[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]



DISCUSSION DRAFT OF H.R. ___, A BILL TO REQUIRE GREATER PROTECTION FOR 
   SENSITIVE CONSUMER DATA AND TIMELY NOTIFICATION IN CASE OF BREACH

=======================================================================

                                HEARING

                               BEFORE THE

           SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 15, 2011

                               __________

                           Serial No. 112-62








      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov


                                _____

                  U.S. GOVERNMENT PRINTING OFFICE
71-568 PDF                WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001







                    COMMITTEE ON ENERGY AND COMMERCE

       FRED UPTON, Michigan
              Chairman
JOE BARTON, Texas                    HENRY A. WAXMAN, California
  Chairman Emeritus                    Ranking Member
CLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky               EDWARD J. MARKEY, Massachusetts
JOHN SHIMKUS, Illinois               EDOLPHUS TOWNS, New York
JOSEPH R. PITTS, Pennsylvania        FRANK PALLONE, Jr., New Jersey
MARY BONO MACK, California           BOBBY L. RUSH, Illinois
GREG WALDEN, Oregon                  ANNA G. ESHOO, California
LEE TERRY, Nebraska                  ELIOT L. ENGEL, New York
MIKE ROGERS, Michigan                GENE GREEN, Texas
SUE WILKINS MYRICK, North Carolina   DIANA DeGETTE, Colorado
  Vice Chairman                      LOIS CAPPS, California
JOHN SULLIVAN, Oklahoma              MICHAEL F. DOYLE, Pennsylvania
TIM MURPHY, Pennsylvania             JANICE D. SCHAKOWSKY, Illinois
MICHAEL C. BURGESS, Texas            CHARLES A. GONZALEZ, Texas
MARSHA BLACKBURN, Tennessee          JAY INSLEE, Washington
BRIAN P. BILBRAY, California         TAMMY BALDWIN, Wisconsin
CHARLES F. BASS, New Hampshire       MIKE ROSS, Arkansas
PHIL GINGREY, Georgia                ANTHONY D. WEINER, New York
STEVE SCALISE, Louisiana             JIM MATHESON, Utah
ROBERT E. LATTA, Ohio                G.K. BUTTERFIELD, North Carolina
CATHY McMORRIS RODGERS, Washington   JOHN BARROW, Georgia
GREGG HARPER, Mississippi            DORIS O. MATSUI, California
LEONARD LANCE, New Jersey            DONNA M. CHRISTENSEN, Virgin 
BILL CASSIDY, Louisiana                  Islands
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia         

                                  (ii)
           Subcommittee on Commerce, Manufacturing, and Trade

                       MARY BONO MACK, California
                                 Chairman
MARSHA BLACKBURN, Tennessee          G.K. BUTTERFIELD, North Carolina
  Vice Chair                           Ranking Member
CLIFF STEARNS, Florida               CHARLES A. GONZALEZ, Texas
CHARLES F. BASS, New Hampshire       JIM MATHESON, Utah
GREGG HARPER, Mississippi            JOHN D. DINGELL, Michigan
LEONARD LANCE, New Jersey            EDOLPHUS TOWNS, New York
BILL CASSIDY, Louisiana              BOBBY L. RUSH, Illinois
BRETT GUTHRIE, Kentucky              JANICE D. SCHAKOWSKY, Illinois
PETE OLSON, Texas                    MIKE ROSS, Arkansas
DAVE B. McKINLEY, West Virginia      HENRY A. WAXMAN, California, ex 
MIKE POMPEO, Kansas                      officio
ADAM KINZINGER, Illinois
JOE BARTON, Texas
FRED UPTON, Michigan, ex officio







  
                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Mary Bono Mack, a Representative in Congress from the State 
  of California, opening statement...............................    33
    Prepared statement...........................................    34
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, opening statement...............................    35
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement..................................    37
Hon. G.K. Butterfield, a Representative in Congress from the 
  State of North Carolina, opening statement.....................    38
Hon. Edolphus Towns, a Representative in Congress from the State 
  of New York, prepared statement................................   132

                               Witnesses

Edith Ramirez, Commissioner, Federal Trade Commission............    39
    Prepared statement...........................................    42
    Answers to submitted questions...............................   134
Jason D. Goldman, Counsel, Telecommunications & E-Commerce, U.S. 
  Chamber of Commerce............................................    78
    Prepared statement...........................................    81
Robert W. Holleyman, II, President and CEO, Business Software 
  Alliance.......................................................    89
    Prepared statement...........................................    91
Stuart K. Pratt, President and CEO, Consumer Data Industry 
  Association....................................................    99
    Prepared statement...........................................   101
Marc Rotenberg, Executive Director, Electronic Privacy 
  Information Center.............................................   109
    Prepared statement...........................................   111

                           Submitted Material

Discussion draft.................................................     2

 
 DISCUSSION DRAFT OF H.R. ------, A BILL TO REQUIRE GREATER PROTECTION 
 FOR SENSITIVE CONSUMER DATA AND TIMELY NOTIFICATION IN CASE OF BREACH

                              ----------                              


                        WEDNESDAY, JUNE 15, 2011

                  House of Representatives,
Subcommittee on Commerce, Manufacturing, and Trade,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:30 a.m., in 
room 2322, Rayburn House Office Building, Hon. Mary Bono Mack 
(chairwoman of the subcommittee) presiding.
    Present: Representatives Bono Mack, Blackburn, Stearns, 
Bass, Harper, Lance, Cassidy, Guthrie, Olson, Pompeo, 
Kinzinger, Butterfield, Gonzalez, Dingell, Towns, Rush, 
Schakowsky, and Waxman (ex officio).
    Staff Present: Allison Busbee, Legislative Clerk; Paul 
Cancienne, Policy Coordinator, CMT; Brian McCullough, Sr. 
Professional Staff Member, CMT; Gib Mullan, Chief Counsel, CMT; 
Shannon Weinberg, Counsel, CMT; Michelle Ash, Democratic Chief 
Counsel; Felipe Mendoza, Democratic Counsel; and Will Wallace, 
Democratic Policy Analyst.
    Mrs. Bono Mack. Good morning. The subcommittee will now 
come to order. Today hackers and online thieves are giving more 
meaning to the phrase silent crime. It is my hope that we will 
join together, raise our voices and, like after Peter Finch in 
the movie ``Network,'' shout out the window, we are mad as 
hell, and we are not going to take this anymore. Americans 
deserve nothing less.
    [The discussion draft follows:]



 OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mrs. Bono Mack. The chair now recognizes herself for an 
opening statement. Sophisticated cyber attacks are increasingly 
becoming the greatest threat to the future of electronic 
commerce here in the U.S. and around the world. That is why 
Congress must take immediate steps to better protect the 
personal online information of American consumers. It is time 
for us to declare war on identity theft and online fraud.
    The Secure and Fortify Electronic Data Act, which 
established uniform national standards for data security and 
data breach notification, is our opening shot. The SAFE Data 
Act builds on legislation passed by the House in 2009 but never 
acted upon in the Senate. Most importantly, it reflects the 
changing landscape of data breaches and data security since 
that time.
    It is an upgraded 2.0 version of data security legislation, 
encompassing many of the lessons learned in the aftermath of 
massive data breaches at Sony and Epsilon, which put more than 
100 million consumer accounts at risk, and those are just the 
ones that we know about.
    As subcommittee chairman, protection from identity theft 
and online fraud is one of my top priorities. Just last week 
Citigroup, which has the world's largest financial services 
network, revealed a security breach in which hackers obtained 
personal information from hundreds of thousands of accounts. 
According to law enforcement officials, the hackers were able 
to gain access to customer names, account numbers and contact 
information, such as e-mail addresses.
    Yesterday we learned that an external Web site operated by 
the Oak Ridge Nuclear Weapons Plant was victimized by a cyber 
attack, and earlier this week, the same group which claimed 
responsibility for attacks on Foxx, PBS and Sony also hacked 
the Senate's public Web site.
    In recent years carefully orchestrated cyber attacks 
intended to obtain personal information about consumers, 
especially when it comes to their credit cards, have become one 
of the fastest growing criminal enterprises here in the United 
States and across the world. The FTC estimates that nearly 9 
million Americans fall victim to identity theft every year, 
costing consumers and businesses billions of dollars annually.
    And the problem is only getting worse as these online 
attacks increase in frequency, sophistication and boldness. As 
I have emphasized throughout our previous hearings e-commerce 
is a vital and growing part of our economy. We should take 
steps to embrace and protect it, and that starts with robust 
cybersecurity.
    Most importantly, consumers have a right to know when their 
personal information has been compromised, and companies and 
organizations have an overriding responsibility to promptly 
alert them.
    To that end, the SAFE Data Act first requires companies and 
other entities that hold personal information to establish and 
maintain appropriate security policies to prevent unauthorized 
acquisition of the data.
    It also requires notification of law enforcement within 48 
hours after discovery of a breach, unless it was an accident or 
inadvertent and unlikely to result in harm.
    It requires companies and other entities to begin notifying 
consumers 48 hours after taking steps to prevent further 
breaches and determining who has to be notified.
    The SAFE Data Act also gives the FTC authority over 
nonprofits for purposes of this act only. These organizations 
often possess a tremendous amount of consumer information, and 
they have been subjected to numerous breaches in the past.
    At the same time, we want to work with those affected, as 
well as with the FTC, to make sure any new regulations are not 
burdensome for small businesses, especially during these 
difficult economic times.
    In addition, we are granting the FTC authority to write 
rules that take into account the size and the nature of the 
data that is being held online. Clearly, there are obvious 
differences between information brokers and local retail 
businesses, and the rules should reflect those differences.
    The proposed legislation also requires all covered 
businesses to establish a data minimization plan providing for 
the elimination of consumers' personal data that is no longer 
necessary for business purposes or for other legal obligations.
    And finally, the SAFE Data Act preempts similar State laws 
to create uniform national standards for data security and data 
breach notification. We learned during our recent hearings that 
consumer notification is often hampered by the fact that 
companies must first determine their obligations under 47 
different State regimes.
    At the end of the day I, believe this legislation will 
greatly benefit consumers, businesses and the U.S. economy. 
Given the growing importance of e-commerce in nearly 
everything, we do we can no longer afford to sit back and do 
nothing. The time for action is now.
    And at this point, the gentleman from--OK. And inform 
people that we do have an overflow room in 2123 for those 
standing who prefer to be sitting; again 2123 is the overflow 
room.
    So, at this point, I would like to recognize the gentleman 
from California, Mr. Waxman, for his opening statement.
    [The prepared statement of Mrs. Bono Mack follows:]

               Prepared Statement of Hon. Mary Bono Mack

    Sophisticated cyber attacks are increasingly becoming the 
greatest threat to the future of electronic commerce here in 
the United States and around the world, and that's why Congress 
must take immediate steps to better protect the personal online 
information of American consumers. It's time for us to declare 
war on identity theft and online fraud.
    The Secure and Fortify Data Act--which establishes uniform 
national standards for data security and data breach 
notification--is our opening shot.
    The SAFE Data Act builds on legislation passed by the House 
in 2009 but never acted upon in the Senate. Most importantly, 
it reflects the changing landscape of data breaches and data 
security since that time.
    It's an upgraded, 2.0 version of data security legislation, 
encompassing many of the lessons learned in the aftermath of 
massive data breaches at Sony and Epsilon, which put more than 
100 million consumer accounts at risk--and those are just the 
ones we know about.
    As Subcommittee Chairman, protection from identity theft 
and online fraud is one of my top priorities. Just last week, 
Citigroup--which has the world's largest financial services 
network--revealed a security breach in which hackers obtained 
personal information from hundreds of thousands of accounts.
    According to law enforcement officials, the hackers were 
able to gain access to customer names, account numbers and 
contact information such as e-mail addresses.
    Yesterday, we learned that an external Web site operated by 
the Oak Ridge Nuclear Weapons Plant was victimized by a cyber 
attack, and earlier this week--the same group which claimed 
responsibility for attacks on Fox, PBS and Sony--also hacked 
the Senate's public Web site.
    In recent years, carefully orchestrated cyber attacks--
intended to obtain personal information about consumers, 
especially when it comes to their credit cards--have become one 
of the fastest growing criminal enterprises here in the United 
States and across the world.
    The Federal Trade Commission estimates that nearly nine 
million Americans fall victim to identity theft every year, 
costing consumers and businesses billions of dollars annually. 
And the problem is only getting worse as these online attacks 
increase in frequency, sophistication and boldness.
    As I have emphasized throughout our previous hearings, E-
commerce is a vital and growing part of our economy. We should 
take steps to embrace and protect it--and that starts with 
robust cyber security.
    Most importantly, consumers have a right to know when their 
personal information has been compromised, and companies and 
organizations have an overriding responsibility to promptly 
alert them. To that end, the SAFE Data Act:
    Requires companies and other entities that hold personal 
information to establish and maintain appropriate security 
policies to prevent unauthorized acquisition of that data;
    Requires the notification of law enforcement within 48 
hours after discovery of a breach, unless that breach was an 
innocent or inadvertent breach unlikely to result in harm;
    And it requires companies and other entities to begin 
notifying consumers 48 hours after taking steps to prevent 
further breach and determining who has to be notified.
    The SAFE Data Act also gives the Federal Trade Commission 
authority over non-profits for purposes of this act only. These 
organizations often posses a tremendous amount of consumer 
information, and they have been subjected to numerous breaches 
in the past. At the same time, we want to work with those 
affected, as well as the FTC, to make sure any new regulations 
are not burdensome for small businesses--especially during 
these difficult economic times.
    In addition, we are granting the FTC authority to write 
rules that take into account the size and nature of the data 
that is being held online. Clearly, there are obvious 
differences between information brokers and local retail 
businesses--and the rules should reflect those differences.
    The proposed legislation also requires all covered 
businesses to establish a data minimization plan providing for 
the elimination of consumers' personal data that is no longer 
necessary for business purposes or for other legal obligations.
    And, finally, the SAFE Data Act preempts similar state laws 
to create uniform national standards for data security and data 
breach notification. We learned during our recent hearings that 
consumer notification is often hampered by the fact that 
companies must first determine their obligations under 47 
different state regimes.
    At the end of the day, I believe this legislation will 
greatly benefit consumers, businesses and the U.S. economy. 
Given the growing importance of e-commerce in nearly everything 
we do, we can no longer afford to sit back and do nothing. The 
time for action is now.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Waxman. Thank you, Madam Chairman.
    I have said this at our previous hearing, and I want to 
repeat it today: Data security is not a partisan issue; it is 
something all of us should care about.
    Last year, there were over 597 data breaches that affected 
over 12.3 million records. Last Congress, this committee worked 
together to pass with bipartisan support a data security bill 
introduced by Representative Rush. Our bill passed the House in 
December of 2009, but the Senate never took it up, so it was 
not completed.
    The bill we are considering today is based on our 
bipartisan House bill from the last Congress. It contains 
important provisions that require companies to secure 
consumers' personal data and notify them in the case of 
breaches.
    And I commend Chairman Bono Mack for using last year's 
bipartisan bill as a starting point. There are new provisions 
in the chair's draft that strengthen last Congress' bill. For 
example, the draft contains a potentially valuable new 
provision requiring companies to have plans to minimize 
personal data they retain on individuals.
    Unfortunately, there are some changes in the bill that I 
fear weaken the bill rather than strengthen it. And this is a 
mistake and one I hope we can fix as we consider this 
legislation.
    Let me raise some of the concerns I have: Under this 
legislation before us, Sony still would not have to notify its 
customers about its recent security breach. It did not restore 
the integrity of the data system for at least 43 days after 
Sony discovered the breach, and it still has not fully assessed 
the nature and scope of its breach. Notice is not required to 
the FTC and consumers under the draft until those steps have 
been completed.
    Well, that is far too long. It does little good to notify 
consumers after their identities have already been stolen and 
make them wait such a long period of time.
    This bill deletes key provisions on information brokers, 
which are companies that aggregate personal data about 
individuals and make a profit selling that personal 
information.
    It adds unnecessary burdens to the Federal Trade 
Commission's rulemaking process, making it more difficult for 
new pieces of data to be deemed, quote, personal.
    And there is significant ambiguity regarding the scope of 
personal information that a company is required to protect. 
Under this legislation companies, including an aggregator of 
data, are exempted from the requirements to safeguard personal 
information any time that same data can be found in various 
local county government buildings.
    Furthermore, this draft creates an uneven playing field 
with potentially stronger data security and breach notification 
requirements for retailers than for nonbank financial 
institutions. There is no reason why financial institutions 
should be subject to smaller penalties for violations than 
retailers.
    So I look at it as not a balanced bill overall. It gives 
businesses too many protections and consumers not enough. It 
preempts strong State laws and replaces them with a weak 
Federal one.
    I hope these deficiencies in the bill can be fixed, and I 
want to work with the chair and other members of this committee 
to pass as effective a bill as possible, and I am looking 
forward to the promised stakeholder process. Today's hearing 
will give us a chance to get further information about what a 
bill should and should not have in its details.
    We have a chance to pass meaningful legislation that 
actually could make a positive effect on everyone, and we 
shouldn't pass up this opportunity.
    I look forward to working with you, Madam Chair.
    Mrs. Bono Mack. I thank the gentleman.
    And the chair now recognizes Mr. Stearns for 2 minutes.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Stearns. Thank you, Madam Chairman.
    And thank you very much for calling this hearing. 
Obviously, as pointed out by yourself and the ranking member, 
Mr. Waxman, this is very important that we try to get a 
bipartisan support for this.
    When I was chairman of this subcommittee, I introduced the 
Data Act in 2005, 6 years ago, established to protect 
unauthorized access to consumer data. This bill was co-
sponsored by both sides when we marked it up, it was reported 
out of the full committee by unanimous consent.
    Now, obviously, I would have preferred that we started with 
my bill, which is, I think, a bipartisan support product of a 
broad understanding of the security issues back in 2005. Now we 
are working with possibly a slightly different focused bill, 
which could be good, that addresses the recent breaches that 
occurred both in Sony and Epsilon. I think we have to be 
concerned that we not overreact based upon those two cases.
    In both 2006 and 2009, there was bipartisan support for the 
Data Act that I had. Now we debate the SAFE Data Act, a bill 
that I am concerned has some very good points but also perhaps 
might be go too far in some other areas.
    Obviously, I will work with the subcommittee, the chair 
lady, to improve the bill so it can pass with bipartisan 
support, like we have done in the past, so that the committee 
and the full House have an opportunity to vote on this. And so 
I look forward to the debate, and I look forward to our 
witnesses.
    Thank you, Madam Chair.
    Mrs. Bono Mack. I thank the gentleman.
    The chair recognizes Mr. Olson for 1 minute.
    Mr. Olson. I thank the chair for her tenacious leadership 
in bringing forth this draft bill.
    I think there is strong agreement that we need to move 
forward with Federal data security legislation. Support for 
Federal legislation has been bipartisan. My colleague from 
Florida, Mr. Stearns, put forth a data security bill in the 
109th Congress, which Mr. Rush introduced in the 110th and 
111th Congresses.
    And now our chairwoman, Mrs. Bono Mack has put forth a bill 
in the 112th Congress.
    I appreciate all of the efforts to help move us forward on 
this important issue, and I hope we can arrive at a truly 
bipartisan balanced bill that protects consumers without 
putting unnecessary burdens on companies or hindering important 
uses of data.
    I look forward to continuing our discussion today and hope 
to be able to flesh out some issues that have been raised in 
testimony. I thank the chair and yield back my time.
    Mrs. Bono Mack. I thank the gentleman.
    And the chair recognizes Mr. Butterfield, the ranking 
member of the subcommittee, for 5 minutes.

