<html>
<title>DISCUSSION DRAFT OF H.R., A BILL TO REQUIRE GREATER PROTECTION FOR SENSITIVE CONSUMER DATA AND TIMELY NOTIFICATION IN CASE OF BREACH</title>
<body><pre>[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]


DISCUSSION DRAFT OF H.R. ___, A BILL TO REQUIRE GREATER PROTECTION FOR
   SENSITIVE CONSUMER DATA AND TIMELY NOTIFICATION IN CASE OF BREACH

=======================================================================

                                HEARING

                               BEFORE THE

           SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 15, 2011

                               __________

                           Serial No. 112-62


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov

                                _____

                  U.S. GOVERNMENT PRINTING OFFICE
71-568 PDF                WASHINGTON : 2011


                    COMMITTEE ON ENERGY AND COMMERCE

       FRED UPTON, Michigan
              Chairman
JOE BARTON, Texas                    HENRY A. WAXMAN, California
  Chairman Emeritus                    Ranking Member
CLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky               EDWARD J. MARKEY, Massachusetts
JOHN SHIMKUS, Illinois               EDOLPHUS TOWNS, New York
JOSEPH R. PITTS, Pennsylvania        FRANK PALLONE, Jr., New Jersey
MARY BONO MACK, California           BOBBY L. RUSH, Illinois
GREG WALDEN, Oregon                  ANNA G. ESHOO, California
LEE TERRY, Nebraska                  ELIOT L. ENGEL, New York
MIKE ROGERS, Michigan                GENE GREEN, Texas
SUE WILKINS MYRICK, North Carolina   DIANA DeGETTE, Colorado
  Vice Chairman                      LOIS CAPPS, California
JOHN SULLIVAN, Oklahoma              MICHAEL F. DOYLE, Pennsylvania
TIM MURPHY, Pennsylvania             JANICE D. SCHAKOWSKY, Illinois
MICHAEL C. BURGESS, Texas            CHARLES A. GONZALEZ, Texas
MARSHA BLACKBURN, Tennessee          JAY INSLEE, Washington
BRIAN P. BILBRAY, California         TAMMY BALDWIN, Wisconsin
CHARLES F. BASS, New Hampshire       MIKE ROSS, Arkansas
PHIL GINGREY, Georgia                ANTHONY D. WEINER, New York
STEVE SCALISE, Louisiana             JIM MATHESON, Utah
ROBERT E. LATTA, Ohio                G.K. BUTTERFIELD, North Carolina
CATHY McMORRIS RODGERS, Washington   JOHN BARROW, Georgia
GREGG HARPER, Mississippi            DORIS O. MATSUI, California
LEONARD LANCE, New Jersey            DONNA M. CHRISTENSEN, Virgin
BILL CASSIDY, Louisiana                  Islands
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia


           Subcommittee on Commerce, Manufacturing, and Trade

                       MARY BONO MACK, California
                                 Chairman
MARSHA BLACKBURN, Tennessee          G.K. BUTTERFIELD, North Carolina
  Vice Chair                           Ranking Member
CLIFF STEARNS, Florida               CHARLES A. GONZALEZ, Texas
CHARLES F. BASS, New Hampshire       JIM MATHESON, Utah
GREGG HARPER, Mississippi            JOHN D. DINGELL, Michigan
LEONARD LANCE, New Jersey            EDOLPHUS TOWNS, New York
BILL CASSIDY, Louisiana              BOBBY L. RUSH, Illinois
BRETT GUTHRIE, Kentucky              JANICE D. SCHAKOWSKY, Illinois
PETE OLSON, Texas                    MIKE ROSS, Arkansas
DAVE B. McKINLEY, West Virginia      HENRY A. WAXMAN, California, ex
MIKE POMPEO, Kansas                      officio
ADAM KINZINGER, Illinois
JOE BARTON, Texas
FRED UPTON, Michigan, ex officio


                             C O N T E N T S

                              ----------
                                                                   Page
Hon. Mary Bono Mack, a Representative in Congress from the State
  of California, opening statement...............................    33
    Prepared statement...........................................    34
Hon. Henry A. Waxman, a Representative in Congress from the State
  of California, opening statement...............................    35
Hon. Cliff Stearns, a Representative in Congress from the State
  of Florida, opening statement..................................    37
Hon. G.K. Butterfield, a Representative in Congress from the
  State of North Carolina, opening statement.....................    38
Hon. Edolphus Towns, a Representative in Congress from the State
  of New York, prepared statement................................   132

                               Witnesses

Edith Ramirez, Commissioner, Federal Trade Commission............    39
    Prepared statement...........................................    42
    Answers to submitted questions...............................   134
Jason D. Goldman, Counsel, Telecommunications & E-Commerce, U.S.
  Chamber of Commerce............................................    78
    Prepared statement...........................................    81
Robert W. Holleyman, II, President and CEO, Business Software
  Alliance.......................................................    89
    Prepared statement...........................................    91
Stuart K. Pratt, President and CEO, Consumer Data Industry
  Association....................................................    99
    Prepared statement...........................................   101
Marc Rotenberg, Executive Director, Electronic Privacy
  Information Center.............................................   109
    Prepared statement...........................................   111

                           Submitted Material

Discussion draft.................................................     2


 DISCUSSION DRAFT OF H.R. ------, A BILL TO REQUIRE GREATER PROTECTION
 FOR SENSITIVE CONSUMER DATA AND TIMELY NOTIFICATION IN CASE OF BREACH

                              ----------


                        WEDNESDAY, JUNE 15, 2011

                  House of Representatives,
Subcommittee on Commerce, Manufacturing, and Trade,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:30 a.m., in
room 2322, Rayburn House Office Building, Hon. Mary Bono Mack
(chairwoman of the subcommittee) presiding.
    Present: Representatives Bono Mack, Blackburn, Stearns,
Bass, Harper, Lance, Cassidy, Guthrie, Olson, Pompeo,
Kinzinger, Butterfield, Gonzalez, Dingell, Towns, Rush,
Schakowsky, and Waxman (ex officio).
    Staff Present: Allison Busbee, Legislative Clerk; Paul
Cancienne, Policy Coordinator, CMT; Brian McCullough, Sr.
Professional Staff Member, CMT; Gib Mullan, Chief Counsel, CMT;
Shannon Weinberg, Counsel, CMT; Michelle Ash, Democratic Chief
Counsel; Felipe Mendoza, Democratic Counsel; and Will Wallace,
Democratic Policy Analyst.
    Mrs. Bono Mack. Good morning. The subcommittee will now
come to order. Today hackers and online thieves are giving more
meaning to the phrase silent crime. It is my hope that we will
join together, raise our voices and, like after Peter Finch in
the movie "Network," shout out the window, we are mad as
hell, and we are not going to take this anymore. Americans
deserve nothing less.
    [The discussion draft follows:]

<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>

 OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mrs. Bono Mack. The chair now recognizes herself for an
opening statement. Sophisticated cyber attacks are increasingly
becoming the greatest threat to the future of electronic
commerce here in the U.S. and around the world. That is why
Congress must take immediate steps to better protect the
personal online information of American consumers. It is time
for us to declare war on identity theft and online fraud.
    The Secure and Fortify Electronic Data Act, which
established uniform national standards for data security and
data breach notification, is our opening shot. The SAFE Data
Act builds on legislation passed by the House in 2009 but never
acted upon in the Senate. Most importantly, it reflects the
changing landscape of data breaches and data security since
that time.
    It is an upgraded 2.0 version of data security legislation,
encompassing many of the lessons learned in the aftermath of
massive data breaches at Sony and Epsilon, which put more than
100 million consumer accounts at risk, and those are just the
ones that we know about.
    As subcommittee chairman, protection from identity theft
and online fraud is one of my top priorities. Just last week
Citigroup, which has the world's largest financial services
network, revealed a security breach in which hackers obtained
personal information from hundreds of thousands of accounts.
According to law enforcement officials, the hackers were able
to gain access to customer names, account numbers and contact
information, such as e-mail addresses.
    Yesterday we learned that an external Web site operated by
the Oak Ridge Nuclear Weapons Plant was victimized by a cyber
attack, and earlier this week, the same group which claimed
responsibility for attacks on Fox, PBS and Sony also hacked
the Senate's public Web site.
    In recent years carefully orchestrated cyber attacks
intended to obtain personal information about consumers,
especially when it comes to their credit cards, have become one
of the fastest growing criminal enterprises here in the United
States and across the world. The FTC estimates that nearly 9
million Americans fall victim to identity theft every year,
costing consumers and businesses billions of dollars annually.
    And the problem is only getting worse as these online
attacks increase in frequency, sophistication and boldness. As
I have emphasized throughout our previous hearings e-commerce
is a vital and growing part of our economy. We should take
steps to embrace and protect it, and that starts with robust
cybersecurity.
    Most importantly, consumers have a right to know when their
personal information has been compromised, and companies and
organizations have an overriding responsibility to promptly
alert them.
    To that end, the SAFE Data Act first requires companies and
other entities that hold personal information to establish and
maintain appropriate security policies to prevent unauthorized
acquisition of the data.
    It also requires notification of law enforcement within 48
hours after discovery of a breach, unless it was an accident or
inadvertent and unlikely to result in harm.
    It requires companies and other entities to begin notifying
consumers 48 hours after taking steps to prevent further
breaches and determining who has to be notified.
    The SAFE Data Act also gives the FTC authority over
nonprofits for purposes of this act only. These organizations
often possess a tremendous amount of consumer information, and
they have been subjected to numerous breaches in the past.
    At the same time, we want to work with those affected, as
well as with the FTC, to make sure any new regulations are not
burdensome for small businesses, especially during these
difficult economic times.
    In addition, we are granting the FTC authority to write
rules that take into account the size and the nature of the
data that is being held online. Clearly, there are obvious
differences between information brokers and local retail
businesses, and the rules should reflect those differences.
    The proposed legislation also requires all covered
businesses to establish a data minimization plan providing for
the elimination of consumers' personal data that is no longer
necessary for business purposes or for other legal obligations.
    And finally, the SAFE Data Act preempts similar State laws
to create uniform national standards for data security and data
breach notification. We learned during our recent hearings that
consumer notification is often hampered by the fact that
companies must first determine their obligations under 47
different State regimes.
    At the end of the day, I believe this legislation will
greatly benefit consumers, businesses and the U.S. economy.
Given the growing importance of e-commerce in nearly
everything we do, we can no longer afford to sit back and do
nothing. The time for action is now.
    And at this point, the gentleman from--OK. And inform
people that we do have an overflow room in 2123 for those
standing who prefer to be sitting; again 2123 is the overflow
room.
    So, at this point, I would like to recognize the gentleman
from California, Mr. Waxman, for his opening statement.
    [The prepared statement of Mrs. Bono Mack follows:]

               Prepared Statement of Hon. Mary Bono Mack

    Sophisticated cyber attacks are increasingly becoming the
greatest threat to the future of electronic commerce here in
the United States and around the world, and that's why Congress
must take immediate steps to better protect the personal online
information of American consumers. It's time for us to declare
war on identity theft and online fraud.
    The Secure and Fortify Data Act--which establishes uniform
national standards for data security and data breach
notification--is our opening shot.
    The SAFE Data Act builds on legislation passed by the House
in 2009 but never acted upon in the Senate. Most importantly,
it reflects the changing landscape of data breaches and data
security since that time.
    It's an upgraded, 2.0 version of data security legislation,
encompassing many of the lessons learned in the aftermath of
massive data breaches at Sony and Epsilon, which put more than
100 million consumer accounts at risk--and those are just the
ones we know about.
    As Subcommittee Chairman, protection from identity theft
and online fraud is one of my top priorities. Just last week,
Citigroup--which has the world's largest financial services
network--revealed a security breach in which hackers obtained
personal information from hundreds of thousands of accounts.
    According to law enforcement officials, the hackers were
able to gain access to customer names, account numbers and
contact information such as e-mail addresses.
    Yesterday, we learned that an external Web site operated by
the Oak Ridge Nuclear Weapons Plant was victimized by a cyber
attack, and earlier this week--the same group which claimed
responsibility for attacks on Fox, PBS and Sony--also hacked
the Senate's public Web site.
    In recent years, carefully orchestrated cyber attacks--
intended to obtain personal information about consumers,
especially when it comes to their credit cards--have become one
of the fastest growing criminal enterprises here in the United
States and across the world.
    The Federal Trade Commission estimates that nearly nine
million Americans fall victim to identity theft every year,
costing consumers and businesses billions of dollars annually.
And the problem is only getting worse as these online attacks
increase in frequency, sophistication and boldness.
    As I have emphasized throughout our previous hearings,
E-commerce is a vital and growing part of our economy. We should
take steps to embrace and protect it--and that starts with
robust cyber security.
    Most importantly, consumers have a right to know when their
personal information has been compromised, and companies and
organizations have an overriding responsibility to promptly
alert them. To that end, the SAFE Data Act:
    Requires companies and other entities that hold personal
information to establish and maintain appropriate security
policies to prevent unauthorized acquisition of that data;
    Requires the notification of law enforcement within 48
hours after discovery of a breach, unless that breach was an
innocent or inadvertent breach unlikely to result in harm;
    And it requires companies and other entities to begin
notifying consumers 48 hours after taking steps to prevent
further breach and determining who has to be notified.
    The SAFE Data Act also gives the Federal Trade Commission
authority over non-profits for purposes of this act only. These
organizations often possess a tremendous amount of consumer
information, and they have been subjected to numerous breaches
in the past. At the same time, we want to work with those
affected, as well as the FTC, to make sure any new regulations
are not burdensome for small businesses--especially during
these difficult economic times.
    In addition, we are granting the FTC authority to write
rules that take into account the size and nature of the data
that is being held online. Clearly, there are obvious
differences between information brokers and local retail
businesses--and the rules should reflect those differences.
    The proposed legislation also requires all covered
businesses to establish a data minimization plan providing for
the elimination of consumers' personal data that is no longer
necessary for business purposes or for other legal obligations.
    And, finally, the SAFE Data Act preempts similar state laws
to create uniform national standards for data security and data
breach notification. We learned during our recent hearings that
consumer notification is often hampered by the fact that
companies must first determine their obligations under 47
different state regimes.
    At the end of the day, I believe this legislation will
greatly benefit consumers, businesses and the U.S. economy.
Given the growing importance of e-commerce in nearly everything
we do, we can no longer afford to sit back and do nothing. The
time for action is now.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Waxman. Thank you, Madam Chairman.
    I have said this at our previous hearing, and I want to
repeat it today: Data security is not a partisan issue; it is
something all of us should care about.
    Last year, there were over 597 data breaches that affected
over 12.3 million records. Last Congress, this committee worked
together to pass with bipartisan support a data security bill
introduced by Representative Rush. Our bill passed the House in
December of 2009, but the Senate never took it up, so it was
not completed.
    The bill we are considering today is based on our
bipartisan House bill from the last Congress. It contains
important provisions that require companies to secure
consumers' personal data and notify them in the case of
breaches.
    And I commend Chairman Bono Mack for using last year's
bipartisan bill as a starting point. There are new provisions
in the chair's draft that strengthen last Congress' bill. For
example, the draft contains a potentially valuable new
provision requiring companies to have plans to minimize
personal data they retain on individuals.
    Unfortunately, there are some changes in the bill that I
fear weaken the bill rather than strengthen it. And this is a
mistake and one I hope we can fix as we consider this
legislation.
    Let me raise some of the concerns I have: Under this
legislation before us, Sony still would not have to notify its
customers about its recent security breach. It did not restore
the integrity of the data system for at least 43 days after
Sony discovered the breach, and it still has not fully assessed
the nature and scope of its breach. Notice is not required to
the FTC and consumers under the draft until those steps have
been completed.
    Well, that is far too long. It does little good to notify
consumers after their identities have already been stolen and
make them wait such a long period of time.
    This bill deletes key provisions on information brokers,
which are companies that aggregate personal data about
individuals and make a profit selling that personal
information.
    It adds unnecessary burdens to the Federal Trade
Commission's rulemaking process, making it more difficult for
new pieces of data to be deemed, quote, personal.
    And there is significant ambiguity regarding the scope of
personal information that a company is required to protect.
Under this legislation companies, including an aggregator of
data, are exempted from the requirements to safeguard personal
information any time that same data can be found in various
local county government buildings.
    Furthermore, this draft creates an uneven playing field
with potentially stronger data security and breach notification
requirements for retailers than for nonbank financial
institutions. There is no reason why financial institutions
should be subject to smaller penalties for violations than
retailers.
    So I look at it as not a balanced bill overall. It gives
businesses too many protections and consumers not enough. It
preempts strong State laws and replaces them with a weak
Federal one.
    I hope these deficiencies in the bill can be fixed, and I
want to work with the chair and other members of this committee
to pass as effective a bill as possible, and I am looking
forward to the promised stakeholder process. Today's hearing
will give us a chance to get further information about what a
bill should and should not have in its details.
    We have a chance to pass meaningful legislation that
actually could make a positive effect on everyone, and we
shouldn't pass up this opportunity.
    I look forward to working with you, Madam Chair.
    Mrs. Bono Mack. I thank the gentleman.
    And the chair now recognizes Mr. Stearns for 2 minutes.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Stearns. Thank you, Madam Chairman.
    And thank you very much for calling this hearing.
Obviously, as pointed out by yourself and the ranking member,
Mr. Waxman, this is very important that we try to get a
bipartisan support for this.
    When I was chairman of this subcommittee, I introduced the
Data Act in 2005, 6 years ago, established to protect
unauthorized access to consumer data. This bill was
co-sponsored by both sides when we marked it up, and it was
reported out of the full committee by unanimous consent.
    Now, obviously, I would have preferred that we started with
my bill, which is, I think, a bipartisan support product of a
broad understanding of the security issues back in 2005. Now we
are working with possibly a slightly different focused bill,
which could be good, that addresses the recent breaches that
occurred both in Sony and Epsilon. I think we have to be
concerned that we not overreact based upon those two cases.
    In both 2006 and 2009, there was bipartisan support for the
Data Act that I had. Now we debate the SAFE Data Act, a bill
that I am concerned has some very good points but also perhaps
might go too far in some other areas.
    Obviously, I will work with the subcommittee, the chair
lady, to improve the bill so it can pass with bipartisan
support, like we have done in the past, so that the committee
and the full House have an opportunity to vote on this. And so
I look forward to the debate, and I look forward to our
witnesses.
    Thank you, Madam Chair.
    Mrs. Bono Mack. I thank the gentleman.
    The chair recognizes Mr. Olson for 1 minute.
    Mr. Olson. I thank the chair for her tenacious leadership
in bringing forth this draft bill.
    I think there is strong agreement that we need to move
forward with Federal data security legislation. Support for
Federal legislation has been bipartisan. My colleague from
Florida, Mr. Stearns, put forth a data security bill in the
109th Congress, which Mr. Rush introduced in the 110th and
111th Congresses.
    And now our chairwoman, Mrs. Bono Mack has put forth a bill
in the 112th Congress.
    I appreciate all of the efforts to help move us forward on
this important issue, and I hope we can arrive at a truly
bipartisan balanced bill that protects consumers without
putting unnecessary burdens on companies or hindering important
uses of data.
    I look forward to continuing our discussion today and hope
to be able to flesh out some issues that have been raised in
testimony. I thank the chair and yield back my time.
    Mrs. Bono Mack. I thank the gentleman.
    And the chair recognizes Mr. Butterfield, the ranking
member of the subcommittee, for 5 minutes.

