-Berkeley School of Law, Security Breach 
Notification Laws: Views from Chief Security Officers (Dec. 2007), 
available at http://www.law.berkeley.edu/files/cso_study.pdf; Federal 
Trade Commission Report, Security in Numbers: SSNs and ID Theft (Dec. 
2008), available at http://www.ftc.gov/os/2008/12/P075414ssnreport.pdf.
---------------------------------------------------------------------------
    Third, the Commission supports the legislation's robust enforcement 
provisions, which would: (1) give the FTC the authority to obtain civil 
penalties for violations \4\ and (2) give state attorneys general 
concurrent enforcement authority.\5\
---------------------------------------------------------------------------
    \4\ This recommendation is consistent with prior Commission 
recommendations. See Prepared Statement of the Federal Trade Commission 
Before the S. Comm. on Commerce, Science, and Transportation, 109th 
Cong. (Jun. 16, 2005), available at 
http://www.ftc.gov/os/2005/06/050616databreaches.pdf; Prepared 
Statement of the Federal Trade Commission Before the S. Comm. on 
Commerce, Trade, and Consumer Protection, 111th Cong. (May 5, 2009), 
available at 
http://www.ftc.gov/os/2009/05/P064504peertopeertestimony.pdf; Prepared 
Statement of the Federal Trade Commission Before the Subcomm. on 
Interstate Commerce, Trade, and Tourism of the S. Comm. on Commerce, 
Science, and Transportation Committee, 110th Cong. (Sep. 12, 2007), 
available at 
http://www.ftc.gov/os/testimony/070912reauthorizationtestimony.pdf; 
Prepared Statement of the Federal Trade Commission Before the S. Comm. 
on Commerce, Science, and Transportation, 110th Cong. (Apr. 10, 2007), 
available at 
http://www.ftc.gov/os/testimony/P040101FY2008BudgetandOngoingConsumerProtectionandCompetitionProgramsTestimonySenate04102007.pdf. 
These recommendations also were made in an April 2007 report released 
by the President's Identity Theft Task Force, which was co-chaired by 
the Attorney General and the FTC Chairman, as well as in a report on 
Social Security numbers released in December 2008. See The President's 
Identity Theft Task Force Report, Sep. 2008, available at 
http://idtheft.gov/reports/IDTReport2008.pdf; FTC Report, 
``Recommendations on Social Security Number Use in the Private 
Sector,'' (Dec. 2008), available at 
http://www.ftc.gov/opa/2008/12/ssnreport.shtm.
    \5\ This recommendation is consistent with prior Commission 
recommendations. See The President's Identity Theft Task Force, 
``Combating Identity Theft: A Strategic Plan,'' (Apr. 2007), available 
at http://www.idtheft.gov/reports/StrategicPlan.pdf.
---------------------------------------------------------------------------
    With respect to current protections, the Commission enforces 
several laws and rules imposing data security requirements, including 
the Commission's Safeguards Rule under the Gramm-Leach-Bliley Act 
(``GLB''), the Fair Credit Reporting Act, and the FTC Act. However, at 
present, in most of the cases the Commission brings, it cannot obtain 
civil penalties. I believe the provision allowing FTC to seek civil 
penalties for violations of S. 3742 would have a significant additional 
deterrent effect.

    Question 6. Which provisions in my bill do you support most 
strongly?
    Answer. As noted above, the Commission supports the legislation's 
effort to require a broad array of entities to implement reasonable 
security policies and procedures, the creation of a breach notification 
requirement at the Federal level, and the legislation's robust 
enforcement provisions. Of all the provisions, perhaps the most 
beneficial is the provision giving the FTC the authority to enforce 
civil penalties against entities that do not maintain reasonable 
security. Such penalties would provide a strong incentive for companies 
to maintain adequate data security.

    Question 7. I understand that the Commission in the past has 
publicly supported and even recommended to Congress the enactment of 
Federal legislation enhancing data security across private industry. Do 
you also support applying data security requirements to other covered 
entities--such as nonprofits, as covered in my bill--that also maintain 
sensitive consumer data?
    Answer. Yes. It is important that nonprofits that collect 
consumers' personal information are covered by the bill because 
problems with data security and breaches affect businesses and 
nonprofit organizations alike. Indeed, many of the breaches that have 
been reported in recent years have involved nonprofit universities, for 
example. From consumers' perspective, the harm from a breach is the 
same whether their information was disclosed by a nonprofit or a 
commercial entity. Requiring reasonable security policies and 
procedures of this broad array of entities is a goal that the 
Commission strongly supports.