OPENING STATEMENT OF HON. G.K. BUTTERFIELD, A REPRESENTATIVE IN 
           CONGRESS FROM THE STATE OF NORTH CAROLINA

    Mr. Butterfield. I thank the chairman and apologize for 
being late.
    The only thing I can say is don't try to go to Union 
Station at 10:00 on a Wednesday morning.
    Madam Chairman, thank you for holding today's hearing on 
the Secure and Fortify Electronic Data Act. This bill includes 
some of the same provisions that we saw in H.R. 2221, which 
passed the House in the 111th Congress.
    However, this draft also removes key consumer protection 
provisions that weaken the bill and make it less effective.
    Americans' embrace of technology have served as the impetus 
for rapid growth of online businesses and services. I can buy a 
car without ever seeing it in person. I can pay my bills from 
one Web site, and I do it monthly. And I can even have all my 
data reside in a cloud, so it is accessible from absolutely 
anywhere.
    In order for e-commerce to work, there must be data 
exchange between customer and businesses, including names, 
addresses, Social Security numbers, dates of birth and so on. 
The ability to conduct business in an online space is an 
amazing convenience. No one I know could do without it.
    But the failure of some of these businesses to protect 
their own network infrastructure and the information demanded 
of their customers has led to opening--to an opening for small 
but not insignificant group of criminals to exploit and profit 
from the data these companies hold. And even those with strong 
security systems in place must be vigilant and adaptable to new 
threats.
    During the 109th Congress and subsequent Congresses, 
members of this committee worked in a bipartisan fashion to 
develop the Data Accountability and Trust Act to address the 
issue of data security. In the last Congress, my friend and 
former chairman of the committee, subcommittee, Mr. Rush, 
introduced the data bill, which ultimately passed the House, 
but the Senate failed to act. That bill included special 
requirements for information brokers, including requiring 
brokers to submit security policies to the FTC and requiring an 
annual audit of broker security practices, among other things.
    Striking those key provisions from the bill significantly 
weakens the consumer protections it is supposed to provide. 
Further, the draft bill defines personal information to exclude 
information that is publicly available. In doing so, the bill 
gives the green light to data aggregators to continue with 
business as usual without being required to have any safeguards 
in place to protect the data.
    Madam Chairman, with over 2,500 data breaches having 
occurred since 2005, it is clear that the serious work of 
protecting consumers' data is something that has taken a back 
seat in Congress for too long. A Federal standard is important. 
I will say that again: A Federal standard is important, and the 
SAFE Data Act is a start. I am sorry we are not starting with 
the text that passed the House in the last Congress.
    Over the next few weeks, Madam Chairman, I hope you will 
work with me and my staff to strengthen this draft bill. 
Together we can ensure consumer protections while allowing 
businesses the flexibility to adapt their policies and 
procedures in today's rapidly evolving information age.
    So thank you for having this hearing. I thank the 
commissioner for her presence today. And I think I might 
reserve my time. I am told that the gentlelady from Illinois is 
coming. She is not here. I yield back.
    Mrs. Bono Mack. I thank the gentleman.
    I just want to remind and reinforce to the entire panel 
that we intend fully on having a bipartisan product to the best 
of our ability and that will be our goal.
    So now I would like to turn our focus to the witness table. 
We have two panels today. On the first panel, we are honored to 
have the Honorable Edith Ramirez, Commissioner at the FTC.
    Thank you very much for being here today. You will be 
recognized for 5 minutes to summarize your statement. And just 
to--I am sure you are familiar with the time clock, it is 
yellow, green, red, kind of concept. When the light turns 
yellow, that means you have 1 minute to start your close.
    So, at this point, we are happy to recognize you for your 
5-minute statement.
    Ms. Ramirez. Good morning.
    Mrs. Bono Mack. And, please, remember to turn your 
microphone on.

    STATEMENT OF EDITH RAMIREZ, COMMISSIONER, FEDERAL TRADE 
                           COMMISSION

    Ms. Ramirez. Good morning.
    Chairman Bono Mack, Ranking Members Butterfield and Waxman, 
and members of the subcommittee, I am Edith Ramirez, a 
Commissioner of the Federal Trade Commission. I appreciate the 
opportunity to present the commission's testimony on data 
security.
    I want to thank you, Chairman Bono Mack, and the committee 
for your leadership on this important issue.
    Before I continue I would like to note that my written 
testimony represents the views of the Federal Trade Commission, 
but my oral remarks and responses to questions are my own and 
may not reflect the views of the commission as a whole or of 
other commissioners.
    As the Nation's consumer protection agency, the FTC is 
committed to protecting consumer privacy and promoting data 
security in the private sector. If companies do not protect the 
personal information they collect and store, information could 
fall into the wrong hands, resulting in fraud and other harm 
and consumers could lose confidence in the marketplace.
    Although data security has recently been in the news, this 
is not a new priority for the FTC. To the contrary, for a 
decade, the FTC has undertaken substantial efforts to promote 
data security in the private sector through law enforcement, 
education, policy initiatives, and recommendations to Congress 
to enact legislation in this area.
    Since 2001, the FTC has brought 34 cases charging that 
businesses failed to appropriately protect consumers' personal 
information. This includes a final settlement the commission is 
announcing today against Ceridian Corporation, a large payroll 
processor. Ceridian's clients upload their employee sensitive 
information, including Social Security numbers and bank account 
numbers, which are stored on Ceridian's network. The FTC's 
complaint charged that Ceridian didn't maintain reasonable 
safeguards to protect this employee information. As a result, a 
hacker was able to gain access to it.
    The FTC's order requires Ceridian to implement a 
comprehensive data security program and obtain independent 
audits for 20 years.
    The commission also promotes better data security through 
consumer and business education. For example, on the consumer 
education front, we sponsor OnGuard Online, a Web site to 
educate consumers about basic computer security. Since its 
launch in 2005, there have been over 14 million unique visits 
to OnGuard Online and its Spanish language counterpart, Alerta 
en Linea.
    We also conduct outreach to businesses, especially small 
businesses, to provide practical advice about data security. 
The commission also engages in policy initiatives to promote 
data security.
    Last December, FTC staff issued a preliminary report 
proposing a new framework to improve consumer privacy and data 
protection. Among other things, the report advocates privacy by 
design, which includes several principles essential to data 
security. First, companies, no matter what their size, should 
employ reasonable, physical, technical and administrative 
safeguards to protect information about consumers. Second, 
companies should collect only that consumer information for 
which they have a legitimate business need. Third, businesses 
should retain data only as long as necessary to fulfill the 
business purpose for which it was collected and should promptly 
and securely dispose of data they no longer need.
    As to legislation, the commission generally supports 
Federal legislation, similar to your draft proposal, that would 
impose data security standards on companies and require 
companies in appropriate circumstances to notify consumers when 
there is a security breach. Reasonable security practices are 
critical to preventing data breaches, and if a breach occurs, 
prompt notification to consumers in appropriate circumstances 
can mitigate harm such as ID theft. For instance, in the case 
of a breach of Social Security numbers, notified consumers can 
request that fraud alerts be placed in their credit files, 
obtain copies of their credit reports and scrutinize their 
monthly account statements.
    The commission is pleased that your draft legislation 
includes civil penalty authority to deter violations, APA 
authority for rulemaking and jurisdiction over nonprofit 
entities for data security purposes. I would also like to note 
that both your draft legislation and the commission staff's 
recent privacy report underscore the importance of data 
minimization to sound data security practices.
    The FTC looks forward to working with this committee as it 
moves forward on the SAFE Data Act. Thank you, again, for 
inviting me to be here and for your leadership on these 
important issues, and I am pleased to answer any of your 
questions.
    [The prepared statement of Ms. Ramirez follows:]