OPENING STATEMENT OF HON. G.K. BUTTERFIELD, A REPRESENTATIVE IN
           CONGRESS FROM THE STATE OF NORTH CAROLINA

    Mr. Butterfield. I thank the chairman and apologize for
being late.
    The only thing I can say is don't try to go to Union
Station at 10:00 on a Wednesday morning.
    Madam Chairman, thank you for holding today's hearing on
the Secure and Fortify Electronic Data Act. This bill includes
some of the same provisions that we saw in H.R. 2221, which
passed the House in the 111th Congress.
    However, this draft also removes key consumer protection
provisions that weaken the bill and make it less effective.
    Americans' embrace of technology has served as the impetus
for rapid growth of online businesses and services. I can buy a
car without ever seeing it in person. I can pay my bills from
one Web site, and I do it monthly. And I can even have all my
data reside in a cloud, so it is accessible from absolutely
anywhere.
    In order for e-commerce to work, there must be data
exchange between customer and businesses, including names,
addresses, Social Security numbers, dates of birth and so on.
The ability to conduct business in an online space is an
amazing convenience. No one I know could do without it.
    But the failure of some of these businesses to protect
their own network infrastructure and the information demanded
of their customers has led to opening--to an opening for a small
but not insignificant group of criminals to exploit and profit
from the data these companies hold. And even those with strong
security systems in place must be vigilant and adaptable to new
threats.
    During the 109th Congress and subsequent Congresses,
members of this committee worked in a bipartisan fashion to
develop the Data Accountability and Trust Act to address the
issue of data security. In the last Congress, my friend and
former chairman of the committee, subcommittee, Mr. Rush,
introduced the data bill, which ultimately passed the House,
but the Senate failed to act. That bill included special
requirements for information brokers, including requiring
brokers to submit security policies to the FTC and requiring an
annual audit of broker security practices, among other things.
    Striking those key provisions from the bill significantly
weakens the consumer protections it is supposed to provide.
Further, the draft bill defines personal information to exclude
information that is publicly available. In doing so, the bill
gives the green light to data aggregators to continue with
business as usual without being required to have any safeguards
in place to protect the data.
    Madam Chairman, with over 2,500 data breaches having
occurred since 2005, it is clear that the serious work of
protecting consumers' data is something that has taken a back
seat in Congress for too long. A Federal standard is important.
I will say that again: A Federal standard is important, and the
SAFE Data Act is a start. I am sorry we are not starting with
the text that passed the House in the last Congress.
    Over the next few weeks, Madam Chairman, I hope you will
work with me and my staff to strengthen this draft bill.
Together we can ensure consumer protections while allowing
businesses the flexibility to adapt their policies and
procedures in today's rapidly evolving information age.
    So thank you for having this hearing. I thank the
commissioner for her presence today. And I think I might
reserve my time. I am told that the gentlelady from Illinois is
coming. She is not here. I yield back.
    Mrs. Bono Mack. I thank the gentleman.
    I just want to remind and reinforce to the entire panel
that we intend fully on having a bipartisan product to the best
of our ability and that will be our goal.
    So now I would like to turn our focus to the witness table.
We have two panels today. On the first panel, we are honored to
have the Honorable Edith Ramirez, Commissioner at the FTC.
    Thank you very much for being here today. You will be
recognized for 5 minutes to summarize your statement. And just
to--I am sure you are familiar with the time clock, it is
yellow, green, red, kind of concept. When the light turns
yellow, that means you have 1 minute to start your close.
    So, at this point, we are happy to recognize you for your
5-minute statement.
    Ms. Ramirez. Good morning.
    Mrs. Bono Mack. And, please, remember to turn your
microphone on.

    STATEMENT OF EDITH RAMIREZ, COMMISSIONER, FEDERAL TRADE
                           COMMISSION

    Ms. Ramirez. Good morning.
    Chairman Bono Mack, Ranking Members Butterfield and Waxman,
and members of the subcommittee, I am Edith Ramirez, a
Commissioner of the Federal Trade Commission. I appreciate the
opportunity to present the commission's testimony on data
security.
    I want to thank you, Chairman Bono Mack, and the committee
for your leadership on this important issue.
    Before I continue I would like to note that my written
testimony represents the views of the Federal Trade Commission,
but my oral remarks and responses to questions are my own and
may not reflect the views of the commission as a whole or of
other commissioners.
    As the Nation's consumer protection agency, the FTC is
committed to protecting consumer privacy and promoting data
security in the private sector. If companies do not protect the
personal information they collect and store, information could
fall into the wrong hands, resulting in fraud and other harm
and consumers could lose confidence in the marketplace.
    Although data security has recently been in the news, this
is not a new priority for the FTC. To the contrary, for a
decade, the FTC has undertaken substantial efforts to promote
data security in the private sector through law enforcement,
education, policy initiatives, and recommendations to Congress
to enact legislation in this area.
    Since 2001, the FTC has brought 34 cases charging that
businesses failed to appropriately protect consumers' personal
information. This includes a final settlement the commission is
announcing today against Ceridian Corporation, a large payroll
processor. Ceridian's clients upload their employees' sensitive
information, including Social Security numbers and bank account
numbers, which are stored on Ceridian's network. The FTC's
complaint charged that Ceridian didn't maintain reasonable
safeguards to protect this employee information. As a result, a
hacker was able to gain access to it.
    The FTC's order requires Ceridian to implement a
comprehensive data security program and obtain independent
audits for 20 years.
    The commission also promotes better data security through
consumer and business education. For example, on the consumer
education front, we sponsor OnGuard Online, a Web site to
educate consumers about basic computer security. Since its
launch in 2005, there have been over 14 million unique visits
to OnGuard Online and its Spanish language counterpart, Alerta
en Linea.
    We also conduct outreach to businesses, especially small
businesses, to provide practical advice about data security.
The commission also engages in policy initiatives to promote
data security.
    Last December, FTC staff issued a preliminary report
proposing a new framework to improve consumer privacy and data
protection. Among other things, the report advocates privacy by
design, which includes several principles essential to data
security. First, companies, no matter what their size, should
employ reasonable physical, technical and administrative
safeguards to protect information about consumers. Second,
companies should collect only that consumer information for
which they have a legitimate business need. Third, businesses
should retain data only as long as necessary to fulfill the
business purpose for which it was collected and should promptly
and securely dispose of data they no longer need.
    As to legislation, the commission generally supports
Federal legislation, similar to your draft proposal, that would
impose data security standards on companies and require
companies in appropriate circumstances to notify consumers when
there is a security breach. Reasonable security practices are
critical to preventing data breaches, and if a breach occurs,
prompt notification to consumers in appropriate circumstances
can mitigate harm such as ID theft. For instance, in the case
of a breach of Social Security numbers, notified consumers can
request that fraud alerts be placed in their credit files,
obtain copies of their credit reports and scrutinize their
monthly account statements.
    The commission is pleased that your draft legislation
includes civil penalty authority to deter violations, APA
authority for rulemaking and jurisdiction over nonprofit
entities for data security purposes. I would also like to note
that both your draft legislation and the commission staff's
recent privacy report underscore the importance of data
minimization to sound data security practices.
    The FTC looks forward to working with this committee as it
moves forward on the SAFE Data Act. Thank you, again, for
inviting me to be here and for your leadership on these
important issues, and I am pleased to answer any of your
questions.
    [The prepared statement of Ms. Ramirez follows:]

