b"<html>\n<title> - THE THREAT OF DATA THEFT TO AMERICAN CONSUMERS</title>\n<body><pre>[House Hearing, 112 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n             THE THREAT OF DATA THEFT TO AMERICAN CONSUMERS\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n           SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE\n\n                                 OF THE\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              MAY 4, 2011\n\n                               __________\n\n                           Serial No. 112-44\n\n\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n\n\n\n      Printed for the use of the Committee on Energy and Commerce\n                        energycommerce.house.gov\n\n\n\n                                _____\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n70-740 PDF                WASHINGTON : 2011\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n\n\n\n\n\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                          FRED UPTON, Michigan\n                                 Chairman\n\nJOE BARTON, Texas                    HENRY A. WAXMAN, California\n  Chairman Emeritus                    Ranking Member\nCLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan\nED WHITFIELD, Kentucky                 Chairman Emeritus\nJOHN SHIMKUS, Illinois               EDWARD J. 
MARKEY, Massachusetts\nJOSEPH R. PITTS, Pennsylvania        EDOLPHUS TOWNS, New York\nMARY BONO MACK, California           FRANK PALLONE, Jr., New Jersey\nGREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois\nLEE TERRY, Nebraska                  MICHAEL F. DOYLE, Pennsylvania\nMIKE ROGERS, Michigan                ANNA G. ESHOO, California\nSUE WILKINS MYRICK, North Carolina   ELIOT L. ENGEL, New York\n  Vice Chair                         GENE GREEN, Texas\nJOHN SULLIVAN, Oklahoma              DIANA DeGETTE, Colorado\nTIM MURPHY, Pennsylvania             LOIS CAPPS, California\nMICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois\nMARSHA BLACKBURN, Tennessee          CHARLES A. GONZALEZ, Texas\nBRIAN P. BILBRAY, California         JAY INSLEE, Washington\nCHARLES F. BASS, New Hampshire       TAMMY BALDWIN, Wisconsin\nPHIL GINGREY, Georgia                MIKE ROSS, Arkansas\nSTEVE SCALISE, Louisiana             ANTHONY D. WEINER, New York\nROBERT E. LATTA, Ohio                JIM MATHESON, Utah\nCATHY McMORRIS RODGERS, Washington   G.K. BUTTERFIELD, North Carolina\nGREGG HARPER, Mississippi            JOHN BARROW, Georgia\nLEONARD LANCE, New Jersey            DORIS O. MATSUI, California\nBILL CASSIDY, Louisiana              DONNA M. CHRISTENSEN, Virgin \nBRETT GUTHRIE, Kentucky              Islands\nPETE OLSON, Texas\nDAVID B. McKINLEY, West Virginia\nCORY GARDNER, Colorado\nMIKE POMPEO, Kansas\nADAM KINZINGER, Illinois\nH. MORGAN GRIFFITH, Virginia\n\n                                 _____\n\n           Subcommittee on Commerce, Manufacturing and Trade\n\n                       MARY BONO MACK, California\n                                 Chairman\nMARSHA BLACKBURN, Tennessee          G.K. BUTTERFIELD, North Carolina\n  Vice Chairman                        Ranking Member\nCLIFF STEARNS, Florida               CHARLES A. GONZALEZ, Texas\nCHARLES F. BASS, New Hampshire       JIM MATHESON, Utah\nGREGG HARPER, Mississippi            JOHN D. 
DINGELL, Michigan\nLEONARD LANCE, New Jersey            EDOLPHUS TOWNS, New York\nBILL CASSIDY, Louisiana              BOBBY L. RUSH, Illinois\nBRETT GUTHRIE, Kentucky              JANICE D. SCHAKOWSKY, Illinois\nPETE OLSON, Texas                    MIKE ROSS, Arkansas\nDAVID B. McKINLEY, West Virginia     HENRY A. WAXMAN, California (ex \nMIKE POMPEO, Kansas                      officio)\nADAM KINZINGER, Illinois\nJOE BARTON, Texas\nFRED UPTON, Michigan (ex officio)\n\n                                  (ii)\n\n\n\n\n\n\n\n\n\n\n\n\n\n                             C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHon. Mary Bono Mack, a Representative in Congress from the State \n  of California, opening statement...............................     1\n    Prepared statement...........................................     4\nHon. Henry A. Waxman, a Representative in Congress from the State \n  of California, opening statement...............................     6\nHon. G.K. Butterfield, a Representative in Congress from the \n  State of North Carolina, opening statement.....................     7\nHon. Cliff Stearns, a Representative in Congress from the State \n  of Florida, opening statement..................................     7\n    Prepared statement...........................................     9\n\n                               Witnesses\n\nDavid Vladeck, Director, Bureau of Consumer Protection, Federal \n  Trade Commission...............................................    10\n    Prepared statement...........................................    13\n    Answers to submitted questions...............................   114\nPablo Martinez, Deputy Special Agent in Charge, Criminal \n  Investigation Division, U.S. Secret Service....................    26\n    Prepared statement...........................................    
28\n    Answers to submitted questions...............................   119\nEugene H. Spafford, Professor and Executive Director, Purdue \n  University Center for Education and Research in Information \n  Assurance and Security.........................................    37\n    Prepared statement...........................................    39\n    Answers to submitted questions...............................   120\nJustin Brookman, Director, Consumer Privacy Project, Center for \n  Democracy and Technology.......................................    59\n    Prepared statement...........................................    61\n    Answers to submitted questions...............................   124\n\n                           Submitted Material\n\nLetter, dated April 6, 2011, from subcommittee leadership to Ed \n  Hefferman, President and Chief Executive Officer, Alliance Data \n  Systems, Inc., submitted by Mrs. Bono Mack.....................    96\nLetter, dated April 18, 2011, from Jeanette Fitzgerald, General \n  Counsel, Epsilon Data Management, LLC, to subcommittee \n  leadership, submitted by Mrs. Bono Mack........................    98\nLetter, dated April 29, 2011, from subcommittee leadership to \n  Kazuo Hirai, Chairman, Sony Computer Entertainment America LLC, \n  submitted by Mrs. Bono Mack....................................   103\nLetter, dated May 3, 2011, from Kazuo Hirai, Chairman, Sony \n  Computer Entertainment America LLC, to subcommittee leadership, \n  submitted by Mrs. Bono Mack....................................   
105\n\n \n             THE THREAT OF DATA THEFT TO AMERICAN CONSUMERS\n\n                              ----------                              \n\n\n                         WEDNESDAY, MAY 4, 2011\n\n                  House of Representatives,\n Subcommittee on Commerce, Manufacturing and Trade,\n                          Committee on Energy and Commerce,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 9:30 a.m., in \nroom 2322, Rayburn House Office Building, Hon. Mary Bono Mack \n(chairwoman of the subcommittee) presiding.\n    Present: Representatives Bono Mack, Blackburn, Stearns, \nHarper, Lance, Cassidy, Guthrie, McKinley, Kinzinger, \nButterfield, Dingell, Schakowsky and Waxman (ex officio).\n    Staff Present: Paul Cancienne, Policy Coordinator, CMT; \nBrian McCullough, Senior Professional Staff Member, CMT; Carly \nMcWilliams, Legislative Clerk; Gib Mullan, Chief Counsel, CMT; \nAndrew Powaleny, Press Assistant; Shannon Weinberg, Counsel, \nCMT; Michelle Ash, Democratic Chief Counsel; Felipe Mendoza, \nDemocratic Counsel; and Will Wallace, Democratic Policy \nAnalyst.\n    Mrs. Bono Mack. Good morning. The subcommittee is now in \norder. And I would like to start by saying that a wise person \nonce said great challenges create great opportunities. As we \nbegin looking into the pervasive problems of cyber attacks and \ndata breaches, this is our subcommittee's great opportunity to \ncome up with new safeguards against identity theft.\n    The chair now recognizes herself for an opening statement.\n\n OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN \n             CONGRESS FROM THE STATE OF CALIFORNIA\n\n    Today American consumers are under constant assault. As \nquickly and quietly as a wallet can be stolen by a skilled pick \npocket, your personal identity can be highjacked without you \nknowing it by online hackers. 
The Federal Trade Commission \nestimates that nearly 9 million Americans fall victims to \nidentity theft every year, costing consumers and businesses \nbillions of dollars annually. And those numbers are growing \nsteadily and alarmingly. In recent years, sophisticated and \ncarefully orchestrated cyber attacks designed to obtain \npersonal information about consumers, especially when it comes \nto their credit cards, have become one of the fastest growing \ncriminal enterprises here in the U.S. and across the world.\n    The boldness of these attacks and the threat that they \npresent to unsuspecting Americans was underscored recently by \nmassive data breaches at Epsilon and Sony. With 77 million \naccounts stolen, including some 10 million credit card numbers, \nthe data breach involving Sony's PlayStation network has the \npotential to become the Great Brinks Robbery of cyber attacks, \nand the take just keeps going up.\n    While the FBI and Secret Service, along with other law \nenforcement agencies, work around the clock to try and crack \nthe sensational case, we now learn that a second Sony online \nservice was also compromised during the same time period.\n    Computer hackers obtained access to personal information \nrelating to an additional 25 million customer accounts. That is \nmore than 100 million accounts now in jeopardy. Like their \ncustomers, both Sony and Epsilon are victims, too. But they \nalso must shoulder some of the responsibility for the stunning \nthefts, which shake the confidence of everyone who types in a \ncredit card number and simply hits enter. E-commerce is a vital \nand growing part of our economy. We should take steps to \nembrace and protect it, and that starts with robust \ncybersecurity.\n    As chairman of this subcommittee, I am deeply troubled by \nthese latest data breaches and the decision by both Epsilon and \nSony not to testify today. This is unacceptable. 
According to \nEpsilon, the company did not have time to prepare for our \nhearing, even though its data breach occurred more than a month \nago. Sony meanwhile says it was too busy with its ongoing \ninvestigation to appear.\n    Well, what about the millions of American consumers who are \nstill twisting in the wind because of the breaches? They \ndeserve some straight answers, and I am determined to get them.\n    For instance, how did the breaches occur? What steps are \nbeing taken to prevent future breaches? And what is being done \nto mitigate the affects of these breaches on American \nconsumers? Yet for me the single most important question is \nsimply this: Why weren't Sony's customers notified sooner of \nthe cyber attack? I fundamentally believe that all consumers \nhave a right to know when their personal information has been \ncompromised, and Sony as well as all other companies have an \noverriding responsibility to promptly alert them.\n    In Sony's case, company officials first revealed \ninformation about the data breach on their blog. That is right, \na blog. I hate to pile on, but in essence, Sony put the burden \non consumers to search for information instead of accepting the \nburden of notifying them. If I have anything to do with it, \nthat kind of halfhearted, half-baked response is not going to \nnot fly in the future. This ongoing mess only reinforces my \nlong-held belief that much more needs to be done to protect \nsensitive consumer information. Americans need additional \nsafeguards to prevent identity theft. And I will soon enter \nlegislation designed to accomplish this goal. My legislation \nwill be crafted around the guiding principle consumers should \nbe promptly informed when their personal information has been \njeopardized.\n    Clearly, as I have said, cyber attacks on the rise. 
\nAccording to the Privacy Rights Clearinghouse, over 2,500 data \nbreaches, involving some 600 million records, have been made \npublic since 2005. In fact, last month alone, some 30 data \nbreaches at hospitals, insurance companies, universities, \nbanks, airlines and governmental agencies impacted nearly 100 \nmillion records. And that is in addition to the massive \nbreaches at Epsilon and Sony.\n    The time has come for Congress to take decisive action. We \nneed a universal national standard for data security and data \nbreach notification, and we need it now.\n    While I remain hopeful that law enforcement officials will \nquickly determine the extent of these latest cyber attacks, \nthey serve as a reminder as well as a wake up call that all \ncompanies have a responsibility to protect personal information \nand to promptly notify customers when their information has \nbeen put at risk. We have the responsibility as lawmakers to \nmake certain that this happens.\n    [The prepared statement of Mrs. Bono Mack follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mrs. Bono Mack. And now I would like to recognize the \ngentleman from North Carolina, the ranking member of the \nsubcommittee, Mr. Butterfield, for 5 minutes for an opening \nstatement.\n    Mr. Butterfield. Let me thank the chairman for convening \nthis important hearing today and particularly thank the \nwitnesses for coming forward with your testimony. Before giving \nmy opening statements, I would yield such time as he may \nconsume to the former chairman of this committee, of the full \ncommittee and now the ranking member, the gentleman from \nCalifornia.\n    Mr. Waxman. Thank you very much, Mr. Butterfield. I \nappreciate your courtesy in allowing me to go ahead of you in \nan opening statement. I must go to another committee that is \nmeeting at the same time.\n\nOPENING STATEMENT OF HON. HENRY A. 