    Mrs. Bono Mack. Thank you very much.
    The chair now recognizes herself for 5 minutes for 
questioning. The first question I have, you state the 
commission's support for prompt notice to consumers. I think it 
is the crux of what we are all about here. What do you consider 
prompt, and do you think the consumer notification requirement 
in the legislation is quick enough?
    Ms. Ramirez. I believe that notification needs to be 
provided as soon as practicable. I do have some concerns about 
the provision relating to notification in the draft bill. And 
let me highlight the two key concerns. My first concern is that 
the bill requires that there be a risk assessment performed, 
and then, at the conclusion of that risk assessment, a company 
is then obligated to provide notification to consumers and to 
the FTC 48 hours, within 48 hours following that.
    My concern is that the requirement, that there is no 
deadline on which to complete a risk assessment, and therefore, 
that could take an indefinite amount of time. Without there 
being some type of limit that is placed on that, I think it 
places consumers at significant risk.
    Another concern that we have is that there is also no time 
limit that is placed in connection with law enforcement, that 
it could also be an open-ended deadline that could delay prompt 
notification to consumers. And again, there ought to be some 
form of a cut-off period to ensure that consumers received 
appropriate notification within an appropriate amount of time 
so that they can take steps to mitigate any harm that may 
result from a data breach.
    I would also like to emphasize that providing prompt notice 
to the FTC is also very critical, and in our view, notice to 
the FTC should be provided at the same time that it is provided 
to other law enforcement agencies.
    Mrs. Bono Mack. Thank you.
    And the FTC has experience under Gramm-Leach-Bliley with 
the implementation of the safeguards rule for financial 
institutions under its jurisdiction. The FTC also provided 
comprehensive guidance for entities to understand how they can 
comply with the rule. Do those guidelines provide a sufficient 
indication of the rules for data security the FTC would write 
under Section 2 of this legislation?
    Ms. Ramirez. I think they do provide good guidance to 
companies. In addition to the to particular enforcement matters 
and consent orders that the commission makes public, the 
commission provision many, many different resources online to 
companies so that they can take appropriate measures to 
adequately protect consumer information.
    Mrs. Bono Mack. So, under Section 2 security requirements 
of the draft legislation, does the FTC have the latitude to 
write rules that take into account the different types of 
entities, their level of sophistication and the amount of type 
of information they hold?
    Ms. Ramirez. It does. And we appreciate that authority 
being provided to the FTC to promulgate rules detailing those.
    Mrs. Bono Mack. Do you envision writing different rules or 
different guidance to address the concerns that a one-size-
fits-all approach is not appropriate?
    Ms. Ramirez. During the rulemaking process, we would be 
seeking input from stakeholders and fashioning rules that, in 
light of the input that we received, that we believe would be 
appropriate to protect consumer information.
    Mrs. Bono Mack. So do you see different standards, then, 
for information brokers and small nonprofits, for example?
    Ms. Ramirez. We believe that companies, no matter what the 
size, need to provide solid and good data security measures. At 
the same time, the standards that the FTC employees in its 
enforcement work is a reasonableness standard, so we do take 
into account the size of a company, the nature of the 
information that has been placed at risk and other factors that 
may weigh in on that calculus.
    Mrs. Bono Mack. Since we first started this process 6 years 
ago, 46 State laws have emerged. Nearly every one of them, 
including California, have exemptions from the definition of 
personal information for information made publicly available by 
the government and, in some cases, information made public by 
the media.
    The exemption included in this draft is confined to 
information made publicly available by the government.
    Have you seen any problems of unlawful activity associated 
with the publicly available information?
    Ms. Ramirez. Yes. We do have concerns about there being an 
exemption for public, for all public information. The 
difficulty is that these days there are data brokers that 
collect information that in the past, one would have to go to 
very significant measures to collect. You would have to go--you 
could go to the courthouse; you could collect information 
through other means. But data aggregators then aggregate this 
information and when the information, which may very well be 
public, is then collected, gathered and aggregated, it can then 
pose very unique privacy challenges. So we do have concerns 
about there not being a mechanism to address those issues 
relating to data brokers.
    Mrs. Bono Mack. You said privacy challenges. Do you mean 
security challenges?
    Ms. Ramirez. Security challenges.
    Mrs. Bono Mack. Thank you. All right.
    I yield back the 5 seconds of my time.
    And the chair recognizes Mr. Butterfield for 5 minutes.
    Mr. Butterfield. Thank you very much.
    Thank you, Commissioner. The Republican discussion draft 
makes a change from H.R. 2221 to the definition of personal 
information. That seems like a simple and minor change, but it 
actually is not. It excludes public record information from the 
definition of personal information.
    Given that technology has made access to an aggregation of 
numerous of types of records very cheap and easy the 
consequences of this change are quite significant. Before it 
became cheap and easy to store vast amounts of this information 
in one place, no one thought about going out and collecting 
these records. To see these records, you had to, as you said a 
moment ago, go from town hall to town hall or courthouse to 
courthouse and look at them one at a time. But now, millions 
and millions of records regarding millions of our constituents 
are being kept on servers usually belonging to information 
brokers.
    If you are a criminal wanting to do harm to lots of people 
in one swoop, the Republican discussion draft will be an 
advantage to you. This collection and aggregation in one place 
has changed the value of this information and its 
susceptibility to criminal misuse, and it concerns me that this 
draft bill leaves this information unprotected.
    Because of the change to the definition of personal 
information to exclude public record information, there is no 
longer an obligation to provide any protection at all for this 
information.
    Have I said it correctly, Commissioner, or have I 
misspoken?
    Ms. Ramirez. We agree with that concern yes.
    Mr. Butterfield. Do you believe that just because that 
information could have been collected elsewhere, a covered 
person should be relieved of the obligation to protect its 
information when they collect and aggregate the information in 
one place and make it more valuable and potentially more 
dangerous? Please help me with that.
    Ms. Ramirez. I believe that information, even if it is 
public information, if it is personal information of the 
consumer, that information ought to be protected, and there 
ought to be appropriate data security measures in place to 
protect it.
    Mr. Butterfield. All right.
    I want to take your attention to notification. Do you 
believe notification to consumers should also be required for 
breaches involving this kind of information?
    Ms. Ramirez. Yes.
    Mr. Butterfield. The Republican discussion draft, like H.R. 
2221 before it, provides the FTC, your commission, with the 
ability to modify the definition of personal information. Only 
information that is within the meaning of that term is covered 
by the bill's data security and breach notification 
requirements.
    But unlike 2221, the discussion draft seems to set up an 
overly burdensome and unclear process for modifying that 
definition. If the FTC wanted to change the definition for the 
purposes of either the data security or notification sections, 
it would have to find, among other things, that modification 
would not unreasonably impede Internet or other technological 
innovation or otherwise adversely affect interstate commerce, 
end of quote.
    Question, do you believe this language regarding 
impediments to innovation provides the FTC with much of a clear 
standard against which to determine whether a modification is 
appropriate?
    Ms. Ramirez. I do have concerns about the standards that 
are imposed. In addition to the limitation on changes to the 
definition that could impede innovation, as you mentioned, it 
also requires that the commission only make a change when there 
is a technological change at issue, and that is in connection 
with the data security piece of the proposed bill. So that does 
raise concerns because we feel there are issues with the 
definition of personal information. It is too narrow, and we 
would not be able to address those concerns.
    Mr. Butterfield. Well, what would you do? How would you 
make that determination if you were called upon to do so?
    Ms. Ramirez. Well, again, we would want to work with the 
committee on establishing an appropriate limitation. But let me 
articulate a couple of concerns that we have with the personal 
information limitation, in addition to the public records 
exemption.
    Two things: First, we believe that the financial, that the 
provision focuses solely on financial related information and 
doesn't take into account, for instance, other information that 
would be sensitive to a consumer. For instance, health 
information that would not otherwise be protected under HIPAA 
would not be covered by the language in the draft bill. So that 
would be a concern that we would not be able to address through 
the rulemaking that is provided in the draft bill.
    Mr. Butterfield. And what about the language that speaks to 
impeding innovation? I don't know how you define that.
    Ms. Ramirez. That would be a difficult standard also to 
apply, and so, arguably, rules by the commission could be 
challenged by parties arguing that the change in definition 
could impede the growth and make other arguments, so it would 
place an undue burden, we believe, on the commission.
    Mr. Butterfield. Thank you. I yield back.
    Mrs. Bono Mack. I thank the gentleman and want to thank him 
very much for pointing out the few bracketed points in the 
legislation where we specifically bracketed them because we, 
too, have questions in the draft, so I appreciate the 
clarification in your input, and I appreciate the gentleman 
taking the opportunity to raise that.
    The chair recognizes Mr. Stearns for 5 minutes.
    Mr. Stearns. Thank you, Madam Chair.
    One thing I just thought we would clear, that I think the 
Federal preemptions that it had in my bill in 2005 and the bill 
that passed in the Rush haven't changed. So as I understand, I 
just want to ask counsel, is that true that the Federal 
preemption have not changed, so that any criticism that would 
be brought from that side because of that, that they haven't 
changed at all?
    The Counsel. Yes, sir, that is correct.
    Mr. Stearns. Ms. Ramirez, as you are aware, in the bill, 
the Federal Trade Commission has the authority to change the 
very fundamental definition of personally identifiable 
information. So this gives you this broad latitude, I think a 
lot of us are a little concerned about. Do you think there is 
an opportunity where the Federal Trade Commission under any 
circumstances would trigger the need for them to alter, to 
update, to change that basic definition how it is currently 
drafted in the bill now, because you have got this definition 
that people understand in the bill, yet you have the authority 
to change it? Under what circumstances would you change it, and 
perhaps you could explain what would cause it?
    Ms. Ramirez. One circumstance that could arise is there 
could be changes in technology that could require additional 
information being needed.
    Mr. Stearns. But isn't personal identifiable information 
pretty much policy-neutral because it represents an 
understanding of the privacy of the individual?
    Ms. Ramirez. I think the precise scope may be hard to 
define. But the commission is absolutely willing to work with 
the committee to come up with a definition that would meet 
every one and satisfy everyone's concern. The current condition 
we believe is to narrow. We also believe that the ruling 
provided is too limited.
    I will say that the rulemaking process that the commission 
employs is a process by which we do seek input from 
stakeholders. And we believe that through that rulemaking 
process, we will be able to address any need for change, at the 
same time taking into account any concerns that you and others 
may have, Congressman.
    Mr. Stearns. Well, I think that probably if I was in 
industry, I would be concerned that the government, the 
Congress, is turning over this power to you and you might make 
these changes without a comment period. There might be changes 
that would affect a business that would make it much more 
difficult.
    Let me go on to my second question. In the bill, they added 
data minimization provisions. Now, this is something new from 
my bill, and also it is new from the Rush bill. How do you see 
this provision playing out? For members and people who don't 
understand, this is basically forcing industry to get rid of 
information that perhaps they would like to keep. It is not a 
decision they make, it is a mandated mandate, which is included 
in the bill, as I understand it. So I guess the question is, 
how do you see this provision playing out, and what role do you 
believe, if any, the FTC should have in ensuring that companies 
are complying? So you have this mandate; the companies might 
not agree, so if they don't do it, how are you going to check 
it, and how are you going to make them comply?
    Ms. Ramirez. What the commission advocates is that 
companies only retain information that they have a legitimate 
business need to retain.
    Mr. Stearns. And who determines that?
    Ms. Ramirez. And that they also only retain it for the time 
period they need it. I think we would apply a reasonableness 
standard.
    Mr. Stearns. What kind of standard?
    Ms. Ramirez. A reasonableness standard, which is a standard 
that the FTC has employed throughout the course of its 
enforcement in this arena.
    Mr. Stearns. So this reasonable standard in your mind is 
been pretty much established at the FTC so everybody in 
industry would understand today what it is?
    Ms. Ramirez. What I am saying is that the standard that 
would be applied would be a reasonableness standard, and I 
believe--it is an issue that may need to be fleshed out. And 
again, the commission is willing to work with the committee in 
order to do that. Any rulemaking that does take place would 
entail a comment period, absolutely entail a comment period. I 
believe that the FTC has a very solid track record in terms of 
its rulemaking. So I think this is an area, again, that the 
standard that the FTC has always applied in the area of data 
security is one of reasonableness, taking into account the 
nature of the information, how sensitive it is, the potential 
risks to consumer. So it would be a reasonableness standard 
that would be applied.
    Mr. Stearns. Do you think that Congress should set the 
broad outline for this data minimization provision and not give 
it any authority to the FTC, or do you think you need to have 
that authority to make that decision?
    Ms. Ramirez. I think it would be appropriate to give 
authority and flexibility to the FTC to provide additional 
guidance to companies as to how to effectuate those 
requirements.
    Mr. Stearns. Thank you.
    Mrs. Bono Mack. The gentleman's time is expired. The chair 
recognizes Mr. Waxman for 5 minutes.
    Mr. Waxman. Thank you, Madam Chair. Again, looking at this 
draft bill, I have some questions, so that we can get your 
input on it. As I look at the draft bill, there is a notice 
that must be given to the Federal Trade Commission and the 
consumers when there has been an electronic data breach. But it 
is only required after the covered person, the people who--a 
company who has the identifying information has done certain 
things in connection with the breach. The covered person must, 
one, assess the nature and scope of the breach, that makes 
sense, take steps to further prevent breach orunauthorized 
disclosure, and then, three, restore the integrity of the data 
system. Those clearly are the priorities for the company 
itself.
    After they have done all that, the covered person must 
determine the risk to the consumer. And after they have reached 
that conclusion, within 48 hours, they are supposed to give the 
notice to the FTC and the consumer. But there is no limit in 
this draft bill for how long a person can take to complete 
steps one, two and three. There is just no limit. The covered 
person, company, knows about a breach, could take a week, a 
year, maybe 5 years and then, within 48 hours of that, provide 
notice to the Federal Trade Commission and the consumers.
    The bill from the last Congress included an outer limit of 
60 days from the discovery of the breach to provide notice of 
the breach. That outer limit has been dropped from this 
discussion draft. If we were to include an outer limit, how 
long should that limit be, in your opinion.
    Ms. Ramirez. In my view, and the commission's view, is that 
the time for notification should be as soon as practicably 
possible. That may differ depending on the circumstances. I 
believe that 60 days should be at most an outer limit. Again, 
our view is that the sooner, the better. The sooner the notice 
is provided, the sooner that a consumer can take appropriate 
steps to protect and try to mitigate any harm that may result 
from a breach.
    I don't believe there is a particular number that I can 
give you sitting here today because it may depend on the 
circumstances, the nature of the breach, the size of the 
company, but I would say that 60 days would be at most an outer 
limit.
    Mr. Waxman. Sixty days would be an outer limit, but as soon 
as practicable?
    Ms. Ramirez. Yes.
    Mr. Waxman. That the information should go to the consumer 
that their identity has been compromised?
    Ms. Ramirez. That is correct.
    Mr. Waxman. A security leak. Thank you for that.
    The discussion draft provides an exemption from the bill's 
data security requirements for entities that are subject to 
data security requirements under different bills, the Gramm-
Leach-Bliley or the Health Insurance Portability and 
Accountability Act, for any activities governed by GLB and 
HIPAA. Now, this is a departure from last year's bill.
    Last year's bill only said that compliance with these two 
other statutes meant you were in compliance with the 
requirements of this legislation as it was drafted, provided 
that the requirements of GLB and HIPAA were similar or greater 
than those required under last year's bill. The language was 
not phrased as exemption for entities subject to FTC 
jurisdiction but rather as an alternative means of compliance.
    It is unclear to me whether under the draft bill, the 
Federal Trade Commission maintains the ability to enforce any 
data security requirements against those entities or if the 
safeguards in those other laws must meet or exceed those in the 
discussion draft. Do you believe that this exemption could 
potentially limit the Federal Trade Commission's enforcement 
abilities with respect to entities subject to the other two 
statutes, those other two statutes, and could you explain your 
answer to that?
    Ms. Ramirez. Under my reading of the bill, I do believe 
that it creates, potentially creates a gap in authority, 
because it does exempt entities that are subject to FTC 
jurisdiction from having breached notification requirements 
which are not required under Gramm-Leach-Bliley. So that is a 
concern about there being a potential gap in authority.
    Mr. Waxman. And do you believe this exemption could 
potentially lead to a disparity in the security requirements 
for nonbank financial institutions and everyone else under 
the----
    Ms. Ramirez. I do.
    Mr. Waxman. And what is your understanding of the effect of 
the phrase ``any activities governed by GLB or HIPAA'' on the 
scope of this exemption? What is the Gramm-Leach-Bliley 
activity, is that just issuing privacy notices? Is that 
following the FTC's safeguard rule, or is that marketing?
    Ms. Ramirez. Again, that activity-based exemption, it is a 
little bit unclear exactly how broadly it might be interpreted. 
But I think that the key point is that it does create a 
disparity between the obligations of certain financial 
institutions so that it is a concern about in connection with 
the authority that is provided.
    Mr. Waxman. Thank you.
    Madam Chair, I just want to point this out as an area where 
we need to work together to make sure that there is no 
ambiguity or poor drafting that would undermine what we are 
trying to do.
    Mrs. Bono Mack. I thank the gentleman very much. I agree 
with his questioning and agree with his assessment about where 
we can fortify the bill, and I look forward to working with you 
on that.
    And the chair is happy to recognize Mr. Olson for 5 
minutes.
    Mr. Olson. I thank the chair.
    Commissioner Ramirez, welcome. Thank you for your time 
today. As you know the SAFE Data Act would require an entity to 
begin to notify as promptly as possible, and that is a quote, 
individuals whose personal information was acquired or assessed 
in a breach following an assessment, and a notification should 
be based on risk of harm, not just on the fact that a breach 
had occurred. Otherwise, we may find ourselves in a situation 
where consumers are flooded with notices by companies, become 
desensitized, and then may not take action to protect 
themselves when there is a real risk due to a significant 
breach where personal identifiable information was stolen, and 
identity theft could occur.
    As currently drafted this legislation standard for risk is, 
quote, reasonable risk of harm. In response to my colleague 
Congressman Stearns' questions, you said that that is the 
standard that the FTC supports. Do you think consumers would be 
better served in the long run if the standard were changed to, 
``significant risk of harm''? And what in your opinion is the 
difference between a reasonable risk of harm and a significant 
risk of harm?
    Ms. Ramirez. I don't think that consumers would be better 
served if the standard were to be elevated to a significant 
risk. I think the key objective, as I understand it, of the 
draft bill is to ensure that consumers are appropriately 
protected if there is a breach. And my concern would be that by 
imposing a higher standard, that key objective would be 
undermined.
    So I think it is appropriate to apply a reasonableness 
standard. But my fear is that by using the word significant it 
might just be a standard that might be too high and that it 
would risk undermining the ability of consumers to take 
effective steps to protect themselves if there is a breach in 
security.
    Mr. Olson. And one more question, commissioner, a couple 