<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>

    Mrs. Bono Mack. Thank you very much.
    The chair now recognizes herself for 5 minutes for
questioning. The first question I have, you state the
commission's support for prompt notice to consumers. I think it
is the crux of what we are all about here. What do you consider
prompt, and do you think the consumer notification requirement
in the legislation is quick enough?
    Ms. Ramirez. I believe that notification needs to be
provided as soon as practicable. I do have some concerns about
the provision relating to notification in the draft bill. And
let me highlight the two key concerns.
My first concern is that \nthe bill requires that there be a risk assessment performed, \nand then, at the conclusion of that risk assessment, a company \nis then obligated to provide notification to consumers and to \nthe FTC 48 hours, within 48 hours following that.\n    My concern is that the requirement, that there is no \ndeadline on which to complete a risk assessment, and therefore, \nthat could take an indefinite amount of time. Without there \nbeing some type of limit that is placed on that, I think it \nplaces consumers at significant risk.\n    Another concern that we have is that there is also no time \nlimit that is placed in connection with law enforcement, that \nit could also be an open-ended deadline that could delay prompt \nnotification to consumers. And again, there ought to be some \nform of a cut-off period to ensure that consumers receive \nappropriate notification within an appropriate amount of time \nso that they can take steps to mitigate any harm that may \nresult from a data breach.\n    I would also like to emphasize that providing prompt notice \nto the FTC is also very critical, and in our view, notice to \nthe FTC should be provided at the same time that it is provided \nto other law enforcement agencies.\n    Mrs. Bono Mack. Thank you.\n    And the FTC has experience under Gramm-Leach-Bliley with \nthe implementation of the safeguards rule for financial \ninstitutions under its jurisdiction. The FTC also provided \ncomprehensive guidance for entities to understand how they can \ncomply with the rule. Do those guidelines provide a sufficient \nindication of the rules for data security the FTC would write \nunder Section 2 of this legislation?\n    Ms. Ramirez. I think they do provide good guidance to \ncompanies. 
In addition to the particular enforcement matters \nand consent orders that the commission makes public, the \ncommission provides many, many different resources online to \ncompanies so that they can take appropriate measures to \nadequately protect consumer information.\n    Mrs. Bono Mack. So, under Section 2 security requirements \nof the draft legislation, does the FTC have the latitude to \nwrite rules that take into account the different types of \nentities, their level of sophistication and the amount and type \nof information they hold?\n    Ms. Ramirez. It does. And we appreciate that authority \nbeing provided to the FTC to promulgate rules detailing those.\n    Mrs. Bono Mack. Do you envision writing different rules or \ndifferent guidance to address the concerns that a one-size-\nfits-all approach is not appropriate?\n    Ms. Ramirez. During the rulemaking process, we would be \nseeking input from stakeholders and fashioning rules that, in \nlight of the input that we received, that we believe would be \nappropriate to protect consumer information.\n    Mrs. Bono Mack. So do you see different standards, then, \nfor information brokers and small nonprofits, for example?\n    Ms. Ramirez. We believe that companies, no matter what the \nsize, need to provide solid and good data security measures. At \nthe same time, the standard that the FTC employs in its \nenforcement work is a reasonableness standard, so we do take \ninto account the size of a company, the nature of the \ninformation that has been placed at risk and other factors that \nmay weigh in on that calculus.\n    Mrs. Bono Mack. Since we first started this process 6 years \nago, 46 State laws have emerged. 
Nearly every one of them, \nincluding California, has exemptions from the definition of \npersonal information for information made publicly available by \nthe government and, in some cases, information made public by \nthe media.\n    The exemption included in this draft is confined to \ninformation made publicly available by the government.\n    Have you seen any problems of unlawful activity associated \nwith the publicly available information?\n    Ms. Ramirez. Yes. We do have concerns about there being an \nexemption for public, for all public information. The \ndifficulty is that these days there are data brokers that \ncollect information that in the past, one would have to go to \nvery significant measures to collect. You would have to go--you \ncould go to the courthouse; you could collect information \nthrough other means. But data aggregators then aggregate this \ninformation and when the information, which may very well be \npublic, is then collected, gathered and aggregated, it can then \npose very unique privacy challenges. So we do have concerns \nabout there not being a mechanism to address those issues \nrelating to data brokers.\n    Mrs. Bono Mack. You said privacy challenges. Do you mean \nsecurity challenges?\n    Ms. Ramirez. Security challenges.\n    Mrs. Bono Mack. Thank you. All right.\n    I yield back the 5 seconds of my time.\n    And the chair recognizes Mr. Butterfield for 5 minutes.\n    Mr. Butterfield. Thank you very much.\n    Thank you, Commissioner. The Republican discussion draft \nmakes a change from H.R. 2221 to the definition of personal \ninformation. That seems like a simple and minor change, but it \nactually is not. It excludes public record information from the \ndefinition of personal information.\n    Given that technology has made access to an aggregation of \nnumerous types of records very cheap and easy, the \nconsequences of this change are quite significant. 
Before it \nbecame cheap and easy to store vast amounts of this information \nin one place, no one thought about going out and collecting \nthese records. To see these records, you had to, as you said a \nmoment ago, go from town hall to town hall or courthouse to \ncourthouse and look at them one at a time. But now, millions \nand millions of records regarding millions of our constituents \nare being kept on servers usually belonging to information \nbrokers.\n    If you are a criminal wanting to do harm to lots of people \nin one swoop, the Republican discussion draft will be an \nadvantage to you. This collection and aggregation in one place \nhas changed the value of this information and its \nsusceptibility to criminal misuse, and it concerns me that this \ndraft bill leaves this information unprotected.\n    Because of the change to the definition of personal \ninformation to exclude public record information, there is no \nlonger an obligation to provide any protection at all for this \ninformation.\n    Have I said it correctly, Commissioner, or have I \nmisspoken?\n    Ms. Ramirez. We agree with that concern, yes.\n    Mr. Butterfield. Do you believe that just because that \ninformation could have been collected elsewhere, a covered \nperson should be relieved of the obligation to protect its \ninformation when they collect and aggregate the information in \none place and make it more valuable and potentially more \ndangerous? Please help me with that.\n    Ms. Ramirez. I believe that information, even if it is \npublic information, if it is personal information of the \nconsumer, that information ought to be protected, and there \nought to be appropriate data security measures in place to \nprotect it.\n    Mr. Butterfield. All right.\n    I want to take your attention to notification. Do you \nbelieve notification to consumers should also be required for \nbreaches involving this kind of information?\n    Ms. Ramirez. Yes.\n    Mr. Butterfield. 
The Republican discussion draft, like H.R. \n2221 before it, provides the FTC, your commission, with the \nability to modify the definition of personal information. Only \ninformation that is within the meaning of that term is covered \nby the bill's data security and breach notification \nrequirements.\n    But unlike 2221, the discussion draft seems to set up an \noverly burdensome and unclear process for modifying that \ndefinition. If the FTC wanted to change the definition for the \npurposes of either the data security or notification sections, \nit would have to find, among other things, that modification \nwould not unreasonably impede Internet or other technological \ninnovation or otherwise adversely affect interstate commerce, \nend of quote.\n    Question, do you believe this language regarding \nimpediments to innovation provides the FTC with much of a clear \nstandard against which to determine whether a modification is \nappropriate?\n    Ms. Ramirez. I do have concerns about the standards that \nare imposed. In addition to the limitation on changes to the \ndefinition that could impede innovation, as you mentioned, it \nalso requires that the commission only make a change when there \nis a technological change at issue, and that is in connection \nwith the data security piece of the proposed bill. So that does \nraise concerns because we feel there are issues with the \ndefinition of personal information. It is too narrow, and we \nwould not be able to address those concerns.\n    Mr. Butterfield. Well, what would you do? How would you \nmake that determination if you were called upon to do so?\n    Ms. Ramirez. Well, again, we would want to work with the \ncommittee on establishing an appropriate limitation. 
But let me \narticulate a couple of concerns that we have with the personal \ninformation limitation, in addition to the public records \nexemption.\n    Two things: First, we believe that the financial, that the \nprovision focuses solely on financial related information and \ndoesn't take into account, for instance, other information that \nwould be sensitive to a consumer. For instance, health \ninformation that would not otherwise be protected under HIPAA \nwould not be covered by the language in the draft bill. So that \nwould be a concern that we would not be able to address through \nthe rulemaking that is provided in the draft bill.\n    Mr. Butterfield. And what about the language that speaks to \nimpeding innovation? I don't know how you define that.\n    Ms. Ramirez. That would be a difficult standard also to \napply, and so, arguably, rules by the commission could be \nchallenged by parties arguing that the change in definition \ncould impede the growth and make other arguments, so it would \nplace an undue burden, we believe, on the commission.\n    Mr. Butterfield. Thank you. I yield back.\n    Mrs. Bono Mack. I thank the gentleman and want to thank him \nvery much for pointing out the few bracketed points in the \nlegislation where we specifically bracketed them because we, \ntoo, have questions in the draft, so I appreciate the \nclarification in your input, and I appreciate the gentleman \ntaking the opportunity to raise that.\n    The chair recognizes Mr. Stearns for 5 minutes.\n    Mr. Stearns. Thank you, Madam Chair.\n    One thing I just thought we would clear, that I think the \nFederal preemptions that it had in my bill in 2005 and the bill \nthat passed in the Rush haven't changed. So as I understand, I \njust want to ask counsel, is that true that the Federal \npreemption have not changed, so that any criticism that would \nbe brought from that side because of that, that they haven't \nchanged at all?\n    The Counsel. 
Yes, sir, that is correct.\n    Mr. Stearns. Ms. Ramirez, as you are aware, in the bill, \nthe Federal Trade Commission has the authority to change the \nvery fundamental definition of personally identifiable \ninformation. So this gives you this broad latitude, I think a \nlot of us are a little concerned about. Do you think there is \nan opportunity where the Federal Trade Commission under any \ncircumstances would trigger the need for them to alter, to \nupdate, to change that basic definition how it is currently \ndrafted in the bill now, because you have got this definition \nthat people understand in the bill, yet you have the authority \nto change it? Under what circumstances would you change it, and \nperhaps you could explain what would cause it?\n    Ms. Ramirez. One circumstance that could arise is there \ncould be changes in technology that could require additional \ninformation being needed.\n    Mr. Stearns. But isn't personal identifiable information \npretty much policy-neutral because it represents an \nunderstanding of the privacy of the individual?\n    Ms. Ramirez. I think the precise scope may be hard to \ndefine. But the commission is absolutely willing to work with \nthe committee to come up with a definition that would meet \neveryone and satisfy everyone's concern. The current condition \nwe believe is too narrow. We also believe that the ruling \nprovided is too limited.\n    I will say that the rulemaking process that the commission \nemploys is a process by which we do seek input from \nstakeholders. And we believe that through that rulemaking \nprocess, we will be able to address any need for change, at the \nsame time taking into account any concerns that you and others \nmay have, Congressman.\n    Mr. Stearns. Well, I think that probably if I was in \nindustry, I would be concerned that the government, the \nCongress, is turning over this power to you and you might make \nthese changes without a comment period. 
There might be changes \nthat would affect a business that would make it much more \ndifficult.\n    Let me go on to my second question. In the bill, they added \ndata minimization provisions. Now, this is something new from \nmy bill, and also it is new from the Rush bill. How do you see \nthis provision playing out? For members and people who don't \nunderstand, this is basically forcing industry to get rid of \ninformation that perhaps they would like to keep. It is not a \ndecision they make, it is a mandated mandate, which is included \nin the bill, as I understand it. So I guess the question is, \nhow do you see this provision playing out, and what role do you \nbelieve, if any, the FTC should have in ensuring that companies \nare complying? So you have this mandate; the companies might \nnot agree, so if they don't do it, how are you going to check \nit, and how are you going to make them comply?\n    Ms. Ramirez. What the commission advocates is that \ncompanies only retain information that they have a legitimate \nbusiness need to retain.\n    Mr. Stearns. And who determines that?\n    Ms. Ramirez. And that they also only retain it for the time \nperiod they need it. I think we would apply a reasonableness \nstandard.\n    Mr. Stearns. What kind of standard?\n    Ms. Ramirez. A reasonableness standard, which is a standard \nthat the FTC has employed throughout the course of its \nenforcement in this arena.\n    Mr. Stearns. So this reasonable standard in your mind is \nbeen pretty much established at the FTC so everybody in \nindustry would understand today what it is?\n    Ms. Ramirez. What I am saying is that the standard that \nwould be applied would be a reasonableness standard, and I \nbelieve--it is an issue that may need to be fleshed out. And \nagain, the commission is willing to work with the committee in \norder to do that. Any rulemaking that does take place would \nentail a comment period, absolutely entail a comment period. 
I \nbelieve that the FTC has a very solid track record in terms of \nits rulemaking. So I think this is an area, again, that the \nstandard that the FTC has always applied in the area of data \nsecurity is one of reasonableness, taking into account the \nnature of the information, how sensitive it is, the potential \nrisks to consumers. So it would be a reasonableness standard \nthat would be applied.\n    Mr. Stearns. Do you think that Congress should set the \nbroad outline for this data minimization provision and not give \nit any authority to the FTC, or do you think you need to have \nthat authority to make that decision?\n    Ms. Ramirez. I think it would be appropriate to give \nauthority and flexibility to the FTC to provide additional \nguidance to companies as to how to effectuate those \nrequirements.\n    Mr. Stearns. Thank you.\n    Mrs. Bono Mack. The gentleman's time is expired. The chair \nrecognizes Mr. Waxman for 5 minutes.\n    Mr. Waxman. Thank you, Madam Chair. Again, looking at this \ndraft bill, I have some questions, so that we can get your \ninput on it. As I look at the draft bill, there is a notice \nthat must be given to the Federal Trade Commission and the \nconsumers when there has been an electronic data breach. But it \nis only required after the covered person, the people who--a \ncompany who has the identifying information has done certain \nthings in connection with the breach. The covered person must, \none, assess the nature and scope of the breach, that makes \nsense, take steps to further prevent breach or unauthorized \ndisclosure, and then, three, restore the integrity of the data \nsystem. Those clearly are the priorities for the company \nitself.\n    After they have done all that, the covered person must \ndetermine the risk to the consumer. And after they have reached \nthat conclusion, within 48 hours, they are supposed to give the \nnotice to the FTC and the consumer. 
But there is no limit in \nthis draft bill for how long a person can take to complete \nsteps one, two and three. There is just no limit. The covered \nperson, company, knows about a breach, could take a week, a \nyear, maybe 5 years and then, within 48 hours of that, provide \nnotice to the Federal Trade Commission and the consumers.\n    The bill from the last Congress included an outer limit of \n60 days from the discovery of the breach to provide notice of \nthe breach. That outer limit has been dropped from this \ndiscussion draft. If we were to include an outer limit, how \nlong should that limit be, in your opinion?\n    Ms. Ramirez. In my view, and the commission's view, is that \nthe time for notification should be as soon as practicably \npossible. That may differ depending on the circumstances. I \nbelieve that 60 days should be at most an outer limit. Again, \nour view is that the sooner, the better. The sooner the notice \nis provided, the sooner that a consumer can take appropriate \nsteps to protect and try to mitigate any harm that may result \nfrom a breach.\n    I don't believe there is a particular number that I can \ngive you sitting here today because it may depend on the \ncircumstances, the nature of the breach, the size of the \ncompany, but I would say that 60 days would be at most an outer \nlimit.\n    Mr. Waxman. Sixty days would be an outer limit, but as soon \nas practicable?\n    Ms. Ramirez. Yes.\n    Mr. Waxman. That the information should go to the consumer \nthat their identity has been compromised?\n    Ms. Ramirez. That is correct.\n    Mr. Waxman. A security leak. Thank you for that.\n    The discussion draft provides an exemption from the bill's \ndata security requirements for entities that are subject to \ndata security requirements under different bills, the Gramm-\nLeach-Bliley or the Health Insurance Portability and \nAccountability Act, for any activities governed by GLB and \nHIPAA. 
Now, this is a departure from last year's bill.\n    Last year's bill only said that compliance with these two \nother statutes meant you were in compliance with the \nrequirements of this legislation as it was drafted, provided \nthat the requirements of GLB and HIPAA were similar or greater \nthan those required under last year's bill. The language was \nnot phrased as exemption for entities subject to FTC \njurisdiction but rather as an alternative means of compliance.\n    It is unclear to me whether under the draft bill, the \nFederal Trade Commission maintains the ability to enforce any \ndata security requirements against those entities or if the \nsafeguards in those other laws must meet or exceed those in the \ndiscussion draft. Do you believe that this exemption could \npotentially limit the Federal Trade Commission's enforcement \nabilities with respect to entities subject to the other two \nstatutes, those other two statutes, and could you explain your \nanswer to that?\n    Ms. Ramirez. Under my reading of the bill, I do believe \nthat it creates, potentially creates a gap in authority, \nbecause it does exempt entities that are subject to FTC \njurisdiction from having breach notification requirements \nwhich are not required under Gramm-Leach-Bliley. So that is a \nconcern about there being a potential gap in authority.\n    Mr. Waxman. And do you believe this exemption could \npotentially lead to a disparity in the security requirements \nfor nonbank financial institutions and everyone else under \nthe----\n    Ms. Ramirez. I do.\n    Mr. Waxman. And what is your understanding of the effect of \nthe phrase ``any activities governed by GLB or HIPAA'' on the \nscope of this exemption? What is the Gramm-Leach-Bliley \nactivity, is that just issuing privacy notices? Is that \nfollowing the FTC's safeguard rule, or is that marketing?\n    Ms. Ramirez. 