WAXMAN, A REPRESENTATIVE IN \n             CONGRESS FROM THE STATE OF CALIFORNIA\n\n    I would like to thank Chairman Bono Mack for holding this \ntimely and important hearing. In the last month, we have seen \nsome serious private-sector data breaches that have affected \nmillions of Americans. Just last week, Sony revealed that \ninformation connected to 77 million customer accounts had been \ncompromised. And then, on Monday, Sony announced that even more \nconsumer information was breached. Data breaches threaten the \nfinancial well-being of individuals whose personal information \nis exploited to commit identify theft or fraud. There is no one \nsolution to these threats. Criminal hackers are targeting us \nevery minute.\n    Today we will hear from Federal law enforcement and how \nthey are attacking this problem. However, the private sector \nalso must step up to the plate. The private sector can and must \ndo a better job of safeguarding sensitive personal information.\n    Information is the currency of the digital economy, and it \nmust be secured. Just as a bank would not leave its vault \nunlocked and open to thieves, companies must secure information \nand keep it out of the hands of identify thieves and other \ncriminals. And when personal information is compromised, \ncompanies have an obligation to inform those individuals whose \ninformation was lost or stolen so that they can take steps to \ndetect and prevent identity theft or other harm.\n    I am hopeful this committee can again in a bipartisan \nfashion pass the Data Accountability and Trust Act, and work as \na team to get the Senate to follow suit. 
The DATA bill that was \npassed by last Congress creates two major security \nrequirements: One, an entity holding data containing personal \ninformation must adopt reasonable and appropriate security \nmeasures to protect such data; and two, that same entity must \nnotify affected consumers in the event of breach, unless the \nentity determines there is no reasonable risk of identity \ntheft, fraud or other unlawful conduct.\n    I look forward to today's hearings and working together to \nquickly repass the Data Accountability and Trust Act.\n    I yield back the balance of my time.\n\nOPENING STATEMENT OF HON. G.K. BUTTERFIELD, A REPRESENTATIVE IN \n           CONGRESS FROM THE STATE OF NORTH CAROLINA\n\n    Mr. Butterfield. Let me thank you, Mr. Waxman, for your \nleadership on this issue and your leadership on this committee.\n    In preparing for this hearing today, I was told by my staff \nthat well over 100 million consumer records have been \ncompromised as a result of breaches at Epsilon Data Management, \nan e-mail marketer, and at Sony's PlayStation and online \nentertainment networks. If that is indeed a fact, this is very, \nvery alarming. And so this hearing today is certainly very \nimportant.\n    I want to you know, Madam Chairman, that I stand ready to \nwork with you and our colleagues to pass strong bipartisan data \nsecurity legislation like the DATA bill that will prevent this \nfrom reoccurring.\n    I ask unanimous consent that my full statement be included \nin the record.\n    I yield back.\n    Mrs. Bono Mack. I thank the gentleman.\n    The chair recognizes Mr. Stearns from Florida for 3 \nminutes.\n\n OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF FLORIDA\n\n    Mr. Stearns. Thank you, Madam Chair. And let me also \ncompliment you on having this hearing.\n    I share your disappointment that Epsilon and Sony have not \nshown up. 
Obviously, they could provide us a lot of information \nthat perhaps some of our witnesses could not, and I think it \nultimately is their responsibility to explain it.\n    Madam Chair, as the chairman of the Oversight and \nInvestigation Committee I certainly would want to work with you \nto find out perhaps what really happened and perhaps to extend \na hearing on this on my subcommittee.\n    Let me also say to you, this is an issue that, in the 109th \nCongress, when I was chair of this subcommittee, I had a bill, \na data security bill, and this bill was H.R. 4127. It passed \nout of the subcommittee, bipartisan support. It passed out of \nthe full committee, bipartisan support. It did not pass the \nHouse, unfortunately, and so with your leadership, perhaps we \ncan get this through the House.\n    So I am very anxious to support you and help you in your \nendeavors to actually get a bill through the House and to the \nSenate. This is so important. If the data security bill that I \nhad in the 109th Congress had actually passed, which required \nentities which hold personal information to establish and \nmaintain appropriate security policies to prevent unauthorized \nacquisition of that data, so companies would have a data \nsecurity officer, and that officer would have the mandate and \nthe requirement to protect the information.\n    It was interesting that the issue is so important that \nbipartisan support in the 109th Congress was available. So \nsurely, I would think we could get bipartisan support again. I \nknow Mr. Rush, when he was chairman, he took the bill that we \nhad, and he offered it again. And I cosponsored that bill with \nhim. 
And now with a new majority and you, Madam Chair, the \nchairwoman, I think this is really a very important issue for \nyou and this subcommittee to make a stand, get the bill through \nthe subcommittee, through the full committee and try and get it \nthrough the House.\n    I think a lot of people are just staggered by what has \nhappened. And we should not delay. I think this hearing is \nimportant. I look forward to participating and also hearing \ntheir comments, but in the end, I think both parties agree that \nthis is something that should be answered with a bill that is \nsubstantive and bring in the jurisdiction of the Federal Trade \nCommission and others to help us out.\n    So, thank you, I yield back.\n    [The prepared statement of Mr. Stearns follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    \n    Mrs. Bono Mack. I thank the gentleman. And we would like to \nsay that we have one panel of witnesses joining us today. Each \nof our witnesses has prepared an opening statement that will be \nplaced into the record. Each of you will be given 5 minutes to \nsummarize the statement with your remarks.\n    On our panel, we have David Vladeck, director of the Bureau \nof Consumer Protection at the Federal Trade Commission. Also \ntestifying, we have Pablo Martinez, deputy special agent in \ncharge of the Criminal Investigative Unit for the U.S. Secret \nService. We have Dr. Gene Spafford, professor and executive \ndirector from Purdue University, Center for Education and \nResearch and Information Assurance and Security. And last but \nnot least, we have Justin Brookman, director of the Consumer \nPrivacy Project at Center for Democracy and Technology.\n    Good morning to each of you, and we welcome you. We are \nvery grateful that you are here with us this morning. If you \ncan keep track of the time by the time clocks that are on the \ntable, I am assuming.\n    Staff?\n    Oh, that is a new improvement, technology. 
OK, well, green, \nyellow and red, much like a stoplight. If you could keep your \neye on it, we would appreciate it.\n\n   STATEMENTS OF DAVID VLADECK, DIRECTOR, BUREAU OF CONSUMER \n PROTECTION, FEDERAL TRADE COMMISSION; PABLO MARTINEZ, DEPUTY \nSPECIAL AGENT IN CHARGE, CRIMINAL INVESTIGATIVE DIVISION, U.S. \n  SECRET SERVICE; JUSTIN BROOKMAN, DIRECTOR, CONSUMER PRIVACY \n  PROJECT, CENTER FOR DEMOCRACY AND TECHNOLOGY; AND EUGENE H. \n SPAFFORD, PROFESSOR AND EXECUTIVE DIRECTOR, PURDUE UNIVERSITY \nCENTER FOR EDUCATION AND RESEARCH IN INFORMATION ASSURANCE AND \n                            SECURITY\n\n    Mrs. Bono Mack. Mr. Vladeck, we recognize you for 5 \nminutes.\n\n                   STATEMENT OF DAVID VLADECK\n\n    Mr. Vladeck. Good morning, Chairman Bono Mack, Ranking \nMember Butterfield, and Members of the Subcommittee. I am David \nVladeck, director of the Federal Trade Commission's Bureau of \nConsumer Protection.\n    We appreciate the opportunity to present testimony here \nthis morning. The written statement is submitted on behalf of \nthe commission. This statement and my responses to questions \nrepresent my views.\n    As the Nation's consumer protection agency, the FTC is \ncommitted to protecting consumer privacy and promoting data \nsecurity in the private sector. We all know that data security \nis critically important to consumers. If companies do not \nsafeguard the personal information they collect and store, that \ninformation could fall into the wrong hands, resulting in fraud \nand other harm to consumers. And as more and more breaches take \nplace, there is a risk that consumers could lose confidence in \nthe marketplace.\n    As the commission's testimony makes clear, the commission \nunanimously supports legislation that would require companies \nto implement reasonable security policies and procedures. 
The \ncommission also supports legislation that would require \ncompanies to notify consumers in appropriate circumstances when \nthere is a security breach so that consumers can take steps to \nprotect themselves.\n    By enacting legislation, Congress would also send a clear \nmessage that all companies that hold consumer information, \nincluding common carriers and nonprofit organizations, must \ntake responsible and appropriate measures to safeguard that \ninformation and must notify consumers if their information has \nbeen exposed in a breach.\n    A data security statute would establish the standards that \ncompanies must adhere to and, by empowering the Federal Trade \nCommission to seek civil penalties for violations, would deter \npoor security practices. These statutory provisions would \nreduce the incidence of identity theft and other financial \nharms, saving consumers from the hardships that ensue when \nthere is a breach.\n    The commission's testimony also describes our efforts to \npromote data security, which focuses on three activities: \nEnforcement cases against companies that fail to provide \nadequate security; education for consumers and businesses; and \npolicy initiatives to promote better data security.\n    Enforcement: We have brought more than 30 law enforcement \nactions against businesses that fail to protect consumers' \npersonal information, including two actions we announced just \nyesterday. In the first case, Ceridian, a large payroll \nprocessing company that maintains highly sensitive payroll \ninformation, failed to take reasonable measures to prevent an \nintruder from hacking into Ceridian's payroll processing \nsystem. 
The hacker compromised personal information, including \nSocial Security numbers and financial account information of \napproximately 28,000 employees of Ceridian's small business \ncustomers.\n    In the second case, Lookout Services a company offering a \nWeb-based application to assist employers in verifying their \nemployees' eligibility to work in the United States had weak \npractices in Web application vulnerabilities. As a result, an \nemployee of a Lookout customer was able to gain unauthorized \naccess to Lookout's entire customer database, which includes \nhighly sensitive information, including Social Security \nnumbers, dates of birth, passport numbers, alien registration \nnumbers, drivers licenses, military identification numbers and \nso forth.\n    The orders entered in both cases require the companies to \nimplement comprehensive data security programs and obtain \nindependent audits for 20 years. Orders of this kind are \nstandard in our data breach cases, and I underscore, we are not \nauthorized to seek civil penalties in these cases, so we rely \non injunctive relief.\n    The commission also promotes data security practices \nthrough extensive use of consumer and business education. For \nexample, our Web sites designed to educate consumers about \nbasic security, computer security, have recorded more than 14 \nmillion unique visits. And our business education touches on a \nwide range of issues, from P2P file sharing, which I know is of \nparticular interest to the chair and to copier data security.\n    We also engage in policy actions. 
We published a staff \nreport in December proposing a new framework for privacy which \ncalls on companies to build privacy and data security into the \ndesign of goods and services, to maintain reasonable safeguards \nfor consumer data, to limit the data they collect, to retain \ndata for only so long as they have a legitimate business need \nto do so.\n    In closing, we thank the chair for holding this important \nhearing, and we look forward to working with you and your \ncolleagues on data security. Of course, we would be happy to \nanswer any questions, thank you.\n    [The prepared statement of Mr. Vladeck follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mrs. Bono Mack. Thank you very much, Mr. Vladeck.\n    Mr. Martinez, you are recognized for 5 minutes.\n\n                  STATEMENT OF PABLO MARTINEZ\n\n    Mr. Martinez. Good morning.\n    Mrs. Bono Mack. And would you please, excuse me, turn on \nyour microphone?\n    Mr. Martinez. Good morning, Madam Chair.\n    Good morning, Madam Chair, Ranking Member Butterfield and \ndistinguished members of the subcommittee. Thank you for the \nopportunity to testify on the role of the Secret Service in \ncyber investigations.\n    In February 2010, the Department of Homeland Security \ndelivered a Quadrennial Homeland Security Review which \nestablished a framework for Homeland Security missions and \ngoals and underscored the need for safe and secure cyberspace.\n    As a vital component of DHS, we work to support the \ndepartment's mission to safeguard cyberspace. Through a greater \nunderstanding of how the criminal world operates, the Secret \nService has developed strategies that have a tremendous impact \nin terms of disrupting and dismantling underground networks. 
We \nuse this knowledge of criminal networks to adapt our response \nto the challenges posed by financial crimes in the 21st \ncentury.\n    Breaking up criminal networks requires a highly coordinated \nlaw enforcement approach focused on constant innovation and \ntactics to meet these emerging threats. The Secret Service \ncontinually develops the technical expertise to track down and \nsuccessfully infiltrate, investigate and prosecute with our \npartners cyber criminals who pride themselves on their \nknowledge and technical prowess. In many cases, law enforcement \nhas learned the tricks and techniques that cyber criminals use \nto hide their identities and their crimes and in turn develop \ncountermeasures that allow the perpetrators to be apprehended \nand prosecuted.\n    A central component of our approach is the training \nprovided through our Electronic Crimes Special Agent Program, \nwhich gives our special agents the tools they need to conduct \ncomputer forensic examinations on electronic evidence obtained \nfrom computers, personal data assistance and other electronic \ndevices.\n    To date, more than 1,400 special agents are ECSAP trained. \nIn fact, the Secret Service values this training so highly that \nthe basic level is now incorporated as a part of the curriculum \nthat all special agent trainees receive at our James J. Riley \ntraining center.\n    The training we provide, however, extends past our agents \nto others in the public sector. To further address cyber crime, \nwe continue to train State and local law enforcement through \nour National Computer Forensic Institute initiative.\n    Since 2008 the, Secret Service has provided training to 932 \nState and local law enforcement officials, prosecutors and \njudges. 