more. Does the commission see the concerns about the dangers of 
over-notification or, as my 14-year-old daughter and 11-year-
old son would say, spam?
    Ms. Ramirez. In my view, the greater danger is that 
consumers not be provided adequate notice to protect themselves 
against data breaches, so I don't believe that over-
notification is a serious issue. I would be more concerned 
about not providing adequate protection if the standard were to 
be elevated.
    Mr. Olson. I am sure that we can agree that there is some 
balance there between over-notification and timely 
notification?
    Ms. Ramirez. That is right. And I believe the 
reasonableness standard accommodates that.
    Mr. Olson. OK. Thanks for that. And one final question, why 
does the FTC feel so strongly about obtaining authority over 
nonprofits and universities for data security breaches?
    Ms. Ramirez. The issue there is that, regardless of the 
nature of the particular entity, if the entity does have 
personal information about a consumer and there is a data 
breach, there is harm to the consumer regardless of whether 
that entity is either a nonprofit or a for-profit entity. So 
that distinction, in our view, would not provide adequate 
protection. So we are pleased to see that the draft bill does 
provide coverage for nonprofits.
    Mr. Olson. Yes, ma'am. Well, I am hearing some concerns 
from the nonprofit sector and the universities about this 
provision, and I would like to work with you forward and work 
with the chairman to resolve these concerns back home for the 
people I represent.
    Ms. Ramirez. We would be pleased to do so.
    Mr. Olson. Thank you, ma'am. I yield back my time.
    Mrs. Bono Mack. I thank the gentleman. And the chair 
recognizes Mr. Gonzalez for 5 minutes.
    Mr. Gonzalez. Thank you very much, Madam Chairwoman.
    To my colleagues who have worked on this for the past few 
years, again, just that we continue down this road and haven't 
been successful yet, we passed things out of the House, and 
then we can't say that much about controlling anything that the 
Senate does, but it does mean that we will not be moving timely 
and aggressively.
    To Mr. Stearns, thank you for his leadership. I still 
remember way back then, Cliff, when we used to say, don't 
collect it if you can't protect it. Remember we used to say 
that? And I think we are still saying that. And what has 
transpired since that time is that we haven't had the 
safeguards. We haven't had the review and the protections, of 
course. And we have just had--what have we had? We have had 
more breaches. I would like to think that had we had something 
in place, we would not have had the occurrences that have 
transpired recently.
    Commissioner Ramirez, thank you very much for being here 
today. My questions are going to go to information brokers. And 
I do want to compare past efforts with the present effort, and 
hopefully, we can even improve what we have in the initial 
draft. H.R. 2221 had a lot as it related to information 
brokers. And I just want to get your opinion as to whether any 
new version of legislation should maybe also include some of 
these responsibilities that information brokers should be 
charged with. We had accuracy access and dispute resolution 
aspects or provisions when it came to brokers, but I am going 
to be a little more specific on some things that I believe at 
this early date the draft would not include, and I am going to 
ask whether you think it would be important that we would 
include these particular provisions: 2221 required information 
brokers to submit its security policies to the FTC, is that a 
good idea?
    Ms. Ramirez. I think generally data security brokers need 
to be covered under any appropriate legislation, just as any 
other entity would be. If they collect information about a 
consumer, they ought to be covered.
    Mr. Gonzalez. 2221 permitted the FTC to conduct an audit or 
require each information broker to conduct an audit of its 
security practices, good provision?
    Ms. Ramirez. Again, I think the data security measures that 
apply to other entities ought to apply equally to data brokers, 
because any entity that collects, gathers and uses personal 
information of consumers need to have appropriately protective 
data security measures.
    Mr. Gonzalez. Maybe even more so since that is your primary 
objective and activity, is it not, as opposed to someone else 
that, again, relative to their own commercial transaction may 
require certain information that is personal in nature and 
needs to be protected? But we are talking about information 
brokers. The very purpose of their existence is to do what?
    Ms. Ramirez. I understand the point. All I am trying to say 
is that all entities that gather information that is personal 
to consumers create a potential risk of harm when there is a 
data breach. So, from the commission's perspective, we don't 
want to draw distinctions. If an entity collects and uses 
consumer information there ought to be appropriate data 
security measures and absolutely they ought to apply to data 
brokers.
    Mr. Gonzalez. And that is the reason it was in 2221, and we 
would agree with you of course. The last two, because I have 
about a minute and a half, required the FTC to promulgate rules 
requiring information brokers to establish measures 
facilitating the investigation of breaches. Would that be 
important?
    Ms. Ramirez. Yes.
    Mr. Gonzalez. And lastly, prohibit information brokers from 
pretexting, the practice of obtaining information through false 
representations?
    Ms. Ramirez. Yes.
    Mr. Gonzalez. Thank you very much.
    And I yield back Madam Chair.
    Mrs. Bono Mack. I thank the gentleman.
    And the chair recognizes Mr. Pompeo for 5 minutes.
    Mr. Pompeo. Thank you, Madam Chairman.
    Thank you for being here today, Ms. Ramirez. You talked 
about your concern for the exemption for publicly available 
information that you said that now with current technology, it 
has increased the value of that information. Can you give me an 
example of what you are thinking of?
    Ms. Ramirez. I think there are a number of companies that 
gather information about consumers because it may aid, for 
instance, in connection with advertising and online behavioral 
advertising in particular. I know that the Wall Street Journal 
series has identified a number of companies that do this. It is 
an area that is of significant concern to the commission. And 
again, regardless of the fact that the information may be 
publicly available, given that it is now aggregated and it can 
be accessed technologically and much more easily, it raises 
significant data security concerns.
    Mr. Pompeo. And what kind of information are you concerned 
about? Is it addresses? Tell me what it is that is publicly 
available that you are concerned about this aggregation of this 
information in the hands of these people you think are going to 
do harm.
    Ms. Ramirez. It could be addresses. It could be names, 
family members that reside in a house. That combined with other 
information could potentially lead to security concerns.
    Mr. Pompeo. Thank you.
    I want to come back to something Congressman Stearns was 
speaking of. He was talking about the definition in the draft 
of legitimate business purposes. And if I understood your 
testimony correctly, you want to retain the authority, that you 
want the FTC to retain the authority to define that, that is to 
say we are going to apply a reasonableness standard, is that 
correct?
    Ms. Ramirez. That is right.
    Mr. Pompeo. Forgive me for my skepticism. I have been 16 
years in business, and when the Federal Government says, don't 
worry, we will be reasonable, it causes alarm bells to go off 
in my head.
    Ms. Ramirez. Perhaps it might help if I can articulate a 
concern. In many of these data breach cases, we find that 
information has been maintained for very lengthy periods of 
time when in fact the company really had no reason to maintain 
that information. So that is why we, and I personally, believe 
that companies need to take greater care in ensuring that the 
consumer information that they maintain is needed. And if it is 
no longer needed, they should dispose of that information 
safely; otherwise, it just increases the potential for harm 
should there be a breach.
    Mr. Pompeo. Suppose a company had some information, and 
they had no real current use for it, but they thought there 
might be value in that information 20 years from now. They 
might be able to sell their business, and somebody else might 
be able to use that information, but they couldn't touch today 
what exactly it is they thought the value of that was. But a 
legitimate business person, at least in that business owner's 
mind was, you know, I think there is value there. I worked to 
get that information. I obtained that information lawfully, and 
I now possess it, and I would just like to hang onto it because 
I think there may a good lawful use of that information 
sometime down the road. Would you consider that, after 10 or 20 
years, would you consider that a legitimate business purpose in 
retaining that information?
    Ms. Ramirez. I would be concerned that--there are many 
companies that do make that statement. My concern is that that 
is at odds with the desire to have adequate security. Because, 
again, the more that you keep information, the greater danger 
that it creates. So I am not going to sit here and say, it can 
only be after 5 years. I think there needs to be an appropriate 
assessment under particular facts and circumstances. But what 
we do advocate and I personally believe is that companies need 
to take a greater look at their practices, at their data 
security practices, to ensure that they minimize the possible 
risks of harm to consumers.
    Mr. Pompeo. Right. I am not speaking to their practices in 
terms of securing that data. I am simply speaking to their 
desire to hold onto this thing that they view as their 
property, this thing that they have paid for and worked for and 
worked really hard to maintain, and they are engaged in the 
most capable security process you can imagine; they have not 
had a breach, and all they want to do is hold onto their 
property. But as I hear you, there is some risk that the FTC is 
going to come in and say, sorry, not legitimate?
    Ms. Ramirez. No. Again, I think the standard to be applied 
is reasonableness. I think what the FTC and I personally 
believe is that companies simply need to take a stronger look 
and ask the question, do we really truly need this information, 
and not just simply use the concept of, oh, we may need it down 
the line without care to ask important questions about whether 
that information is entirely needed.
    Mr. Pompeo. Great. Thank you.
    Ms. Ramirez. And again, our focus is on information. I can 
just give you an example. I highlighted one case today, 
Ceridian, where Social Security numbers were being retained for 
a period when they were no longer needed in that particular 
instance. Again, there was no need to maintain those.
    Mr. Pompeo. And when you say needed, you mean, in your 
mind, as opposed to in the company's mind?
    Ms. Ramirez. The company no longer had reason to maintain 
those Social Security numbers, and unfortunately, there was a 
breach, and it created significant risk of harm to consumers.
    Mr. Pompeo. Thank you. My time is expired.
    Thank you, Madam Chairman.
    Mrs. Bono Mack. I thank the gentleman.
    The chair is pleased to realize the chairman emeritus of 
this committee, Mr. Dingell, for 5 minutes.
    Mr. Dingell. Thank you, Madam Chairman. Welcome, 
Commissioner Ramirez. I will be asking yes and no questions so 
I would appreciate your cooperation because time is short. Now, 
the draft legislation pending, our consideration exempts 
entities that must comply with the Gramm-Leach-Bliley Act or 
GLBA. The Federal Trade Commission's role to implement the data 
privacy requirements of GLBA is known as the safeguard rule, is 
that correct?
    Ms. Ramirez. Yes.
    Mr. Dingell. Now, Commissioner, does the safeguard rule 
require that covered entity, that a covered entity under the 
jurisdiction of the FTC notify a consumer of a data breach 
within a certain period of time, yes or no?
    Ms. Ramirez. No, it does not.
    Mr. Dingell. Commissioner, so an entity regulated by FTC 
that is covered under GLBA, but not the draft bill, is under no 
statutory or regulatory obligation to notify consumers of a 
data breach within a time certain; is that correct?
    Ms. Ramirez. Yes.
    Mr. Dingell. Now, it would seem to me that we should 
consider removing the draft bill's GLBA exemption as well as to 
include H.R. 2221 60-day backstop notification in the interests 
of improving consumer protection. Now, the draft bill allows 
the Commission to modify the definition of the term ``personal 
information'' according to the Administrative Procedure Act, or 
APA, which I applied. I am worried, however, though, that the 
bill imposes vague conditions on the Commission to be satisfied 
before it could commence a rulemaking.
    I fear that the effect would be that the Commission may 
never amend the definition of ``personal information.''
    Now, Commissioner, has the Commission examined this matter 
and, if so, does the Commission share my opinion on the matter?
    Ms. Ramirez. We do have concerns about the ability of the 
FTC to modify the definition of ``personal information'' as I 
articulated earlier in my testimony.
    Mr. Dingell. Now, I would request that the Commission 
submit its comments for the record. Would you do that for us, 
please, on this question?
    Ms. Ramirez. Yes, of course.
    Mr. Dingell. Now, I understand the draft bill does not 
treat data brokers any different from other entities that 
collect and store personal information. This is a change from 
H.R. 2221, which by the way passed the House overwhelmingly, 
which describes additional requirements for data brokers.
    The bill does not contain provisions that allow consumers 
to have reasonable access to information data brokers who 
collect information about them; is that correct?
    Ms. Ramirez. Yes.
    Mr. Dingell. Now, Commissioner, does the Commission believe 
that brokers should be subject to more stringent data security 
and breach notification requirements than other entities that 
collect and store personal information; yes or no?
    Ms. Ramirez. In my view, yes.
    Mr. Dingell. Would you submit such amplification of that as 
you might deem appropriate?
    Ms. Ramirez. Yes.
    Mr. Dingell. Now, Commissioner, does the Commission believe 
that consumers should have a statutory right to reasonable 
access of the personal information that data brokers collect 
about them; yes or no?
    Ms. Ramirez. In my view, yes.
    Mr. Dingell. And I believe you would say that that is the 
only way you are going to assure that they will have that right 
to access; is that right?
    Ms. Ramirez. In my view, yes.
    Mr. Dingell. Now, Madam Chairman, I appreciate your work on 
the bill so far, and I want to thank you for these hearings.
    As my questions have indicated, I believe there are parts 
of the bill that can be improved. I stand by to work with you 
and am ready to assist you and the rest of our colleagues in 
order to report a bipartisan consensus bill that offers 
consumers the best protections possible. And I would observe, 
just quickly once more, the FTC has substantial experience in 
the protection of personal privacy from data collectors and 
things of that kind; is that not so, Madam Commissioner?
    Ms. Ramirez. Yes.
    Mr. Dingell. So, Madam Chairman, I thank you for the 
courtesy and I yield back the balance of my time, which 
constitutes 37 seconds. Thank you.
    Mrs. Bono Mack. I thank the gentleman very much and 
recognize Mr. Guthrie for 5 minutes.
    Mr. Guthrie. Thank you very much. Thank you, Madam 
Commissioner, for being here.
    I appreciate this and this is a serious issue that we have 
to address, and it looks like there is going to be significant 
work to do this in a way that is bipartisan. And I really 
didn't even think about this, and Mr. Pompeo said, but, you 
know, some of the things I learned when I was involved in the 
State legislature, involved in writing law and so forth, is 
that we have got to be as clear as we can because you see 
things--and just an example, you know, laws written 50, 60 
years ago today are being used to, I think, doing 
interpretations by agencies that were never intended.
    And so we just want to be careful that we are not just 
dealing with each other, and we know each other, and we know 
each other are thinking, but we have got to think what is going 
to happen as we go down the road.
    And so in that, you know, I say, you have been there, and 
we had SEC here before and they said, well, we are trying to 
solve uncertainty. This may have to be decided in court if what 
we are doing is right. So when we look at words like 
``reasonable'' and ``significant risk,'' ``reasonable risk,'' 
just kind of understanding what we are thinking. And so I know 
we talk about reasonable risk in data security and significant 
risk.
    And if you would kind of talk about the differences in 
those two and the cost of complying with this, I guess, for a 
business or in the level of security for consumers. We have got 
to decide, give this consumer the security they have, with the 
business having the knowledge or the certainty of what it is 
going to cost them to do, so they can plan and move forward.
    So just the difference in reasonable and significant risk, 
in your mind, I guess.
    Ms. Ramirez. In my mind, the concern that I had was that 
using the word ``significant'' would elevate the standards and 
the result would be that it would undermine protection to the 
consumer. The FTC has applied a reasonableness standard 
throughout its enforcement history in this arena, and it really 
does depend on the particular circumstances.
    We would like to take into account, again, the nature of 
the information that might be at issue, the size of the 
company, the costs that might be involved. So I believe that 
taking a flexible approach allows us to fashion the right 
balance between the costs and burdens that may be imposed on 
business, as well as making sure that we have robust protection 
for consumers.
    Now, I also want to highlight that the cases that the 
agency has brought in this arena have been--have related to 
very basic and fundamental failures in data security. These 
have not been close calls, so I hope that provides some 
assurance to those who may have concerns.
    Mr. Guthrie. Yes. I am not an attorney, I did have one law 
school class, and the questions on tests aren't usually the 
obvious things, and that is where--usually there is some area 
that that is why it ends up in court; not that it is clear that 
somebody had data for 20 years, had Social Security numbers, 
had no need for them, and somebody breached them and took them.
    As a matter of fact, at the expense of what a breach costs 
a company, I wouldn't want to hold on to that information 
more--if I didn't have a purpose or a need for it.
    And I want to hit one thing and I will yield back. You 
talked earlier about the time for notification was too long, I 
guess in the draft you thought was too long. Did you say what 
you thought was reasonable for that, or what you suggest?
    Ms. Ramirez. Our view is that notification ought to be 
provided as soon as practically feasible because, again, the 
circumstances may change. In certain situations it may be 
appropriate to have a short requirement of just a few days. In 
other situations, there may be a need for a company to take 
more time to write--to provide notifications.
    So I think there ought to be an outer limit, and I have 
suggested that 60 days would be an outer limit but, again, that 
is an outer limit. Our view is the sooner, the better, because 
that allows consumers to take appropriate steps to mitigate any 
potential harm.
    Mr. Guthrie. Oh, I agree with that. The difference is how 
we define--that is how we define it, so yes.
    Ms. Ramirez. And, again, I think it is important to 
preserve some flexibility because it may differ depending on 
particular facts and circumstances.
    Mr. Guthrie. Yes. I think there was one testimony in a 
previous hearing trying to figure out what happened, and they 
were trying to go through that. But you are right, because I 
mean, I would want to know as soon as practicable. Those were 
those words, you argued ``practical'' or ``practicable,'' 
right?
    Ms. Ramirez. Or ``feasible.''
    Mr. Guthrie. But you are right. That is absolutely right. 
So I appreciate that look forward to working with the 
chairwoman and thank you for your courtesy.
    Mrs. Bono Mack. I thank the gentleman. For not being a 
lawyer, you sure play one well on TV.
    The chair is happy to recognize Ms. Schakowsky for 5 
minutes.
    Ms. Schakowsky. Thank you, Madam Chairman.
    Let me just say that this committee has a history of 
working in a bipartisan basis, and the House did pass out H.R. 
20--is it 21--whatever that brush bill was that I was a 
cosponsor of.
    Ms. Ramirez. H.R. 2221.
    Ms. Schakowsky. And, you know, we worked very closely 
together and, as Mr. Stearns says, it has been going on since 
2005. I am so hopeful that we will be able to craft a bill. I 
feel confident that we will be able to craft a bill. In some 
respects this draft is even better, the quickness of certain 
notification. But we need to focus on, I think, where those 
differences are.
    So let me just ask a couple of questions, Ms. Ramirez.
    The Republican discussion draft includes language that I am 
concerned could have a narrowing effect that we don't totally 
understand. The draft narrows application of the bill's data 
security and notification requirements to persons engaged in 
interstate commerce with personal information, quote, ``related 
to that commercial activity.''
    So let's take someone, a company like Amazon that is in the 
business of selling books. And in that process it generally 
collects your full name, address, credit card number and 
security code. But what if they also ask you for your Social 
Security number? I don't think they need that to sell a book. 
And if they did ask you for it, it probably wouldn't be to sell 
you that book. And what about other information that isn't at 
this time within the meaning of personal information like an IP 
address?
    I know this is a fairly technical point so you may not have 
an answer right now, but to the extent you can, do you know how 
the FTC would interpret and implement this phrase, quote, 
``related to that commercial activity''?
    Ms. Ramirez. I think we would interpret it to be 
coextensive with our jurisdiction over entities that engage in 
interstate commerce. I think it would be relatively broadly 
interpreted. Again, the precise scope of the definition is an 
area that we are happy to work with the committee to ensure 
that we assist in the committee coming up with a suitable 
definition that addresses the concerns that have been 
articulated today.
    Ms. Schakowsky. Well, I am just worried that it is 
ambiguous language, and we may want to work with you and work 
with the committee to tighten that up.
    Ms. Ramirez. And we would absolutely be pleased to work 
with you on that language.
    Ms. Schakowsky. Great. Here we are, H.R. 2221 from the last 
Congress and the Republican discussion draft of the SAFE Data 
Act require notice to the FTC and consumers of an electronic 