Again, that activity-based exemption, it is a \nlittle bit unclear exactly how broadly it might be interpreted. \nBut I think that the key point is that it does create a \ndisparity between the obligations of certain financial \ninstitutions so that it is a concern about in connection with \nthe authority that is provided.\n    Mr. Waxman. Thank you.\n    Madam Chair, I just want to point this out as an area where \nwe need to work together to make sure that there is no \nambiguity or poor drafting that would undermine what we are \ntrying to do.\n    Mrs. Bono Mack. I thank the gentleman very much. I agree \nwith his questioning and agree with his assessment about where \nwe can fortify the bill, and I look forward to working with you \non that.\n    And the chair is happy to recognize Mr. Olson for 5 \nminutes.\n    Mr. Olson. I thank the chair.\n    Commissioner Ramirez, welcome. Thank you for your time \ntoday. As you know the SAFE Data Act would require an entity to \nbegin to notify as promptly as possible, and that is a quote, \nindividuals whose personal information was acquired or accessed \nin a breach following an assessment, and a notification should \nbe based on risk of harm, not just on the fact that a breach \nhad occurred. Otherwise, we may find ourselves in a situation \nwhere consumers are flooded with notices by companies, become \ndesensitized, and then may not take action to protect \nthemselves when there is a real risk due to a significant \nbreach where personal identifiable information was stolen, and \nidentity theft could occur.\n    As currently drafted this legislation's standard for risk is, \nquote, reasonable risk of harm. In response to my colleague \nCongressman Stearns' questions, you said that that is the \nstandard that the FTC supports. Do you think consumers would be \nbetter served in the long run if the standard were changed to, \n``significant risk of harm''? 
And what in your opinion is the \ndifference between a reasonable risk of harm and a significant \nrisk of harm?\n    Ms. Ramirez. I don't think that consumers would be better \nserved if the standard were to be elevated to a significant \nrisk. I think the key objective, as I understand it, of the \ndraft bill is to ensure that consumers are appropriately \nprotected if there is a breach. And my concern would be that by \nimposing a higher standard, that key objective would be \nundermined.\n    So I think it is appropriate to apply a reasonableness \nstandard. But my fear is that by using the word significant it \nmight just be a standard that might be too high and that it \nwould risk undermining the ability of consumers to take \neffective steps to protect themselves if there is a breach in \nsecurity.\n    Mr. Olson. And one more question, commissioner, a couple \nmore. Does the commission see the concerns about the dangers of \nover-notification or, as my 14-year-old daughter and 11-year-\nold son would say, spam?\n    Ms. Ramirez. In my view, the greater danger is that \nconsumers not be provided adequate notice to protect themselves \nagainst data breaches, so I don't believe that over-\nnotification is a serious issue. I would be more concerned \nabout not providing adequate protection if the standard were to \nbe elevated.\n    Mr. Olson. I am sure that we can agree that there is some \nbalance there between over-notification and timely \nnotification?\n    Ms. Ramirez. That is right. And I believe the \nreasonableness standard accommodates that.\n    Mr. Olson. OK. Thanks for that. And one final question, why \ndoes the FTC feel so strongly about obtaining authority over \nnonprofits and universities for data security breaches?\n    Ms. Ramirez. 
The issue there is that, regardless of the \nnature of the particular entity, if the entity does have \npersonal information about a consumer and there is a data \nbreach, there is harm to the consumer regardless of whether \nthat entity is either a nonprofit or a for-profit entity. So \nthat distinction, in our view, would not provide adequate \nprotection. So we are pleased to see that the draft bill does \nprovide coverage for nonprofits.\n    Mr. Olson. Yes, ma'am. Well, I am hearing some concerns \nfrom the nonprofit sector and the universities about this \nprovision, and I would like to work with you forward and work \nwith the chairman to resolve these concerns back home for the \npeople I represent.\n    Ms. Ramirez. We would be pleased to do so.\n    Mr. Olson. Thank you, ma'am. I yield back my time.\n    Mrs. Bono Mack. I thank the gentleman. And the chair \nrecognizes Mr. Gonzalez for 5 minutes.\n    Mr. Gonzalez. Thank you very much, Madam Chairwoman.\n    To my colleagues who have worked on this for the past few \nyears, again, just that we continue down this road and haven't \nbeen successful yet, we passed things out of the House, and \nthen we can't say that much about controlling anything that the \nSenate does, but it does mean that we will not be moving timely \nand aggressively.\n    To Mr. Stearns, thank you for his leadership. I still \nremember way back then, Cliff, when we used to say, don't \ncollect it if you can't protect it. Remember we used to say \nthat? And I think we are still saying that. And what has \ntranspired since that time is that we haven't had the \nsafeguards. We haven't had the review and the protections, of \ncourse. And we have just had--what have we had? We have had \nmore breaches. I would like to think that had we had something \nin place, we would not have had the occurrences that have \ntranspired recently.\n    Commissioner Ramirez, thank you very much for being here \ntoday. 
My questions are going to go to information brokers. And \nI do want to compare past efforts with the present effort, and \nhopefully, we can even improve what we have in the initial \ndraft. H.R. 2221 had a lot as it related to information \nbrokers. And I just want to get your opinion as to whether any \nnew version of legislation should maybe also include some of \nthese responsibilities that information brokers should be \ncharged with. We had accuracy, access and dispute resolution \naspects or provisions when it came to brokers, but I am going \nto be a little more specific on some things that I believe at \nthis early date the draft would not include, and I am going to \nask whether you think it would be important that we would \ninclude these particular provisions: 2221 required information \nbrokers to submit its security policies to the FTC, is that a \ngood idea?\n    Ms. Ramirez. I think generally data security brokers need \nto be covered under any appropriate legislation, just as any \nother entity would be. If they collect information about a \nconsumer, they ought to be covered.\n    Mr. Gonzalez. 2221 permitted the FTC to conduct an audit or \nrequire each information broker to conduct an audit of its \nsecurity practices, good provision?\n    Ms. Ramirez. Again, I think the data security measures that \napply to other entities ought to apply equally to data brokers, \nbecause any entity that collects, gathers and uses personal \ninformation of consumers needs to have appropriately protective \ndata security measures.\n    Mr. Gonzalez. Maybe even more so since that is your primary \nobjective and activity, is it not, as opposed to someone else \nthat, again, relative to their own commercial transaction may \nrequire certain information that is personal in nature and \nneeds to be protected? But we are talking about information \nbrokers. The very purpose of their existence is to do what?\n    Ms. Ramirez. I understand the point. 
All I am trying to say \nis that all entities that gather information that is personal \nto consumers create a potential risk of harm when there is a \ndata breach. So, from the commission's perspective, we don't \nwant to draw distinctions. If an entity collects and uses \nconsumer information there ought to be appropriate data \nsecurity measures and absolutely they ought to apply to data \nbrokers.\n    Mr. Gonzalez. And that is the reason it was in 2221, and we \nwould agree with you of course. The last two, because I have \nabout a minute and a half, required the FTC to promulgate rules \nrequiring information brokers to establish measures \nfacilitating the investigation of breaches. Would that be \nimportant?\n    Ms. Ramirez. Yes.\n    Mr. Gonzalez. And lastly, prohibit information brokers from \npretexting, the practice of obtaining information through false \nrepresentations?\n    Ms. Ramirez. Yes.\n    Mr. Gonzalez. Thank you very much.\n    And I yield back Madam Chair.\n    Mrs. Bono Mack. I thank the gentleman.\n    And the chair recognizes Mr. Pompeo for 5 minutes.\n    Mr. Pompeo. Thank you, Madam Chairman.\n    Thank you for being here today, Ms. Ramirez. You talked \nabout your concern for the exemption for publicly available \ninformation that you said that now with current technology, it \nhas increased the value of that information. Can you give me an \nexample of what you are thinking of?\n    Ms. Ramirez. I think there are a number of companies that \ngather information about consumers because it may aid, for \ninstance, in connection with advertising and online behavioral \nadvertising in particular. I know that the Wall Street Journal \nseries has identified a number of companies that do this. It is \nan area that is of significant concern to the commission. 
And \nagain, regardless of the fact that the information may be \npublicly available, given that it is now aggregated and it can \nbe accessed technologically and much more easily, it raises \nsignificant data security concerns.\n    Mr. Pompeo. And what kind of information are you concerned \nabout? Is it addresses? Tell me what it is that is publicly \navailable that you are concerned about this aggregation of this \ninformation in the hands of these people you think are going to \ndo harm.\n    Ms. Ramirez. It could be addresses. It could be names, \nfamily members that reside in a house. That combined with other \ninformation could potentially lead to security concerns.\n    Mr. Pompeo. Thank you.\n    I want to come back to something Congressman Stearns was \nspeaking of. He was talking about the definition in the draft \nof legitimate business purposes. And if I understood your \ntestimony correctly, you want to retain the authority, that you \nwant the FTC to retain the authority to define that, that is to \nsay we are going to apply a reasonableness standard, is that \ncorrect?\n    Ms. Ramirez. That is right.\n    Mr. Pompeo. Forgive me for my skepticism. I have been 16 \nyears in business, and when the Federal Government says, don't \nworry, we will be reasonable, it causes alarm bells to go off \nin my head.\n    Ms. Ramirez. Perhaps it might help if I can articulate a \nconcern. In many of these data breach cases, we find that \ninformation has been maintained for very lengthy periods of \ntime when in fact the company really had no reason to maintain \nthat information. So that is why we, and I personally, believe \nthat companies need to take greater care in ensuring that the \nconsumer information that they maintain is needed. And if it is \nno longer needed, they should dispose of that information \nsafely; otherwise, it just increases the potential for harm \nshould there be a breach.\n    Mr. Pompeo. 
Suppose a company had some information, and \nthey had no real current use for it, but they thought there \nmight be value in that information 20 years from now. They \nmight be able to sell their business, and somebody else might \nbe able to use that information, but they couldn't touch today \nwhat exactly it is they thought the value of that was. But a \nlegitimate business person, at least in that business owner's \nmind was, you know, I think there is value there. I worked to \nget that information. I obtained that information lawfully, and \nI now possess it, and I would just like to hang onto it because \nI think there may a good lawful use of that information \nsometime down the road. Would you consider that, after 10 or 20 \nyears, would you consider that a legitimate business purpose in \nretaining that information?\n    Ms. Ramirez. I would be concerned that--there are many \ncompanies that do make that statement. My concern is that that \nis at odds with the desire to have adequate security. Because, \nagain, the more that you keep information, the greater danger \nthat it creates. So I am not going to sit here and say, it can \nonly be after 5 years. I think there needs to be an appropriate \nassessment under particular facts and circumstances. But what \nwe do advocate and I personally believe is that companies need \nto take a greater look at their practices, at their data \nsecurity practices, to ensure that they minimize the possible \nrisks of harm to consumers.\n    Mr. Pompeo. Right. I am not speaking to their practices in \nterms of securing that data. I am simply speaking to their \ndesire to hold onto this thing that they view as their \nproperty, this thing that they have paid for and worked for and \nworked really hard to maintain, and they are engaged in the \nmost capable security process you can imagine; they have not \nhad a breach, and all they want to do is hold onto their \nproperty. 
But as I hear you, there is some risk that the FTC is \ngoing to come in and say, sorry, not legitimate?\n    Ms. Ramirez. No. Again, I think the standard to be applied \nis reasonableness. I think what the FTC and I personally \nbelieve is that companies simply need to take a stronger look \nand ask the question, do we really truly need this information, \nand not just simply use the concept of, oh, we may need it down \nthe line without care to ask important questions about whether \nthat information is entirely needed.\n    Mr. Pompeo. Great. Thank you.\n    Ms. Ramirez. And again, our focus is on information. I can \njust give you an example. I highlighted one case today, \nCeridian, where Social Security numbers were being retained for \na period when they were no longer needed in that particular \ninstance. Again, there was no need to maintain those.\n    Mr. Pompeo. And when you say needed, you mean, in your \nmind, as opposed to in the company's mind?\n    Ms. Ramirez. The company no longer had reason to maintain \nthose Social Security numbers, and unfortunately, there was a \nbreach, and it created significant risk of harm to consumers.\n    Mr. Pompeo. Thank you. My time is expired.\n    Thank you, Madam Chairman.\n    Mrs. Bono Mack. I thank the gentleman.\n    The chair is pleased to recognize the chairman emeritus of \nthis committee, Mr. Dingell, for 5 minutes.\n    Mr. Dingell. Thank you, Madam Chairman. Welcome, \nCommissioner Ramirez. I will be asking yes and no questions, so \nI would appreciate your cooperation because time is short. Now, \nthe draft legislation pending our consideration exempts \nentities that must comply with the Gramm-Leach-Bliley Act or \nGLBA. The Federal Trade Commission's rule to implement the data \nprivacy requirements of GLBA is known as the safeguard rule, is \nthat correct?\n    Ms. Ramirez. Yes.\n    Mr. Dingell. 
Now, Commissioner, does the safeguard rule \nrequire that covered entity, that a covered entity under the \njurisdiction of the FTC notify a consumer of a data breach \nwithin a certain period of time, yes or no?\n    Ms. Ramirez. No, it does not.\n    Mr. Dingell. Commissioner, so an entity regulated by FTC \nthat is covered under GLBA, but not the draft bill, is under no \nstatutory or regulatory obligation to notify consumers of a \ndata breach within a time certain; is that correct?\n    Ms. Ramirez. Yes.\n    Mr. Dingell. Now, it would seem to me that we should \nconsider removing the draft bill's GLBA exemption as well as to \ninclude H.R. 2221's 60-day backstop notification in the interests \nof improving consumer protection. Now, the draft bill allows \nthe Commission to modify the definition of the term ``personal \ninformation'' according to the Administrative Procedure Act, or \nAPA, which I applaud. I am worried, however, though, that the \nbill imposes vague conditions on the Commission to be satisfied \nbefore it could commence a rulemaking.\n    I fear that the effect would be that the Commission may \nnever amend the definition of ``personal information.''\n    Now, Commissioner, has the Commission examined this matter \nand, if so, does the Commission share my opinion on the matter?\n    Ms. Ramirez. We do have concerns about the ability of the \nFTC to modify the definition of ``personal information'' as I \narticulated earlier in my testimony.\n    Mr. Dingell. Now, I would request that the Commission \nsubmit its comments for the record. Would you do that for us, \nplease, on this question?\n    Ms. Ramirez. Yes, of course.\n    Mr. Dingell. Now, I understand the draft bill does not \ntreat data brokers any differently from other entities that \ncollect and store personal information. This is a change from \nH.R. 
2221, which by the way passed the House overwhelmingly, \nwhich describes additional requirements for data brokers.\n    The bill does not contain provisions that allow consumers \nto have reasonable access to information data brokers who \ncollect information about them; is that correct?\n    Ms. Ramirez. Yes.\n    Mr. Dingell. Now, Commissioner, does the Commission believe \nthat brokers should be subject to more stringent data security \nand breach notification requirements than other entities that \ncollect and store personal information; yes or no?\n    Ms. Ramirez. In my view, yes.\n    Mr. Dingell. Would you submit such amplification of that as \nyou might deem appropriate?\n    Ms. Ramirez. Yes.\n    Mr. Dingell. Now, Commissioner, does the Commission believe \nthat consumers should have a statutory right to reasonable \naccess of the personal information that data brokers collect \nabout them; yes or no?\n    Ms. Ramirez. In my view, yes.\n    Mr. Dingell. And I believe you would say that that is the \nonly way you are going to assure that they will have that right \nto access; is that right?\n    Ms. Ramirez. In my view, yes.\n    Mr. Dingell. Now, Madam Chairman, I appreciate your work on \nthe bill so far, and I want to thank you for these hearings.\n    As my questions have indicated, I believe there are parts \nof the bill that can be improved. I stand by to work with you \nand am ready to assist you and the rest of our colleagues in \norder to report a bipartisan consensus bill that offers \nconsumers the best protections possible. And I would observe, \njust quickly once more, the FTC has substantial experience in \nthe protection of personal privacy from data collectors and \nthings of that kind; is that not so, Madam Commissioner?\n    Ms. Ramirez. Yes.\n    Mr. Dingell. So, Madam Chairman, I thank you for the \ncourtesy and I yield back the balance of my time, which \nconstitutes 37 seconds. Thank you.\n    Mrs. Bono Mack. 
I thank the gentleman very much and \nrecognize Mr. Guthrie for 5 minutes.\n    Mr. Guthrie. Thank you very much. Thank you, Madam \nCommissioner, for being here.\n    I appreciate this and this is a serious issue that we have \nto address, and it looks like there is going to be significant \nwork to do this in a way that is bipartisan. And I really \ndidn't even think about this, and Mr. Pompeo said, but, you \nknow, some of the things I learned when I was involved in the \nState legislature, involved in writing law and so forth, is \nthat we have got to be as clear as we can because you see \nthings--and just an example, you know, laws written 50, 60 \nyears ago today are being used to, I think, doing \ninterpretations by agencies that were never intended.\n    And so we just want to be careful that we are not just \ndealing with each other, and we know each other, and we know \neach other are thinking, but we have got to think what is going \nto happen as we go down the road.\n    And so in that, you know, I say, you have been there, and \nwe had SEC here before and they said, well, we are trying to \nsolve uncertainty. This may have to be decided in court if what \nwe are doing is right. So when we look at words like \n``reasonable'' and ``significant risk,'' ``reasonable risk,'' \njust kind of understanding what we are thinking. And so I know \nwe talk about reasonable risk in data security and significant \nrisk.\n    And if you would kind of talk about the differences in \nthose two and the cost of complying with this, I guess, for a \nbusiness or in the level of security for consumers. We have got \nto decide, give this consumer the security they have, with the \nbusiness having the knowledge or the certainty of what it is \ngoing to cost them to do, so they can plan and move forward.\n    So just the difference in reasonable and significant risk, \nin your mind, I guess.\n    Ms. Ramirez. 
In my mind, the concern that I had was that \nusing the word ``significant'' would elevate the standards and \nthe result would be that it would undermine protection to the \nconsumer. The FTC has applied a reasonableness standard \nthroughout its enforcement history in this arena, and it really \ndoes depend on the particular circumstances.\n    We would like to take into account, again, the nature of \nthe information that might be at issue, the size of the \ncompany, the costs that might be involved. So I believe that \ntaking a flexible approach allows us to fashion the right \nbalance between the costs and burdens that may be imposed on \nbusiness, as well as making sure that we have robust protection \nfor consumers.\n    Now, I also want to highlight that the cases that the \nagency has brought in this arena have been--have related to \nvery basic and fundamental failures in data security. These \nhave not been close calls, so I hope that provides some \nassurance to those who may have concerns.\n    Mr. Guthrie. Yes. I am not an attorney; I did have one law \nschool class, and the questions on tests aren't usually the \nobvious things, and that is where--usually there is some area \nthat that is why it ends up in court; not that it is clear that \nsomebody had data for 20 years, had Social Security numbers, \nhad no need for them, and somebody breached them and took them.\n    As a matter of fact, at the expense of what a breach costs \na company, I wouldn't want to hold on to that information \nmore--if I didn't have a purpose or a need for it.\n    And I want to hit one thing and I will yield back. You \ntalked earlier about the time for notification was too long, I \nguess in the draft you thought was too long. Did you say what \nyou thought was reasonable for that, or what you suggest?\n    Ms. Ramirez. Our view is that notification ought to be \nprovided as soon as practically feasible because, again, the \ncircumstances may change. 