The Secret Service's commitment to sharing information \nand best practices is perhaps best reflected through the work \nof our 31 electronic crime task forces, two of which are \nlocated overseas in Rome, Italy, and London, England.\n    Our domestic and foreign partners benefit from the \nresources, information, expertise and advance research provided \nby our international network of members. The Secret Service \ncontinues to undertake complex cases that require a large \ninvestment of time and actively targets individuals who take \npart in criminal activities regardless of where they are \nphysically located. To coordinate these investigations at the \nheadquarters level, the Secret Service has enhanced our cyber \nintelligence section to identify transnational cyber criminals \ninvolved in network intrusions, identity theft, credit card \nfraud, bank fraud and our computer-related crimes.\n    In the past 2 years, CIS has directly contributed to the \narrest of 41 transnational cyber criminals who were responsible \nfor the largest network intrusion cases ever prosecuted in the \nUnited States. These intrusions resulted in the theft of \nhundreds of millions of credit card numbers and the financial \nloss of approximately $600 million to financial and retail \ninstitutions. These cases are complicated and directly impact \nthe lives of millions of American citizens.\n    At all levels, law enforcement is also having some success \nin getting the legal system to recognize the seriousness of \nlosses stemming from online financial crime. And this fact is \nreflected in the lengths of some of the prison sentences levied \nagainst these defendants. As a result of Secret Service's \nsuccessful investigation into the network intrusion of \nHeartland Payment Systems, which I describe in more detail in \nmy written remarks, the three suspects in the case were \nindicted for various computer-related crimes. 
The lead \ndefendant in the indictment pleaded guilty and was sentenced to \n20 years in Federal prison.\n    There is little doubt that the possibility of serving 20 \nyears in prison will provide a much greater deterrent than \nsentences typically seen in such cases a decade ago.\n    Madam Chair, Ranking Member Butterfield, and distinguished \nmembers of the subcommittee, the Secret Service is committed to \nour mission of safeguarding the Nation's cyber infrastructure \nand will continue to aggressively investigate cyber- and \ncomputer-related crimes to protect American consumers and \ninstitutions from harm.\n    This concludes my prepared statement. Thank you again for \nthis opportunity to testify on behalf of the Secret Service.\n    [The prepared statement of Mr. Martinez follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mrs. Bono Mack. Thank you, Mr. Martinez.\n    Dr. Spafford, you are recognized for 5 minutes.\n\n                STATEMENT OF EUGENE H. SPAFFORD\n\n    Mr. Spafford. Madam Chair, Ranking Member Butterfield, \nMembers of the Committee, I have been working in the field of \ninformation security for about 30 years, and I am speaking with \nthat background and also as chairman of USACM, which is the \nPublic Policy Council of the ACM, which is the world's largest \neducational and scientific computing society. And we have a \nnumber of members who work in security, privacy, and electronic \ndata. So we have a great deal of expertise in this arena.\n    And our knowledge of this is that this is a very \nsignificant problem. We have seen this as a growing area of \nconcern over a number of decades, and certainly the data that \nhas been presented, what you have heard, what you have seen, \nindicates that the problem is getting worse. It is not only a \nnational problem but, as Mr. 
Martinez just said, an \ninternational problem.\n    We would like to point out that it is a problem not only \nfor private firms but also for government agencies. There is \ndata that is held by government agencies and databases, and \nsome of it is privileged information because government is in a \nposition to collect particularly sensitive data, and that is \noften compromised and released.\n    The Privacy Rights Clearinghouse maintains a database where \nthey track various forms of data breaches and releases. And \naccording to their figures, on average approximately 100 \nmillion records per year for the last 6 years running have been \nreleased. Interestingly, the Sony breaches this year have \ntotaled 100 million all on their own. So we are well ahead of \nthat record just based on those releases by themselves.\n    If we combine that with a study that was done by the \nPonemon Institute, it indicates that for companies having these \nbreaches, they cost approximately $214 per record to clean up \nafter the breaches. We come up with a figure of $21 billion per \nyear in costs to clean up after the breaches on average. And \nthose costs are being passed on to the consumers.\n    Along with that, we then have all of the costs for the \nvarious fraud, law enforcement investigation, other kinds of \nlosses piled onto that and all of the losses for unreported \nbreaches and other losses that are unreported.\n    So it is possible that the losses to the American public \nand the American economy could be as high as $100 billion per \nyear from these breaches.\n    I will note that there was a story in the New York Times \ntoday that some of the credit card fraud underground bulletin \nboard groups are worried that the massive loss of credit cards \nfrom the Sony breach may be depressing the price, the \nunderground price, for credit cards by a factor of 5 or 10 \nbecause it will reduce the cost on the black market trading \nprice of credit card numbers. 
So perhaps there is some good to \nbe had from the Sony breach.\n    Looking at the problem realistically, disclosure \nnotification laws help at some level after the fact because it \ndoes help victims take some action to protect their identity \nand to protect against some of their information being used \nillegally. However, it does not solve all of the problem.\n    Law enforcement has made some gains, but they are not \nadequately resourced. We certainly do not have enough in the \nway of forensic tools. There is more need for research there, \nand there certainly is a need for more law enforcement agents \nand resources for prosecution.\n    But more importantly, there are the preventative aspects. \nWe don't have enough in the way of requirements on companies to \ntake the preventative measures to prevent the kinds of \ndisclosures that are occurring. In large part, that is because \nsecurity is not viewed as something that returns a value. It is \nnot something that adds to the bottom line. It takes away from \nthe bottom line. Companies don't like to invest in security. \nThey don't understand the risk involved by not investing in \nsecurity. And those that do understand some of the risk in \ntight economic times are willing to play the risk. They believe \nthey may not be hit by the problem. So when they are and they \nhave to pay the cost, they pass that along to their customers \nand to the rest of society. That is where all of this large \nexpense comes from.\n    So among the recommendations we have are, first of all, \nminimize the amount of data that is kept by these companies. \nSecond, age the data. They shouldn't keep the data any longer \nthan they absolutely need to. Many companies keep a great deal \nof data simply because they think it might be useful some day. \nThey should have sound security practices in place, and there \nare a number that are known that companies don't apply. 
We urge \nyou to make sure that government databases are covered equally, \nthe same as private databases, in any regulations, so that all \nare covered by any appropriate regulations.\n    And there are a number of others that are in my written \ntestimony. I would be happy to answer any questions, and USACM \nand our experts would be happy to help you in any way.\n    [The prepared statement of Mr. Spafford follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mrs. Bono Mack. Thank you, Dr. Spafford.\n    Mr. Brookman, you are recognized for 5 minutes.\n\n                  STATEMENT OF JUSTIN BROOKMAN\n\n    Mr. Brookman. Thank you, Madam Chair, in today's hearing. \nThe Center for Democracy and Technology is extremely pleased--\n--\n    Mrs. Bono Mack. Is your microphone on?\n    Mr. Brookman. Is it on now?\n    Mrs. Bono Mack. Very good, thank you. A little closer, it \nhelps.\n    Mr. Brookman. CDT is extremely pleased to see the \nsubcommittee is placing such a high priority on protecting \nconsumers' personal information in an increasingly complex data \neconomy. We very much appreciate the chair's leadership in this \narea.\n    Data security breaches are, sadly, nothing new for most \nconsumers, but as more and more industry players get access to \nmore and more consumer data and storage costs continue to get \nlower and lower, consumers, it is clear, are increasingly at \nrisk for loss of their personal data.\n    Now, fortunately or unfortunately, depending on how you \nlook at it, strong law already does exist to require companies \nto put into place reasonable security measures and to notify \nconsumers in the event of a breach.\n    The FTC, as Director Vladeck explained, has applied its \nunfairness authority to require companies to adopt reasonable \nsecurity measures, not just for financial information but for \nnonfinancial information as well. 
And a considerable majority \nof States require notification to consumers in the event of a \nbreach that could result in a monetary loss.\n    I understand the subcommittee is considering legislative \nsolutions in order to address the issues of data security and \ndata breach. From our perspective and from a consumer \nperspective, we believe that Federal legislation should not \nmerely replicate the existing protections that are out there \nfor consumers but should be significantly strengthened to offer \ngreater protections.\n    For example, the FTC's authority to get--for enforcing in \npoor data security practices could be put specifically into law \nto be more clear, but they would be stronger if the FTC were \ngiven greater resources to bring more cases and the ability to \nget civil penalties for persons who violate section 5 of the \nFTC Act.\n    Similarly, we believe that data breach notification laws \nwould be improved if they were to enact the full range of full, \nfair information practice principles, not merely security and \nnotification after the fact.\n    As an initial matter considering legislative solutions, our \nfirst advice would be do no harm. While it is clear that the \nexisting legal framework is insufficient to protect \nconsumers, they do offer strong protections, without which we \nthink consumers would be worse off. CDT has testified \npreviously positively about the DATA Act referenced by \nRepresentative Stearns. We did so because we believed it was a \nstrong bill and, with some minor revisions, could be as strong \nas the best State laws, but it also offered consumers something \nthey didn't already have, which is the rights of access to data \nstored by data brokers, so we thought it would be a net \npositive for consumers.\n    We believe also that whatever law is passed should allow \nStates to continue to innovate and to bring--to pass new \nconsumer protections for consumers. 
It is important to remember \nthat it was in the laboratories of the States that the idea of \ndata breach notification came up, because of the relatively narrow, \nprecise preemption language in Gramm-Leach-Bliley, and CDT \nwould be skeptical of any law that prohibited similar State \ninnovations for consumer protection.\n    But fundamentally, we believe the most effective way to \nsafeguard consumer data would be to enact the comprehensive \nprivacy protection legislation that implements the full range \nof fair information practice principles. These do not \nnecessarily prevent data breaches from occurring, but they \nwould, I believe, significantly mitigate their effects. And one \nidea--one of these principles is the idea of data minimization. \nCompanies should only collect the data they need to accomplish \na specific purpose, and they should get rid of it when it is no \nlonger valuable. And I think it is fair to say, as Dr. Spafford \npointed out, this is really honored in the breach today. \nCompanies request and retain data without notice to the \nconsumers on the chance it may become valuable to them one day.\n    One example from the recent data breaches is I think \nindicative. Walgreens was hit by a data breach in 2010, in \nDecember. They had to send notices not just to current \ncustomers but also folks who had previously unsubscribed \nfrom receiving their e-mails, and they didn't explain why they \nretained those e-mail addresses in the first place.\n    And then, just last month, as part of the Epsilon data \nbreach, Walgreens was again hit by a data breach incident. 
\nAgain, previous customers who had previously unsubscribed had \ntheir information exposed to the hackers.\n    Similarly, it was reported just last night that as part of \nthe Sony online data breach incident, 10,000 credit card \nnumbers were accessed from ``an outdated database going back to \n2007.'' I guess the good news from that is that only 900 of \nthose credit card numbers were still active, but it remains a \nlegitimate question why those numbers were being stored in the \nfirst place.\n    And I know as a result of the Epsilon data breach, I got notice \nfrom at least one company who I had not done business with in \nalmost 6 years and who I had unsubscribed from as well.\n    We believe that a comprehensive privacy law that requires \nreasonable data minimization, that requires companies to \nactually tell consumers what they are doing with their data, \nand gives consumers meaningful choice about how that data is \nshared and transferred would be the most effective policy means \nto limit the consequences of data security breaches.\n    We look forward to continuing to engage with the members of \nthe subcommittee on appropriate legislative solutions, and I \nlook forward to your questions.\n    [The prepared statement of Mr. Brookman follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mrs. Bono Mack. Thank you very much, Mr. Brookman.\n    The chair now recognizes herself for 5 minutes for the \nfirst round of questions.\n    I would like to start with Mr. Vladeck. According to \nreports, Sony took nearly a week before notifying consumers--\ncustomers about the cyber attack. How long does a typical \ncompany that has been subjected to a data breach need before it \nnotifies its customers? And what is the average time that is \nnecessary to make a determination and to inform consumers that \ntheir information may have been breached?\n    Mr. Vladeck. 
We share the concern I think of everyone in \nthis room; the consumers need to be notified as promptly as \npossible. There are two practical exigencies that sometimes \ndelay notification. One, there is a need that the company patch \nwhatever hole there is in their system before the breach is \nmade public. And second, it sometimes takes the company some \ntime to understand what information has been accessed and who \nneeds to be notified of the breach. We think this should happen \nas soon as practical, and in the prior legislation, for \nexample, there was an outer limit set at 60 days. I don't know \nwhether that is the right date or not.\n    I can't answer your question about common practices. Data \nbreaches vary so much that it is hard to extract a general \nrule. The smaller the breach, typically the quicker the \nnotification can go out. But in a massive breach where the \ncompany may still be trying to patch up its system if it is \nstill operating--and Sony, one of the systems was not--you do \nworry about notification before the company has had an \nopportunity to plug the hole. But I think that we all would \nagree that consumers need to be notified as swiftly as possible \nso that they can take action to protect themselves.\n    Mrs. Bono Mack. Thank you.\n    Mr. Martinez, a couple of questions, can you briefly \nexplain to me the difference from why the FBI might be involved \nas opposed to your agency?\n    Mr. Martinez. Yes. The statute most used to prosecute cyber \ncriminals is 18 U.S.C. 1030, which is a computer fraud statute. \nThe Secret Service shares concurrent jurisdiction with the FBI \non those types of investigations.\n    However, with investigations that deal with national \nsecurity or terrorism that are cyber-related, the FBI is the \nlead agency in those efforts. And for the NCIJTF, they lead the \ngovernment or law enforcement's efforts in state-sponsored or \nnational security type investigations. 