data breach only if the covered person has determined that the 
breach, quote, ``presents a reasonable risk of identity theft, 
fraud or other unlawful conduct.''
    I know that others have asked this, but I wonder if one 
more time, do you believe this trigger for notification, based 
on reasonable risk, et cetera, is appropriate?
    Ms. Ramirez. I do. I think that the standard of reasonable 
risk gives it appropriate flexibility to accommodate both the 
need to protect consumers, as well as the need to take into 
account any burdens, excessive burdens on business.
    Ms. Schakowsky. And it falls on the covered person to 
determine whether or not the trigger has been--for notification 
to the FTC and consumers--has been met. Do you believe it is 
appropriate for the covered person to make the ultimate 
determination about the risk posed to consumers from a data 
breach and whether notice to the FTC and consumers is required; 
and, if not, who should make that determination and how should 
they go about doing that?
    Ms. Ramirez. That is a serious concern that we have. We 
believe that the FTC ought to be notified at the same time as 
other law enforcement agencies so that we can also examine the 
issue and determine if there ought to be notification that may 
differ from the determination that is made by the company.
    Ms. Schakowsky. Thank you. And, finally, in the few seconds 
I have, H.R. 2221 would require notice to law enforcement, the 
FTC, and consumers in the event of a data breach involving 
electronic records. There is no requirement for notice in the 
event of a data breach involving paper records.
    Do you believe the scope of the notification requirement 
should be expanded to include data breaches involving paper 
records?
    Ms. Ramirez. I do. I believe that paper records can also 
pose serious concerns and risks to consumers.
    Ms. Schakowsky. Thank you, and I yield back at zero.
    Mrs. Bono Mack. I thank the gentlelady. The chair--I was 
going to give Christmas presents that equaled per seconds, like 
Christmas gifts would be valued by the size and the amount of 
time you give back.
    The chair is happy to recognize Mr. Harper for 5 minutes.
    Mr. Harper. Thank you, Madam Chairman, and thank you, 
Commissioner, for being here and giving us your insight into 
this.
    If I could just talk a little bit more about reasonable 
risk or significant risk, and you have indicated you support 
the reasonable risk standard.
    How do you define that reasonable risk? What do you see 
that being?
    Ms. Ramirez. I think if the information that is at issue is 
potentially going to be misused, can be misused to harm 
consumers, I think that there ought to be a presumption that 
there ought to be notification.
    Again, I do--I do want to highlight that the agency has 
done significant work in this arena and our enforcement actions 
and consent orders that we have entered into, I think, can 
elaborate more fully on the situations that we have found where 
action was necessary. So, but again, I think there needs to be 
flexibility; I think reasonableness accomplishes that, and I 
would be concerned about changing that standard.
    Mr. Harper. So you said the Commission has done significant 
work versus reasonable work?
    Ms. Ramirez. We have great experience in the area of data 
security.
    Mr. Harper. Right. So how would we vary with significant? 
If the standard was significant risk, how would you view that 
different than reasonable risk?
    Ms. Ramirez. I think it is a flexible concept, and I don't 
have any magic words to articulate here today, but I think, in 
my mind, the key is how do we best protect consumers. And if 
that is the aim of the legislation, I believe that we ought to 
err in favor of protecting consumers, given that we know that 
the incidence of identity theft and data breach, by the way, is 
one significant cause, of, again, identity theft continues to 
be such a significant concern.
     It is the most--we have received the most complaints 
relating to identity theft than any other complaint, and that 
has been in the last decade, so it remains a very significant 
concern.
    Mr. Harper. So ``reasonable'' would be in the eye of the 
beholder in some instances, is how we define this.
    Ms. Ramirez. No. I believe that you can establish objective 
standards. The reasonableness of the concept that is, you know, 
well and defined in many different areas and used in many 
different areas of law, so I think it is one that can be 
employed in a way that I think would address concerns. I think 
it maintains appropriate flexibility and allows one to balance 
potentially competing interests.
    Mr. Harper. Yes. And I know as we go through the discussion 
draft and we look at it, there is going to be that discussion 
between reasonable and significant risk. You know, of course, 
as you know in the practice of law, some-- you will have 
preponderance of the evidence, or, in a criminal case, beyond a 
reasonable doubt, but also there is clear and convincing.
    So I think you are going to have that tug back and forth 
between reasonable and significant, wanting to protect the 
consumers but also looking at how the businesses will deal with 
this. So, you know, I appreciate your input on that.
    As we look at the notification of when you believe FTC 
should be notified, you believe they should be notified at the 
same time as law enforcement. Is that what you have stated?
    Ms. Ramirez. I do, yes.
    Mr. Harper. OK. And what period of time do you think is the 
optimum time for you to get that notification?
    Ms. Ramirez. I think as soon as the breach takes place. I 
am now not remembering if the bill is specific on that point, 
but essentially at the very outset, when other law enforcement 
agencies are notified.
    Mr. Harper. When we look at that specific time limit, you 
know, these are certainly a great concern, as you have stated 
and as we know, data breach is something that everybody is 
concerned about and with this age that we have.
    So tell me why you believe that the FTC should be notified 
prior to the consumers?
    Ms. Ramirez. As a law enforcement agency, I think it is 
important that the FTC be provided prompt notification so that 
it can take appropriate action if necessary.
    In addition, I think that waiting for the outcome of a 
particular company to engage in its own risk assessment risks a 
situation where a company may perhaps conclude that 
notification won't be necessary to consumers. The FTC may have 
a different view of it. It may provide an additional level of 
assurance as protection for consumers.
    Mr. Harper. Well, let me end with this quickly. Do you 
believe that this legislation, that it will address the current 
and evolving environment with respect to cloud computing?
    Ms. Ramirez. I am sorry, could you repeat that?
    Mr. Harper. Do you think that this legislation 
appropriately addresses the current and evolving environment 
with respect to cloud computing?
    Ms. Ramirez. I do. I think, again, cloud computing is, of 
course, the wave of the future. But the data security methods 
ought to apply to cloud computing, just as they do with other 
methods of storage.
    Mr. Harper. Thank you. With that, I yield back.
    Mrs. Bono Mack. I thank the gentleman. The chair recognizes 
Dr. Cassidy for 5 minutes.
    Mr. Cassidy. Ms. Ramirez, the examples of health info which 
are not covered by HIPAA, can you give me those?
    Ms. Ramirez. Let me give you an example from one of the 
matters that the FTC handled, the Eli Lilly matter, which 
involved the release of information about individuals who had 
used Prozac. HIPAA only covers particular entities such as 
hospitals, doctors' offices.
    Mr. Cassidy. So a noncovered entity, if you will.
    Ms. Ramirez. It would be a noncovered entity; correct.
    Mr. Cassidy. Now, you--so this may answer my next question. 
It seems, as I am trying to understand this, that you in effect 
have two sets of data, one with unique identifiers and the 
other that is gained from publicly accessible information that 
you have a similar concern, even though it might not have a 
unique identifier; is that correct?
    Ms. Ramirez. Well, it is not the issue of a unique 
identifier. Again, when it comes to public records, our concern 
is that once you compile information and you gather information 
that in the past might have been very difficult to collect, 
once it is collected at one place, that can then raise very 
serious concerns.
    Mr. Cassidy. So what are those concerns?
    Ms. Ramirez. When you have data aggregators that are 
gathering information about----
    Mr. Cassidy. Well, I understand what a data aggregator is, 
I understand that. They get all the data about mortgages being 
sold in Washington, D.C.
    Ms. Ramirez. One example could be that they may have 
information that might--can be given to a payday lender, for 
instance, because they have information that may reveal--have 
indications about income level. That information can then be 
used by a payday lender or someone who aims to engage in some 
type of fraudulent activity.
    Mr. Cassidy. Now, a payday lender is not inherently 
fraudulent?
    Ms. Ramirez. No, no, no, no, no. But my point is it can be 
used by persons who may want--seek to misuse that information, 
so it is very important that that information----
    Mr. Cassidy. But that is true of all information in a free 
society; correct? I am nervous about limiting access to 
publicly available information, and I don't necessarily 
disagree with you, but it always seems like we should have a 
bias towards openness, knowing that those--so why should we not 
have this bias towards openness if it is not being used by a 
fraudulent entity and if it is publicly available otherwise?
    Ms. Ramirez. The key is to ensure that appropriate measures 
are taken to protect the information that has been aggregated. 
You then--you now have an ability with these data aggregators 
who have gathered just a treasure trove of information that, 
again, previously may not have been easily accessible.
    Mr. Cassidy. You keep saying that, and I understand that. I 
understand that issue. What I don't know is what danger you see 
with that. And I am asking openly.
    Ms. Ramirez. So the danger can be that it can be misused 
for a number of reasons.
    Mr. Cassidy. But I guess all information could be misused. 
All information can be misused. And so I am just trying to 
understand.
    Ms. Ramirez. So the fundamental point is that that 
information needs to be protected; and if that information, if 
there has been a breach, the consumer ought to be notified. And 
in the case of data brokers, I believe that there ought to be 
some additional requirements where a consumer may have access 
to that----
    Mr. Cassidy. Just so I understand better, because clearly I 
am struggling, can you give me a specific example of--and just 
so I can understand--again, I am not challenging, I am trying 
to understand--a specific example of where a data aggregator 
had data that was breached that did not include a Social, did 
not include a credit card number or a security code, it was 
just like, you know, Bill Cassidy, the Congressman from Baton 
Rouge, and he has got three kids and et cetera, et cetera. Are 
you with me?
    Ms. Ramirez. Let me give you one example. Information 
relating to income, for instance, is information that might be 
gathered or somehow ascertained through the access of publicly 
available information.
    Mr. Cassidy. Now I am told, when I suddenly saw all these 
catalogs that I was getting back from people who send catalogs, 
that they looked at my census track and said, oh, he is in a 
pretty good census track, and so therefore I started getting an 
incredible number of catalogs. Now, are we going to restrict 
the ability of someone to know what census track I live in?
    Ms. Ramirez. No, but I think you can provide access rights 
so that if, for instance--again let me go back to----
    Mr. Cassidy. Now the access rights is a separate issue. The 
access rights, I gather from Mr. Dingell's thoughts, and it 
actually seems--I can see some use in that.
    But, again, I am wondering, what is the inherent damage----
    Ms. Ramirez. We would not be restricting the ability to 
gather the information that was publicly available. We would 
simply want there to be adequate security measures to protect 
the information, and we would want there to be notification to 
the consumer in appropriate circumstances. And in light of 
potential misuse of information, additional requirements such 
as access may be one way of addressing. But I am not advocating 
that there be a limitation on the ability----
    Mr. Cassidy. As the risk of losing my Christmas presents, I 
will say, though, that it almost seems that if you have one 
with credit card numbers and Socials and medical, you know, 
military identification numbers, that clearly should be in its 
own silo.
    The other seems--the other seems, I am not sure--and I am 
sure there is going to be an expense in terms of being in the 
silo. The other seems to me to be inherently less, I don't 
know, onerous as regards the protective measures taken, because 
it doesn't have the same import if somebody knows I have got 
three kids and live in the census track as opposed to knowing 
my Social.
    Ms. Ramirez. My apologies if I haven't been able to fully 
articulate the potential risks that we see, and my staff is 
very happy to work with you to provide some additional 
information if I have not been able to answer your question 
adequately.
    Mr. Cassidy. If you will do that. And, again, I would just 
understand. If you all send it to me, I would appreciate it.
    Thank you. I yield back.
    Mrs. Bono Mack I thank the gentleman. I recognize Mr. Rush 
for 5 minutes.
    Mr. Rush. I want to thank you, Madam Chairman. We have 
known for several Congresses now that mass MEGA data breaches 
could and will occur. And we have had the vision to introduce 
legislation to make these breaches more difficult to perpetuate 
and that would make consumers as close to whole as possible 
when they piece back together their personal lives and 
identities.
    The DATA Accountability and Trust Act that I reintroduced 
in May, along with Congressman Barton and Congresswoman 
Schakowsky, is essentially the same bill that was passed out of 
this committee in December of 2009, in the 111th Congress, as 
H.R. 2221. That bill passed out of the House on suspension and 
was then referred to the Senate Commerce Committee.
    When I became chair of this subcommittee in the 110th 
Congress, I introduced H.R. 958, which has since been shaped to 
keep up with online and network technologies and emerging 
formats for storing consumer data. These technologies and 
formats improve consumers' lives and make new and exciting 
business efforts and revenue models viable. But it has been 
important in our approach to remain technologically neutral, so 
that we don't pick winners and losers, and also cognizant--and 
remain cognizant of the unique natures of the business models 
and realities involving what the bill defines as ``service 
providers,'' ``information brokers,'' and ``fraud databases.''
    Madam Commissioner, I only have a few minutes and so I am 
going to ask you a few questions, and I intend to ask each 
panel these questions. So if I could get a yes or no answer, 
that would certainly help me. And if I don't get to ask the 
questions, I have some that I will refer to you in writing for 
the record.
    Should commercial entities that do business in interstate 
commerce be required under Federal law to protect individuals' 
personal information by securing it and protecting it from 
improper access?
    Ms. Ramirez. Yes.
    Mr. Rush. And when these entities contract with a third 
party to maintain that personal data, should they be further 
required to establish and implement information, security 
policies, and procedures?
    Ms. Ramirez. Yes.
    Mr. Rush. Should the FTC be authorized to prescribe what 
those policies and procedures ought to be?
    Ms. Ramirez. Yes.
    Mr. Rush. Should personal information be defined to include 
an individual's first name or initial and last name, or 
address, or phone number, in combination with any--with any one 
or more of the following. An individual's Social Security 
number?
    Ms. Ramirez. I believe that that would be too narrow a 
definition.
    Mr. Rush. I have got a number of them, yes or no. Yes or 
no.
    Ms. Ramirez. No.
    Mr. Rush. A driver's license number?
    Ms. Ramirez. No.
    Mr. Rush. A passport number, military number, or similar 
identification number issued on a government document for 
verifying identity?
    Ms. Ramirez. No.
    Mr. Rush. A financial account number?
    Ms. Ramirez. No.
    Mr. Rush. A credit card number?
    Ms. Ramirez. No.
    Mr. Rush. A debit card number?
    Ms. Ramirez. No.
    Mr. Rush. Or any security, access code, or password needed 
to access the account?
    Ms. Ramirez. No.
    Mr. Rush. Should information brokers be required to submit 
their data security policies to the FCC?
    Ms. Ramirez. Yes.
    Mr. Rush. Should information brokers be required to 
establish procedures that consumers may follow to review and, 
if necessary, dispute the accuracy of their personal data?
    Ms. Ramirez. In my view, yes.
    Mr. Rush. Thank you very much. You have been very kind and 
helpful.
    With that, Madam Chair, I yield back the balance of my 
time.
    Mrs. Bono Mack. The chair recognizes Mrs. Blackburn for 5 
minutes.
    Mrs. Blackburn. Thank you, Madam Chair, and thank you for 
being here with us today.
    I want to stay with this personally identified information, 
because I think that gets to kind of the crux of the matter 
when you talk to our constituents and you look at how they have 
reacted to what has transpired with the Sony breach and the 
amount of time that was required to inform people there. You 
can go back as far as the TJX breach and the amount of time and 
the inconvenience that was caused to individuals there.
    So I think that what we have to do is that our goal should 
be to define this legislation in a way that is very clear and 
very meaningful to our constituents and to policymakers. And I 
know Mr. Stearns talked about FTC control and authority, and 
some people believe that we should not give the FTC the control 
to make the policy. Specifically, the FTC with the rulemaking 
process and having the ability to set what is personally 
identified information is a very powerful tool, and there are 
many that think we should define that in law and not give it to 
the FTC.
    So I want to stay with this. I want you to define for me, 
just go down the tick list of--as making rules, what you would 
put sequence, what would be personally identified information, 
how you would sequence that in the rulemaking authority.
    Ms. Ramirez. I think the touchstone here is information 
that can be uniquely tied to an individual. I am afraid that I 
just can't rattle off a list here, but my staff is very happy 
to work with you to articulate in more specific terms. But, 
again, the key would be information that can then be used to 
identify someone. And I believe it would be broader than the 
definition that is currently used in the draft bill.
    Mrs. Blackburn. OK. What I would like for you all to do, 
then, is to submit that to us in writing, because I think this 
is an area where we are going to need to focus, put some 
attention on what this is, who owns that online presence; is it 
becoming more important to our constituents? And we hear from 
them daily on the privacy issue, on the data searching, the 
data selling, all of these issues that are becoming 
intertwined, even with the piracy issue and the intertwining 
that is there.
    So to say a unique tie may be a simple, concise answer to 
give, but it does not provide the depth that we are going to 
need and have as we go through this. So I would ask you to do 
that.
    OK. The chair talked about declaring war on identity theft 
and online fraud, and I think she is exactly right on this 
because--and I agree with her on this, and our constituents 
look at this as a virtual marketplace that is out there. And 
they look at the relationship they have had with brick-and-
mortar retails and entities and then with click-and-mortar 
businesses and also virtuals. So let's talk about people who 
have become the victim of identity theft. What services do you 
think should be made available to them? People realize a free 
credit report doesn't cut it. Credit monitoring doesn't cut it.
    So tell me what you think for those that have been harmed 
by identity theft. What services should be available for them?
    Ms. Ramirez. I do think that credit monitoring is an 
important aspect of the protection, but I also think it is 
incumbent--what the consumer will need to do is to be very 
vigilant, monitoring all of their financial accounts, 
monitoring their billing statements, and if they see anything, 
so that----
    Mrs. Blackburn. So the personal responsibility aspect.
    Ms. Ramirez. That is an element of it. And we provide 
guidance to consumers about what they ought to do and the steps 
that they ought to take.
    Mrs. Blackburn. So you see the FTC's role more as providing 
guidance on that.
    Ms. Ramirez. In terms of--consumer education is a 
significant piece of what the FTC does, and we do provide 
significant information to consumers, helping them take steps 
if their identity has been stolen or there is a risk of that, 
what steps they can take to protect themselves.
    Mrs. Blackburn. OK. Let me ask you one other thing. The 
bill that we are considering, should it apply to government 
systems?
    Ms. Ramirez. The bill should apply to commercial activity. 
That is the jurisdiction that the FTC has to commercial 
entities, so that is the scope of our jurisdiction.
    Mrs. Blackburn. And you don't think we should apply it to 
government entities?
    Ms. Ramirez. It is an area that is outside the scope of 
what the FTC does.
    Mrs. Blackburn. I respect that answer. Thank you very much. 
I yield back.
    Mrs. Bono Mack. I thank the gentlelady very much.
    With that, we have concluded the first panel. We want to 
thank our witness very much for her in-depth and very 
thoughtful answers today.
    I will say to the audience, we are going to take a 5-minute 
break while we reseat the second panel, but to remind people 
that there is an overflow room in 2123 for anybody who would 
prefer to sit rather than stand.
    So, again, Commissioner Ramirez, thank you very much for 
your time today.
    Ms. Ramirez. Thank you.
    Mrs. Bono Mack. See you all in 5 minutes.
    [Recess.]
    Mrs. Bono Mack. All right. If the subcommittee could come 
to order once again. If the gentleman in the corners could 
please take your seats.
    On our second panel we have four witnesses who are deeply 
engaged on the issue of cybersecurity.
    Testifying are Jason Goldman, Counsel, Telecommunications & 
E-Commerce, U.S. Chamber of Commerce; Robert Holleyman, 
President and CEO of the Business Software Alliance; Stuart 
Pratt, President and CEO of the Consumer Data Industry 
Association; and Marc Rotenberg, Executive Director for the 
Electronic Privacy Information Center.
    Good afternoon, gentlemen. Thank you all for coming. You 
will each be recognized for 5 minutes. To help you keep track 
of the time there is a time clock in front of you, and green, 
red, yellow, you know what they mean. Yellow means 1 minute to 
get to the conclusion of your testimony.