In certain situations it may be \nappropriate to have a short requirement of just a few days. In \nother situations, there may be a need for a company to take \nmore time to write--to provide notifications.\n    So I think there ought to be an outer limit, and I have \nsuggested that 60 days would be an outer limit but, again, that \nis an outer limit. Our view is the sooner, the better, because \nthat allows consumers to take appropriate steps to mitigate any \npotential harm.\n    Mr. Guthrie. Oh, I agree with that. The difference is how \nwe define--that is how we define it, so yes.\n    Ms. Ramirez. And, again, I think it is important to \npreserve some flexibility because it may differ depending on \nparticular facts and circumstances.\n    Mr. Guthrie. Yes. I think there was one testimony in a \nprevious hearing trying to figure out what happened, and they \nwere trying to go through that. But you are right, because I \nmean, I would want to know as soon as practicable. Those were \nthose words, you argued ``practical'' or ``practicable,'' \nright?\n    Ms. Ramirez. Or ``feasible.''\n    Mr. Guthrie. But you are right. That is absolutely right. \nSo I appreciate that and look forward to working with the \nchairwoman, and thank you for your courtesy.\n    Mrs. Bono Mack. I thank the gentleman. For not being a \nlawyer, you sure play one well on TV.\n    The chair is happy to recognize Ms. Schakowsky for 5 \nminutes.\n    Ms. Schakowsky. Thank you, Madam Chairman.\n    Let me just say that this committee has a history of \nworking on a bipartisan basis, and the House did pass out H.R. \n20--is it 21--whatever that brush bill was that I was a \ncosponsor of.\n    Ms. Ramirez. H.R. 2221.\n    Ms. Schakowsky. And, you know, we worked very closely \ntogether and, as Mr. Stearns says, it has been going on since \n2005. I am so hopeful that we will be able to craft a bill. I \nfeel confident that we will be able to craft a bill. 
In some \nrespects this draft is even better, the quickness of certain \nnotification. But we need to focus on, I think, where those \ndifferences are.\n    So let me just ask a couple of questions, Ms. Ramirez.\n    The Republican discussion draft includes language that I am \nconcerned could have a narrowing effect that we don't totally \nunderstand. The draft narrows application of the bill's data \nsecurity and notification requirements to persons engaged in \ninterstate commerce with personal information, quote, ``related \nto that commercial activity.''\n    So let's take someone, a company like Amazon that is in the \nbusiness of selling books. And in that process it generally \ncollects your full name, address, credit card number and \nsecurity code. But what if they also ask you for your Social \nSecurity number? I don't think they need that to sell a book. \nAnd if they did ask you for it, it probably wouldn't be to sell \nyou that book. And what about other information that isn't at \nthis time within the meaning of personal information like an IP \naddress?\n    I know this is a fairly technical point so you may not have \nan answer right now, but to the extent you can, do you know how \nthe FTC would interpret and implement this phrase, quote, \n``related to that commercial activity''?\n    Ms. Ramirez. I think we would interpret it to be \ncoextensive with our jurisdiction over entities that engage in \ninterstate commerce. I think it would be relatively broadly \ninterpreted. Again, the precise scope of the definition is an \narea that we are happy to work with the committee to ensure \nthat we assist in the committee coming up with a suitable \ndefinition that addresses the concerns that have been \narticulated today.\n    Ms. Schakowsky. Well, I am just worried that it is \nambiguous language, and we may want to work with you and work \nwith the committee to tighten that up.\n    Ms. Ramirez. 
And we would absolutely be pleased to work \nwith you on that language.\n    Ms. Schakowsky. Great. Here we are, H.R. 2221 from the last \nCongress and the Republican discussion draft of the SAFE Data \nAct require notice to the FTC and consumers of an electronic \ndata breach only if the covered person has determined that the \nbreach, quote, ``presents a reasonable risk of identity theft, \nfraud or other unlawful conduct.''\n    I know that others have asked this, but I wonder if one \nmore time, do you believe this trigger for notification, based \non reasonable risk, et cetera, is appropriate?\n    Ms. Ramirez. I do. I think that the standard of reasonable \nrisk gives it appropriate flexibility to accommodate both the \nneed to protect consumers, as well as the need to take into \naccount any burdens, excessive burdens on business.\n    Ms. Schakowsky. And it falls on the covered person to \ndetermine whether or not the trigger has been--for notification \nto the FTC and consumers--has been met. Do you believe it is \nappropriate for the covered person to make the ultimate \ndetermination about the risk posed to consumers from a data \nbreach and whether notice to the FTC and consumers is required; \nand, if not, who should make that determination and how should \nthey go about doing that?\n    Ms. Ramirez. That is a serious concern that we have. We \nbelieve that the FTC ought to be notified at the same time as \nother law enforcement agencies so that we can also examine the \nissue and determine if there ought to be notification that may \ndiffer from the determination that is made by the company.\n    Ms. Schakowsky. Thank you. And, finally, in the few seconds \nI have, H.R. 2221 would require notice to law enforcement, the \nFTC, and consumers in the event of a data breach involving \nelectronic records. 
There is no requirement for notice in the \nevent of a data breach involving paper records.\n    Do you believe the scope of the notification requirement \nshould be expanded to include data breaches involving paper \nrecords?\n    Ms. Ramirez. I do. I believe that paper records can also \npose serious concerns and risks to consumers.\n    Ms. Schakowsky. Thank you, and I yield back at zero.\n    Mrs. Bono Mack. I thank the gentlelady. The chair--I was \ngoing to give Christmas presents that equaled per seconds, like \nChristmas gifts would be valued by the size and the amount of \ntime you give back.\n    The chair is happy to recognize Mr. Harper for 5 minutes.\n    Mr. Harper. Thank you, Madam Chairman, and thank you, \nCommissioner, for being here and giving us your insight into \nthis.\n    If I could just talk a little bit more about reasonable \nrisk or significant risk, and you have indicated you support \nthe reasonable risk standard.\n    How do you define that reasonable risk? What do you see \nthat being?\n    Ms. Ramirez. I think if the information that is at issue is \npotentially going to be misused, can be misused to harm \nconsumers, I think that there ought to be a presumption that \nthere ought to be notification.\n    Again, I do--I do want to highlight that the agency has \ndone significant work in this arena and our enforcement actions \nand consent orders that we have entered into, I think, can \nelaborate more fully on the situations that we have found where \naction was necessary. So, but again, I think there needs to be \nflexibility; I think reasonableness accomplishes that, and I \nwould be concerned about changing that standard.\n    Mr. Harper. So you said the Commission has done significant \nwork versus reasonable work?\n    Ms. Ramirez. We have great experience in the area of data \nsecurity.\n    Mr. Harper. Right. So how would we vary with significant? 
\nIf the standard was significant risk, how would you view that \ndifferent than reasonable risk?\n    Ms. Ramirez. I think it is a flexible concept, and I don't \nhave any magic words to articulate here today, but I think, in \nmy mind, the key is how do we best protect consumers. And if \nthat is the aim of the legislation, I believe that we ought to \nerr in favor of protecting consumers, given that we know that \nthe incidence of identity theft and data breach, by the way, is \none significant cause, of, again, identity theft continues to \nbe such a significant concern.\n     It is the most--we have received the most complaints \nrelating to identity theft than any other complaint, and that \nhas been in the last decade, so it remains a very significant \nconcern.\n    Mr. Harper. So ``reasonable'' would be in the eye of the \nbeholder in some instances, is how we define this.\n    Ms. Ramirez. No. I believe that you can establish objective \nstandards. The reasonableness of the concept that is, you know, \nwell and defined in many different areas and used in many \ndifferent areas of law, so I think it is one that can be \nemployed in a way that I think would address concerns. I think \nit maintains appropriate flexibility and allows one to balance \npotentially competing interests.\n    Mr. Harper. Yes. And I know as we go through the discussion \ndraft and we look at it, there is going to be that discussion \nbetween reasonable and significant risk. You know, of course, \nas you know in the practice of law, some-- you will have \npreponderance of the evidence, or, in a criminal case, beyond a \nreasonable doubt, but also there is clear and convincing.\n    So I think you are going to have that tug back and forth \nbetween reasonable and significant, wanting to protect the \nconsumers but also looking at how the businesses will deal with \nthis. 
So, you know, I appreciate your input on that.\n    As we look at the notification of when you believe FTC \nshould be notified, you believe they should be notified at the \nsame time as law enforcement. Is that what you have stated?\n    Ms. Ramirez. I do, yes.\n    Mr. Harper. OK. And what period of time do you think is the \noptimum time for you to get that notification?\n    Ms. Ramirez. I think as soon as the breach takes place. I \nam now not remembering if the bill is specific on that point, \nbut essentially at the very outset, when other law enforcement \nagencies are notified.\n    Mr. Harper. When we look at that specific time limit, you \nknow, these are certainly a great concern, as you have stated \nand as we know, data breach is something that everybody is \nconcerned about and with this age that we have.\n    So tell me why you believe that the FTC should be notified \nprior to the consumers?\n    Ms. Ramirez. As a law enforcement agency, I think it is \nimportant that the FTC be provided prompt notification so that \nit can take appropriate action if necessary.\n    In addition, I think that waiting for the outcome of a \nparticular company to engage in its own risk assessment risks a \nsituation where a company may perhaps conclude that \nnotification won't be necessary to consumers. The FTC may have \na different view of it. It may provide an additional level of \nassurance as protection for consumers.\n    Mr. Harper. Well, let me end with this quickly. Do you \nbelieve that this legislation, that it will address the current \nand evolving environment with respect to cloud computing?\n    Ms. Ramirez. I am sorry, could you repeat that?\n    Mr. Harper. Do you think that this legislation \nappropriately addresses the current and evolving environment \nwith respect to cloud computing?\n    Ms. Ramirez. I do. I think, again, cloud computing is, of \ncourse, the wave of the future. 
But the data security methods \nought to apply to cloud computing, just as they do with other \nmethods of storage.\n    Mr. Harper. Thank you. With that, I yield back.\n    Mrs. Bono Mack. I thank the gentleman. The chair recognizes \nDr. Cassidy for 5 minutes.\n    Mr. Cassidy. Ms. Ramirez, the examples of health info which \nare not covered by HIPAA, can you give me those?\n    Ms. Ramirez. Let me give you an example from one of the \nmatters that the FTC handled, the Eli Lilly matter, which \ninvolved the release of information about individuals who had \nused Prozac. HIPAA only covers particular entities such as \nhospitals, doctors' offices.\n    Mr. Cassidy. So a noncovered entity, if you will.\n    Ms. Ramirez. It would be a noncovered entity; correct.\n    Mr. Cassidy. Now, you--so this may answer my next question. \nIt seems, as I am trying to understand this, that you in effect \nhave two sets of data, one with unique identifiers and the \nother that is gained from publicly accessible information that \nyou have a similar concern, even though it might not have a \nunique identifier; is that correct?\n    Ms. Ramirez. Well, it is not the issue of a unique \nidentifier. Again, when it comes to public records, our concern \nis that once you compile information and you gather information \nthat in the past might have been very difficult to collect, \nonce it is collected at one place, that can then raise very \nserious concerns.\n    Mr. Cassidy. So what are those concerns?\n    Ms. Ramirez. When you have data aggregators that are \ngathering information about----\n    Mr. Cassidy. Well, I understand what a data aggregator is, \nI understand that. They get all the data about mortgages being \nsold in Washington, D.C.\n    Ms. Ramirez. One example could be that they may have \ninformation that might--can be given to a payday lender, for \ninstance, because they have information that may reveal--have \nindications about income level. 
That information can then be \nused by a payday lender or someone who aims to engage in some \ntype of fraudulent activity.\n    Mr. Cassidy. Now, a payday lender is not inherently \nfraudulent?\n    Ms. Ramirez. No, no, no, no, no. But my point is it can be \nused by persons who may want--seek to misuse that information, \nso it is very important that that information----\n    Mr. Cassidy. But that is true of all information in a free \nsociety; correct? I am nervous about limiting access to \npublicly available information, and I don't necessarily \ndisagree with you, but it always seems like we should have a \nbias towards openness, knowing that those--so why should we not \nhave this bias towards openness if it is not being used by a \nfraudulent entity and if it is publicly available otherwise?\n    Ms. Ramirez. The key is to ensure that appropriate measures \nare taken to protect the information that has been aggregated. \nYou then--you now have an ability with these data aggregators \nwho have gathered just a treasure trove of information that, \nagain, previously may not have been easily accessible.\n    Mr. Cassidy. You keep saying that, and I understand that. I \nunderstand that issue. What I don't know is what danger you see \nwith that. And I am asking openly.\n    Ms. Ramirez. So the danger can be that it can be misused \nfor a number of reasons.\n    Mr. Cassidy. But I guess all information could be misused. \nAll information can be misused. And so I am just trying to \nunderstand.\n    Ms. Ramirez. So the fundamental point is that that \ninformation needs to be protected; and if that information, if \nthere has been a breach, the consumer ought to be notified. And \nin the case of data brokers, I believe that there ought to be \nsome additional requirements where a consumer may have access \nto that----\n    Mr. Cassidy. 
Just so I understand better, because clearly I \nam struggling, can you give me a specific example of--and just \nso I can understand--again, I am not challenging, I am trying \nto understand--a specific example of where a data aggregator \nhad data that was breached that did not include a Social, did \nnot include a credit card number or a security code, it was \njust like, you know, Bill Cassidy, the Congressman from Baton \nRouge, and he has got three kids and et cetera, et cetera. Are \nyou with me?\n    Ms. Ramirez. Let me give you one example. Information \nrelating to income, for instance, is information that might be \ngathered or somehow ascertained through the access of publicly \navailable information.\n    Mr. Cassidy. Now I am told, when I suddenly saw all these \ncatalogs that I was getting back from people who send catalogs, \nthat they looked at my census tract and said, oh, he is in a \npretty good census tract, and so therefore I started getting an \nincredible number of catalogs. Now, are we going to restrict \nthe ability of someone to know what census tract I live in?\n    Ms. Ramirez. No, but I think you can provide access rights \nso that if, for instance--again let me go back to----\n    Mr. Cassidy. Now the access rights is a separate issue. The \naccess rights, I gather from Mr. Dingell's thoughts, and it \nactually seems--I can see some use in that.\n    But, again, I am wondering, what is the inherent damage----\n    Ms. Ramirez. We would not be restricting the ability to \ngather the information that was publicly available. We would \nsimply want there to be adequate security measures to protect \nthe information, and we would want there to be notification to \nthe consumer in appropriate circumstances. And in light of \npotential misuse of information, additional requirements such \nas access may be one way of addressing it. But I am not advocating \nthat there be a limitation on the ability----\n    Mr. Cassidy. 
At the risk of losing my Christmas presents, I \nwill say, though, that it almost seems that if you have one \nwith credit card numbers and Socials and medical, you know, \nmilitary identification numbers, that clearly should be in its \nown silo.\n    The other seems--the other seems, I am not sure--and I am \nsure there is going to be an expense in terms of being in the \nsilo. The other seems to me to be inherently less, I don't \nknow, onerous as regards the protective measures taken, because \nit doesn't have the same import if somebody knows I have got \nthree kids and live in the census tract as opposed to knowing \nmy Social.\n    Ms. Ramirez. My apologies if I haven't been able to fully \narticulate the potential risks that we see, and my staff is \nvery happy to work with you to provide some additional \ninformation if I have not been able to answer your question \nadequately.\n    Mr. Cassidy. If you will do that. And, again, I would just \nunderstand. If you all send it to me, I would appreciate it.\n    Thank you. I yield back.\n    Mrs. Bono Mack. I thank the gentleman. I recognize Mr. Rush \nfor 5 minutes.\n    Mr. Rush. I want to thank you, Madam Chairman. We have \nknown for several Congresses now that mass MEGA data breaches \ncould and will occur. And we have had the vision to introduce \nlegislation to make these breaches more difficult to perpetuate \nand that would make consumers as close to whole as possible \nwhen they piece back together their personal lives and \nidentities.\n    The DATA Accountability and Trust Act that I reintroduced \nin May, along with Congressman Barton and Congresswoman \nSchakowsky, is essentially the same bill that was passed out of \nthis committee in December of 2009, in the 111th Congress, as \nH.R. 2221. That bill passed out of the House on suspension and \nwas then referred to the Senate Commerce Committee.\n    When I became chair of this subcommittee in the 110th \nCongress, I introduced H.R. 
958, which has since been shaped to \nkeep up with online and network technologies and emerging \nformats for storing consumer data. These technologies and \nformats improve consumers' lives and make new and exciting \nbusiness efforts and revenue models viable. But it has been \nimportant in our approach to remain technologically neutral, so \nthat we don't pick winners and losers, and also cognizant--and \nremain cognizant of the unique natures of the business models \nand realities involving what the bill defines as ``service \nproviders,'' ``information brokers,'' and ``fraud databases.''\n    Madam Commissioner, I only have a few minutes and so I am \ngoing to ask you a few questions, and I intend to ask each \npanel these questions. So if I could get a yes or no answer, \nthat would certainly help me. And if I don't get to ask the \nquestions, I have some that I will refer to you in writing for \nthe record.\n    Should commercial entities that do business in interstate \ncommerce be required under Federal law to protect individuals' \npersonal information by securing it and protecting it from \nimproper access?\n    Ms. Ramirez. Yes.\n    Mr. Rush. And when these entities contract with a third \nparty to maintain that personal data, should they be further \nrequired to establish and implement information, security \npolicies, and procedures?\n    Ms. Ramirez. Yes.\n    Mr. Rush. Should the FTC be authorized to prescribe what \nthose policies and procedures ought to be?\n    Ms. Ramirez. Yes.\n    Mr. Rush. Should personal information be defined to include \nan individual's first name or initial and last name, or \naddress, or phone number, in combination with any--with any one \nor more of the following. An individual's Social Security \nnumber?\n    Ms. Ramirez. I believe that that would be too narrow a \ndefinition.\n    Mr. Rush. I have got a number of them, yes or no. Yes or \nno.\n    Ms. Ramirez. No.\n    Mr. Rush. A driver's license number?\n    Ms. 