We have a representative \nthere.\n    When it comes to criminal matters, we have concurrent \njurisdiction, so it is--a lot of times it depends on the \nrelationship that either the specific company might have with \neither law enforcement agency, whether it is through some type \nof working group or task force or cyber task force where that \ncompany might reside. So, for example, the Secret Service has \n29 domestic electronic crime task forces, and one of the things \nwe ask our people to do is develop those relationships with \nthese private-sector companies so that that relationship is \nthere prior to the incident happening. The last thing we want \nis for that sort of when the fire goes off, that is the first \ntime you meet the firemen. We want there to be a relationship, \nand there are a lot of things that we both, us and the FBI, do \nwith private-sector companies to try to develop those points of \ncontact prior to an intrusion happening.\n    Mrs. Bono Mack. As I understand it, though, you are \ninvolved with Epsilon but not with Sony. Can you explain that \nto us briefly?\n    Mr. Martinez. Yes. Unfortunately, we can't comment on \nongoing investigations. I can't comment on the Sony \ninvestigation because that is being led by the FBI.\n    All I can say with regard to the Epsilon investigation, \nbecause it is still ongoing, is that they did notify us early \non in the investigation and have cooperated so far with the \nSecret Service in that investigation.\n    Mrs. Bono Mack. Thank you, Mr. Spafford--excuse me, Doctor. \nCan you speak a little bit to Mr. Vladeck's answer about \nnotification for consumers within--I think we are puzzled with \nthe 60-day time line. To me it seems reasonable that the \nconsumer should know immediately, that there is no greater \nprotector of one's own identity than the person himself. Can \nyou speak a little bit to the 60-day time line?\n    Mr. Spafford. 
Well, after an intrusion or breach has \noccurred, it is necessary to find out--after an incident has \noccurred, it is necessary to determine what records have been \naccessed to determine who needs to be contacted and what \ninformation was possibly taken to be able to inform the \nindividuals what information might be at risk and perhaps give \nthem information as to how to protect that.\n    Unfortunately, not every organization keeps the kinds of \nrecords that would allow them to determine that. It is also \noften the case that when evidence has been found that some kind \nof incident has occurred, that doesn't necessarily tell them \nhow long that incident has been ongoing. They just detect that \nit has happened, but they don't know how far back it goes. So \nthey have to very often pull records, do some forensic \ninvestigation. It may take a while to determine how many \npeople, how far back the records go, how much data it takes, \nand that is not something that can occur instantaneously.\n    Mrs. Bono Mack. Excuse me, Doctor, I am sorry to cut you \noff, but I have run out of time, so we will come back to a \nsecond round of questions.\n    The chair recognizes Mr. Butterfield for 5 minutes.\n    Mr. Butterfield. I thank the chairman.\n    In the last Congress, the House passed H.R. 2221, the Data \nAccountability and Trust Act. We all know that. This bipartisan \nbill has built up widespread support across Congress for its \ngoal of reducing the number of data breaches and providing new \nrights to individuals whose personal information is compromised \nwhen a breach occurs.\n    First question to Mr. Vladeck: Sir, if H.R. 2221, if it is \npassed into law and it gives the FTC new authority and \nresponsibility, can you talk for a minute about the limitations \nyou are under now with regard to information security and how \nsuch a law, if enacted, could strengthen FTC's hand with regard \nto breaches?\n    Mr. Vladeck. 
Thank you, yes.\n    It would strengthen our hand in at least three ways. First, \nI think the key insight in the proposed legislation is that it \nwould for the first time erect a national standard requiring \nbusinesses that hold sensitive personal information to take \nreasonable and rigorous safeguards to protect it. And so, for \none thing, there would be a congressionally dictated standard \nby which we could judge the performance of companies that hold \nonto personal information.\n    Second, there would be a national breach notification \nstandard, which would encompass a broad range of companies who \nmay not be subject to all State and other laws. It would cover \na broader range of activities.\n    And third, we would have civil penalty authority. At the \nmoment, we can place companies that have failed to protect \nconsumer information under order to ensure that they don't \nviolate consumer privacy again. But that doesn't involve \ngeneral deterrence. It doesn't send a signal to other companies \nthat they have to step up to the plate and protect consumer \ninformation.\n    Mr. Butterfield. Thank you.\n    Let me direct it to Mr. Brookman.\n    Mr. Brookman, I agree with you that we need more front-end \ndata security measures, so that the need for breach \nnotification actually diminishes. Your written testimony \ndiscusses support for 2221 for that model and the need for \nproper incentives for industry to take data security seriously. \nCan you elaborate more for me? Are you suggesting that the \nincentive be fear of enforcement?\n    Mr. Brookman. Yes, I think that is a very important \nincentive. I think in Dr. Spafford's testimony, he talks about \nhow companies just don't----\n    Mrs. Bono Mack. Excuse me, Mr. Brookman. Would you please--\n--\n    Mr. Brookman. I apologize. Companies don't think about this \nvery seriously in advance. 
The FTC has somewhat on an ad hoc \nbasis said that their prohibition on unfair practices means \nthat it is the case that companies must exercise reasonable \nsecurity. I am not entirely sure how well that has sunk into \ncorporate America. Even more recently, they have expanded their \nconcept of data security, not just to financial information but \nto things like e-mail addresses instead. And that was in their \nwhat I think was a very strong and important settlement with \nthe Twitter case.\n    I would like to see H.R. 2221 or whatever it looks like in \nthe next iteration to expand their concept of personal \ninformation, not just to financial information but to other \npotentially personal information as well, such as e-mail \naddresses or else things like the Epsilon breach actually \nwouldn't be affected by it. Companies should have to have \nreasonable security measures in place to do that. I think the \nFTC is getting there. I think with sporadic enforcement just \nmerely because of limited resources is not entirely clear to \nthe rest of the world that is in fact the law. Putting it into \nlaw I think would be an important thing, especially with the \nthreat of civil penalties behind it to give it a punch.\n    Mr. Butterfield. Well, let me ask you this, how do we \nensure that a company is holding on to personal data as long as \nnecessary? Each company has different needs; how can we measure \nthat?\n    Mr. Brookman. Yes, it is a very tricky issue. This is one \nof the criticisms of the Boucher-Stearns privacy bill--draft \nprivacy bill that came out last year. It prescribed a hard 180-\nday or maybe an 18-month cap on holding all personal data. And \nsome companies were like, that makes sense for us; maybe in \nbehavioral advertising, that is a good idea. Data brokers, \nmaybe not; maybe they should have to maintain the data for \nlonger. 
So we have supported a safe harbor model for \nlegislation such that companies who have similar business \ninterests can get together and propose for our industry, hey, \nlet's all agree to hold onto data for 180 days, 6 months, \ncouple weeks, depending on the scenario, so they don't feel at \na competitive disadvantage to hold onto data just because their \ncompetitors might be doing the same thing.\n    Mr. Butterfield. All right. Let me go back to the other \nend. What about Hill Newspaper CQ Today reported earlier this \nweek that the White House proposal on cyber security will be \ncirculated later this month. The article explains that it calls \nfor a Federal standard for notification about data breaches and \na stronger role for the Department of Homeland Security. \nSpecial Agent Martinez, what role would the Secret Service \nhave, if you know, and what other agencies at DHS would have a \nrole?\n    Mr. Martinez. Sir, the Secret Service, along with other \nexecutive agencies, has been working with the administration on \na comprehensive cybersecurity legislation. And specifically in \nthe area of data breach, I think a couple of things that that \nlegislation needs to have is notice to consumers but also \nnotice to the government, so that we can take appropriate \nactions. And also some type of safe harbor provision for \ncompanies that are adhering to the right practices.\n    In addition to the enforcement part, which would be handled \nby the Secret Service as part of the Department of Homeland \nSecurity, the National Protection and Programs Directorate of \nDHS where US-CERT and the NCSD and some of the other cyber \nentities sit, like the national cyber security division, they \nwould also be involved in cyber intrusions in part with respect \nto the----\n    Mr. Butterfield. Five seconds left.\n    Mr. Vladeck, what role would FTC have, if you know?\n    Mr. Vladeck. 
Well, we would hope we would have authority to \nenforce data breaches as we currently do, to enforce failures \nto inform consumers promptly of data breaches, and we would \nhope we would get civil penalty authority----\n    Mr. Butterfield. Thank you.\n    I yield back.\n    Mrs. Bono Mack. I thank the gentleman.\n    And the chair recognizes the vice chair of the \nsubcommittee, Ms. Blackburn, for 5 minutes.\n    Mrs. Blackburn. Thank you.\n    And thank you all for being here. I appreciate that we are \nhaving this hearing today. I think one of the things we can all \nagree on is that giving consumers the tools that are necessary \nto protect their virtual you, if you will, their virtual online \npresence, is going to be an imperative.\n    Mr. Brookman, you just spoke to this in your brief \ncomments.\n    I want to go to Dr. Spafford, if I could. I appreciate that \nyou start with recommendations to us and basically summarize \nthings. I think that the thing that is of concern to me is when \nit comes to notification, it basically looks as if what is \nhappening is a culture of damage control by not doing these \nexpediently. And I think we all realize that the technology is \nthere for almost instant notification and allowing individuals \nto know.\n    Now I am one of those that would prefer to see the industry \nmove forward with some best practices and some standards on how \nto deal with not only the data security issue but also the \nprivacy issue. And whether you are looking at the Epsilon case \nor the Sony case or the Android apps, the Skype case this week, \nwhat we see is an intrusion and an invasion into an \nindividual's privacy because of a breach that has taken place \nin a relationship that they have.\n    Dr. Spafford, moving to your recommendations on page 16 of \nyour presentation, basically what you are saying is minimize \nthe data, age the data, provide anonymity to the consumer, and \nthen you get down to talking about consent. 
Let's move to that \nand talk about that for just a second. When you have consumer \nconsent, should you also allow a consumer an eraser switch so \nthat if the company does not eliminate the data, then the \nconsumer has the ability to go in and say, you know, whether it \nis 90 days or 180 days, that they can remove their data? \nWhere--is that a recommendation that you all would consider \nworkable or plausible?\n    Mr. Spafford. It depends upon the organization. There are \nsome circumstances where the information may need to be kept \nand the user may not be able to remove it because of--there may \nbe other reasons, for health reasons for instance, or there may \nbe contractual reasons that it really needs to be kept, but \nthat certainly could be something that--for commercial reasons, \nmarketing reasons, the user may have that right or should have \nthat right to have that removed.\n    Mrs. Blackburn. OK, all right.\n    Mr. Martinez, we have--we continue to talk about companies \nbeing breached. And I find it so interesting that we don't talk \nas much about penalties for the hackers and those that are \nactually the cyber snoops in committing these crimes. And it \nseems like that is what gets moved to the bottom of the \nconversation. And I would like to--for you just to talk a \nlittle bit about that. You mentioned the computer fraud \nstatute, but it seems as if the perpetrators of the crimes, the \nhackers themselves, is where we should put more of our \nemphasis.\n    Mr. Martinez. Thank you. In recent years, we have really \nseen an increase in the amount of sentencing that these hackers \nare getting. For example, in the TJ or the Heartland Payment \nSystems case, TJX, we saw a sentence of 20 years for that \nindividual. 
Recently, in another case that we recently did, an \nindividual was sentenced to 25 years.\n    We believe these actions are having a deterrent factor, and \none of the reasons we believe so, for the last 2 years, we have \ncollaborated with Verizon business on the data breach \ninvestigative report that talks about not only data breaches \ninvestigated by the Secret Service but also those that Verizon \nbusinesses responded to. One of the things we have seen and it \nis mentioned in the study is that we are now seeing these \ncriminals--in the past, they had always attacked financial \nservices type companies because of the large volume of \nfinancial information they had, like processors and financial \ninstitutions. What we see now as the main targets are the \nhospitality and the retail industry. And we believe the reason \nfor that is because of the deterrent factor that some of the \nsentences are having.\n    So, for example, instead of trying to breach into a system \nthat has 150 million financial accounts, they are going now \nafter 10 or 12 smaller ones that have smaller amounts because \nof the fact that they might face a higher sentence were they to \nbe apprehended for the larger breach. So we believe that these \nsentences have increased and are having some form of a \ndeterrence.\n    Mrs. Blackburn. I know I am out of time. I will look \nforward to a second round.\n    Mrs. Bono Mack. I thank the gentlelady.\n    And the chair recognizes Ms. Schakowsky for 5 minutes.\n    Ms. Schakowsky. Thank you, Madam Chairman.\n    Dr. Vladeck, you mentioned the need for a civil penalty \nauthority to protect consumers. I am wondering if you have seen \na draft of a civil penalty authority. There was discussion \nearlier I think about the White House proposal on cybersecurity \nthat is going to be circulated this month. Do you know if there \nis a draft of a civil penalty authority?\n    Mr. Vladeck. I know there is a draft. 