 STATEMENTS OF JASON D. GOLDMAN, COUNSEL, TELECOMMUNICATIONS & 
E-COMMERCE, U.S. CHAMBER OF COMMERCE; ROBERT W. HOLLEYMAN, II, 
PRESIDENT AND CEO, BUSINESS SOFTWARE ALLIANCE; STUART K. PRATT, 
PRESIDENT AND CEO, CONSUMER DATA INDUSTRY ASSOCIATION; AND MARC 
 ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION 
                             CENTER

    Mrs. Bono Mack. So at this point in time we are going to 
recognize Mr. Goldman for 5 minutes, and please remember to 
turn your microphone on and bring it close to your mouth.

                 STATEMENT OF JASON D. GOLDMAN

    Mr. Goldman. Good afternoon, Chairwoman Bono Mack, Ranking 
Member Butterfield, and other distinguished members of the 
subcommittee. I am Jason Goldman, Telecommunications & E-
Commerce Counsel of the U.S. Chamber of Commerce, the world's 
largest federation, business federation, representing the 
interests of more than 3 million businesses and organizations 
of every size, sector, and region.
    On behalf of the Chamber and its members, I thank you for 
the opportunity to testify here today regarding the discussion 
draft of the SAFE Data Act.
    We live in an information economy. Today, Chamber members 
of all shapes and sizes communicate with employees, existing 
consumers, potential consumers, and business partners around 
the world. They use data to spur sales and job growth, enhance 
productivity, enable cost savings and improve efficiency.
    Global and U.S. data usage are skyrocketing. In today's 
tough economy, businesses depend more than ever on having 
beneficial and trusted relationships with their customers. 
Therefore, there is no question that protecting sensitive 
customer information should be a priority for all businesses 
that collect and store this data, and the customers deserve to 
be promptly notified if a security breach has put them at risk 
of identity theft, fraud, or other harm.
    The Chamber supports the enactment of meaningful Federal 
data security legislation that would implement national data 
security standards to protect against the unauthorized access 
to sensitive personal information about businesses' customers, 
and breach notification requirements to notify customers when a 
significant risk to them may result from a security breach. At 
the same time, the Chamber urges policymakers to ensure that 
any legislation in this area does not hinder innovation and 
beneficial uses of the data.
    The Chamber appreciates the willingness of the subcommittee 
to work with us in legislation aimed at accomplishing this 
goal. The Chamber only recently got this text of the SAFE Data 
Act, so our comments are based on our initial read and may 
change as we continue to vet the bill through our membership.
    The United States has a national economy. And almost every 
State has enacted various data security and breach notification 
provisions, many of which differ from one another in material 
ways. This patchwork of State laws not only makes compliance 
difficult for businesses, but it can also create confusion for 
customers who receive notices from many sources.
    The Chamber supports the preemption of State information 
security and related liability laws to create a national 
uniform standard that will create regulatory certainty and 
minimize compliance costs for businesses that operate in 
multiple States.
    The Chamber has long advocated for a notice requirement 
that avoids the dangers of over-notification. As was discussed 
in the previous panel, the Chamber worries that if needlessly 
alarmed, customers may take actions that are not warranted and 
are a waste of their time.
    Alternatively, more worrisome, customers that are flooded 
by these notices may be falsely lulled into inactivity and not 
take proper action when the risk is justified.
    Therefore, the Chamber is pleased that the draft bill 
recognizes that the notification should be based on risk of 
harm, not just on the mere fact that data breach occurred.
    The Chamber agrees that notification of breach is not 
necessary where the data has been rendered unusable, 
unreadable, orindecipherable by different methods such as 
encryption, redaction, or access controls.
    The Chamber also recommends the inclusion of a threshold 
number of individuals requiring notification that would trigger 
notification to the FTC.
    The Chamber agrees that consumers should be notified in a 
timely manner after the occurrence of a reportable breach. 
However, given the complexities of dealing with a data breach, 
the Chamber recommends that the draft be modified to allow 
companies a reasonable amount of time to notify consumers, 
rather than a specific time frame.
    Furthermore, to catch cybercrooks and other criminals, as 
well as to ensure the safety of our Nation, the Chamber 
supports the revisions in the draft bill permitting delay of 
notification for law enforcement or national security purposes. 
Along with that, the Chamber recommends inclusion of language 
in the bill that identifies which specific agencies would 
trigger that exception or would have been able to enact that 
exemption.
    Regarding liability, the Chamber is concerned about the 
application of a daily fine as it relates to the bill's 
security requirements. If any entity is found liable for 
violating the data minimization requirement, is every day the 
entity maintains records that should have been destroyed 
throughout all of their data bases a multiplier penalty?
    The Chamber appreciates the revisions on the data broker 
provisions that were discussed in the panel earlier.
    On enforcement, the Chamber is concerned about enabling 
State attorneys general to impose 50 different enforcement 
regimes that will undermine the uniformity of this act and make 
compliance extremely difficult. At the very least, the draft 
bill should curtail the ability of State attorneys general to 
utilize private outside contingency attorneys to enforce this 
act or to litigate claims on behalf of their constituents.
    Also the Chamber appreciates the tech-neutral provision in 
the act that says the FTC should implement in a tech-neutral 
manner. And, last, the Chamber does appreciate the inclusion of 
a prohibition of the no private right of action.
    With that, thank you, and I am happy to answer any 
questions.
    Mrs. Bono Mack. Thank you, Mr. Goldman.
    [The prepared statement of Mr. Goldman follows:]



    Mrs. Bono Mack. Mr. Holleyman, you are recognized for 5 
minutes.

              STATEMENT OF ROBERT W. HOLLEYMAN, II

    Mr. Holleyman. Chairwoman Bono Mack, Mr. Butterfield, 
members of the committee, Business Software Alliance strongly 
supports the enactment of a national data security and data 
breach notification law. We believe that that is important to 
build trust and confidence in the digital economy.
    This is now the fourth Congress to consider data breach 
legislation, and we are grateful for the opportunity that we 
have had to work with the members of this committee to advance 
a bill.
    The time to act is now. The need is clear, as are the 
solutions. BSA endorses the key elements of the SAFE Data Act 
that are before us today. We support requiring organizations 
that hold sensitive personal information to implement 
reasonable security procedures. And the draft bill takes into 
account an organization's size, the scope of its activities, 
and the costs involved.
    We support creating incentives to adopt strong security 
measures. The draft bill will promote the use of technologies 
such as encryption, which render data unusable, unreadable, or 
indecipherable to thieves if they manage to steal it. We 
support an approach that avoids unnecessarily alarming or 
confusing consumers, and the draft bill accomplishes that by 
only requiring notification when there is a risk of identity 
theft, fraud, or unlawful activity.
    Finally, we support the bill's establishment of a uniform, 
national framework with Federal enforcement preempting today's 
patchwork of State laws.
    We hear about new data breaches almost daily. One group, 
the Privacy Rights Clearinghouse, has recorded more than 2,500 
of them since 2005, involving more than 530 million individual 
records. In many cases these records include data that are 
useful to identify individuals and then exploited by thieves, 
such as Social Security, credit card, or driver's license 
numbers.
    Surveys indicate that these breaches are causing consumers 
to question the security of online transactions, and that is 
especially troubling, because we are in the middle of an 
exciting new wave of innovation with the emergence of cloud 
computing. Cloud computing offers tremendous new opportunities 
for economic growth and efficiency. It allows businesses and 
organizations to reinvent their back office operations and will 
give users access to their data and services from any device, 
whether they are at home, at the office, or on the road.
    We cannot allow breaches to erode confidence in the cloud 
environment or the Internet economy, and for years BSA members 
have been working hard to protect data from cybercriminals. BSA 
members are leaders in providing new security solutions and 
themselves invest in reducing vulnerabilities and protecting 
the integrity of their technology.
    BSA members are developing cutting-edge security solutions 
that are employed by businesses and consumers to defend against 
the evolving and the very real threats. And BSA has led the 
fight against the use of illegal software, not only because it 
drains revenues from American companies, but also because 
pirated software commonly includes malicious computer code that 
hackers and other criminals use to steal data. Importantly, BSA 
members are at the forefront of the cloud revolution, which 
creates new opportunities to better store data behind strong 
security walls.
    As this committee understands, Congress also has a 
responsibility. In the absence of a national law, States have 
enacted their own data breach notification requirements. 
Unfortunately, this has resulted in inconsistency that is 
unwieldy for business and confusing for consumers. We need a 
uniform national framework that better protects consumers and 
also, as this bill does, promotes effective security measures.
    I testified before this committee 2 years ago about the 
need for a national data breach law. Since then, another 250 
million sensitive records have been breached.
    Madam Chairman, I commend you and your colleagues for 
drafting this bill. I urge Congress to pass a Federal data 
breach law this year. And the BSA and I look forward to working 
with you and members of this committee to make that a reality.
    Mrs. Bono Mack. Thank you very much, Mr. Holleyman.
    [The prepared statement of Mr. Holleyman follows:]



    Mrs. Bono Mack. Mr. Pratt, you are recognized for your 5 
minutes.

                  STATEMENT OF STUART K. PRATT

    Mr. Pratt. Madam Chairman, Ranking Member Butterfield, and 
members of the subcommittee. My name is----
    Mrs. Bono Mack. Excuse me, is that microphone on?
    Mr. Pratt. It is. I will pull it closer.
    Mrs. Bono Mack. Thank you.
    Mr. Pratt. Madam Chairman--is it working?
    Mrs. Bono Mack. If the light is on. I can't necessarily 
tell, but the people in the back really care that they will 
hear well.
    Mr. Pratt. I am President and CEO of the Consumer Data 
Industry Association. We appreciate the opportunity to testify 
today.
    For more than a decade, CDIA has been on record as 
supporting the enactment of a inform Federal standard for both 
security of sensitive personal information and notification of 
consumers where there is a significant risk of identity theft.
    With this in mind, we applaud the focus of this hearing. 
Your committee's leadership is key to finding the right path 
forward. CDIA's members support the proactive approach you have 
taken by circulating a discussion draft in order to build the 
much-needed consensus. It is the right step to take.
    You have asked us to comment on the discussion draft known 
as the SAFE Act, or SAFE Data Act. So, first, CDIA is very 
encouraged by the essential structure of the draft bill. Risks 
to sensitive consumer data are best addressed with two key 
pillars:
    First, sensitive personal data must be secured. The draft 
proposal appropriately empowers the Federal Trade Commission to 
write scalable regulations relative to data security, much as 
the FTC and bank agencies have done for financial institutions 
governed by the Gramm-Leach-Bliley Act. CDIA members support 
this approach.
    Second, consumers must be notified when sensitive personal 
information about them has been lost or stolen. Again, our 
member support notification where, for example, there is a 
significant risk of harm for the consumer, such as the 
likelihood of becoming a victim of the crime of identity theft.
    Within these two key pillars are many provisions which are 
well thought out and deserve to be highlighted. For example, 
the discussion draft establishes strong incentives for U.S. 
businesses to adopt strategies to reduce risks by rendering 
data unusable, unreadable, orindecipherable. These incentives 
are appropriately technology-neutral and thus will spur 
innovation in the design of systems that will ultimately 
protect data about consumers.
    The draft properly includes a risk-based trigger for 
determining when a notice must be sent, which ensures that we 
as consumers receive relevant and timely notices, rather than a 
deluge of notices through which we need to sift to find the one 
that is meaningful.
    While the draft urges speedy notification of consumers, it 
acknowledges the need for law enforcement to engage with 
private sector and, in some cases, to delay such notices, but 
not to allow delays that are unduly long.
    We are pleased that the draft's proposals solve the problem 
of overlapping laws with regard to data security. Fully 
exempting persons who are subject to the data security 
requirements of Title 5 of the Gramm-Leach-Bliley Act ensures 
that CDIA members, both large and small, are in the very best 
position to successfully comply with the law and, most 
importantly, to be successful in securing sensitive personal 
information about consumers.
    We encourage the committee to adopt a similar subject to 
standard with regard to persons who are already held 
accountable for data breach notification duties under Federal 
laws, regulations, or agency guidance.
    Ensuring a truly uniform national standard for both data 
breach notification and data security is essential to the 
success of the draft the proposal. To this end, we applaud the 
inclusion of section 6. As the committee continues to refine 
the discussion draft, we encourage it to consider a subject 
matter approach to preemption to ensure that the standard is 
truly uniform.
    Regarding the content of notices, let me make just a couple 
of points:
    First, we thank you for the inclusion of language in 
section 3(e), which makes it clear that the person who 
experienced the breach and who is notifying consumers is the 
one who pays for the credit reports to which the consumer is 
entitled.
    Second, for the sake of consumers, we request that the bill 
be amended to require those who are sending out breach notices 
to more than 5,000 individuals, to notify consumer reporting 
agencies in advance so that our members can appropriately 
prepare to handle the spike in volume.
    Further, all persons issuing notices must verify the 
accuracy of the contact information included. Our members have 
at times discovered that breach notices issued by others had 
incorrect toll-free numbers listed, which is a disservice to 
consumers.
    In terms of definitions, we are glad that section 5(7)(A) 
establishes the definition for the term ``personal 
information.'' Having a definition is clearly necessary to 
ensure that all persons affected by the scope of the bill 
understand the type of data which must be protected. Section 
5(7)(B) properly excludes public records from that definition.
    Our members are concerned with the inclusion of section 
5(7)(C) which allows the FTC to alter the definition. We 
believe the definition as proposed is adequate and should be 
set by the Congress.
    In closing, let me congratulate you on a very strong 
discussion draft that is unencumbered by ancillary issues. The 
committee is on the right track, and we look forward to 
supporting its efforts to protect consumers' sensitive personal 
information. Thank you.
    Mrs. Bono Mack. Thank you, Mr. Pratt.
    [The prepared statement of Mr. Pratt follows:]



    Mrs. Bono Mack. Mr. Rotenberg, 5 minutes.

                  STATEMENT OF MARC ROTENBERG

    Mr. Rotenberg. Thank you, Madam Chair, Mr. Rush, members of 
the committee. My name is Mark Rotenberg. I am the Executive 
Director of the Electronic Privacy Information Center, and I 
teach privacy law at the Georgetown Law Center, and I thank you 
very much for holding this hearing today.
    It is actually difficult to overstate the problem of 
security breaches in the United States. In fact, as your 
earlier hearings have demonstrated, these risks are far-
reaching and they impact millions of consumers,, in May, more 
than 200,000 customers of Citigroup, and 100 million users of 
the PlayStation Network also had information improperly 
accessed.
    And if I can make an additional point for you this morning, 
these problems are going to get worse. We are moving more of 
our personal data from our laptops, our devices, and our 
desktop computers into the cloud where they can be more easily 
accessed by others. You are going to hear more and more about 
security breaches.
    You are also going to learn that the attacks are becoming 
more sophisticated. Not only do we have to now contend with 
phishing, which seeks to obtain sensitive personal data, we now 
have to contend with what is called spear phishing, which means 
identifying particular users and using some information about 
them, such as their home address, to get additional information 
that makes possible identity theft, financial fraud, and so 
forth.
    So at the outset, my sense would be that given the fact 
that the House last year had passed a strong measure, the 
problems are getting worse and likely to continue to do so. I 
would have started there and tried to figure out how to improve 
that bill. And in that spirit, I actually wanted to commend you 
for incorporating the data minimization provision in the draft 
bill.
    I think this is a very important safeguard that not only 
limits the risk at the outset by telling companies, you know, 
really think if you need to have Social Security numbers on 
health club members, for example, because if you lose control 
of that information, you have created a risk. So you reduce the 
risk at the outset. But in the circumstances where the 
information isn't properly accessed, there is less exposure to 
customers, so that is also an important safeguard. And I am 
very glad to see that incorporated in the draft measure that 
you circulated, as well as the effort to reduce the time period 
for notification.
    Because one of the other things that we have learned based 
on the Citibank experience and the Sony experience is not 
surprising. These companies are reluctant to notify their 
customers when they have a problem, and that is why legislation 
is so important for companies to tell customers that there is a 
problem and that you are going to need to act on this 
information. So I think the fact that you have limited that 
time period is very important.
    Now, in my written testimony, I made some additional 
suggestions, and I will try to highlight the key points in 
particular about questions that have been raised by the members 
during the earlier part of this hearing with Commissioner 
Ramirez.
    I noticed for example, Dr. Cassidy had asked this question: 
Well, why should we have a public information, you know, 
requirement if that data is already out there? Can't we kind of 
put that in a separate category and not have to notify people? 
And I think the answer is obvious.
    There is a big difference between someone breaking into a 
database to get someone's home address and someone finding the 
home address in a publicly accessible file. And the reason, of 
course, is that there is intent behind the break-in to go after 
the person whose home address has been obtained. And the fact 
that it might be accessible somewhere else should hardly make 
people feel good about the fact that it can be categorized as 
public information.
    So I would take away that exception that says that somehow 
companies get a free pass if it is information that can be 
obtained somewhere else, and therefore they don't have to worry 
about people breaking in who get access to it. I think the home 
address information makes obvious the problem.
    There has been some discussion about how do we define 
personally identifiable information. It is a very difficult 
problem. It comes up in almost every privacy bill. I think a 
very good starting point is to say, simply, personally 
identifiable information is information that identifies or 
could identify a person, and then include by way of 
illustration, including but not limited to many of the 
provisions you have in your bill. So it is a Social Security 
number, it is a bank account number, it is a person's name, it 
is a home address. But it could also be an IP address; in other 
words, the fixed Internet address associated with their laptop 
or their mobile device. That very well could be personal 
identifiable information.
    Their Facebook user ID could also be personally 
identifiable information. In fact, that is exactly what 
contributed to one of the concerns about app access to 
Facebook-based information.
    On this critical question of preemption, I completely 
understand why my colleagues at this table would favor national 
standard. It is quite sensible from their perspective. But I 
would urge you to look very closely at some of these strong 
State measures that would be effectively overwritten if a weak 
Federal standard is established.
    Those bills are important, and even in States like 
California, where they thought they had it right the first time 
on financial data, they had to come back later and deal with 
medical breach notification as well.
    Thank you very much.
    Mrs. Bono Mack. Thank you, and I apologize that I did not 
pronounce your name correctly. Mr. Rotenberg. Correct?
    Mr. Rotenberg. Thank you.
    Mrs. Bono Mack. Thank you.
    [The prepared statement of Mr. Rotenberg follows:]