Ramirez. No.\n    Mr. Rush. A passport number, military number, or similar \nidentification number issued on a government document for \nverifying identity?\n    Ms. Ramirez. No.\n    Mr. Rush. A financial account number?\n    Ms. Ramirez. No.\n    Mr. Rush. A credit card number?\n    Ms. Ramirez. No.\n    Mr. Rush. A debit card number?\n    Ms. Ramirez. No.\n    Mr. Rush. Or any security, access code, or password needed \nto access the account?\n    Ms. Ramirez. No.\n    Mr. Rush. Should information brokers be required to submit \ntheir data security policies to the FCC?\n    Ms. Ramirez. Yes.\n    Mr. Rush. Should information brokers be required to \nestablish procedures that consumers may follow to review and, \nif necessary, dispute the accuracy of their personal data?\n    Ms. Ramirez. In my view, yes.\n    Mr. Rush. Thank you very much. You have been very kind and \nhelpful.\n    With that, Madam Chair, I yield back the balance of my \ntime.\n    Mrs. Bono Mack. The chair recognizes Mrs. Blackburn for 5 \nminutes.\n    Mrs. Blackburn. Thank you, Madam Chair, and thank you for \nbeing here with us today.\n    I want to stay with this personally identified information, \nbecause I think that gets to kind of the crux of the matter \nwhen you talk to our constituents and you look at how they have \nreacted to what has transpired with the Sony breach and the \namount of time that was required to inform people there. You \ncan go back as far as the TJX breach and the amount of time and \nthe inconvenience that was caused to individuals there.\n    So I think that what we have to do is that our goal should \nbe to define this legislation in a way that is very clear and \nvery meaningful to our constituents and to policymakers. And I \nknow Mr. Stearns talked about FTC control and authority, and \nsome people believe that we should not give the FTC the control \nto make the policy. 
Specifically, the FTC with the rulemaking \nprocess and having the ability to set what is personally \nidentified information is a very powerful tool, and there are \nmany that think we should define that in law and not give it to \nthe FTC.\n    So I want to stay with this. I want you to define for me, \njust go down the tick list of--as making rules, what you would \nput sequence, what would be personally identified information, \nhow you would sequence that in the rulemaking authority.\n    Ms. Ramirez. I think the touchstone here is information \nthat can be uniquely tied to an individual. I am afraid that I \njust can't rattle off a list here, but my staff is very happy \nto work with you to articulate in more specific terms. But, \nagain, the key would be information that can then be used to \nidentify someone. And I believe it would be broader than the \ndefinition that is currently used in the draft bill.\n    Mrs. Blackburn. OK. What I would like for you all to do, \nthen, is to submit that to us in writing, because I think this \nis an area where we are going to need to focus, put some \nattention on what this is, who owns that online presence; is it \nbecoming more important to our constituents? And we hear from \nthem daily on the privacy issue, on the data searching, the \ndata selling, all of these issues that are becoming \nintertwined, even with the piracy issue and the intertwining \nthat is there.\n    So to say a unique tie may be a simple, concise answer to \ngive, but it does not provide the depth that we are going to \nneed and have as we go through this. So I would ask you to do \nthat.\n    OK. The chair talked about declaring war on identity theft \nand online fraud, and I think she is exactly right on this \nbecause--and I agree with her on this, and our constituents \nlook at this as a virtual marketplace that is out there. 
And \nthey look at the relationship they have had with brick-and-\nmortar retails and entities and then with click-and-mortar \nbusinesses and also virtuals. So let's talk about people who \nhave become the victim of identity theft. What services do you \nthink should be made available to them? People realize a free \ncredit report doesn't cut it. Credit monitoring doesn't cut it.\n    So tell me what you think for those that have been harmed \nby identity theft. What services should be available for them?\n    Ms. Ramirez. I do think that credit monitoring is an \nimportant aspect of the protection, but I also think it is \nincumbent--what the consumer will need to do is to be very \nvigilant, monitoring all of their financial accounts, \nmonitoring their billing statements, and if they see anything, \nso that----\n    Mrs. Blackburn. So the personal responsibility aspect.\n    Ms. Ramirez. That is an element of it. And we provide \nguidance to consumers about what they ought to do and the steps \nthat they ought to take.\n    Mrs. Blackburn. So you see the FTC's role more as providing \nguidance on that.\n    Ms. Ramirez. In terms of--consumer education is a \nsignificant piece of what the FTC does, and we do provide \nsignificant information to consumers, helping them take steps \nif their identity has been stolen or there is a risk of that, \nwhat steps they can take to protect themselves.\n    Mrs. Blackburn. OK. Let me ask you one other thing. The \nbill that we are considering, should it apply to government \nsystems?\n    Ms. Ramirez. The bill should apply to commercial activity. \nThat is the jurisdiction that the FTC has to commercial \nentities, so that is the scope of our jurisdiction.\n    Mrs. Blackburn. And you don't think we should apply it to \ngovernment entities?\n    Ms. Ramirez. It is an area that is outside the scope of \nwhat the FTC does.\n    Mrs. Blackburn. I respect that answer. Thank you very much. \nI yield back.\n    Mrs. Bono Mack. 
I thank the gentlelady very much.\n    With that, we have concluded the first panel. We want to \nthank our witness very much for her in-depth and very \nthoughtful answers today.\n    I will say to the audience, we are going to take a 5-minute \nbreak while we reseat the second panel, but to remind people \nthat there is an overflow room in 2123 for anybody who would \nprefer to sit rather than stand.\n    So, again, Commissioner Ramirez, thank you very much for \nyour time today.\n    Ms. Ramirez. Thank you.\n    Mrs. Bono Mack. See you all in 5 minutes.\n    [Recess.]\n    Mrs. Bono Mack. All right. If the subcommittee could come \nto order once again. If the gentleman in the corners could \nplease take your seats.\n    On our second panel we have four witnesses who are deeply \nengaged on the issue of cybersecurity.\n    Testifying are Jason Goldman, Counsel, Telecommunications & \nE-Commerce, U.S. Chamber of Commerce; Robert Holleyman, \nPresident and CEO of the Business Software Alliance; Stuart \nPratt, President and CEO of the Consumer Data Industry \nAssociation; and Marc Rotenberg, Executive Director for the \nElectronic Privacy Information Center.\n    Good afternoon, gentlemen. Thank you all for coming. You \nwill each be recognized for 5 minutes. To help you keep track \nof the time there is a time clock in front of you, and green, \nred, yellow, you know what they mean. Yellow means 1 minute to \nget to the conclusion of your testimony.\n\n STATEMENTS OF JASON D. GOLDMAN, COUNSEL, TELECOMMUNICATIONS & \nE-COMMERCE, U.S. CHAMBER OF COMMERCE; ROBERT W. HOLLEYMAN, II, \nPRESIDENT AND CEO, BUSINESS SOFTWARE ALLIANCE; STUART K. PRATT, \nPRESIDENT AND CEO, CONSUMER DATA INDUSTRY ASSOCIATION; AND MARC \n ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION \n                             CENTER\n\n    Mrs. Bono Mack. So at this point in time we are going to \nrecognize Mr. 
Goldman for 5 minutes, and please remember to \nturn your microphone on and bring it close to your mouth.\n\n                 STATEMENT OF JASON D. GOLDMAN\n\n    Mr. Goldman. Good afternoon, Chairwoman Bono Mack, Ranking \nMember Butterfield, and other distinguished members of the \nsubcommittee. I am Jason Goldman, Telecommunications & E-\nCommerce Counsel of the U.S. Chamber of Commerce, the world's \nlargest federation, business federation, representing the \ninterests of more than 3 million businesses and organizations \nof every size, sector, and region.\n    On behalf of the Chamber and its members, I thank you for \nthe opportunity to testify here today regarding the discussion \ndraft of the SAFE Data Act.\n    We live in an information economy. Today, Chamber members \nof all shapes and sizes communicate with employees, existing \nconsumers, potential consumers, and business partners around \nthe world. They use data to spur sales and job growth, enhance \nproductivity, enable cost savings and improve efficiency.\n    Global and U.S. data usage are skyrocketing. In today's \ntough economy, businesses depend more than ever on having \nbeneficial and trusted relationships with their customers. \nTherefore, there is no question that protecting sensitive \ncustomer information should be a priority for all businesses \nthat collect and store this data, and the customers deserve to \nbe promptly notified if a security breach has put them at risk \nof identity theft, fraud, or other harm.\n    The Chamber supports the enactment of meaningful Federal \ndata security legislation that would implement national data \nsecurity standards to protect against the unauthorized access \nto sensitive personal information about businesses' customers, \nand breach notification requirements to notify customers when a \nsignificant risk to them may result from a security breach. 
At \nthe same time, the Chamber urges policymakers to ensure that \nany legislation in this area does not hinder innovation and \nbeneficial uses of the data.\n    The Chamber appreciates the willingness of the subcommittee \nto work with us in legislation aimed at accomplishing this \ngoal. The Chamber only recently got this text of the SAFE Data \nAct, so our comments are based on our initial read and may \nchange as we continue to vet the bill through our membership.\n    The United States has a national economy. And almost every \nState has enacted various data security and breach notification \nprovisions, many of which differ from one another in material \nways. This patchwork of State laws not only makes compliance \ndifficult for businesses, but it can also create confusion for \ncustomers who receive notices from many sources.\n    The Chamber supports the preemption of State information \nsecurity and related liability laws to create a national \nuniform standard that will create regulatory certainty and \nminimize compliance costs for businesses that operate in \nmultiple States.\n    The Chamber has long advocated for a notice requirement \nthat avoids the dangers of over-notification. 
As was discussed \nin the previous panel, the Chamber worries that if needlessly \nalarmed, customers may take actions that are not warranted and \nare a waste of their time.\n    Alternatively, more worrisome, customers that are flooded \nby these notices may be falsely lulled into inactivity and not \ntake proper action when the risk is justified.\n    Therefore, the Chamber is pleased that the draft bill \nrecognizes that the notification should be based on risk of \nharm, not just on the mere fact that data breach occurred.\n    The Chamber agrees that notification of breach is not \nnecessary where the data has been rendered unusable, \nunreadable, or indecipherable by different methods such as \nencryption, redaction, or access controls.\n    The Chamber also recommends the inclusion of a threshold \nnumber of individuals requiring notification that would trigger \nnotification to the FTC.\n    The Chamber agrees that consumers should be notified in a \ntimely manner after the occurrence of a reportable breach. \nHowever, given the complexities of dealing with a data breach, \nthe Chamber recommends that the draft be modified to allow \ncompanies a reasonable amount of time to notify consumers, \nrather than a specific time frame.\n    Furthermore, to catch cybercrooks and other criminals, as \nwell as to ensure the safety of our Nation, the Chamber \nsupports the revisions in the draft bill permitting delay of \nnotification for law enforcement or national security purposes. \nAlong with that, the Chamber recommends inclusion of language \nin the bill that identifies which specific agencies would \ntrigger that exception or would have been able to enact that \nexemption.\n    Regarding liability, the Chamber is concerned about the \napplication of a daily fine as it relates to the bill's \nsecurity requirements. 
If any entity is found liable for \nviolating the data minimization requirement, is every day the \nentity maintains records that should have been destroyed \nthroughout all of their data bases a multiplier penalty?\n    The Chamber appreciates the revisions on the data broker \nprovisions that were discussed in the panel earlier.\n    On enforcement, the Chamber is concerned about enabling \nState attorneys general to impose 50 different enforcement \nregimes that will undermine the uniformity of this act and make \ncompliance extremely difficult. At the very least, the draft \nbill should curtail the ability of State attorneys general to \nutilize private outside contingency attorneys to enforce this \nact or to litigate claims on behalf of their constituents.\n    Also the Chamber appreciates the tech-neutral provision in \nthe act that says the FTC should implement in a tech-neutral \nmanner. And, last, the Chamber does appreciate the inclusion of \na prohibition of the no private right of action.\n    With that, thank you, and I am happy to answer any \nquestions.\n    Mrs. Bono Mack. Thank you, Mr. Goldman.\n    [The prepared statement of Mr. Goldman follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mrs. Bono Mack. Mr. Holleyman, you are recognized for 5 \nminutes.\n\n              STATEMENT OF ROBERT W. HOLLEYMAN, II\n\n    Mr. Holleyman. Chairwoman Bono Mack, Mr. Butterfield, \nmembers of the committee, Business Software Alliance strongly \nsupports the enactment of a national data security and data \nbreach notification law. We believe that that is important to \nbuild trust and confidence in the digital economy.\n    This is now the fourth Congress to consider data breach \nlegislation, and we are grateful for the opportunity that we \nhave had to work with the members of this committee to advance \na bill.\n    The time to act is now. The need is clear, as are the \nsolutions. 
BSA endorses the key elements of the SAFE Data Act \nthat are before us today. We support requiring organizations \nthat hold sensitive personal information to implement \nreasonable security procedures. And the draft bill takes into \naccount an organization's size, the scope of its activities, \nand the costs involved.\n    We support creating incentives to adopt strong security \nmeasures. The draft bill will promote the use of technologies \nsuch as encryption, which render data unusable, unreadable, or \nindecipherable to thieves if they manage to steal it. We \nsupport an approach that avoids unnecessarily alarming or \nconfusing consumers, and the draft bill accomplishes that by \nonly requiring notification when there is a risk of identity \ntheft, fraud, or unlawful activity.\n    Finally, we support the bill's establishment of a uniform, \nnational framework with Federal enforcement preempting today's \npatchwork of State laws.\n    We hear about new data breaches almost daily. One group, \nthe Privacy Rights Clearinghouse, has recorded more than 2,500 \nof them since 2005, involving more than 530 million individual \nrecords. In many cases these records include data that are \nuseful to identify individuals and then exploited by thieves, \nsuch as Social Security, credit card, or driver's license \nnumbers.\n    Surveys indicate that these breaches are causing consumers \nto question the security of online transactions, and that is \nespecially troubling, because we are in the middle of an \nexciting new wave of innovation with the emergence of cloud \ncomputing. Cloud computing offers tremendous new opportunities \nfor economic growth and efficiency. 
It allows businesses and \norganizations to reinvent their back office operations and will \ngive users access to their data and services from any device, \nwhether they are at home, at the office, or on the road.\n    We cannot allow breaches to erode confidence in the cloud \nenvironment or the Internet economy, and for years BSA members \nhave been working hard to protect data from cybercriminals. BSA \nmembers are leaders in providing new security solutions and \nthemselves invest in reducing vulnerabilities and protecting \nthe integrity of their technology.\n    BSA members are developing cutting-edge security solutions \nthat are employed by businesses and consumers to defend against \nthe evolving and the very real threats. And BSA has led the \nfight against the use of illegal software, not only because it \ndrains revenues from American companies, but also because \npirated software commonly includes malicious computer code that \nhackers and other criminals use to steal data. Importantly, BSA \nmembers are at the forefront of the cloud revolution, which \ncreates new opportunities to better store data behind strong \nsecurity walls.\n    As this committee understands, Congress also has a \nresponsibility. In the absence of a national law, States have \nenacted their own data breach notification requirements. \nUnfortunately, this has resulted in inconsistency that is \nunwieldy for business and confusing for consumers. We need a \nuniform national framework that better protects consumers and \nalso, as this bill does, promotes effective security measures.\n    I testified before this committee 2 years ago about the \nneed for a national data breach law. Since then, another 250 \nmillion sensitive records have been breached.\n    Madam Chairman, I commend you and your colleagues for \ndrafting this bill. I urge Congress to pass a Federal data \nbreach law this year. 
And the BSA and I look forward to working \nwith you and members of this committee to make that a reality.\n    Mrs. Bono Mack. Thank you very much, Mr. Holleyman.\n    [The prepared statement of Mr. Holleyman follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mrs. Bono Mack. Mr. Pratt, you are recognized for your 5 \nminutes.\n\n                  STATEMENT OF STUART K. PRATT\n\n    Mr. Pratt. Madam Chairman, Ranking Member Butterfield, and \nmembers of the subcommittee. My name is----\n    Mrs. Bono Mack. Excuse me, is that microphone on?\n    Mr. Pratt. It is. I will pull it closer.\n    Mrs. Bono Mack. Thank you.\n    Mr. Pratt. Madam Chairman--is it working?\n    Mrs. Bono Mack. If the light is on. I can't necessarily \ntell, but the people in the back really care that they will \nhear well.\n    Mr. Pratt. I am President and CEO of the Consumer Data \nIndustry Association. We appreciate the opportunity to testify \ntoday.\n    For more than a decade, CDIA has been on record as \nsupporting the enactment of a uniform Federal standard for both \nsecurity of sensitive personal information and notification of \nconsumers where there is a significant risk of identity theft.\n    With this in mind, we applaud the focus of this hearing. \nYour committee's leadership is key to finding the right path \nforward. CDIA's members support the proactive approach you have \ntaken by circulating a discussion draft in order to build the \nmuch-needed consensus. It is the right step to take.\n    You have asked us to comment on the discussion draft known \nas the SAFE Act, or SAFE Data Act. So, first, CDIA is very \nencouraged by the essential structure of the draft bill. Risks \nto sensitive consumer data are best addressed with two key \npillars:\n    First, sensitive personal data must be secured. 
The draft \nproposal appropriately empowers the Federal Trade Commission to \nwrite scalable regulations relative to data security, much as \nthe FTC and bank agencies have done for financial institutions \ngoverned by the Gramm-Leach-Bliley Act. CDIA members support \nthis approach.\n    Second, consumers must be notified when sensitive personal \ninformation about them has been lost or stolen. Again, our \nmembers support notification where, for example, there is a \nsignificant risk of harm for the consumer, such as the \nlikelihood of becoming a victim of the crime of identity theft.\n    Within these two key pillars are many provisions which are \nwell thought out and deserve to be highlighted. For example, \nthe discussion draft establishes strong incentives for U.S. \nbusinesses to adopt strategies to reduce risks by rendering \ndata unusable, unreadable, or indecipherable. These incentives \nare appropriately technology-neutral and thus will spur \ninnovation in the design of systems that will ultimately \nprotect data about consumers.\n    The draft properly includes a risk-based trigger for \ndetermining when a notice must be sent, which ensures that we \nas consumers receive relevant and timely notices, rather than a \ndeluge of notices through which we need to sift to find the one \nthat is meaningful.\n    While the draft urges speedy notification of consumers, it \nacknowledges the need for law enforcement to engage with \nprivate sector and, in some cases, to delay such notices, but \nnot to allow delays that are unduly long.\n    We are pleased that the draft's proposals solve the problem \nof overlapping laws with regard to data security. 