I don't know how far \nalong the drafting is. I know that at least in that draft there \nis authority for us to assess civil penalties of the \nappropriate cases, yes.\n    Ms. Schakowsky. Have you any expectation on when you might \nsee that draft?\n    Mr. Vladeck. None.\n    Ms. Schakowsky. OK. So you have just heard that that \nincludes----\n    Mr. Vladeck. We have been shown a draft, and that draft did \ncontain a civil penalty provision.\n    Ms. Schakowsky. So you have seen a draft.\n    Mr. Vladeck. Yes, a draft, but the process is ongoing.\n    Ms. Schakowsky. That was my question. OK.\n    Let me also ask any of you this, I am a cochair of a House \nDemocratic task force on seniors, senior citizens, and I am \nparticularly concerned about cyber criminal attempts to prey on \nolder Americans. And I wonder if any of you could speak to that \nthreat and to any efforts that are being made to protect, \nparticularly vulnerable people, like seniors.\n    Mr. Vladeck. If I may, we have seen a spike in prize and \nsweepstake scams aimed at senior citizens. I was in Chicago on \nMonday. One of your staff members was at our hearing, and it is \nquite clear that scammers are targeting the elderly, defined as \npeople over 60, which worries me a little.\n    Ms. Schakowsky. Are you taking it personally?\n    Mr. Vladeck. I am taking it very personally. Targeting \npeople of that age group for particularly prize and sweepstake \nscams. This is all on the Internet, and increasingly there is a \nphishing element. There is a spear phishing element. They know \nsomething about that person that makes the scam particularly \nappealing. We are working with our colleague organizations to \ndo both public information and to do enforcement work in this \narea.\n    Ms. Schakowsky. Is it the scam itself that they are after, \nor are they looking for information about the individual? 
I \nmean, are they trying to get people to pay money to participate \nin a sweepstakes or both?\n    Mr. Vladeck. Both. And what they often do is say you have \nwon a million dollars; you just need to pay a penalty--you just \nneed the taxes or a customs fee, and they will often send a \nfake check. It is cashed, and then the person who has been \nscammed sends, typically wires, money abroad. They never see \nobviously their winnings, but they are out whatever the value \nof the check was.\n    Ms. Schakowsky. Thank you.\n    Let me finally ask a bit about Sony and the security \nbreach, the information breach there was.\n    Professor Spafford, I know you don't have any specific \nknowledge about what Sony did or did not do to protect the \npersonal information that it collected from consumers, but in \nyour testimony, you say, ``Some news reports indicate that Sony \nwas running software that was badly out of date and had been \nwarned about that risk.'' And I have seen some news reports \nabout the Sony breach, and truthfully, it seems like a lot of \nthem come from blogs and press releases from Sony. So this is \nthe first time I am really hearing about the potentially \noutdated software and ignored warnings.\n    Sony was actually invited today but declined to appear, and \nEpsilon declined the subcommittee's invitation to testify as \nwell. So I am just wondering if you can discuss the problems \nwith that software and any of the information that lead to you \nmake that statement?\n    Mr. Spafford. On a few of the security mailing lists that I \nread, there were discussions that individuals who work in \nsecurity and participate in the Sony network had discovered \nseveral months ago while they were examining the protocols on \nthe Sony network to examine how the games worked, they had \ndiscovered that the network servers were hosted on Apache Web \nservers. That is a form of software. 
But they were running on \nvery old versions of Apache software that were unpatched and \nhad no firewall installed, and so these were potentially \nvulnerable, and that they reported these in an open forum that \nwas monitored by Sony employees but had seen no response and no \nchange or update to the software.\n    Ms. Schakowsky. How long ago was that?\n    Mr. Spafford. That was 2 or 3 months prior to the incident \nwhen the break-ins occurred.\n    Ms. Schakowsky. Thank you. I yield back.\n    Mrs. Bono Mack. The Chair recognizes Mr. Harper for 5 \nminutes.\n    Mr. Harper. Thank you, Madam Chair, and I certainly \nappreciate you holding this very timely hearing on this topic. \nAnd I certainly appreciate the witnesses being here to give \ntheir insight.\n    And Dr. Vladeck, the first question I would have for you \nis, you know when you look at the expense that many companies \ngo through to try to put in a system that is secure and works--\nand let's say that it is--how long can we say that it will \nremain secure as technology improves and changes? And with \nthat, is there a set time period that it would need to be \nupdated, or is it just an as-needed. And what do you recommend \nin that situation?\n    Mr. Vladeck. We provide a lot of advice to businesses on \nour Web site. And businesses use that, those resources, \nconstantly. But our basic advice is inventory what you have, \nassess risks, don't collect information you don't need. For the \ninformation you do have--and this going to Sony-- protect \nagainst viruses, spyware, constantly be vigilant to make sure \nthe patches you need to put in place are installed promptly, \ndiscard information when you are done, and put someone in \ncharge. This is an ongoing, dynamic process.\n    And one of the things I think, the key insights of the \nfirst piece of legislation, Mr. Stearns' legislation, was the \nneed to start building an infrastructure to protect data. And \nthat is an ongoing process. 
You can't check it every 6 months, \nlike you might do the oil in your car. It is something you need \nto be vigilant about.\n    Mr. Harper. As you look at what you are working on, how do \nyou coordinate and keep in synch with all of the State \nattorneys general on what they are trying to do and what you \nare trying to do? How do you coordinate that?\n    Mr. Vladeck. I think when there are data breaches, we \ngenerally take the lead on investigations. Many States have \nrequirements that consumers be notified. But they don't \ninvestigate and then take action when the breach was the result \nof, in our view, truly substandard data security measures.\n    But we do keep the States informed. We recently settled a \ncase against Lifelock for data security violations, as well as \nothers, and in that case we coordinated with 35 State attorneys \ngeneral. But in terms of the hardcore investigation, I think \nthe key is that we take the lead on those.\n    Mr. Harper. Mr. Martinez, on both the Epsilon and Sony \nmatters, I know you are limited on what you can tell us, but \ncan you tell us how long it took from the time the breach was \ndetected until the time consumers were notified? Is that \nsomething you can share?\n    Mr. Martinez. I am not sure. Again, we didn't investigate \nthe Sony intrusion or are not investigating it. And on the Epsilon, \nI am not sure what that information is. I can get back to you.\n    Mr. Harper. And when we are looking at all of the breaches, \nwe certainly--the first thought we have is that it is going to \nbe somebody who is there for financial gain, to access the \naccount info, the personal info, or perhaps sell that data to \nsomeone. How much of it would you say is directly attributable \nto terrorist activity as opposed to what we consider the basic \ncriminal?\n    Mr. Martinez. Unfortunately, sir, all of those matters are \nhandled by the FBI. So I think that would be a question better \nanswered to by them.\n    Mr. Harper. 
And certainly I know that it goes to the FBI, \nbut you know there is the whole of all of the breaches, so what \npercentage do you think comes to you and what percentage goes \nto the FBI? I mean, that would be my question.\n    Mr. Martinez. With regards to criminal?\n    Mr. Harper. How much of it would you say of the overall pie \nis related to terrorist activity?\n    Mr. Martinez. Again, I couldn't speak to what percentage is \nrelated to terrorist activities. I believe there are a lot of \nthe intrusions and a lot of the ones that this committee has \nbeen talking about today are criminal in nature.\n    Mr. Harper. Mr. Brookman, I know we are about out of my \ntime here, but we talk about--we certainly hear in the news \nwhat has been detected. We know what we learn, what goes out in \nthe press. What would you imagine--I know it is just \nspeculation, but what would you imagine goes undetected?\n    Mr. Brookman. I mean, most of the State data breach laws \nreally only require notification in the event of a chance of \nfinancial breach. And the States vary. Some of them say notify, \nunless you can pretty much prove that nothing went wrong. Some \nof them require some thought that there might be harm. And if I \nlost my credit card, if I was a business and lost my credit \ncard numbers, I really have no reason to know those were used. \nSo I think those go undetected.\n    I think a lot of the things like what happened with \nEpsilon, because it is personal information, it is not \nfinancial information, there is no requirement for those \ncompanies to come out and say, Hey, we lost your e-mail \naddress; and, to the contrary, are intended not to do that. So \nI think a lot goes on under the radar that we don't know about.\n    Mr. Harper. I yield back.\n    Mrs. Bono Mack. The Chair recognizes Mr. Stearns for 5 \nminutes.\n    Mr. Stearns. Thank you, Madam Chair.\n    Mr. 
Vladeck, when I did the bill in the 109th Congress, I \nthink there were probably less than 30 States that had passed \ndata security legislation and now there are 46, I am told. What \nI am curious, it would seem to me with almost the entire United \nStates adopting--each State adopting legislation--wouldn't that \nbe incentive enough for companies like Sony and Epsilon \nworrying about their reputation and the civil litigation--I \nmean, why would this occur, based upon 46 States already having \nlegislation?\n    Mr. Vladeck. Well, I think there are two reasons. One is \nthe State laws do not do what you propose, which is to require \ngood, underlying security. And to me, one of the key insights \nof your legislation was that we need to do that on a national \nbasis. Congress needs to step in and say to people, holding \ncompanies, holding on to sensitive consumer legislation, Look, \nyou need to take reasonable security measures.\n    The second is, and as the statistics today have sort of \ndriven home, there are an awful lot of data breaches that have \nbeen made public. I am not sure the reputational hit these \ncompanies take necessarily is strong enough general incentive \nto make them step up to the plate.\n    Time and again, we investigate substantial companies and we \nfind very outdated, outmoded, and insecure practices. And so I \nthink the proof is in the marketplace. There are still, by my \nmeasure, way too many breaches, and breaches caused by the kind \nof failures that Dr. Spafford is talking about, failure to \npatch known vulnerabilities. In the Ceridian case, the \nvulnerability there was well known to the company, there were \nfree patches available, and the company quickly acknowledged \nthat it had been asleep at the switch.\n    Mr. Stearns. We had in our legislation, Federal preemption. \nWe worked out the language. 
Jan Schakowsky was the ranking \nmember so it was bipartisan.\n    How would you change that bill from the 109th Congress, \ncoming out of this subcommittee? Would you have Federal \npreemption again in the bill and would you also change it in \nany dramatic way?\n    Mr. Vladeck. Well, let me say two things. One is the \nCommission is generally supportive for preemption. That is, the \nFederal standard should be the floor, States should be free if \nthey saw fit to provide----\n    Mr. Stearns. Because right now in these 46 States, a \ncompany like Sony could be sued in 46 States.\n    Mr. Vladeck. That would be true. I think regardless, but I \nwould also point out that the civil cases involving security \nbreaches have not fared particularly well.\n    But in terms of the bill that emerged last year, we were \ngenerally supportive, but we would prefer, as Mr. Brookman has \nsuggested, to expand the definition of ``harm.'' One concern \nwas the definition of harm referred to financial loss or other \nunlawful acts. It would not have covered geolocation data, \ninformation about health status, or, for example, information \nabout children. And we think that the concept of harm needs to \nbe broadened to reflect the kinds of breaches that we have seen \nand the kinds of concerns that we think are broadly shared.\n    Mr. Stearns. One of the things that I was struggling with \nis: So a corporation sets up a data security officer to do \nthat. How do you make sure that that data security officer is \ncomplying, and is there a frequent way that you could do it? 
\nAnd I thought through the free market, you could have something \nlike accounting firms that would just on their own, develop to \nsay we will come in and do private audits.\n    But the question is how much should the government get \ninvolved to make sure that that data security officer is \nactually complying with Federal Trade Commission requirements; \nbecause everybody will say--the janitor could be the national \nsecurity officer, the elevator operator. Bingo, we are all \ndone. But how do we as legislators and you as the jurisdiction \nensure that that is actually happening?\n    Mr. Vladeck. I mean your auditing illustration is a good \none. When we put companies under order, we require them to \ndevelop a very detailed privacy policy to appoint a responsible \nofficial which we hope has the credentials of a Dr. Spafford \nand not a janitor. And we have outside firms that are qualified \nto do this audit every 2 years to make sure the company is \nliving up to its promise.\n    And as an enforcement tool, if there is a chief privacy \nofficer who is required to ensure the plan is being \nimplemented, if there is another breach, I suspect that not \nonly would we sue the company but we might sue the responsible \nofficial. In that case, it would be the chief privacy officer.\n    So there are ways of holding people accountable. One of the \ninsights of the bill is you need somebody responsible within \nthe company. And we think that is very important.\n    Mr. Stearns. My time has expired but, Madam Chair, if there \nis somebody else on the panel that would like to comment on my \nquestions. Is that possible? Mr. Martinez, Dr. Spafford, Mr. \nBrookman.\n    Mrs. Bono Mack. We are going to have a second round to be \nmore fair to the more junior members to allow that in the \nsecond round.\n    So the Chair recognizes Mr. Guthrie for 5 minutes.\n    Mr. Guthrie. Thank you very much. 