    Question 8. Have there been instances in which nonprofits leaked 
consumers' information making those consumers vulnerable to subsequent 
fraud or identity theft?
    Answer. Yes. A number of sources publicly report data breaches that 
have occurred at nonprofits. For example, the Identity Theft Resource 
Center \6\ and Privacy Rights Clearinghouse \7\ both list incidents of 
recent data breaches that include numerous non-profit organizations.
---------------------------------------------------------------------------
    \6\ See 
http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml.
    \7\ See http://www.privacyrights.org/data-breach#CP.
---------------------------------------------------------------------------
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Mark Pryor to 
                               Ioana Rusu

    Question 1. What is the risk that a data breach poses to consumers 
in today's economy?
    Answer. The most palpable risk posed by data breach to consumers is 
that of identity theft and fraud, either at the time of the breach or 
later, as the compromised information is sold and resold. When 
consumers' personal information is compromised in this way, a bad actor 
could appropriate that information and use it to obtain credit and 
government services, among other benefits.
    Identity theft and fraud, however, are not the only harms posed by 
data breaches. Even though a consumer's personal information is not 
ultimately used to commit identity theft or fraud, the simple fact that 
his or her information is now freely floating in the marketplace and 
the consumer has no control over its use reduces consumer confidence in 
the marketplace. If consumers exchange their personal information for 
services provided by a certain company, and that company ultimately 
loses control of that information, consumers may be less willing to 
reveal personal information to vendors in future transactions. 
Consumers should be able to engage in the marketplace with confidence, 
knowing that their information is being safely and responsibly guarded 
by marketplace actors.

    Question 2. What is the average cost per incident of a data breach 
in the United States?
    Answer. According to the Ponemon Institute Annual Cost of a Data 
Breach study conducted in 2009, the average cost of a data breach in 
2008 cost companies an average of $202 per compromised record--of which 
$152 pertains to indirect cost including abnormal turnover or churn of 
existing and future customers.\1\ Despite an overall rise in total data 
breach cost over the past 4 years, Ponemon Institute indicates that 
direct costs appear to be declining slightly from a high of $54 in 2006 
to a low of $50 in 2008.\2\
---------------------------------------------------------------------------
    \1\ ``Fourth Annual U.S. Cost of Data Breach Study,'' Ponemon 
Institute, January 2009.
    \2\ Id.
---------------------------------------------------------------------------
    Consumers Union believes that a robust notice of breach requirement 
supports business investment in improved data protection, saving 
consumers the time, effort and cost incurred in dealing with a data 
breach, and saving companies the cost of future breaches.

    Question 3. Are consumers concerned about identity theft these 
days?
    Answer. Yes, we believe that consumers are extremely concerned 
about identity theft and fraud today.
    In December 2009, Mintel Comperemedia reported that nearly half of 
adults polled (46 percent) were worried about someone stealing money 
from their bank accounts or stealing their identities.\3\
---------------------------------------------------------------------------
    \3\ ``Recession increases people's fear of identity theft,'' Mintel 
Comperemedia, December 29, 2010.
---------------------------------------------------------------------------
    In addition, in February 2010, the Federal Trade Commission 
published the Consumer Sentinel Network Data Book for 2009.\4\ In this 
report, the FTC aggregated and compiled all consumer complaints 
received during 2009 through a number of avenues, including FTC 
hotlines and complaints filed with the Better Business Bureau and the 
U.S. Postal Service. The number one consumer complaint category during 
calendar year 2009 was identity theft: a total of 278,078 consumers (or 
21 percent of all reported claims) were affected.\5\
---------------------------------------------------------------------------
    \4\ ``Consumer Sentinel Network Data Book for January-December 
2009,'' Federal Trade Commission, February 2010.
    \5\ Id.
---------------------------------------------------------------------------
    This data seems to indicate that consumers remain justifiably 
concerned about identity theft and identity fraud.

    Question 4. Do you believe that companies should be required to 
maintain appropriate safeguards protecting sensitive consumer data?
    Answer. Consumers Union strongly believes that companies should be 
required to maintain appropriate safeguards protecting sensitive 
consumer data. When entities require or induce consumers to provide 
personal information in exchange for receiving a good or service, those 
entities must also ensure that the personal information they store and 
use is handled in a secure and responsible manner. Consumer confidence 
in the marketplace will decrease if consumers believe their information 
can easily be lost or stolen.