    Mrs. Bono Mack. As a student of how John Dingell does his 
questioning, I am going to try this myself and recognize myself 
for the first 5 minutes with a ``yes'' or ``no'' required out 
of each of you, and we can go down the line starting with Mr. 
Goldman and around and around.
    So yes or no, Mr. Goldman, is the existence of so many 
State standards an impediment to faster consumer notification?
    Mr. Goldman. Yes.
    Mr. Holleyman. Yes.
    Mr. Pratt. Yes.
    Mr. Rotenberg. Should not be.
    Mrs. Bono Mack. Is preemption necessary to speed up the 
consumer notification?
    Mr. Goldman. Yes.
    Mr. Holleyman. Yes.
    Mr. Pratt. Yes.
    Mr. Rotenberg. No.
    Mrs. Bono Mack. Would a single Federal standard lessen the 
risk of over-notification and decrease the number of 
unnecessary notices sent every year?
    Mr. Goldman. Yes.
    Mr. Holleyman. Yes.
    Mr. Pratt. Yes.
    Mr. Rotenberg. No.
    Mrs. Bono Mack. Do you think consumers can become 
desensitized to risk if they receive too many notifications?
    Mr. Goldman. Yes.
    Mr. Holleyman. Yes.
    Mr. Pratt. Yes.
    Mr. Rotenberg. Yes.
    Mrs. Bono Mack. Do you believe there is a problem with 
over-notification that can adversely affect consumers even if 
it may be erring on the side of caution with consumers' 
benefits?
    Mr. Goldman. Yes.
    Mr. Holleyman. Yes.
    Mr. Pratt. Yes.
    Mr. Rotenberg. No.
    Mrs. Bono Mack. Do businesses ever err on the side of 
notifying consumers even if they may not be required to do so, 
because wading through 46-plus standards is too difficult or 
time-consuming?
    Mr. Goldman. Yes.
    Mr. Holleyman. Yes.
    Mr. Pratt. Yes.
    Mr. Rotenberg. I don't know.
    Mrs. Bono Mack. Should companies who no longer need it keep 
sensitive information such as credit card numbers or dates of 
birth in perpetuity?
    Mr. Goldman. Would you repeat the question? Sorry.
    Mrs. Bono Mack. Should companies who no longer need it keep 
sensitive information such as credit card numbers or dates of 
birth in perpetuity?
    Mr. Goldman. ``It depends'' is not an answer, right? No.
    Mr. Holleyman. I would say no.
    Mr. Pratt. No.
    Mr. Rotenberg. No.
    Mrs. Bono Mack. Should every data breach trigger a notice 
to consumers?
    Mr. Goldman. No.
    Mr. Holleyman. No.
    Mr. Pratt. No.
    Mr. Rotenberg. Yes.
    Mrs. Bono Mack. Should information made available by 
Federal, State, or local governments in accordance with the 
law, and thus otherwise be publicly available, be considered 
personal information?
    Mr. Goldman. No.
    Mr. Holleyman. I would not take a position on that.
    Mr. Pratt. No.
    Mr. Rotenberg. Yes.
    Mrs. Bono Mack. Should the FTC have the ability to modify 
the definition of PDI?
    Mr. Goldman. No.
    Mr. Holleyman. I would say our answer would be yes.
    Mr. Pratt. No.
    Mr. Rotenberg. Yes.
    Mrs. Bono Mack. Should entities that are governed by 
explicit information security and breach notification 
requirements of other Federal laws enforced by other agencies 
also be subject to FTC enforcement under this draft?
    Mr. Goldman. No.
    Mr. Holleyman. No.
    Mr. Pratt. No.
    Mr. Rotenberg. Yes.
    Mrs. Bono Mack. Should all entities, regardless of their 
size or the scope of personal data they hold, be subject to the 
same data security requirement rules for section 2 of this 
legislation?
    Mr. Goldman. No.
    Mr. Holleyman. We have not taken a position on that.
    Mr. Pratt. No.
    Mr. Rotenberg. No.
    Mrs. Bono Mack. Thank you. And do you believe regulation of 
the collection and use of data is a data security issue?
    Mr. Goldman. Yes.
    Mr. Holleyman. Yes.
    Mr. Pratt. No.
    Mr. Rotenberg. Yes.
    Mrs. Bono Mack. Do you think encrypted data that is 
breached should require notification?
    Mr. Goldman. No.
    Mr. Holleyman. No.
    Mr. Pratt. No.
    Mr. Rotenberg. Yes.
    Mrs. Bono Mack. And lastly, should State attorney generals 
have the ability to enforce this law.
    Mr. Goldman. No.
    Mr. Holleyman. Yes.
    Mr. Pratt. No position.
    Mr. Rotenberg. Yes.
    Mrs. Bono Mack. Is your organization a nonprofit 
organization?
    Mr. Goldman. Yes.
    Mr. Holleyman. Yes.
    Mr. Pratt. Yes.
    Mr. Rotenberg. Yes.
    Mrs. Bono Mack. Does your organization maintain personal 
information of the sort that would be covered by this bill?
    Mr. Goldman. I don't know.
    Mr. Holleyman. Yes, for our employees.
    Mr. Pratt. Yes.
    Mr. Rotenberg. Yes.
    Mrs. Bono Mack. Do you agree with the proposal to allow the 
FTC to regulate in this area?
    Mr. Goldman. Yes.
    Mr. Holleyman. Yes.
    Mr. Pratt. Yes.
    Mr. Rotenberg. Yes.
    Mrs. Bono Mack. And now just the wild card, to throw it 
out: Do you believe political campaigns should be covered as 
well?
    Mr. Goldman. No comment.
    Mr. Holleyman. Would consider it.
    Mr. Pratt. No position.
    Mr. Rotenberg. Yes.
    Mrs. Bono Mack. Thank you. All right. That went rather 
well.
    Mr. Goldman, you suggest change in the time frame from 48 
hours to a reasonable time frame would guard against over-
notification and consumer overreaction. If notification is tied 
to risk of harm, how do we risk over-notification?
    Mr. Goldman. I think it comes down to, again, we are 
extremely concerned about over-notification, and specifically 
it depends what kind the breach is. I mean, this is one of the 
things I mentioned in my testimony, is that if you, for 
example, have an employee steal information for another 
employee, that is sort of a one-on-one breach; so does that 
trigger the whole breach mechanism that is included as part of 
this? So I think it sort of depends on a case-by-case basis, is 
what I would say.
    Mrs. Bono Mack. Thank you.
    And Mr. Rotenberg, you recommend that Congress define PII 
and not permit the FTC to further amend that definition--I 
mean, excuse me; Mr. Pratt, this question is for you. But is it 
wise to lock anything into stone when it comes to technology? 
Could there be advances in technology that would enable 
seemingly innocuous pieces of information to become the tool of 
fraudsters?
    Mr. Pratt. As an industry that deals with a lot of that 
information that is sensitive and as an industry that secures 
that information today, I mean, we are comfortable with the 
structure that you have in place. We do think it encompasses 
the types of data that expose consumers to a degree of risk. 
And I think even some of the examples that Mr. Rotenberg has 
given, we would disagree with those, that those are necessarily 
new and different risks that might have to be accounted for 
subsequently. So we still stand by the position that we believe 
Congress should work out its definition and give businesses a 
stable marketplace in which to then compete and build the 
products and services.
    Mrs. Bono Mack. Thank you. My time is expired. I look 
forward to a second round of questioning, and now recognize Mr. 
Butterfield for 5 minutes.
    Mr. Butterfield. I thank the chairman. Information brokers 
possess huge data profiles on a staggering number of Americans, 
nearly all of them--nearly all of whom do no business with 
these brokers. These brokers invest time and money to uncover 
personal details and, without knowledge or consent, they sell 
this information to the highest bidder. It appears that 
American consumers have no free market method of showing 
disapproval if they feel their personal information is being 
misused or to correct any inaccuracies in the profiles. It is 
in situations like these where it becomes prudent to enact laws 
that empower consumers, giving them the tools they need to 
control their personal data.
    Mr. Rotenberg, do you believe, sir, that consumers should 
be able to access the information that brokers hold about them 
upon their request?
    Mr. Rotenberg. Yes, I do, Mr. Butterfield. And I do so for 
precisely the reason that you explained, which is that there is 
no one-to-one relationship between the consumer and the 
information broker. They are a third party, which means the 
consumer actually doesn't otherwise know what information they 
would have.
    Mr. Butterfield. When a broker possesses information. Who 
actually owns that data?
    Mr. Pratt. Well, of course the broker would claim that they 
do. But what they do with the data has an enormous impact on 
the individual. It can determine employment, it can determine 
whether they get an apartment, a Federal contract. A whole 
range of activity in the United States is today deeply impacted 
by the information that information brokers have about us and 
they make available to others.
    Mr. Butterfield. Do you believe that consumers should be 
able to dispute inaccurate information that brokers hold on 
them?
    Mr. Rotenberg. Yes I do. The information brokers have 
become the modern-day equivalent of the credit reporting 
agency. And Congress figured out 40 years ago the credit 
reporting agencies were holding financial reports on consumers 
that impacted their ability to get loans and start businesses. 
Information brokers are playing a similar role today. 
Individuals should have a right to dispute what is in that 
record.
    Mr. Butterfield. H.R. 2221, the data security bill approved 
by the House last Congress, that Mr. Rush and others had their 
fingerprints on but which the Senate failed to act, contained 
various requirements on how information brokers must interact 
with consumers seeking to access their personal information or 
resolve a dispute about its accuracy or misuse.
    In lieu of complying with these requirements, brokers were 
given an alternative procedure that they could follow; namely, 
providing individuals with the option to completely opt out of 
having their personal info used for marketing purposes. Neither 
the special requirements on information brokers nor the 
alternative opt-out procedure are included in the Republican 
discussion draft as we can discern.
    In the absence of a Federal law mandating simple opt-out 
procedures, brokers have generally not provided them. However, 
in a perverse turn the data broker, U.S. Search, Incorporated, 
recently tried to fill the gap by telling consumers that for 
$10 it would lock their record so that others could not see 
them or buy them. The FTC soon found this promise was entirely 
false. In March the Commission reached a settlement where the 
company agreed to refund all fees charged and avoid 
misrepresentations in the future.
    Again, Mr. Rotenberg, do you believe that it is currently 
too difficult for consumers to opt out of information broker 
databases?
    Mr. Rotenberg. Yes, I do, Mr. Butterfield. I think this is 
an area where there needs to be legislative safeguards.
    Mr. Butterfield. Can you discuss how difficult it is to 
remove one's information from a broker's database in regards to 
broker retailers?
    Mr. Rotenberg. Well, the broker business model relies, of 
course, on the collection of detailed information about 
consumers without their knowledge. It is not the consumers 
providing information. And that information gains commercial 
value as it is shared with more third parties. The consumer has 
no ability to interact to limit those transactions. So the 
simple answer to your question is, it is very difficult--it is 
very difficult I think for consumers to play any meaningful 
role in what information brokers do with information about 
them.
    Mr. Butterfield. I see your point. And let me just throw it 
over to the chairman and yield to her.
    Mrs. Bono Mack. I appreciate the gentleman yielding to me 
very much at a strange time.
    I just want to reiterate to the panel and the subcommittee 
that we are also looking at privacy. And to the degree that we 
can separate the privacy debate from the data breach debate, it 
all will be helpful for us as lawmakers to understand that the 
two, although very similar in this case, they might be 
different. So I just wanted to throw that out for you all, to 
point out when you see it as a privacy issue beyond data 
breach, that would be helpful.
    Mr. Butterfield. That is a very important distinction, and 
I thank the chairman for making that comment. My time is 
expired. I yield back.
    Mrs. Bono Mack. Thank you very much, Mr. Butterfield. And 
the chair is happy to recognize Mr. Stearns for 5 minutes.
    Mr. Stearns. Thank you Madam Chair.
    Mr. Goldman, the chairlady talked about this 48 hours 
breach. And Mr. Goldman, you had indicated that you have more 
preference for a reasonable, I think you indicated----
    Mr. Goldman. Correct.
    Mr. Stearns. Are there cases where, for example, we could 
move the 48 hours to, let's say 96 or 72, that you would feel 
more comfortable with, rather than 48 hours; or is it a 
fundamental idea in your mind that every company is different; 
one is a small company, one is a large company, the situation 
in which it occurs is different, so in fact to put a mandate of 
48 hours as a time frame might not be applicable? So maybe you 
might want to explore that.
    Mr. Goldman. Sure. I mean, from talking to some of our 
members that have experienced, unfortunately, some of these 
breaches, they are talking that it can take anywhere from a few 
days, to even 100 days or more, to get to the bottom of it. So 
that is why we are very leery of putting a time frame on it.
    I guess H.R. 2221 included, I think, a 60-day time frame. I 
don't think we generally supported that bill, but I don't think 
we fully vetted that 60-day requirement, so I would have to get 
back to you on that. But I think generally we are concerned 
about making sure that businesses have the ability to properly 
react without having a time frame guide their actions.
    Mr. Stearns. Can you give me a specific example from one of 
your members where a 48-hour time frame would be harmful or 
very difficult to accomplish?
    Mr. Goldman. Well, I think from reading the press reports, 
I will speak to this. In one of the cases that recently 
occurred the company said, originally said, that the credit 
card data was compromised. And it turns out that credit card 
data was not compromised.
    Mr. Stearns. So it took them some time to figure it out?
    Mr. Goldman. It took them some time, but in the meantime 
they notified and told customers that their credit card data 
was compromised. So in the meantime you have customers 
canceling their credit cards, going through the inconvenience 
of canceling their credit card and having to get new credit 
cards. And it is even more of an inconvenience if you have 
monthly fees automatically charged to your credit card, because 
then you have to contact those vendors, and it just gets very 
complicated.
    So I think from the consumer point of view, I would like to 
make sure before I go through that hassle that I actually have 
to.
    Mr. Stearns. And so when you use the language 
``reasonable'' time period, that gives them that flexibility?
    Mr. Goldman. I would say so.
    Mr. Stearns. And Mr. Rotenberg, you don't agree with this. 
As I understand it, you think that 48 hours. But based upon 
what Mr. Goldman said, is there a possibility where there are 
situations where a company, particularly you mentioned this 
credit card company, that if they go out and scare all their 
members within this 24- or 48-hour period, these people all 
start canceling their credit cards, when actually when they do 
the investigation there was not a breach? Is that a good 
example or do you think that his example is----
    Mr. Rotenberg. If I may clarify, Congressman, not only do I 
stay by the 48-hour rule, I actually disagree with the 
characterization of your first witness. I know a fair amount 
about what happened in this Citigroup breach matter. In fact, 
there was credit card information disclosed; it was account 
holder name information and it was the account number 
information. Now, it was not the security code and it was not 
the expiration number. And the conclusion was drawn that 
therefore the risk was somewhat--somewhat less than they 
initially thought. But the risk was very real and it was 
important for people to be notified.
    Mr. Stearns. But would you also agree with what Mr. Goldman 
says, that every company is different and sometimes this breach 
when they are going to look at perhaps thousands and millions 
and tens of thousands, that it is possible that they can't do 
it in 48 hours, and there might be some idea, maybe not 48 and 
96, there might be a reasonable time period; wouldn't you agree 
on that?
    Mr. Rotenberg. I appreciate the difficulty, and there is no 
doubt there is a real burden on companies when they have to 
notify customers, and they are understandably reluctant to. But 
there is a problem, and I don't think we can diminish the 
problem by----
    Mr. Stearns. OK. I want to go on. I have another question.
    Mr. Goldman. Just to clarify, I was not referring to 
Citibank, just to clarify.
    Mr. Stearns. OK. Also in the bill it talks about personal 
identifiable information, and we had some questions on that. Is 
there any--are any of you concerned about the definition of 
personal identifiable information? Can a company adequately 
understand that definition so that they can actually conclude 
when it comes to data minimization what they should take out?
    I guess my question is, Mr. Goldman, are you concerned 
about the FTC and how they interpret these terms and what 
impact the legislation would have dealing with data 
minimization?
    Mr. Goldman. Yes, we are concerned about the ability of the 
FTC to expand its definition of what PII means. I think we are 
comfortable with the definition that is in the draft bill as 
is. We worry about the inclusion of Internet protocol 
addresses, we worry about inclusion of user names. So I think, 
yes, we are definitely worried about the expansion, the 
possibility of expansion authority.
    Mr. Stearns. Thank you, Madam Chair.
    Mrs. Bono Mack. I thank the gentleman. The chair now 
recognizes Mr. Rush for 5 minutes.
    Mr. Rush. I want to thank you, Madam Chair.
    Mr. Holleyman, you said in your testimony, and I hope that 
I am accurate in my paraphrasing, that security breach 
notifications should be required in instances where there is 
reasonable risk of identity theft, fraud, or unlawful conduct. 
You suggest that these limits are needed to help reduce 
excessive notifications which might lead to mass anxiety and 
panic among consumers. But as Mr. Rotenberg pointed out, 
phishing and spear fishing was the two examples of fraud and 
unlawful conduct likely to result in most, if not all, 
instances of large-scale breaches.
    So should the scale of the breach be a dispositive factor 
in determining whether consumers also receive immediate 
notification?
    Mr. Holleyman. Thank you, Mr. Rush. A good question. I 
think we believe that there should be notification triggered 
when there is a significant risk of a harm. We think that the 
important provisions in this bill, however, are the ones that 
encourage industry to adopt security measures, using encryption 
or other technologies that would render the information 
indecipherable or unreadable; and that that is actually, at the 
end of the day, the most important safeguard because that, when 
it is affected--if that information is obtained but the 
criminal can't do anything with that information, then we 
believe that you should not have to notify consumers, because 
it is that excessive notification that we believe raises 
consumers' concerns unnecessarily. And what the market should 
be doing is driving people to store data in unreadable format 
so that when breaches occur--and they will--the criminal can't 
do anything with that data.
    Mr. Rush. Do the other three witnesses agree with that?
    Mr. Pratt. We strongly agree, though, that one of the--and 
this was true of your bill as well, Congressman, and that is 
the incentive to render the data unusable is probably one of 
the most critical provisions of the current draft of the bill 
that you had passed last year. It is the one that we focus on 
as an industry every day, it is the one that we take most 
seriously. Because the strong incentive is not to notify people 
that you have lost data, whether it is a criminal act or some 
other failing, but to have protected it in the first place. I 
mean, that is always first. Protect it in the first place. Find 
the best technology to do it when the data is at rest, when the 
data is in transmission. That is really critical.
    Mr. Rush. Mr. Pratt, you argue in your testimony for 
advance notice of a security breach presumably at the same time 
as when notice is given to the FTC. Would such a model favor 
your members over other similar parties who don't make the 
definitional cut as, quote, ``data broker,'' end of quote?
    Mr. Pratt. The reason we are requesting notice--and I am 
not sure we are saying that it has to occur concurrent with 
notification of law enforcement or the FTC--we are just 
simply--we have call centers, and when a letter goes out and 
says, call the credit bureau and order a credit report, we have 
to make sure that we have the right staff, we have to make sure 
that we have the right pipes open for the online access or the 
telephonic access, even the mail processing access. And we have 
to normalize systems. We understand what our normal pattern is.
    But a very, very large data breach creates aberrant 
patterns which create spikes of activity. We just want to be 
able to serve the consumer and ensure that they get the credit 
report that they want, or ensure that the telephone is picked 
up on time, which is what they expect. So that really is the 
reason why we are asking for that.
    Mr. Rush. Can any of the other witnesses conceive how such 
a model might impede the FTC's ability to investigate and 
enforce under the law? Any other witnesses? All right.
    OK, let me ask Mr. Rotenberg. Mr. Rotenberg, can you please 
elaborate further on why you believe this definition of 
personal information is too narrow and why you believe it 
should be defined as information that, quote, ``identifies or 
could identify a particular person,'' end quote.
    Mr. Rotenberg. Well, I think the definition that I proposed 
followed with examples, which are included in the bill, is 
common sense. We think of personal information as information 
that identifies someone, or could identify them, and then the 
examples are good. But I also know, based on some of the recent 
experiences with data breaches, that an IP address poses a risk 
because it can be personally identifiable.
    The Facebook user ID posed a risk because it was user 
identifiable. So the list helps people understand. But if the 
list is limited, I think we have a problem.
    Mr. Rush. Thank you, Madam Chair. I yield back the balance 
of my time.
    Mrs. Bono Mack. Thank you, Mr. Rush. And the chair 
recognizes Mr. Olson for 5 minutes.
    Mr. Olson. I thank the chair, and I would like to welcome 
the witnesses. And I really appreciate your perspectives on an 
issue which has only become more pervasive in the future, just 
as Mr. Rotenberg eloquently stated in his opening statement.
    My first two questions are for you, Mr. Goldman. What is 
the Chamber's view of the carveout for entities already covered 
in the Gramm-Leach-Bliley? Is this an adequate, explicit 
carveout?
    Mr. Goldman. We didn't take a position in our testimony. 
But generally we have supported carveouts for entities that are 
already covered by other laws, so there is not duplicative laws 
and they can figure out which agency they are better regulated 
under. So, yes, that is my answer.
    Mr. Olson. OK. Thank you for that answer. And as currently 
drafted, the legislation standard for risk is a reasonable risk 
of harm. When I asked our witness on a previous panel, the FTC 
commissioner, Ms. Ramirez, she stated that the FTC thought that 
reasonable risk was the right standard, because erring on the 
side of notification overrides some sort of desensitation of 
the public.
    And could you elaborate on why the Chamber believes that 
consumers will be better off if the standard were changed to 
significant risk of harm?
    Mr. Goldman. Sure. The Chamber does support a significant 
risk standard because we are worried, I guess as I stated in my 
opening comments, about two possibilities where customers are 
over-notified and they just ignore it, and then when a real 
risk occurs they don't take any action; or they get a notice 
and get--and sort of reactneedlessly, and so they cancel their 
credit card. So both--I mean both extremes. So we prefer to 
have the significant risk standard.
    Mr. Olson. Thank you for that answer. And then I have got a 
round of questions for all four of the witnesses. And we will 
start off with you, Mr. Rotenberg, just to give Mr. Goldman a 
break here. But if you or one of your member companies suffered 
from a security breach, how would the proposed SAFE Data Act 
change their response and how would it better help consumers 
avoid identity theft?
    Mr. Rotenberg. Congressman, we actually don't have member 
companies. But I will say that many of the elements that are 
currently in the bill we have actually tried to follow over the 
years. For example, this goal of data minimization we think is 
a very good way to protect people online, and we have for a 
number of years taken steps to limit the amount of personal 
information that we collect. We collect information we need to 
provide the services that we provide, but we don't collect 
excessive information.
    Mr. Olson. Thank you. Mr. Pratt.
    Mr. Pratt. Our members are regulated first on the data 
breach notification side by the 47 or 48 State statutes that 
are out there today. So establishing a Federal standard I think 
would give us an easier route to compliance. But we would be 
notifying consumers, just as we do today, under those State 
statutes. And all of our, almost all of our members are 
financial institutions under the Gramm-Leach-Bliley Act. And so 
we are already complying with a data security regime which is 
called the Safeguards Rule.
    And so for most of our members it would not be a remarkable 
change. In fact, even where our members have sensitive data 
that isn't otherwise regulated under GLB, for example, we build 
enterprise-wide data security. There is no reason to segregate 
out some data and treat it differently from other information, 
so it is built enterprise-wide.
    Mr. Olson. Thank you for that answer. Mr. Holleyman.
    Mr. Holleyman. I can't speak for any individual member 
company. But I can say that all of our companies are involved 
in trying to build greater security into their products in 
companies who provide tools to consumers and businesses to 
secure their environments. And certainly in supporting the 
concepts of this bill, we recognize that they are ones that we 
would be subject to. And our members with that are completely 
welcoming this legislation, again with some fine-tuning we 
would like to see. But we think it is important to act, and 
important to act this year.
    Mr. Olson. Thank you, sir. And finally, Mr. Goldman.
    Mr. Goldman. Sir, with the uniform national standard it 
would make it easier for our companies to comply, versus the 
current situation of having to comply with 46, 47 State rules. 
Also a lot of our companies are covered by other laws such as 
GLB or HIPAA.
    Mr. Olson. Well, thank you for that question. As a Navy 
guy, I can say to all four of you that we may not be hitting 
the bull's-eye but we are hitting the target.
    Finally, one question for the four of you. This proposed 
legislation would require an entity to conduct an assessment 
upon discovering a breach.
    Do you or one of your member companies, with all due 
apologies, Mr. Rotenberg, already conduct assessments? I think 
I know the answer. And how would this requirement and its 
timing impact your ability--your company's ability to members 
to resolve a security breach?
    Mr. Rotenberg. I will take a pass.
    Mr. Pratt. I can't speak specifically, because today those 
assessments would be dictated by the State laws that are out 
there which dictate different standards. That is one of the 
reasons why a national standard would be helpful in terms of 
assessing a data breach risk.
    If I could just take 1 minute to speak to this GLB 
exception. It is important to have this exception, because data 
security in this bill is a good idea, and our members are happy 
to live under a new data security regime for part of our 
businesses which might not otherwise be regulated. But if our 
members, small or large, are regulated by the Gramm-Leach-
Bliley Act, we are only asking that we just operate in tandem, 
that we have the same data security provision under GLB.
    That is why that exception is so important, though, because 
it means I don't have overlapping requirements between two 
different standards. And for small businesses, in particular in 
our membership, that is an important thing, because they don't 
necessarily have a general counsel on staff that is going to 
advise them all the time.
    Mr. Olson. Thank you for that. Mr. Holleyman.
    Mr. Holleyman. Because our members oftentimes provide 
technologies that are used to prevent breaches, we also have a 
lot of experience in helping identify breaches when they occur. 
And we know through that, that the nature of the breach may 
differ, the amount of time to make the assessment may differ, 
and we support the provisions of the bill that are flexible, 
depending on the nature of the breach and the size of the 
enterprise.
    Mr. Olson. Thank you. And finally, Mr. Goldman.
    Mrs. Bono Mack. Excuse me, we need to move on. We are a 
minute over.
    Mr. Olson. That was yield back time that I didn't have, but 
I yield back the balance of my time.
    Mrs. Bono Mack. I appreciate that very much, and am happy 
to recognize Mr. Kinzinger for 5 minutes.
    Mr. Kinzinger. Thank you, Madam Chairman. And I will say as 
an Air Force guy, we hit the bull's-eye on the target every 
time, so I think that is important to note.
    Mr. Olson. You don't want to go there, my friend.
    Mr. Kinzinger. I appreciate all four of you in your 
assistance in helping us draft, I think, this very important 
piece of legislation. Some of this stuff has been touched on a 
little bit, but I want to make sure we are getting all the 
questions answered that we need.
    For the three, Mr. Holleyman, Pratt, and Rotenberg, and 
then I guess Mr. Goldman, if you want to jump in on this too. 
Let me ask, in the current draft, if a company is unable to 
detect a breach over the course of several months due to 
insufficient security techniques, it does not appear that they 
necessarily face harsher penalties for that.
    Do you believe that this legislation should include 
reasonable standards or methods for detecting breaches, and 
penalties for those companies that fail to reach those 
standards?
    Mr. Rotenberg. Yes, I think it is an excellent point. It 
would be a good change.
    Mr. Pratt. We haven't actually asked our members that 
question, but maybe we could follow up with you and give you an 
answer to that. I would say in general, though, that the data 
security requirements that the FTC writes today are broad, they 
are enforced aggressively, and they would imply that you have 
to have sufficient security standards, not just simply to 
protect against, but to detect possible intrusions.
    And I know even the association I run has stood up several 
major platforms where we have had intrusion detection systems 
that operate concurrently with other forms of protection of the 
data itself, so it is fairly common.
    Mr. Kinzinger. And for those kinds of systems are they 
pretty foolproof?
    Mr. Pratt. Well, I don't think anything is foolproof. It is 
a moving target. And I think that is very important for all of 
you--all of you all know this because of the cybersecurity 
issues that you probably learned about in other hearings; and 
that is, it is a moving target. So they are always hitting 
targets, but they are different targets.
    Mr. Kinzinger. Right. I understand.
    Mr. Pratt. But it is critical. And so when you look at 
these security requirements that are imposed on U.S. 
businesses, they are written flexibly enough to account for 
ongoing assessment of risk. That is one of the key components. 
We are comfortable with that. Because we would agree, by the 
way, as well that it is a business necessity that we protect 
the data that we have, that we use the best technologies, that 
we look at new risk.
    Our members, for example, participate in the ISAC, which is 
the Information Sharing and Analysis Center that is operated by 
Treasury in order to see what kind of cybersecurity risks are 
out there, so we exchange information.
    Mr. Kinzinger. Mr. Holleyman.
    Mr. Holleyman. We certainly support the framework that this 
bill outlines. I want to get back to you on some of the 
specifics, particularly around newer concepts like 
minimization. They are important but we have to canvas our 
members. We do believe that this bill is important because it 
not only deals with the issue of notification of breaches after 
the fact, but it puts in place obligations related to securing 
data. Again, those obligations, and when businesses do that up 
front, that is going to minimize the need for notifications, 
the excessive notification. So that is an important addition to 
the concept of this bill.
    Mr. Kinzinger. Did you want to jump in on this?
    Mr. Goldman. I have to go back to our members and ask, but 
generally companies are very concerned about reputational harm. 
So they are going to take, you know, for liability purposes and 
reputation purposes, they are going to take the best practices 
they can imagine.
    Mr. Kinzinger. And just quickly.
    Mr. Pratt. Just one point. And that is data security 
involves access control. Access control would almost inherently 
require or at least implicitly require some sort of intrusion 
detection system, because otherwise you are not controlling 
access. So I think even if it is not expressly stated, it is 
built into the access control concept.
    Mr. Kinzinger. OK. And as we talked about, getting into the 
boy-who-cried-wolf issue--and if we can keep this real brief 
for all of you--this draft could give a company an exceedingly 
long period of time to notify customers in a breach of high 
severity.
    Do you believe we should look into creating kind of tiers 
of risk, so if there is a high level of risk for the consumer, 
that notification be treated differently than that of a more 
moderate risk? Should we have obviously different tiers on 
that?
    Mr. Rotenberg. Congressman, I think that is an attractive 
idea, but it would actually end up adding a layer of complexity 
to an already serious problem. And I think it is notable when 
we have these extreme breach problems with Citibank, Sony, and 
others, very sophisticated companies, a large number of 
customers, here we are more than a month later and we still 
don't fully know the extent of the harm.
    So while I appreciate the approach, I would try to go for a 
single simple standard. I think it is easier to manage.
    Mr. Kinzinger. And if you just, very quickly, because I 
have one more quick question and 20 seconds.
    Mr. Pratt. I would have to get back to you on that. We 
don't have a position on that right now.
    Mr. Kinzinger. OK.
    Mr. Holleyman. We believe your issue can be best addressed 
by using the term ``significant risk'' in the bill.
    Mr. Kinzinger. And then, Mr. Goldman, do you believe that 
the legislation should more clearly define the size and scope 
of companies that must develop a security plan?
    Mr. Goldman. Yes. I mean, specifically--well, I will go 
back to what I said before, was that when it talks about the--
you know, if you have a breach, you know, it depends on the 
size of the breach; and in terms of the company, yes. I mean, 
small businesses obviously are going to have much different 
capabilities to respond than a larger-size business, yes.
    Mr. Kinzinger. And I yield back my negative time. Thank 
you, Madam Chairman.
    Mrs. Bono Mack. Thank you very much, Mr. Kinzinger. And 
gentlemen, I would like to express the gratitude of all of the 
members of our subcommittee for your time today and thank you 
for your willingness to engage with us on this very important 
discussion. I think there are a lot of great ideas and 
willingness to come together with a great bill.
    I want to reiterate again my desire for a bipartisan 
product, and believe that Mr. Butterfield and I can accomplish 
that goal. I am very hopeful for that.
    I would also like to say that I was hoping for a second 
round of questions but time has gotten the better of us here. 
So I note that I will have some further questions in writing to 
send to all of you. And I would like to remind the members that 
they all have 10 business days to submit questions for the 
record, and would ask the witnesses to please respond promptly 
to any questions they receive.
    Mrs. Bono Mack. So again, as the recent spate of high-
profile, eye-popping data breaches point to the need for new 
safeguards to better protect sensitive online consumer 
information. It is a huge challenge and I know that we can get 
this done by working together.
    So thank you all very much for your time today. And with 
that, the hearing--the subcommittee is adjourned.
    [Whereupon, at 1:05 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