Thank you for being here \ntoday on this important hearing and thank you, Madam \nChairwoman, for holding this.\n    This is really to both Mr. Vladeck and Mr. Martinez. The \ncore of the problem, is it typically improperly secured \ninformation from people who are holding the data, or is it the \ncriminal networks that are just a step ahead? They figure it \nout. Somebody could be vigilant in what they are doing and \nsomebody just figures out a way around their system.\n    What are you seeing? Is it just sloppy corporate side, or \ndata holders, or is it the other? I know it is probably a \ncombination of both. What do you see the most?\n    Mr. Martinez. Yes, sir. It is a combination of both. I will \njust real quickly go through some of the statistics on this \nrecent study that we just did with Verizon business. Ninety-two \npercent of the attacks were not highly difficult, and 96 \npercent of their breaches were avoidable through simple or \nintermediate controls. I think our panel members here have told \nyou--have brought up a lot of recommendations. So a lot of \ntimes it is that some of these security measures that should be \nin place just aren't fully implemented.\n    And although we do have criminals that are highly \nsophisticated--and we have seen the amount of attacks due to \nhacking increase--a lot of these attacks, though, could have \nbeen avoidable had just best practices been applied.\n    Mr. Guthrie. So you are saying that 96 percent I know \nessentially could have been avoided if it had been reasonable \nand rigorous?\n    Mr. Martinez. Correct.\n    Mr. Guthrie. Is that the same?\n    Mr. Vladeck. I don't know that I would quantify it that \nway, but many of the breaches that we see are due to laxity or \njust foolishness. For example, we have sued both Rite Aid and \nCVS for taking patient employee records and throwing them into \nunsecured dumpsters. 
You don't need to be a smart criminal to \ngo dumpster diving.\n    But we have seen also sophisticated hacks of the kind Mr. \nMartinez is talking about. And in those cases, we do an \ninvestigation, but we don't pursue civil enforcement because, \nyou know, we don't want to be playing ``gotcha.'' This is not a \nstrict liability regime.\n    Mr. Guthrie. I guess the question is, if you have a \nstandard of reasonable and rigorous, and there is somebody \nalways getting a step ahead through technology, then you always \nhave to update your reasonable rigorous.\n    But it sounds like you could eliminate over 90 percent of \nthe problems we have had just by having a reasonable policy in \nplace.\n    I guess you are saying it is being stored. Obviously \nthrowing stuff in a dumpster is not reasonable. But you are \nseeing clear differences.\n    Mr. Vladeck. But also not applying the patches that the \ncompany is sending you to fix a known vulnerability, in our \nview that is not any different than leaving the door of the \nvault right open.\n    Mr. Guthrie. FTC--and you are doing consumer education, I \nknow, as a part of this. But this is a little outside of this, \nbut it is a little bit within the realm of what we are talking \nabout. The other day I got a phone call: ``This is your bank. \nWe have had a problem with your account. Give us your account \nnumber'' and whatever. Of course, I hung up. But a lot of \npeople don't. And this is what Ms. Schakowsky is talking about. \nAnd particularly I guess he is somebody that I know elderly \nthat would--oh, I have got to fix my bank account, and all of a \nsudden there is something.\n    Are you focusing on that area? Is that your area? What are \nyou doing?\n    Mr. Vladeck. Yes and yes.\n    You know, we are principally the antifraud agency and that \nis the kind of classic fraud that we are fighting every day. \nAnd there are an awful lot of people who have taken advantage \nof the economic downturn. 
People are more vulnerable to fraud \nwhen they are in financial jeopardy. And there are fraudsters \nthat are out in force taking advantage of the most vulnerable. \nAnd that is what we spend a lot of our time on.\n    Mr. Guthrie. If I have a few seconds left, I will go back \nto Mr. Stearns.\n    Dr. Spafford, in your testimony you are talking about the \ncost of the breach. I guess my question is, as a business, if \nthe cost is going to be so expensive, why wouldn't I invest up \nfront? Is the problem that the costs on the business are up \nfront, but the cost of the breach is spread out like societal? \nIs that the issue? When you said $214 per breach, that is not \nborne by the company. Is that societal? I think you said $214. \nI didn't write it down.\n    Mr. Spafford. The cost was a result of the study that was \ndone. And that cost was per record, $214 per record.\n    Mr. Guthrie. Cost in the company that allowed the breach to \nhappen?\n    Mr. Spafford. Yes. To the company. That cost was cost of \nnotification, cost of cleanup, cost of outside auditors, legal \ncosts.\n    Mr. Guthrie. So businesses are not aware of these costs? \nSeems like if I was a business and that was my liability--I \nmean, I am wondering why they are not going in that direction.\n    Mr. Spafford. That is correct. The businesses don't realize \nwhat it is going to cost them.\n    Mr. Guthrie. Or they have a known cost here and hopefully \nnot another cost there.\n    Mr. Spafford. That is correct.\n    Mr. Guthrie. Mr. Stearns, I don't know if you got time.\n    Mr. Stearns. I thank the gentleman for his courtesy. I will \nwait for the second time around.\n    Mrs. Bono Mack. I appreciate that, gentlemen.\n    And the chair recognizes Mr. McKinley for 5 minutes.\n    Mr. McKinley. Thank you, Madam Chairman.\n    I am curious about this whole issue, because I have not \nbeen a victim that I know of. Have any of you four been victims \nof a breach?\n    Mr. Vladeck. 
Yes.\n    Mr. Brookman. Yes.\n    Mr. Spafford. Yes.\n    Mr. Martinez. Yes.\n    Mr. McKinley. All four of you.\n    How does a company know that it has been breached? Do the \nlights go on?\n    I mean, I had a real life before I came to Washington, and \nwe had a firm with a hundred employees. Would our IT person \nhave seen a breach? Would he have seen something flashing? How \ndo we know we were breached? You all keep talking about these \nlarger companies. What about the real America, the small \nbusinesses?\n    Mr. Brookman. Before I joined CDT, I worked for the New \nYork Attorney General's Office and I worked in the Internet \nBureau. And in conjunction with the Consumer Fraud Bureau, we \nwould get these notifications from smaller companies that said, \noops, we lost a lot of data. In our experience, a lot of it was \nwe lost a computer. Maybe even a half was like someone put \ntheir computer in their car, and this is not just small \ncompanies too, this is how the Veterans Affairs famous breach \nhappened. Someone put a lot of data in the laptop, left it in \nthe back seat of their car with the window open, and someone \ntook it. And they don't know. There is a very strong chance in \nthat scenario the person wouldn't look for the file and know \nwhat to do. But the fact of the matter is you have a large \nnumber of consumer records that are gone now to someone who \ndoes have access to it, and you don't know how they are being \nused.\n    Mr. McKinley. Yes.\n    Mr. Spafford. Another possibility is that someone comes in \nin the morning and they discover in the record on their system \nthat it has been accessed from an account in Eastern Europe or \nChina or South Africa. And that person has downloaded \nmegabytes' worth of information off the system, including the \nentire customer database, and that is certainly not someone who \nhas legitimate access to the system.\n    Mr. McKinley. How do you know they have access?\n    Mr. Spafford. 
Because there is a record of it. There is an \naudit trail of that information.\n    Mr. McKinley. Every small company would have that?\n    Mr. Spafford. Not every company, but some would. So there \nis a record, and the company, if they turned on that record-- \nor it is possible that a business partner or someone else would \nsay we found a copy of your entire customer record on our \nmachine, and how did it get here? Somebody must have left it \nhere. And so you often discover this because it got out and \nsomebody found a copy of it.\n    Mr. McKinley. I am still not clear on that. I am going to \nhave to live with this a little longer and maybe ask more \nquestions every time. I still think what I have heard were a \nlot of larger firms, a lot more records; but smaller firms \nare--I am trying to understand what their point is, because I \nhave never--not that I know of, knock on wood--have been \nbreached, so I don't know what they are looking for and I don't \nknow with our former firm what type of security we have for \nthat.\n    But I think it was at the end you said something about if \nyou have been breached, and the notification that the consumers \ntake appropriate action. What is appropriate action? It has \nhappened. Are they supposed to get a new credit card or what \nare--what is appropriate action for the 70-year-old lady on \nMain Street if somebody notifies her; what action is she \nsupposed to take? Do they tell her?\n    Mr. Vladeck. Generally the breach notifications do tell her \nwhat action to take. And our Web site and others provide that \nbasic information.\n    Mr. McKinley. They are not going to go to your Web site.\n    Mr. Vladeck. The breach notification should tell her what \naction to take. So if someone has hacked e-mail addresses, she \nwill be alerted that she may get these e-mails from her bank \nasking her to provide account information. These are phishing \nattacks. 
I don't think they would be described in those \ntechnical terms. But I think she would be warned if there was \ncredit card information--she may be told to look at her account \ninformation, to engage in credit monitoring where they may be--\nor the company might provide credit monitoring for her.\n    There are steps people can take to minimize the risk of \nloss. And one point of data notification or breach notification \nis to provide individual notice to every consumer about what \nthe appropriate steps that consumers should take to protect his \nor her interest.\n    Mr. McKinley. Thank you. Whatever this bill comes out, I \nhope there are some ways to get down to the grassroots level \nhow we can deal with this.\n    Mrs. Bono Mack. Thank the gentleman.\n    Round two, I recognize myself for 5 minutes.\n    Dr. Spafford, your testimony supports legislation that \nwould apply to all entities that collect personal information, \nincluding the government. Do you think the government is ahead, \nequal, or behind the private sector in data security practices, \nand what about universities and nonprofits also in that regard?\n    Mr. Spafford. I think the government and many nonprofits \nhave good security in some places and very poor security in \nothers. I have testified at hearings in previous years for \nlosses of information at the Veterans Affairs. There was an \noccasion there where it was just mentioned, laptops being lost. \nThere have been occasions where databases have been breached, \neven in the military, and information taken. There have also \nbeen a number of cases where the systems are very well \nprotected.\n    At universities, some are very well protected, some are \nwide open, and student records are regularly disclosed. \nCharities, businesses, it is across the board. Some are very \ngood; some, unfortunately, are not.\n    Mrs. Bono Mack. Thank you.\n    Mr. 
Brookman, as the subcommittee knows, we submitted a \nletter to Sony, and we have the responses as of late last \nnight. And I looked at them this morning to share something \nwith you that they do have in their letter to us.\n    We asked them about new security measures. They responded \nthey are implementing new security measures that include--they \nhave added automated software monitoring and configuration \nmanagement to help defend against new attacks; they have \nenhanced levels of data protection and encryption; they have \nenhanced ability to detect software intrusions in the network. \nAnd Mr. McKinley was asking, and they have also included in \nthat, unauthorized access and unusual activity patterns. But if \nthese are just a few of the new safety precautions, my question \nis, given how many consumer records were at risk, why weren't \nthese measures in place before?\n    Mr. Brookman. I think that is an excellent question. As I \nsaid in my testimony, it just boggles my mind that they are \nleaving open access to the 2007 database of credit card \ninformation that apparently they weren't even using. It just \nhappened to be a legacy system. This is something the FTC said \na lot of good things about. A lot of times, it is more \nexpensive for a company to go in and erase data than leave it \nlying around.\n    We, in talking to the companies, have tried to get them to \nuse privacy by design and security by design to build these \nconcepts into products from the ground up. But sadly, in so \nmany places it is not someone's job to go up and delete legacy \ndata.\n    I was very interested in the suggestion of Vice Chair \nBlackburn about the idea of an eraser button. I think it is a \nvery strong idea. If I have a direct relationship with a \ncompany and I want to end my relationship, I should be able to \ndelete that data. 
I think it is a very strong idea, recognizing \nRanking Member Butterfield's idea that it is hard for Congress \nto, say, keep data for so long because it really varies across \nindustries. Giving consumers the power to say, Hey, go ahead \nand delete that now I think it is a very good idea.\n    Mrs. Bono Mack. Dr. Spafford, you were speaking of the \nvulnerability that was known to many, I guess, via the \nblogosphere somewhere. I am assuming you are speaking about the \nSan Diego facility, that some speculate there was a breach, or \nthey are saying it was an AT&T service center in San Diego \nwhere there is a known vulnerability. But if there are known \nvulnerabilities, what do we do with the policy that minimizes \nthese sort of physical locations and vulnerabilities?\n    And I think my question would be better directed to Mr. \nMartinez or Mr. Vladeck about known vulnerabilities in a system \nand our ability to protect those physical locations that have--\nagain, known to the bad guys, but it seems we are always sort \nof behind the bad guys in our limits to stop them from what \nthey are doing.\n    Mr. Martinez. Like I stated earlier, a lot of times what we \nsee when we do investigations. And again, this collaborative \nstudy that we have conducted, what it shows is that 96 percent \ncould have been avoidable through simple intermediate controls \nmeeting. If there were a hundred servers that the company \nowned, they possibly patched 99 of them but forgot to patch \nthat last one. So an instance like that one could create the \nhavoc that we see.\n    Mrs. Bono Mack. So you are saying it is all corporate \nresponsibility at that point, correct?\n    Mr. Martinez. What I am saying is no matter the size of the \ncompany or who it is, you really have to be diligent in your \nsystems. It is not about being compliant for that moment. You \nhave to maintain that diligence and maintain and monitor your \nsystem on that constant basis.\n    Mrs. Bono Mack. Mr. 