    Question 5. What are the most necessary provisions of this 
legislation? Currently, how well are consumers protected against 
identity theft, fraud and other harm?
    Answer. A number of states already require notification of data 
breach. However, the requirements differ from state to state, and many 
of the laws take different approaches vis-a-vis the risk threshold.
    The data broker provision, which requires defined entities to 
maximize the accuracy and accessibility of their records, as well as to 
provide consumers with a process to dispute information, is a 
particularly necessary provision of this legislation, as this issue has 
not been uniformly addressed at the state level.
    In addition, we appreciate the balanced approach this bill takes 
toward risk, allowing entities to circumvent the notification 
requirements only when there is ``no reasonable risk of identity theft, 
fraud, or other unlawful conduct.'' While some state laws do go even 
further by completely eliminating the risk threshold altogether, we 
believe the approach of this bill is sufficiently balanced to protect 
consumers.
    The provision granting enforcement authority to state attorneys 
general and other state officials is also particularly necessary and 
important. So far, state attorneys general have been at the forefront 
of the battle against identity theft. Giving state officials 
enforcement authority means placing more cops on the beat, thus 
increasing chances that bad behavior will be singled out and punished.

    Question 6. Which provisions in my bill do you support most 
strongly?
    Answer. Consumers Union strongly supports S. 3742. We believe this 
bill will allow consumers to better protect themselves and limit loss 
resulting from data breach, as well as provide incentives for 
compliance to put in place responsible information security practices. 
The provisions which we believe will best achieve these purposes are:

        1. The requirement that both for-profit and non-profit entities 
        put in place responsible information security policies;

        2. The bill's notification provisions, which require 
        notification to consumers within 60 days of the breach;

        3. The bill's requirement that all entities provide 2 years of 
        free credit reports or credit monitoring in case of breach;

        4. The bill's focus on information brokers, and its 
        requirements that such brokers maximize accuracy and access to 
        records, as well as providing a way for consumers to dispute 
        information; and

        5. The provision allowing state Attorneys General and other 
        state officials or agencies to bring enforcement actions 
        against any entity violating this bill.

    Question 7. Does Consumers Union believe it is important to require 
both non-profit and private sector entities to protect the security of 
the personal consumer data they maintain and to provide breach notice? 
Is the scope of the bill appropriate in your view?
    Answer. Consumers Union believes that it is important to require 
both non-profit and private sector entities to protect the security of 
the personal consumer data they maintain and to provide breach notice. 
Consumers face the same risks when personal data is compromised, 
regardless of whether the breach is associated with a for-profit or 
non-profit entity. While we are certainly cognizant of the fact that 
many non-profits may not have the resources to provide notification or 
credit monitoring, we believe that the bill's provisions exempting such 
action due to excessive cost are sufficient.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Mark Pryor to 
                            Stuart K. Pratt

    Question 1. What is the risk that a data breach poses to consumers 
in today's economy?
    Answer. CDIA believes that data breaches often do pose a risk to 
consumers, and that if there is a significant risk of harm, consumers 
should be notified of that risk. However, there are also many types of 
data breaches that do not pose specific risks to consumers, and in 
those cases, providing a notice to consumers could be counter-
productive.
    Specifically, CDIA agrees with the FTC, that:

        ``[t]he challenge is to require notices only when there is a 
        likelihood of harm to consumers. There may be security breaches 
        that pose little or no risk of harm, such as a stolen laptop 
        that is quickly recovered before the thief has time to boot it 
        up. Requiring a notice in this type of situation might create 
        unnecessary consumer concern and confusion. Moreover, if 
        notices are required in cases where there is no significant 
        risk to consumers, notices may be more common than would be 
        useful. As a result, consumers may become numb to them and fail 
        to spot or act on those risks that truly are significant. In 
        addition, notices can impose costs on consumers and on 
        businesses, including businesses that were not responsible for 
        the breach. For example, in response to a notice that the 
        security of his or her information has been breached, a 
        consumer may cancel credit cards, contact credit bureaus to 
        place fraud alerts on his or her credit files, or obtain a new 
        driver's license number. Each of these actions may be time-
        consuming for the consumer, and costly for the companies 
        involved and ultimately for consumers generally.'' \1\
---------------------------------------------------------------------------
    \1\ Prepared Statement of the Federal Trade Commission Before the 
S. Comm. on Commerce, Science, and Transportation, 109 Cong. (Jun. 16, 
2005), available at 
http://www.ftc.gov/os/2005/06/050616databreaches.pdf.