Fully \nexempting persons who are subject to the data security \nrequirements of Title 5 of the Gramm-Leach-Bliley Act ensures \nthat CDIA members, both large and small, are in the very best \nposition to successfully comply with the law and, most \nimportantly, to be successful in securing sensitive personal \ninformation about consumers.\n    We encourage the committee to adopt a similar ``subject to'' \nstandard with regard to persons who are already held \naccountable for data breach notification duties under Federal \nlaws, regulations, or agency guidance.\n    Ensuring a truly uniform national standard for both data \nbreach notification and data security is essential to the \nsuccess of the draft proposal. To this end, we applaud the \ninclusion of section 6. As the committee continues to refine \nthe discussion draft, we encourage it to consider a subject \nmatter approach to preemption to ensure that the standard is \ntruly uniform.\n    Regarding the content of notices, let me make just a couple \nof points:\n    First, we thank you for the inclusion of language in \nsection 3(e), which makes it clear that the person who \nexperienced the breach and who is notifying consumers is the \none who pays for the credit reports to which the consumer is \nentitled.\n    Second, for the sake of consumers, we request that the bill \nbe amended to require those who are sending out breach notices \nto more than 5,000 individuals, to notify consumer reporting \nagencies in advance so that our members can appropriately \nprepare to handle the spike in volume.\n    Further, all persons issuing notices must verify the \naccuracy of the contact information included. 
Our members have \nat times discovered that breach notices issued by others had \nincorrect toll-free numbers listed, which is a disservice to \nconsumers.\n    In terms of definitions, we are glad that section 5(7)(A) \nestablishes the definition for the term ``personal \ninformation.'' Having a definition is clearly necessary to \nensure that all persons affected by the scope of the bill \nunderstand the type of data which must be protected. Section \n5(7)(B) properly excludes public records from that definition.\n    Our members are concerned with the inclusion of section \n5(7)(C) which allows the FTC to alter the definition. We \nbelieve the definition as proposed is adequate and should be \nset by the Congress.\n    In closing, let me congratulate you on a very strong \ndiscussion draft that is unencumbered by ancillary issues. The \ncommittee is on the right track, and we look forward to \nsupporting its efforts to protect consumers' sensitive personal \ninformation. Thank you.\n    Mrs. Bono Mack. Thank you, Mr. Pratt.\n    [The prepared statement of Mr. Pratt follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mrs. Bono Mack. Mr. Rotenberg, 5 minutes.\n\n                  STATEMENT OF MARC ROTENBERG\n\n    Mr. Rotenberg. Thank you, Madam Chair, Mr. Rush, members of \nthe committee. My name is Marc Rotenberg. I am the Executive \nDirector of the Electronic Privacy Information Center, and I \nteach privacy law at the Georgetown Law Center, and I thank you \nvery much for holding this hearing today.\n    It is actually difficult to overstate the problem of \nsecurity breaches in the United States. 
In fact, as your \nearlier hearings have demonstrated, these risks are far-\nreaching and they impact millions of consumers. In May, more \nthan 200,000 customers of Citigroup, and 100 million users of \nthe PlayStation Network also had information improperly \naccessed.\n    And if I can make an additional point for you this morning, \nthese problems are going to get worse. We are moving more of \nour personal data from our laptops, our devices, and our \ndesktop computers into the cloud where they can be more easily \naccessed by others. You are going to hear more and more about \nsecurity breaches.\n    You are also going to learn that the attacks are becoming \nmore sophisticated. Not only do we have to now contend with \nphishing, which seeks to obtain sensitive personal data, we now \nhave to contend with what is called spear phishing, which means \nidentifying particular users and using some information about \nthem, such as their home address, to get additional information \nthat makes possible identity theft, financial fraud, and so \nforth.\n    So at the outset, my sense would be that given the fact \nthat the House last year had passed a strong measure, the \nproblems are getting worse and likely to continue to do so. I \nwould have started there and tried to figure out how to improve \nthat bill. And in that spirit, I actually wanted to commend you \nfor incorporating the data minimization provision in the draft \nbill.\n    I think this is a very important safeguard that not only \nlimits the risk at the outset by telling companies, you know, \nreally think if you need to have Social Security numbers on \nhealth club members, for example, because if you lose control \nof that information, you have created a risk. So you reduce the \nrisk at the outset. But in the circumstances where the \ninformation isn't properly accessed, there is less exposure to \ncustomers, so that is also an important safeguard. 
And I am \nvery glad to see that incorporated in the draft measure that \nyou circulated, as well as the effort to reduce the time period \nfor notification.\n    Because one of the other things that we have learned based \non the Citibank experience and the Sony experience is not \nsurprising. These companies are reluctant to notify their \ncustomers when they have a problem, and that is why legislation \nis so important for companies to tell customers that there is a \nproblem and that you are going to need to act on this \ninformation. So I think the fact that you have limited that \ntime period is very important.\n    Now, in my written testimony, I made some additional \nsuggestions, and I will try to highlight the key points in \nparticular about questions that have been raised by the members \nduring the earlier part of this hearing with Commissioner \nRamirez.\n    I noticed for example, Dr. Cassidy had asked this question: \nWell, why should we have a public information, you know, \nrequirement if that data is already out there? Can't we kind of \nput that in a separate category and not have to notify people? \nAnd I think the answer is obvious.\n    There is a big difference between someone breaking into a \ndatabase to get someone's home address and someone finding the \nhome address in a publicly accessible file. And the reason, of \ncourse, is that there is intent behind the break-in to go after \nthe person whose home address has been obtained. And the fact \nthat it might be accessible somewhere else should hardly make \npeople feel good about the fact that it can be categorized as \npublic information.\n    So I would take away that exception that says that somehow \ncompanies get a free pass if it is information that can be \nobtained somewhere else, and therefore they don't have to worry \nabout people breaking in who get access to it. 
I think the home \naddress information makes obvious the problem.\n    There has been some discussion about how do we define \npersonally identifiable information. It is a very difficult \nproblem. It comes up in almost every privacy bill. I think a \nvery good starting point is to say, simply, personally \nidentifiable information is information that identifies or \ncould identify a person, and then include by way of \nillustration, including but not limited to many of the \nprovisions you have in your bill. So it is a Social Security \nnumber, it is a bank account number, it is a person's name, it \nis a home address. But it could also be an IP address; in other \nwords, the fixed Internet address associated with their laptop \nor their mobile device. That very well could be personal \nidentifiable information.\n    Their Facebook user ID could also be personally \nidentifiable information. In fact, that is exactly what \ncontributed to one of the concerns about app access to \nFacebook-based information.\n    On this critical question of preemption, I completely \nunderstand why my colleagues at this table would favor national \nstandard. It is quite sensible from their perspective. But I \nwould urge you to look very closely at some of these strong \nState measures that would be effectively overwritten if a weak \nFederal standard is established.\n    Those bills are important, and even in States like \nCalifornia, where they thought they had it right the first time \non financial data, they had to come back later and deal with \nmedical breach notification as well.\n    Thank you very much.\n    Mrs. Bono Mack. Thank you, and I apologize that I did not \npronounce your name correctly. Mr. Rotenberg. Correct?\n    Mr. Rotenberg. Thank you.\n    Mrs. Bono Mack. Thank you.\n    [The prepared statement of Mr. Rotenberg follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mrs. Bono Mack. 
As a student of how John Dingell does his \nquestioning, I am going to try this myself and recognize myself \nfor the first 5 minutes with a ``yes'' or ``no'' required out \nof each of you, and we can go down the line starting with Mr. \nGoldman and around and around.\n    So yes or no, Mr. Goldman, is the existence of so many \nState standards an impediment to faster consumer notification?\n    Mr. Goldman. Yes.\n    Mr. Holleyman. Yes.\n    Mr. Pratt. Yes.\n    Mr. Rotenberg. Should not be.\n    Mrs. Bono Mack. Is preemption necessary to speed up the \nconsumer notification?\n    Mr. Goldman. Yes.\n    Mr. Holleyman. Yes.\n    Mr. Pratt. Yes.\n    Mr. Rotenberg. No.\n    Mrs. Bono Mack. Would a single Federal standard lessen the \nrisk of over-notification and decrease the number of \nunnecessary notices sent every year?\n    Mr. Goldman. Yes.\n    Mr. Holleyman. Yes.\n    Mr. Pratt. Yes.\n    Mr. Rotenberg. No.\n    Mrs. Bono Mack. Do you think consumers can become \ndesensitized to risk if they receive too many notifications?\n    Mr. Goldman. Yes.\n    Mr. Holleyman. Yes.\n    Mr. Pratt. Yes.\n    Mr. Rotenberg. Yes.\n    Mrs. Bono Mack. Do you believe there is a problem with \nover-notification that can adversely affect consumers even if \nit may be erring on the side of caution with consumers' \nbenefits?\n    Mr. Goldman. Yes.\n    Mr. Holleyman. Yes.\n    Mr. Pratt. Yes.\n    Mr. Rotenberg. No.\n    Mrs. Bono Mack. Do businesses ever err on the side of \nnotifying consumers even if they may not be required to do so, \nbecause wading through 46-plus standards is too difficult or \ntime-consuming?\n    Mr. Goldman. Yes.\n    Mr. Holleyman. Yes.\n    Mr. Pratt. Yes.\n    Mr. Rotenberg. I don't know.\n    Mrs. Bono Mack. Should companies who no longer need it keep \nsensitive information such as credit card numbers or dates of \nbirth in perpetuity?\n    Mr. Goldman. Would you repeat the question? Sorry.\n    Mrs. Bono Mack. 
Should companies who no longer need it keep \nsensitive information such as credit card numbers or dates of \nbirth in perpetuity?\n    Mr. Goldman. ``It depends'' is not an answer, right? No.\n    Mr. Holleyman. I would say no.\n    Mr. Pratt. No.\n    Mr. Rotenberg. No.\n    Mrs. Bono Mack. Should every data breach trigger a notice \nto consumers?\n    Mr. Goldman. No.\n    Mr. Holleyman. No.\n    Mr. Pratt. No.\n    Mr. Rotenberg. Yes.\n    Mrs. Bono Mack. Should information made available by \nFederal, State, or local governments in accordance with the \nlaw, and thus otherwise be publicly available, be considered \npersonal information?\n    Mr. Goldman. No.\n    Mr. Holleyman. I would not take a position on that.\n    Mr. Pratt. No.\n    Mr. Rotenberg. Yes.\n    Mrs. Bono Mack. Should the FTC have the ability to modify \nthe definition of PDI?\n    Mr. Goldman. No.\n    Mr. Holleyman. I would say our answer would be yes.\n    Mr. Pratt. No.\n    Mr. Rotenberg. Yes.\n    Mrs. Bono Mack. Should entities that are governed by \nexplicit information security and breach notification \nrequirements of other Federal laws enforced by other agencies \nalso be subject to FTC enforcement under this draft?\n    Mr. Goldman. No.\n    Mr. Holleyman. No.\n    Mr. Pratt. No.\n    Mr. Rotenberg. Yes.\n    Mrs. Bono Mack. Should all entities, regardless of their \nsize or the scope of personal data they hold, be subject to the \nsame data security requirement rules for section 2 of this \nlegislation?\n    Mr. Goldman. No.\n    Mr. Holleyman. We have not taken a position on that.\n    Mr. Pratt. No.\n    Mr. Rotenberg. No.\n    Mrs. Bono Mack. Thank you. And do you believe regulation of \nthe collection and use of data is a data security issue?\n    Mr. Goldman. Yes.\n    Mr. Holleyman. Yes.\n    Mr. Pratt. No.\n    Mr. Rotenberg. Yes.\n    Mrs. Bono Mack. Do you think encrypted data that is \nbreached should require notification?\n    Mr. Goldman. No.\n    Mr. Holleyman. 
No.\n    Mr. Pratt. No.\n    Mr. Rotenberg. Yes.\n    Mrs. Bono Mack. And lastly, should State attorney generals \nhave the ability to enforce this law?\n    Mr. Goldman. No.\n    Mr. Holleyman. Yes.\n    Mr. Pratt. No position.\n    Mr. Rotenberg. Yes.\n    Mrs. Bono Mack. Is your organization a nonprofit \norganization?\n    Mr. Goldman. Yes.\n    Mr. Holleyman. Yes.\n    Mr. Pratt. Yes.\n    Mr. Rotenberg. Yes.\n    Mrs. Bono Mack. Does your organization maintain personal \ninformation of the sort that would be covered by this bill?\n    Mr. Goldman. I don't know.\n    Mr. Holleyman. Yes, for our employees.\n    Mr. Pratt. Yes.\n    Mr. Rotenberg. Yes.\n    Mrs. Bono Mack. Do you agree with the proposal to allow the \nFTC to regulate in this area?\n    Mr. Goldman. Yes.\n    Mr. Holleyman. Yes.\n    Mr. Pratt. Yes.\n    Mr. Rotenberg. Yes.\n    Mrs. Bono Mack. And now just the wild card, to throw it \nout: Do you believe political campaigns should be covered as \nwell?\n    Mr. Goldman. No comment.\n    Mr. Holleyman. Would consider it.\n    Mr. Pratt. No position.\n    Mr. Rotenberg. Yes.\n    Mrs. Bono Mack. Thank you. All right. That went rather \nwell.\n    Mr. Goldman, you suggest change in the time frame from 48 \nhours to a reasonable time frame would guard against over-\nnotification and consumer overreaction. If notification is tied \nto risk of harm, how do we risk over-notification?\n    Mr. Goldman. I think it comes down to, again, we are \nextremely concerned about over-notification, and specifically \nit depends what kind the breach is. I mean, this is one of the \nthings I mentioned in my testimony, is that if you, for \nexample, have an employee steal information for another \nemployee, that is sort of a one-on-one breach; so does that \ntrigger the whole breach mechanism that is included as part of \nthis? So I think it sort of depends on a case-by-case basis, is \nwhat I would say.\n    Mrs. Bono Mack. Thank you.\n    And Mr. 
Rotenberg, you recommend that Congress define PII \nand not permit the FTC to further amend that definition--I \nmean, excuse me; Mr. Pratt, this question is for you. But is it \nwise to lock anything into stone when it comes to technology? \nCould there be advances in technology that would enable \nseemingly innocuous pieces of information to become the tool of \nfraudsters?\n    Mr. Pratt. As an industry that deals with a lot of that \ninformation that is sensitive and as an industry that secures \nthat information today, I mean, we are comfortable with the \nstructure that you have in place. We do think it encompasses \nthe types of data that expose consumers to a degree of risk. \nAnd I think even some of the examples that Mr. Rotenberg has \ngiven, we would disagree with those, that those are necessarily \nnew and different risks that might have to be accounted for \nsubsequently. So we still stand by the position that we believe \nCongress should work out its definition and give businesses a \nstable marketplace in which to then compete and build the \nproducts and services.\n    Mrs. Bono Mack. Thank you. My time is expired. I look \nforward to a second round of questioning, and now recognize Mr. \nButterfield for 5 minutes.\n    Mr. Butterfield. I thank the chairman. Information brokers \npossess huge data profiles on a staggering number of Americans, \nnearly all of them--nearly all of whom do no business with \nthese brokers. These brokers invest time and money to uncover \npersonal details and, without knowledge or consent, they sell \nthis information to the highest bidder. It appears that \nAmerican consumers have no free market method of showing \ndisapproval if they feel their personal information is being \nmisused or to correct any inaccuracies in the profiles. It is \nin situations like these where it becomes prudent to enact laws \nthat empower consumers, giving them the tools they need to \ncontrol their personal data.\n    Mr. 
Rotenberg, do you believe, sir, that consumers should \nbe able to access the information that brokers hold about them \nupon their request?\n    Mr. Rotenberg. Yes, I do, Mr. Butterfield. And I do so for \nprecisely the reason that you explained, which is that there is \nno one-to-one relationship between the consumer and the \ninformation broker. They are a third party, which means the \nconsumer actually doesn't otherwise know what information they \nwould have.\n    Mr. Butterfield. When a broker possesses information. Who \nactually owns that data?\n    Mr. Pratt. Well, of course the broker would claim that they \ndo. But what they do with the data has an enormous impact on \nthe individual. It can determine employment, it can determine \nwhether they get an apartment, a Federal contract. A whole \nrange of activity in the United States is today deeply impacted \nby the information that information brokers have about us and \nthey make available to others.\n    Mr. Butterfield. Do you believe that consumers should be \nable to dispute inaccurate information that brokers hold on \nthem?\n    Mr. Rotenberg. Yes I do. The information brokers have \nbecome the modern-day equivalent of the credit reporting \nagency. And Congress figured out 40 years ago the credit \nreporting agencies were holding financial reports on consumers \nthat impacted their ability to get loans and start businesses. \nInformation brokers are playing a similar role today. \nIndividuals should have a right to dispute what is in that \nrecord.\n    Mr. Butterfield. H.R. 2221, the data security bill approved \nby the House last Congress, that Mr. 
Rush and others had their \nfingerprints on but which the Senate failed to act, contained \nvarious requirements on how information brokers must interact \nwith consumers seeking to access their personal information or \nresolve a dispute about its accuracy or misuse.\n    In lieu of complying with these requirements, brokers were \ngiven an alternative procedure that they could follow; namely, \nproviding individuals with the option to completely opt out of \nhaving their personal info used for marketing purposes. Neither \nthe special requirements on information brokers nor the \nalternative opt-out procedure are included in the Republican \ndiscussion draft as we can discern.\n    In the absence of a Federal law mandating simple opt-out \nprocedures, brokers have generally not provided them. However, \nin a perverse turn the data broker, U.S. Search, Incorporated, \nrecently tried to fill the gap by telling consumers that for \n$10 it would lock their record so that others could not see \nthem or buy them. The FTC soon found this promise was entirely \nfalse. In March the Commission reached a settlement where the \ncompany agreed to refund all fees charged and avoid \nmisrepresentations in the future.\n    Again, Mr. Rotenberg, do you believe that it is currently \ntoo difficult for consumers to opt out of information broker \ndatabases?\n    Mr. Rotenberg. Yes, I do, Mr. Butterfield. I think this is \nan area where there needs to be legislative safeguards.\n    Mr. Butterfield. Can you discuss how difficult it is to \nremove one's information from a broker's database in regards to \nbroker retailers?\n    Mr. Rotenberg. Well, the broker business model relies, of \ncourse, on the collection of detailed information about \nconsumers without their knowledge. It is not the consumers \nproviding information. And that information gains commercial \nvalue as it is shared with more third parties. The consumer has \nno ability to interact to limit those transactions. 
So the \nsimple answer to your question is, it is very difficult--it is \nvery difficult I think for consumers to play any meaningful \nrole in what information brokers do with information about \nthem.\n    Mr. Butterfield. I see your point. And let me just throw it \nover to the chairman and yield to her.\n    Mrs. Bono Mack. I appreciate the gentleman yielding to me \nvery much at a strange time.\n    I just want to reiterate to the panel and the subcommittee \nthat we are also looking at privacy. And to the degree that we \ncan separate the privacy debate from the data breach debate, it \nall will be helpful for us as lawmakers to understand that the \ntwo, although very similar in this case, they might be \ndifferent. So I just wanted to throw that out for you all, to \npoint out when you see it as a privacy issue beyond data \nbreach, that would be helpful.\n    Mr. Butterfield. That is a very important distinction, and \nI thank the chairman for making that comment. My time is \nexpired. I yield back.\n    Mrs. Bono Mack. Thank you very much, Mr. Butterfield. And \nthe chair is happy to recognize Mr. Stearns for 5 minutes.\n    Mr. Stearns. Thank you Madam Chair.\n    Mr. Goldman, the chairlady talked about this 48 hours \nbreach. And Mr. Goldman, you had indicated that you have more \npreference for a reasonable, I think you indicated----\n    Mr. Goldman. Correct.\n    Mr. Stearns. Are there cases where, for example, we could \nmove the 48 hours to, let's say 96 or 72, that you would feel \nmore comfortable with, rather than 48 hours; or is it a \nfundamental idea in your mind that every company is different; \none is a small company, one is a large company, the situation \nin which it occurs is different, so in fact to put a mandate of \n48 hours as a time frame might not be applicable? So maybe you \nmight want to explore that.\n    Mr. Goldman. Sure. 