Vladeck, with my remaining 25 seconds,
I think it is important you spoke to the concept of harm. And I
think it is critical, and I think people don't understand what
it means to have been hacked or have your personal information
stolen until it has happened.
    You mentioned geolocation, your kids and health records.
Can you speak a little bit more about the vulnerabilities
beyond somebody might just buy something on my credit card? I
think people need to understand what the crimes could be.
    Mr. Vladeck. I don't know whether these would be crimes,
and that is why we are concerned about the definition that was
in 221. One harm was other unlawful action. But, for example,
Eli Lilly, in one of the first cases we did, sent out an e-mail
blast which associated particular patients with Prozac. Now,
that is a reputational harm that I think most people would like
to avoid. They don't know whether Eli Lilly committed a crime.
But people ought to be notified in those kinds of
circumstances. It just struck us in CVS and Rite-Aid, they were
dumping prescription records in dumpsters. People ought to know
when that happens, even if the act of dumping them is not a
crime.
    Geolocation data could be used for stalking. It could be
used for other purposes.
    And so when the committee reexamines this legislation, we
urge them to take a somewhat broader view of what constitutes
harm in this area.
    Mrs. Bono Mack. Thank you.
    The chair recognizes Mr. Butterfield for 5 minutes.
    Mr. Butterfield. Thank you.
    Technology evolves rapidly, and what is cutting-edge
technology today is obsolete tomorrow. The Sony press releases
have stated that consumers' credit card information was
encrypted. In addition, Sony stated yesterday in The Hill
newspaper that passwords were protected using a hash function,
and described as a shortened version of full encryption.
    The data breach provision in the bill that we passed last
year established a presumption that no reasonable risk of harm
exists following a breach if the data is encrypted.
    Dr. Spafford, do you agree or disagree with that?
    Mr. Spafford. Sir, I disagree, because it is possible that
disclosure could also include the password necessary to decrypt
those passwords, and that would mean that they could then be
decrypted and read as well.
    Encryption all by itself is not a solution. It has to be
such that encrypted material can also not be read.
    Mr. Butterfield. Are there any technologies that you
believe can be given such a presumption?
    Mr. Spafford. Certainly there are. There are some forms of
encryption that could be appropriately used if the key material
is kept separate, for instance. But one has to look at the
overall risk of whether or not the protected material would be
disclosed if that material were breached.
    Mr. Butterfield. Of course, encryption has its downside,
but do you still believe it is the gold standard?
    Mr. Spafford. Some kinds are. Some forms of encryption can
be broken fairly trivially. Some forms of encryption are fairly
good and some are not. And some previous versions--in some
previous versions of legislation that were introduced in this
committee, we have sent letters about problems with encryption.
And I would be happy to provide copies of those to you later.
    Mr. Butterfield. Special Agent Martinez, in your testimony
you describe a strong working relationship with the FBI which,
you state, works through the National Cyber Investigative Joint
Task Force to lead the Federal Government's response to online
national security threats. Now, I imagine that there is some
fuzziness around cyberthreats to businesses, and that some of
these could also be threats to national security. That is
probably part of the reason why there is a task force and why
your agency is involved. I understand that businesses, not the
government, own most of the network computer infrastructure. It
is the private sector that controls and is responsible for vast
swaths of the network, of the financial system, power
generation, and our electricity grid.
    Given your experience in dealing with intrusions into
private sector computing assets, is the private sector doing
enough to guard the security and integrity of networked
computers?
    Mr. Martinez. I think there is always more that we can do,
sir. I think from what you've seen today, from some of the
testimony today, and from some of the intrusions that we are
actually discussing, there is still a lot more that needs to be
done. And I think what is important is that the public sector
needs to collaborate with the private sector in making sure
that we improve our security.
    Mr. Butterfield. Would you extend that to the Federal
Government?
    Mr. Martinez. Yes, and I believe there are already steps
that have already been taken within the Federal Government to
do that.
    Mr. Butterfield. Special Agent, in your testimony you also
described your relationship with the United States Computer
Emergency Readiness Team. According to your testimony, that
group defends against cyber intrusions on the dot.gov domain
and shares information and collaborates with State and local
governments and industry.
    Insofar as you participate in partnerships and information
sharing with businesses, can you please describe this
relationship a bit more?
    Mr. Martinez. Yes. And I think it would be better explained
by US-CERT. They have taken the role of remediation and
mitigation, so when there is an incident that occurs, a lot of
times what we will do is we will encourage the private sector
partners to reach out to US-CERT so that they can come up
with a mitigation plan or best practices and so forth.
    I would say in the last year or so, we have really improved
our efforts trying to do that, working with US-CERT and
having them take the lead in remediation and mitigation efforts
after intrusion.
    Mr. Butterfield. All right. Thank you. I yield back.
    Mrs. Bono Mack. The chair recognizes Mr. Stearns for 5
minutes.
    Mr. Stearns. The gentleman from North Carolina makes a good
point. When you look across the Federal Government, it is
almost a sector-by-sector approach in dealing with the
government. I know serving on the Veterans Affairs, there were
breaches of huge, in number of veterans, when a computer was
taken home and the information was breached.
    The staff has pointed out that there are examples for the
Veterans Affairs, they had the Veterans Affairs Information
Security Act, but that just applies to the Veterans Affairs.
You had the Federal Information Security Management Act which,
again, is sector by sector. So a thing that this committee
would have to struggle with is also how to go about deciding
what would apply to the Federal Government.
    Mr. Vladeck, do you think there should be a small business
exemption for this, because I heard from--a lot of small
businesses say, I don't want the overlay of a data security
officer; and how much is this going to cost me? It is more
regulation.
    So the question is, is there a possibility that a small
business of, let's say, less than a hundred employees, less
than 50 employees, there would be sort of a modified approach,
or do you think the whole thing should apply to them, too?
    Mr. Vladeck. I think we need to separate out the various
requirements of the legislation. We did not support a small
business exemption from the data security requirements. We
thought that----
    Mr. Stearns. That was crucial.
    Mr. Vladeck. That was crucial. What we did support was
rulemaking for the Commission to determine when small
businesses should be granted waiver from the provisions
relating to the payment for monitoring credit reports following
a breach. And I think that was the objection raised by small
business at the time. And we favored some flexibility that
would be determined after a public rulemaking, and perhaps
exemptions would be authorized pursuant to that rulemaking.
    Mr. Stearns. Dr. Spafford, there is some talk about
cloud computing here in the House, and we no longer have our
servers and hard disks and so forth. If a company moves toward
cloud computing storage, is that more safe or less safe, in
your opinion, keeping the servers proprietary and protected?
    Mr. Spafford. It depends on where the cloud storage is and
how well it is protected, because you are putting your records
on computing resources that are stored somewhere else and
protected by someone else. If you have a private cloud, then
that is within your corporate domain or within Congress here,
protected here. But if you are using it outsourced, you may not
even know where it is and how it is protected.
    A concern that I mention in my testimony is that some cloud
service providers may actually have their storage located
outside the country. And so if that storage is compromised, we
have a whole new set of problems, because now that storage is
now outside----
    Mr. Stearns. We don't really have reciprocity laws with
countries outside, so it gets more difficult.
    Mr. Spafford. It gets considerably more difficult.
    Mr. Stearns. So if the information is breached, then where
do people go to sue? I guess you would still go to the holding
company of the major corporation.
    Mr. Spafford. That is beyond my area of expertise. Mr.
Brookman or Mr. Martinez or anyone else want to comment on this
cloud computing?
    Mr. Martinez. Yes, sir. Think of it this way. The crime
scene now, like Dr. Spafford just said, the crime scene now
does not become the server farm located at a building in a
crime scene. Now, part of it could be in the Philippines, part
of it could be in Mexico, and part of it could be in Los
Angeles. So it makes it much more difficult for law enforcement
to take action and obtain that information. Specifically when
we have to go overseas, now there is a whole other trigger of
requirements or things we need to do, such as mutual legal
assistance treaties, and the question then becomes do we have
treaties with countries where some of this information resides?
    Mr. Brookman. I would just say in response to that, I think
in many cases it may well be the case that a cloud computing
server will offer better privacy and security for you.
Especially in the case maybe of the small business who doesn't
have a technical know-how of how to protect this data or what
the latest cutting edge in encryption techniques are. I think
in that scenario, it may well make sense, maybe some marginal
significant security benefits from using a third-party service
provider. On the other hand, in the recent news, the Epsilon
was a third-party provider whose job was knowing how to do mass
marketing, and obviously it is not a fail-safe.
    Mr. Stearns. Yes.
    Mr. Vladeck. I just wanted to say that we have encountered
this issue already in our enforcement efforts. And our position
is that U.S. companies, when they are storing data involving
U.S. citizens or U.S. transactions, they are responsible to us
even if the data is stored in a cloud computer offshore. And we
have made that quite clear.
    We haven't tested in the courts. But we are quite confident
that we would be able to assert our authority in those kinds of
instances. I think Mr. Martinez' concerns may be more
complicated than ours.
    Mr. Stearns. Thank you, Madam Chair.
    Mrs. Bono Mack. Thank you, gentleman.
    The chair recognizes Mr. Lance for 5 minutes.
    Mr. Lance. Thank you, Madam Chair. And good morning to the
panel.
    Dr. Spafford, in its letter to the subcommittee, Sony said
that it acted with care and caution. And I am wondering if that
is the case, why wouldn't Sony notify consumers as soon as it
shut down its network?
    Mr. Spafford. Well, sir, I don't have full access to all of
the details of what was required for them to gather the
information as to what happened to determine what individuals
were involved and what law enforcement needs were involved for
them to gather evidence before notifying people.
    Certainly they also were in a state where they had to be
sure that they had closed all of the vulnerabilities before
notifying individuals, I would assume. And so those factors
probably introduced a lag into the notification.
    Mr. Lance. Is there anyone else on the panel who might be
willing to comment on that? I know it is speculative. Is there
anybody else who would be interested in commenting on that?
    And another area. Agent Martinez, in its letter, Sony also
says that it believes it has identified how the breach
occurred. From your perspective and your expertise, why do law
enforcement officials need a window of opportunity, so to
speak, to investigate a data breach before consumers are
notified?
    Mr. Martinez. Sir, I can't speak specifics to the Sony. I
can tell you based on our experience in previous cases, there
could be times where, through an operation that we are actually
conducting an active investigation, we actually are the ones
who find the breach and report it to the company. So in certain
instances, we work with the company, and a lot of States have
enacted the delay in notification for law enforcement purposes,
because what we don't want to have happen is something the
company does could impact the investigation and then possibly
hurt the investigation and not allow us to apprehend the
individual.
    But what we always do is work with these companies. And in
instances where we do need some form of delay in notification,
we try to minimize that as much as possible so the company can
make the notification it needs.
    Mr. Lance. I yield back the balance of my time to you,
Madam Chair.
    Mrs. Bono Mack. I thank the gentleman. I will graciously
take you up on your 2-minute and 30-second offer.
    Mr. Dingell is on his way down here, and I would like to
ask questions until he gets here, so he can participate.
    But I want to say this has been a very insightful hearing.
And each member has brought up I think different complexities
in understanding how they see these problems.
    Ms. Schakowsky, when she specifically brought up the threat
to seniors, I hadn't thought about that. The Sony PlayStation,
we all thought about perhaps a little bit younger generation
and the risks to them. And I want to reiterate, although she is
not here, I will continue to work with her and explore the
senior angle, and with the FTC as well.
    And I want to thank and congratulate the members who have
worked on this legislation previously, and certainly we have
come a long way. In 2005, I don't know many people were talking
about cloud computing, and yet we are today.
    So I think understanding briefly the cloud, the FTC will
have the authority to go out at servers that are based
offshore. But do we also risk over-legislating in sending more
offshore if we are not careful?
    I will go to either Mr. Martinez or Mr. Vladeck.
    Mr. Vladeck. I don't think, frankly, this legislation is
going to affect cloud computing. I think companies are
migrating to the cloud. I think servers are networked to the
point where the physical location of the server is much less
important than the kind of security it provides. And the legal
regimes I think will adapt.
    So we have not gotten pushback from companies that we have
investigated where there was an issue about whether the data
was physically within the United States territory or not.
    In Ceridian, Ceridian is a global company. And we ended up
settling the case in a way that makes it crystal clear that its
accounts for U.S. companies or for other companies that are
employing people in the United States are covered, regardless
of where physically the computer may be, where the server may
be.
    Mrs. Bono Mack. Thank you. Briefly. I just had a great
question.