    Question 2. Are consumers concerned about identity theft these 
days?
    Answer. Although CDIA has not reviewed any recently conducted 
polling on this issue, we believe that anecdotal evidence and press 
accounts demonstrate that some consumers are concerned about identity 
theft.

    Question 3. What is the average cost per incident of a data breach 
in the United States?
    Answer. CDIA does not have any basis to draw an estimate.

    Question 4. Do you believe that companies should be required to 
maintain appropriate safeguards protecting sensitive consumer data?
    Answer. Yes, CDIA has testified in favor of such requirements, as 
long as they are a true national standard that focuses on safeguarding 
sensitive personal information, scaled appropriately for size and type 
of company and sensitivity of data.
    However, as I stated in my testimony, ``While CDIA's members 
support the creation of a national standard for data security, we 
believe that it is also critical that such a standard not interfere 
with the operation of other Federal laws which already exist. To 
accomplish this, additional work must be done to fine-tune the 
exception in the current bill, intended to avoid duplicative and 
potentially confusing requirements.''

    Question 5. What are the most necessary provisions of this 
legislation? Currently, how well are consumers protected against 
identity theft, fraud and other harm?
    Answer. While CDIA supports the data security and breach 
notification provisions in this legislation, we believe that the most 
important provisions are the information broker provisions because if 
these provisions are retained, their inclusion undermines the 
effectiveness of the bill, and could expose consumers and businesses to 
increased risk of identity theft, fraud and other harm.
    CDIA is not in a position to comment on how well consumers are 
currently protected, but we strongly believe that if the ``information 
broker'' provisions of this legislation are not removed, the ability of 
companies to fight identity theft, fraud and other harm could be 
severely compromised, as the effectiveness of the tools that CDIA 
members provide to assist companies in these endeavors could be 
weakened.

    Question 6. Which provisions in my bill do you support most 
strongly?
    Answer. While CDIA supports the data security and breach 
notification provisions in this legislation, we believe that the 
inclusion of the information broker provisions undermines the 
effectiveness of the bill, because if these provisions are retained, 
their inclusion undermines the effectiveness of the bill, and could 
expose consumers and businesses to increased risk of identity theft, 
fraud and other harm. Therefore, CDIA urges you to strike these 
provisions from the legislation.
    Further, as I stated in my testimony: ``While CDIA's members 
support the creation of a national standard for data security, we 
believe that it is also critical that such a standard not interfere 
with the operation of other Federal laws which already exist. To 
accomplish this, additional work must be done to fine-tune the 
exception in the current bill. Allowing a company to be exempt from a 
data security standard only when it is `in compliance with' a similar 
standard found in another law imposes two sets of duties, two sets of 
costs and two sets of liability on that company. For CDIA's largest and 
smallest businesses this is an unnecessary burden. For our smallest 
businesses this duty likely increases the costs of the Errors and 
Omissions insurance policies which have to cover this dual liability 
risk. We urge the Committee to adjust the exception so that it is not an 
`in compliance with' test and to instead use a `subject to' test.''

    Question 7. To what extent should your members be required to 
protect sensitive personal information?
    Answer. CDIA members take their responsibility to protect sensitive 
consumer information seriously, whether they are required to do so 
under law or not. They have developed sophisticated methodologies to 
ensure that the data that they hold is protected.
    In terms of legal requirements, CDIA members that operate as 
financial institutions under Gramm-Leach-Bliley are required to protect 
sensitive information. Other legal requirements, such as Section 5 of 
the FTC Act, also bind our members, even where they may not fall into 
the GLB data protection requirements, and CDIA companies take their 
responsibility to protect data seriously.

    Question 8. Is a national standard for information security 
requirements necessary in your view? If so, why?
    Answer. CDIA believes that a national information security standard 
would be helpful, but is not necessary. Specifically, there are already 
46 states that have enacted some form of data security requirement, and 
we believe that an additional Federal requirement is necessary only to 
the extent that it fully and completely establishes a real national 
standard and preempts these state laws.