               Prepared Statement of Hon. Edolphus Towns

    Thank you Chairman Bono-Mack and Ranking Member Butterfield 
for holding this legislative hearing today on ``The SAFE Data 
Act''. The issue of data theft has plagued consumers in our 
country for several years and currently there is no 
comprehensive federal law that would require companies that 
hold consumer's personal information to implement reasonable 
measures to protect that data. It is my hope that this hearing 
will reinforce the need to protect consumers
    against fraudulent activity that target an individual's 
personal information. With the advent of cloud computing and 
the increased volume of online purchasing, data security must 
be at the forefront of consumer protection.
    In the previous Congress members from both sides of the 
isle took the lead on this issue and acted in a bipartisan 
effort to reduce the number of data breaches while at the same 
time empowering consumers with new rights whenever personal 
information is compromised. Unfortunately time was not on our 
side and the Senate was unable take on this issue of data theft 
before the end of the 111th Congress. Data theft still remains 
a very large burden for the American consumer that must be 
addressed by legislative action from this committee. 
Unfortunately the discussion draft before us today falls short 
of the commitment needed to ensure that the personal 
information of hard working Americans are kept safe.
    Recent media reports pertaining to data breaches at the 
Sony Corporation, Epsilon Data Management and Gawker Media help 
to reinforce the need for congress to act once again in a 
bipartisan manner. I look forward to hearing from our witnesses 
today about how they have been dealing with this important 
issue. I also look forward to working with my colleagues on 
this committee to ensure that data security measures and 
protocols are enhanced in this congress to protect the American 
people.
    Thank you Madam Chair, I yield back my time.
                              ----------                              





                                 