    Dr. Cassidy, do you have a question immediately for the
panel?
    Mr. Cassidy. I do.
    Mrs. Bono Mack. The chair recognizes Dr. Cassidy for 5
minutes.
    Mr. Cassidy. I don't know quite who asked this. I was in
another committee hearing, so I apologize if somebody has
already answered this.
    Let me start with Mr. Brookman. Mr. Brookman, I am driving
to my in-laws. There is a wreck; pop open my cell phone, and it
tells me the congestion on the freeway. It is pretty
impressive. Then I read an article--to show how broad-minded I
am--on MSNBC's Web site about how this location data is
apparently stored forever. I am sitting there thinking, well,
that is great, I can see where I am at any given time, and if
there is a red zone up ahead and I need to get off on a side
road. On the other hand, why should whomever, Google or Apple,
keep this forever? What thoughts do you have?
    Mr. Brookman. There are definitely wonderful secondary uses
of location data that Google and Apple all use this for. I
think the map example is a great example. There are ways to do
that that are not privacy-invasive. They have to remember that
it is me for a little bit, so they have to see it is my car
stopped on the Beltway, moving 5 miles per hour. But they can
forget that after an hour, and there are things they can do to
not have to remember that it is me, my entire life.
    I think the recent Apple story about storing location
information up to a year resident on your phone, for what seems
to be a marginal performance improvement and to increase
battery life, I think it is a great example of maybe not
thinking through privacy by design. And the concept from the
beginning, this engineer thought, Hey, it would be a great idea
if you had all of the cell towers that are nearby you stored in
the phone, so if--instead of checking back to Apple to say,
Where am I, you can check back to your phone, not really
thinking this is kind of a permanent log of everywhere I have
been in the last year, that I might not want someone like a
hacker or someone to get their hands on.
    I think a lot of companies have taken the idea of location
permission seriously, so I am glad that Android and Google and
Microsoft and RIM phones, they do ask, Hey, is it cool to use
your location right now? I still think they are working through
some of the secondary usage issues because you can create
really detailed logs about people in ways they would not
expect.
    Mr. Cassidy. OK. Now I am insensitive to it, and I am
looking at my phone and I am logging onto a map, and there pops
up that sort of, you know, ``Click here after you have read
16,000 pages of legalese to proceed.'' But this time I actually
read a little bit of it. And this is totally optional, and all
I was doing was giving them permission to store my data. Sure,
it gives them the patina, the fig leaf of being careful about
my data, but in reality it was a trick. I was thinking that
this is, you know--I am not going to, whatever, rip off their
copyright, but indeed it was, no, we can sacrifice your
privacy.
    So what kind of protections? Put it this way. I am just
coming across this because I am driving in Mobile, Alabama. But
I am assuming the people on the Commission have thought about
this. What is the best way to address this?
    Mr. Vladeck. There are two responses. One, for the purposes
of data security, we have already discussed what we think would
be an important amendment to the prior legislation, which is to
talk about geolocation data, the disclosure of geolocation data
as a result of a breach, as a harm that would trigger the
notification requirements. Because if your geolocation data
where you have been for the last 2 years----
    Mr. Cassidy. Which, by the way, I am not defensive of, just
to be sure of that.
    Mr. Vladeck. No implication at all. You ought to be
notified of that.
    Mr. Cassidy. Do we need legislation that says, Thou shalt
not keep this beyond X number of days?
    Mr. Vladeck. The Commission is very concerned about
geolocation data. We are engaged in it--for example, the review
of the Children's Online Privacy Protection Act. And one
question that we have asked is how should we treat geolocation
data? In our privacy report issued in December, we made clear
that we viewed geolocation data as sensitive data that requires
heightened protections.
    Mr. Cassidy. But my specific question is, should we have a
rule or a law that says, Thou shalt not keep this beyond X
number of days?
    Mr. Vladeck. The Commission has not taken a formal position
on that, other than to underscore the sensitivity of that data,
and I can't--
    Mr. Cassidy. What would be an argument against? I was only
aware of it because I stumbled across a Web site I don't
normally read.
    Mr. Vladeck. Part of our concern of course is the notice
and consent in ``scare quotes'' that is extracted in the kind
of situation that you are talking about is not significant, is
not substantial. We are worried about those.
    Mr. Cassidy. So, again, I guess, what is the argument
against that? I am asking anybody.
    Mr. Vladeck. I think there would be two arguments. One is
functionality. The data is being retained really to enhance the
functionality----
    Mr. Cassidy. Although Mr. Brookman suggests that that is a
short-term functionality benefit.
    Mr. Vladeck. That is correct. But I am making the arguments
on the other side. Not my arguments.
    So the argument is, one is functionality. The other is it
helps their analytics. They help to protect the kind of
services----
    Mr. Cassidy. Precisely my point.
    Mr. Vladeck. I am not disagreeing with you. You asked that
I at least rehearse the arguments that you will hear. And those
are the two basic arguments that you will hear.
    Mr. Brookman. I think there are cases where it may be
reasoned. I am always scared about proscribing a law, like you
must delete after a certain period of time. But there are uses
of data where it might be reasonable for it to be tied to me
for a period of time. If I have a traffic program on my
computer and I want my computer to--my phone to remember where
I go, to give me the optimized directions, that could be a
legitimate use of my data. People use these programs like
Foursquare and Loopt, and places to check into places to maybe
overshare, but to create a very permanent log of all of the
places they have been. Some people like that.
    I think I have used a similar TripAdvisor feature that
says, Hey, I have been to this place and that place and I have
checked in through my phone.
    I think it depends on the usage. If you really do want to
create a Hey, this is where I have been, to tell the world, I
don't necessarily want to get in the way of that and tell
people they can't do it.
    Mr. Cassidy. So perhaps the solution is to be a little bit
less tricky in terms of the do we have your permission, and so
it is clear, to record your data for in perpetuity by clicking
here.
    Mr. Brookman. I absolutely agree with that, that you should
be very clear about the usage you are taking their data for.
And before you share it to another person, you should be very
clear in getting permission for that as well, and not just
buried on paragraph 40, the terms of service, but up front in a
clear way. FCC has done some great writing on what it means.
    Mrs. Bono Mack. The chair recognizes Mr. Dingell for 5
minutes.
    Mr. Dingell. I thank you for your courtesy and commend you
for holding this hearing. I particularly appreciate your
keeping the hearing open for me.
    To all witnesses this will be a ``yes'' or ``no'' answer,
starting on your right and on my left.
    First of all, sir, do you believe the current industry
efforts with respect to ensuring data security are sufficient?
Yes or no.
    Mr. Vladeck. I would say no.
    Mr. Martinez. I would say no.
    Mr. Spafford. No.
    Mr. Brookman. No.
    Mr. Dingell. Members of the panel, again to all witnesses,
can such efforts be improved or do you believe that the
Congress should pass comprehensive security legislation? First
question is, can efforts be improved? And the second one is,
should the Congress pass comprehensive security data, data
security legislation?
    Mr. Vladeck. Yes, as to both parts of the question.
    Mr. Dingell. Sir?
    Mr. Martinez. Yes to both.
    Mr. Dingell. Sir?
    Mr. Spafford. Yes to both.
    Mr. Dingell. Sir?
    Mr. Brookman. Yes to both, if legislation is strong enough.
    Mr. Dingell. Gentlemen, you are being very patient. We have
a lot to get across in a very limited amount of time, so your
courtesy is very much appreciated.
    Gentlemen, I understand that the comprehensive data
security requirements do not at this time exist in the United
States. Rather, there exists a patchwork of Federal and State
law and regulations that impose varying requirements on
different people. Should Federal data security requirements
supersede State requirements; yes or no.
    Mr. Vladeck. I can't use a yes or no. Yes, to the extent
they are not as substantial as Federal requirements, they
should be at least the floor.
    Mr. Dingell. Sir?
    Mr. Martinez. Sir, I believe there should be a national
standard for data breach reporting.
    Mr. Dingell. Sir?
    Mr. Spafford. Without knowing what the standards are, I
can't answer.
    Mr. Dingell. Sir?
    Mr. Brookman. If they are strong enough to allow for State
innovation, yes.
    Mr. Dingell. Would I be fair in assuming, however, that the
panel thinks that we need a lot of work to assure that we
achieve the standards needed of a national character? Am I
correct on that, sir?
    Mr. Vladeck. Yes, sir.
    Mr. Dingell. Sir?
    Mr. Martinez. Sir, I think there has been a lot of work for
several years on multiple different types of data breach on
legislation introduced in all different types of committees,
and I believe the administration is real close to presenting to
Congress a package that was worked on by multiple executive
agencies.
    Mr. Dingell. Thank you. I believe I have given you a little
more friendly question this time, sir.
    Mr. Spafford. Yes.
    Mr. Dingell. Sir?
    Mr. Brookman. Yes.
    Mr. Dingell. Gentlemen, this is always a question we run
into. Further, in the light of Federal fiscal constraints,
should State attorneys general be allowed to enforce Federal
data security requirements; yes or no?
    Mr. Vladeck. Yes.
    Mr. Martinez. Can you repeat the question?
    Mr. Dingell. Should Federal fiscal restraints be able to be
enforced by State attorneys general?
    Mr. Martinez. I am not sure about if I am qualified to
answer that.
    Mr. Dingell. I will not press you on it.
    Sir?
    Mr. Spafford. I am not sure if I am qualified to answer
that, but I think so.
    Mr. Dingell. Sir?
    Mr. Brookman. Absolutely.
    Mr. Dingell. All again, gentlemen, do you believe that the
Federal data security legislation should include the
flexibility for the Federal Trade Commission to update
requirements in order to keep pace with the advancements in
threats to data security; yes or no?
    Mr. Vladeck. Yes.
    Mr. Dingell. Sir?
    Mr. Martinez. Yes.
    Mr. Dingell. Sir?
    Mr. Spafford. Yes.
    Mr. Dingell. Sir?
    Mr. Brookman. Yes.
    Mr. Dingell. This one to Mr. Vladeck. Do you believe the
FTC's Magnuson-Moss rulemaking procedures would stifle the
Commission's ability to write rules that keep pace with
technical advancements in threats to data security; yes or no?
    Mr. Vladeck. Yes.
    Mr. Dingell. Again, Mr. Vladeck, do you want to give a
comment? Do you believe that the FTC should be allowed to write
data security regulations according to the Administrative
Procedure Act? You will understand that there is quite a
difference between the two standards for rule writing.
    Mr. Vladeck. Yes, I do. And yes, to the extent we are given
rulemaking authority, we would ask strongly that it be
conferred under the Administrative Procedure Act.
    Mr. Dingell. Thank you. To all witnesses, does the Federal
Trade Commission currently have the resources with which to
implement and enforce comprehensive data security requirements;
yes or no?
    Mr. Vladeck, if you please.
    Mr. Vladeck. We always need more resources.
    Mr. Dingell. If you please, sir.
    Mr. Martinez. I would defer to the FTC regarding the
resources.
    Mr. Dingell. A wise move.
    Mr. Spafford. I do not, no.
    Mr. Dingell. If you please, sir.
    Mr. Brookman. They could do it, but they could use more.
    Mr. Dingell. To all witnesses who have demonstrated
extraordinary patience here, if you felt no, in that case what
additional authorization would the FTC require to enforce such
data security requirements? It would be perfectly appropriate
if you were to submit this for the record at a future and
comfortable time.
    Mr. Vladeck. We currently have a relatively small staff
working on privacy issues relative to other agencies, but it is
an important part of our mission, and we are a small agency
which would benefit greatly from having enhanced resources in
this area.
    Mr. Dingell. Mr. Martinez?
    Mr. Martinez. Again, I would defer to the FTC.
    Mr. Dingell. Doctor?
    Mr. Spafford. I would defer to the FTC.
    Mr. Dingell. And the last witness?
    Mr. Brookman. Larger staff and penalty authority and
definitely APA rulemaking would be tempered.
    Mr. Dingell. Gentlemen, you have been most patient. Madam
Chairman, you have given me a minute and 34 seconds more than I
am entitled to.
    Mrs. Bono Mack. I thank the gentleman, and I am quite
impressed with his ability to pack a wallop in 5 minutes with
so many yeses and noes.
    I ask unanimous consent to include the Sony and Epsilon
correspondence in the record of this hearing. Without
objection, so ordered.
    [The information follows:]

<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>

    Mrs. Bono Mack. And I just want to sum up by saying that
prior to 2005, we didn't spend a whole lot of time as a Nation
talking about the dangers of data breaches. Things have sure
changed in a hurry. We have gone from a stolen laptop
containing 260,000 customers' records to a sophisticated
criminal cyber attack on a worldwide network containing more
than 100 million customer records. And this begs the important
question, if we don't do something soon, what is next and where
does it end?
    So I would like to remind members that they have 10
business days to submit questions for the record and ask the
witnesses to please respond promptly to any questions they
receive.
    Mrs. Bono Mack. Again, I thank our witnesses very much for
your help today. And the hearing is now adjourned.
    [Whereupon, at 11:30 a.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>

</pre></body></html>