    Question 9. How should businesses dispose of sensitive consumer 
information?
    Answer. CDIA believes that the appropriate standards for disposal 
have been established through Section 628 of the Fair Credit Reporting 
Act (FCRA), and the accompanying regulations. We would urge the 
Committee to retain that language.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Mark Pryor to 
                            Melissa Bianchi

    Question 1. What is the risk that a data breach poses to consumers 
in today's economy?
    Answer. The AHA has not undertaken any independent and/or 
systematic research specifically about this issue. Rather, we typically 
rely on--and are very aware of--publicly available information about 
data breaches, including the likely incidence and impact of breaches 
both generally and in the health care field. A recent study, 2010 Data 
Breach Investigations Report, conducted by the Verizon Business RISK 
team in cooperation with the United States Secret Service (available at 
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf), 
for example, found that healthcare accounts for only about 
3 percent of data breaches.
    HHS is now collecting and displaying information on data breaches 
of unsecured PHI under new expanded HIPAA requirements mandated by 
HITECH. The new requirements obligate HIPAA covered entities to report 
such breaches to HHS in addition to providing notice to affected 
individuals and, for larger breaches, the media. Specifically, if the 
breach involves more than a total of 500 individuals, regardless of 
their residency, the covered entity must notify the Secretary of HHS 
concurrently with the required notification sent to the affected 
individuals as well as notify the media. For all other breaches, the 
covered entity must maintain a log documenting the breaches that occur 
during the year and submit that log to HHS no later than 60 days after 
the end of each calendar year. HHS' breach notification rule also 
requires the Secretary to post on the HHS Website a list of breaches 
involving more than 500 individuals. This list must identify each 
covered entity involved in the breach where the unsecured PHI of more 
than 500 individuals is acquired or disclosed. Such information will be 
helpful in understanding the incidence and impact of data breaches and 
effective strategies for reducing their occurrence and mitigating their 
impact.

    Question 2. Are consumers concerned about identity theft these 
days?
    Answer. Again, the AHA has not undertaken any independent and/or 
systematic research specifically about the issue, and we typically rely 
on publicly available information that suggests consumers generally 
remain concerned about identity theft. The AHA and its member hospitals 
share patients' concerns about identity theft, especially about the 
unique impact of identity theft in the health care delivery context.
    For hospitals and other health care providers, identity theft 
creates concerns for patient safety and quality of care; and, 
accordingly, hospitals and health care providers take the issue very 
seriously. In addition to the financial harm associated with other 
types of identity theft, identity theft in health care creates real 
risks of patients receiving improper medical care and may endanger 
patients' health because of inaccurate entries in their medical 
records. Patients who are victims of identity theft also may have their 
insurance depleted, become ineligible for health or life insurance, or 
risk becoming disqualified from some jobs.

    Question 3. What is the average cost per incident of a data breach 
in the United States?
    Answer. Again, the AHA has not undertaken any independent and/or 
systematic research specifically about the issue, and we typically rely 
on publicly available information.

    Question 4. Do you believe that companies should be required to 
maintain appropriate safeguards protecting sensitive consumer data?
    Answer. The AHA believes that it is important for companies to take 
appropriate measures to protect sensitive consumer information. 
Hospitals already do this as part of their HIPAA compliance 
obligations. HIPAA requires hospitals and other covered entities to 
implement detailed protocols for protecting the privacy and security of 
the patient information they maintain. HIPAA includes rules for 
notifying patients in the event of a security breach. Under the 
Security Rule, for example, a hospital must maintain the 
confidentiality, integrity, and availability of electronic protected 
health information that it creates, receives, maintains, or transmits. 
In practice these terms have the following meanings:

   confidentiality--preventing disclosure of EPHI to 
        unauthorized persons or processes;

   integrity--preventing unauthorized alteration or destruction 
        of EPHI; and

   availability--ensuring that EPHI is accessible and useable 
        when needed by authorized persons.

    The Security Rule also requires the performance of an entity-wide 
risk analysis of all information systems that handle electronic 
protected health information and the implementation of a risk 
management program that includes security measures to reduce the 
identified risks to a reasonable and appropriate level. Hospitals also 
must periodically update security measures as necessary and appropriate 
to enhance the security of patient information and address new and 
emerging security threats. These are only a few of the HIPAA Security 
Rule's comprehensive requirements.

    Question 5. What are the most necessary provisions of this 
legislation? Currently, how well are consumers protected against 
identity theft, fraud and other harm?
    Answer. The legislation would provide consumers with better 
protection of their personal information held by a wide range of 
entities, similar to the protection already afforded personal 
information held by HIPAA covered entities. In the hospital setting, 
patient information--including demographic information, Social Security 
Numbers and financial information--already is well protected. HIPAA has 
mandated comprehensive protection of patient information for nearly a 
decade. Under the HITECH Act, Congress recently strengthened the HIPAA 
privacy and security requirements as well as HHS' ability to enforce 
HIPAA. The HITECH Act also increased penalties for noncompliance and 
gave state attorneys general the ability to enforce HIPAA directly as 
well as establish a Federal framework for data breach notification for 
HIPAA covered entities. As a result of the HITECH Act, business 
associates of HIPAA covered entities also are directly subject to 
HIPAA's provisions. This means that protected health information held 
by business associates also is protected under HIPAA's comprehensive 
framework.

    Question 6. Which provisions in my bill do you support most 
strongly?
    Answer. The AHA and its members support robust privacy protections 
for personal information. As applies to hospitals, however, we believe 
that the protections proposed under the Data Security and Breach 
Notification Act duplicate those already in place under HIPAA. We 
believe that the provisions of this Act are wholly duplicative of 
compliance requirements imposed by HIPAA and, therefore, that any 
provisions in the bill are unnecessary as applied to the protected 
health information held by HIPAA covered entities and their business 
associates.

    Question 7. Can you think of any instances in which it might be 
important for hospitals to follow the security safeguards and 
requirements outlined in S. 3742?
    Answer. Protected health information held by hospitals and other 
HIPAA covered entities, as well as by their business associates, 
already is protected by HIPAA. The protections proposed in S. 3742 
mirror the HIPAA protections. Subjecting HIPAA covered entities to S. 
3742 would require hospitals to establish two separate compliance 
programs--one for HIPAA, and one to comply with the FTC rules 
established under S. 3742. This will increase compliance costs for 
HIPAA covered entities--costs likely to ultimately be borne by patients 
in the form of higher health care costs. These additional compliance 
requirements, however, will not increase the protection of consumer 
information. The requirements proposed under S. 3742 are not more 
robust than HIPAA and will not afford consumers any greater protection.
    In some cases, hospitals do not maintain certain employee 
information as part of their HIPAA covered functions. These hospitals 
may instead maintain this information separate from their health care 
component. In these cases, the personal information of hospital 
employees (other than information held by a hospital's self-funded 
health plan, which is protected by HIPAA) would not be considered 
protected health information and would not be protected by HIPAA. Where 
this employee information resides outside of the sphere of HIPAA 
protection, we believe it would be appropriate to apply the protections 
of S. 3742 that apply to personal information held by employers 
generally.
                                 ______
                                 
                         Consumer Data Industry Association
                                   Washington, DC, December 7, 2010
Senator Roger Wicker,
Washington, DC.

Dear Senator Wicker,

    I again appreciate the opportunity to testify before the Senate 
Commerce Committee regarding S. 3742, The Data Security and Breach 
Notification Act of 2010, and I am writing today to follow up on the 
questions you asked about the breach notification trigger.
    CDIA has polled our members and some of the law firms which often 
advise companies which have been the victim of a crime resulting in the 
breach of sensitive personal information, and the one constant that 
they report is that there is no means of determining how individual 
state triggers operate due to the fact that breaches are multi-state 
and so decisions don't pivot off of an individual state's notice 
trigger. One very experienced outside counsel makes the following 
point:
    ``The best way to prevent extraneous notices from being sent would 
be a robust and uniform trigger appropriately tailored to areas where 
there is a significant risk of identity theft.''
    CDIA agrees with this.
    The question of the trigger is one way of measuring the likelihood 
of notices being sent, but not the only one. If the definition of 
sensitive personal information is very broad, for instance, then this 
too affects the frequency with which notices are sent. CDIA continues 
to disagree with giving the FTC regulatory powers which allow it to add 
to the statutory definition of sensitive personal information which, 
when breached, would lead to a breach notice. The definition of 
``harm'' could also have an impact on the number and usefulness of 
breach notification notices. For instance, as indicated by the 
Consumers' Union witness at the hearing, they are moving toward a 
theory that most types of data losses, including the loss of de-
identified data, should give rise to a notice. They also testified that 
most breaches of data should result in notices.
    I hope the above is of some help to you as you consider both the 
question of the threshold for a trigger and also the scope of the 
definition of the data associated with breaches. CDIA also remains very 
concerned about the data broker provisions and continues to believe 
that this section must be dropped from the bill in its entirety in 
order to even consider moving a uniform standard for data breach 
notification and data security.
    CDIA continues to support passage of an appropriately structured 
breach notification duty and a duty to secure sensitive personal 
information, but only if there is a true national standard and not just 
a 51st standard that layers into the various state laws.
    Thank you for your consideration.
            Sincerely,
                                           Stuart K. Pratt,
                                                 President and CEO.