I mean, from talking to some of our \nmembers that have experienced, unfortunately, some of these \nbreaches, they are talking that it can take anywhere from a few \ndays, to even 100 days or more, to get to the bottom of it. So \nthat is why we are very leery of putting a time frame on it.\n    I guess H.R. 2221 included, I think, a 60-day time frame. I \ndon't think we generally supported that bill, but I don't think \nwe fully vetted that 60-day requirement, so I would have to get \nback to you on that. But I think generally we are concerned \nabout making sure that businesses have the ability to properly \nreact without having a time frame guide their actions.\n    Mr. Stearns. Can you give me a specific example from one of \nyour members where a 48-hour time frame would be harmful or \nvery difficult to accomplish?\n    Mr. Goldman. Well, I think from reading the press reports, \nI will speak to this. In one of the cases that recently \noccurred the company said, originally said, that the credit \ncard data was compromised. And it turns out that credit card \ndata was not compromised.\n    Mr. Stearns. So it took them some time to figure it out?\n    Mr. Goldman. It took them some time, but in the meantime \nthey notified and told customers that their credit card data \nwas compromised. So in the meantime you have customers \ncanceling their credit cards, going through the inconvenience \nof canceling their credit card and having to get new credit \ncards. And it is even more of an inconvenience if you have \nmonthly fees automatically charged to your credit card, because \nthen you have to contact those vendors, and it just gets very \ncomplicated.\n    So I think from the consumer point of view, I would like to \nmake sure before I go through that hassle that I actually have \nto.\n    Mr. Stearns. And so when you use the language \n``reasonable'' time period, that gives them that flexibility?\n    Mr. Goldman. I would say so.\n    Mr. Stearns. And Mr. 
Rotenberg, you don't agree with this. \nAs I understand it, you think that 48 hours. But based upon \nwhat Mr. Goldman said, is there a possibility where there are \nsituations where a company, particularly you mentioned this \ncredit card company, that if they go out and scare all their \nmembers within this 24- or 48-hour period, these people all \nstart canceling their credit cards, when actually when they do \nthe investigation there was not a breach? Is that a good \nexample or do you think that his example is----\n    Mr. Rotenberg. If I may clarify, Congressman, not only do I \nstay by the 48-hour rule, I actually disagree with the \ncharacterization of your first witness. I know a fair amount \nabout what happened in this Citigroup breach matter. In fact, \nthere was credit card information disclosed; it was account \nholder name information and it was the account number \ninformation. Now, it was not the security code and it was not \nthe expiration number. And the conclusion was drawn that \ntherefore the risk was somewhat--somewhat less than they \ninitially thought. But the risk was very real and it was \nimportant for people to be notified.\n    Mr. Stearns. But would you also agree with what Mr. Goldman \nsays, that every company is different and sometimes this breach \nwhen they are going to look at perhaps thousands and millions \nand tens of thousands, that it is possible that they can't do \nit in 48 hours, and there might be some idea, maybe not 48 and \n96, there might be a reasonable time period; wouldn't you agree \non that?\n    Mr. Rotenberg. I appreciate the difficulty, and there is no \ndoubt there is a real burden on companies when they have to \nnotify customers, and they are understandably reluctant to. But \nthere is a problem, and I don't think we can diminish the \nproblem by----\n    Mr. Stearns. OK. I want to go on. I have another question.\n    Mr. Goldman. 
Just to clarify, I was not referring to \nCitibank, just to clarify.\n    Mr. Stearns. OK. Also in the bill it talks about personal \nidentifiable information, and we had some questions on that. Is \nthere any--are any of you concerned about the definition of \npersonal identifiable information? Can a company adequately \nunderstand that definition so that they can actually conclude \nwhen it comes to data minimization what they should take out?\n    I guess my question is, Mr. Goldman, are you concerned \nabout the FTC and how they interpret these terms and what \nimpact the legislation would have dealing with data \nminimization?\n    Mr. Goldman. Yes, we are concerned about the ability of the \nFTC to expand its definition of what PII means. I think we are \ncomfortable with the definition that is in the draft bill as \nis. We worry about the inclusion of Internet protocol \naddresses, we worry about inclusion of user names. So I think, \nyes, we are definitely worried about the expansion, the \npossibility of expansion authority.\n    Mr. Stearns. Thank you, Madam Chair.\n    Mrs. Bono Mack. I thank the gentleman. The chair now \nrecognizes Mr. Rush for 5 minutes.\n    Mr. Rush. I want to thank you, Madam Chair.\n    Mr. Holleyman, you said in your testimony, and I hope that \nI am accurate in my paraphrasing, that security breach \nnotifications should be required in instances where there is \nreasonable risk of identity theft, fraud, or unlawful conduct. \nYou suggest that these limits are needed to help reduce \nexcessive notifications which might lead to mass anxiety and \npanic among consumers. But as Mr. Rotenberg pointed out, \nphishing and spear phishing were the two examples of fraud and \nunlawful conduct likely to result in most, if not all, \ninstances of large-scale breaches.\n    So should the scale of the breach be a dispositive factor \nin determining whether consumers also receive immediate \nnotification?\n    Mr. Holleyman. Thank you, Mr. Rush. 
A good question. I \nthink we believe that there should be notification triggered \nwhen there is a significant risk of a harm. We think that the \nimportant provisions in this bill, however, are the ones that \nencourage industry to adopt security measures, using encryption \nor other technologies that would render the information \nindecipherable or unreadable; and that that is actually, at the \nend of the day, the most important safeguard because that, when \nit is affected--if that information is obtained but the \ncriminal can't do anything with that information, then we \nbelieve that you should not have to notify consumers, because \nit is that excessive notification that we believe raises \nconsumers' concerns unnecessarily. And what the market should \nbe doing is driving people to store data in unreadable format \nso that when breaches occur--and they will--the criminal can't \ndo anything with that data.\n    Mr. Rush. Do the other three witnesses agree with that?\n    Mr. Pratt. We strongly agree, though, that one of the--and \nthis was true of your bill as well, Congressman, and that is \nthe incentive to render the data unusable is probably one of \nthe most critical provisions of the current draft of the bill \nthat you had passed last year. It is the one that we focus on \nas an industry every day, it is the one that we take most \nseriously. Because the strong incentive is not to notify people \nthat you have lost data, whether it is a criminal act or some \nother failing, but to have protected it in the first place. I \nmean, that is always first. Protect it in the first place. Find \nthe best technology to do it when the data is at rest, when the \ndata is in transmission. That is really critical.\n    Mr. Rush. Mr. Pratt, you argue in your testimony for \nadvance notice of a security breach presumably at the same time \nas when notice is given to the FTC. 
Would such a model favor \nyour members over other similar parties who don't make the \ndefinitional cut as, quote, ``data broker,'' end of quote?\n    Mr. Pratt. The reason we are requesting notice--and I am \nnot sure we are saying that it has to occur concurrent with \nnotification of law enforcement or the FTC--we are just \nsimply--we have call centers, and when a letter goes out and \nsays, call the credit bureau and order a credit report, we have \nto make sure that we have the right staff, we have to make sure \nthat we have the right pipes open for the online access or the \ntelephonic access, even the mail processing access. And we have \nto normalize systems. We understand what our normal pattern is.\n    But a very, very large data breach creates aberrant \npatterns which create spikes of activity. We just want to be \nable to serve the consumer and ensure that they get the credit \nreport that they want, or ensure that the telephone is picked \nup on time, which is what they expect. So that really is the \nreason why we are asking for that.\n    Mr. Rush. Can any of the other witnesses conceive how such \na model might impede the FTC's ability to investigate and \nenforce under the law? Any other witnesses? All right.\n    OK, let me ask Mr. Rotenberg. Mr. Rotenberg, can you please \nelaborate further on why you believe this definition of \npersonal information is too narrow and why you believe it \nshould be defined as information that, quote, ``identifies or \ncould identify a particular person,'' end quote.\n    Mr. Rotenberg. Well, I think the definition that I proposed \nfollowed with examples, which are included in the bill, is \ncommon sense. We think of personal information as information \nthat identifies someone, or could identify them, and then the \nexamples are good. 
But I also know, based on some of the recent \nexperiences with data breaches, that an IP address poses a risk \nbecause it can be personally identifiable.\n    The Facebook user ID posed a risk because it was user \nidentifiable. So the list helps people understand. But if the \nlist is limited, I think we have a problem.\n    Mr. Rush. Thank you, Madam Chair. I yield back the balance \nof my time.\n    Mrs. Bono Mack. Thank you, Mr. Rush. And the chair \nrecognizes Mr. Olson for 5 minutes.\n    Mr. Olson. I thank the chair, and I would like to welcome \nthe witnesses. And I really appreciate your perspectives on an \nissue which has only become more pervasive in the future, just \nas Mr. Rotenberg eloquently stated in his opening statement.\n    My first two questions are for you, Mr. Goldman. What is \nthe Chamber's view of the carveout for entities already covered \nin the Gramm-Leach-Bliley? Is this an adequate, explicit \ncarveout?\n    Mr. Goldman. We didn't take a position in our testimony. \nBut generally we have supported carveouts for entities that are \nalready covered by other laws, so there is not duplicative laws \nand they can figure out which agency they are better regulated \nunder. So, yes, that is my answer.\n    Mr. Olson. OK. Thank you for that answer. And as currently \ndrafted, the legislation standard for risk is a reasonable risk \nof harm. When I asked our witness on a previous panel, the FTC \ncommissioner, Ms. Ramirez, she stated that the FTC thought that \nreasonable risk was the right standard, because erring on the \nside of notification overrides some sort of desensitization of \nthe public.\n    And could you elaborate on why the Chamber believes that \nconsumers will be better off if the standard were changed to \nsignificant risk of harm?\n    Mr. Goldman. Sure. 
The Chamber does support a significant \nrisk standard because we are worried, I guess as I stated in my \nopening comments, about two possibilities where customers are \nover-notified and they just ignore it, and then when a real \nrisk occurs they don't take any action; or they get a notice \nand get--and sort of react needlessly, and so they cancel their \ncredit card. So both--I mean both extremes. So we prefer to \nhave the significant risk standard.\n    Mr. Olson. Thank you for that answer. And then I have got a \nround of questions for all four of the witnesses. And we will \nstart off with you, Mr. Rotenberg, just to give Mr. Goldman a \nbreak here. But if you or one of your member companies suffered \nfrom a security breach, how would the proposed SAFE Data Act \nchange their response and how would it better help consumers \navoid identity theft?\n    Mr. Rotenberg. Congressman, we actually don't have member \ncompanies. But I will say that many of the elements that are \ncurrently in the bill we have actually tried to follow over the \nyears. For example, this goal of data minimization we think is \na very good way to protect people online, and we have for a \nnumber of years taken steps to limit the amount of personal \ninformation that we collect. We collect information we need to \nprovide the services that we provide, but we don't collect \nexcessive information.\n    Mr. Olson. Thank you. Mr. Pratt.\n    Mr. Pratt. Our members are regulated first on the data \nbreach notification side by the 47 or 48 State statutes that \nare out there today. So establishing a Federal standard I think \nwould give us an easier route to compliance. But we would be \nnotifying consumers, just as we do today, under those State \nstatutes. And all of our, almost all of our members are \nfinancial institutions under the Gramm-Leach-Bliley Act. 
And so \nwe are already complying with a data security regime which is \ncalled the Safeguards Rule.\n    And so for most of our members it would not be a remarkable \nchange. In fact, even where our members have sensitive data \nthat isn't otherwise regulated under GLB, for example, we build \nenterprise-wide data security. There is no reason to segregate \nout some data and treat it differently from other information, \nso it is built enterprise-wide.\n    Mr. Olson. Thank you for that answer. Mr. Holleyman.\n    Mr. Holleyman. I can't speak for any individual member \ncompany. But I can say that all of our companies are involved \nin trying to build greater security into their products in \ncompanies who provide tools to consumers and businesses to \nsecure their environments. And certainly in supporting the \nconcepts of this bill, we recognize that they are ones that we \nwould be subject to. And our members with that are completely \nwelcoming this legislation, again with some fine-tuning we \nwould like to see. But we think it is important to act, and \nimportant to act this year.\n    Mr. Olson. Thank you, sir. And finally, Mr. Goldman.\n    Mr. Goldman. Sir, with the uniform national standard it \nwould make it easier for our companies to comply, versus the \ncurrent situation of having to comply with 46, 47 State rules. \nAlso a lot of our companies are covered by other laws such as \nGLB or HIPAA.\n    Mr. Olson. Well, thank you for that question. As a Navy \nguy, I can say to all four of you that we may not be hitting \nthe bull's-eye but we are hitting the target.\n    Finally, one question for the four of you. This proposed \nlegislation would require an entity to conduct an assessment \nupon discovering a breach.\n    Do you or one of your member companies, with all due \napologies, Mr. Rotenberg, already conduct assessments? I think \nI know the answer. 
And how would this requirement and its \ntiming impact your ability--your company's ability to members \nto resolve a security breach?\n    Mr. Rotenberg. I will take a pass.\n    Mr. Pratt. I can't speak specifically, because today those \nassessments would be dictated by the State laws that are out \nthere which dictate different standards. That is one of the \nreasons why a national standard would be helpful in terms of \nassessing a data breach risk.\n    If I could just take 1 minute to speak to this GLB \nexception. It is important to have this exception, because data \nsecurity in this bill is a good idea, and our members are happy \nto live under a new data security regime for part of our \nbusinesses which might not otherwise be regulated. But if our \nmembers, small or large, are regulated by the Gramm-Leach-\nBliley Act, we are only asking that we just operate in tandem, \nthat we have the same data security provision under GLB.\n    That is why that exception is so important, though, because \nit means I don't have overlapping requirements between two \ndifferent standards. And for small businesses, in particular in \nour membership, that is an important thing, because they don't \nnecessarily have a general counsel on staff that is going to \nadvise them all the time.\n    Mr. Olson. Thank you for that. Mr. Holleyman.\n    Mr. Holleyman. Because our members oftentimes provide \ntechnologies that are used to prevent breaches, we also have a \nlot of experience in helping identify breaches when they occur. \nAnd we know through that, that the nature of the breach may \ndiffer, the amount of time to make the assessment may differ, \nand we support the provisions of the bill that are flexible, \ndepending on the nature of the breach and the size of the \nenterprise.\n    Mr. Olson. Thank you. And finally, Mr. Goldman.\n    Mrs. Bono Mack. Excuse me, we need to move on. We are a \nminute over.\n    Mr. Olson. 
That was yield back time that I didn't have, but \nI yield back the balance of my time.\n    Mrs. Bono Mack. I appreciate that very much, and am happy \nto recognize Mr. Kinzinger for 5 minutes.\n    Mr. Kinzinger. Thank you, Madam Chairman. And I will say as \nan Air Force guy, we hit the bull's-eye on the target every \ntime, so I think that is important to note.\n    Mr. Olson. You don't want to go there, my friend.\n    Mr. Kinzinger. I appreciate all four of you in your \nassistance in helping us draft, I think, this very important \npiece of legislation. Some of this stuff has been touched on a \nlittle bit, but I want to make sure we are getting all the \nquestions answered that we need.\n    For the three, Mr. Holleyman, Pratt, and Rotenberg, and \nthen I guess Mr. Goldman, if you want to jump in on this too. \nLet me ask, in the current draft, if a company is unable to \ndetect a breach over the course of several months due to \ninsufficient security techniques, it does not appear that they \nnecessarily face harsher penalties for that.\n    Do you believe that this legislation should include \nreasonable standards or methods for detecting breaches, and \npenalties for those companies that fail to reach those \nstandards?\n    Mr. Rotenberg. Yes, I think it is an excellent point. It \nwould be a good change.\n    Mr. Pratt. We haven't actually asked our members that \nquestion, but maybe we could follow up with you and give you an \nanswer to that. 
I would say in general, though, that the data \nsecurity requirements that the FTC writes today are broad, they \nare enforced aggressively, and they would imply that you have \nto have sufficient security standards, not just simply to \nprotect against, but to detect possible intrusions.\n    And I know even the association I run has stood up several \nmajor platforms where we have had intrusion detection systems \nthat operate concurrently with other forms of protection of the \ndata itself, so it is fairly common.\n    Mr. Kinzinger. And for those kinds of systems are they \npretty foolproof?\n    Mr. Pratt. Well, I don't think anything is foolproof. It is \na moving target. And I think that is very important for all of \nyou--all of you all know this because of the cybersecurity \nissues that you probably learned about in other hearings; and \nthat is, it is a moving target. So they are always hitting \ntargets, but they are different targets.\n    Mr. Kinzinger. Right. I understand.\n    Mr. Pratt. But it is critical. And so when you look at \nthese security requirements that are imposed on U.S. \nbusinesses, they are written flexibly enough to account for \nongoing assessment of risk. That is one of the key components. \nWe are comfortable with that. Because we would agree, by the \nway, as well that it is a business necessity that we protect \nthe data that we have, that we use the best technologies, that \nwe look at new risk.\n    Our members, for example, participate in the ISAC, which is \nthe Information Sharing and Analysis Center that is operated by \nTreasury in order to see what kind of cybersecurity risks are \nout there, so we exchange information.\n    Mr. Kinzinger. Mr. Holleyman.\n    Mr. Holleyman. We certainly support the framework that this \nbill outlines. I want to get back to you on some of the \nspecifics, particularly around newer concepts like \nminimization. They are important but we have to canvass our \nmembers. 
We do believe that this bill is important because it \nnot only deals with the issue of notification of breaches after \nthe fact, but it puts in place obligations related to securing \ndata. Again, those obligations, and when businesses do that up \nfront, that is going to minimize the need for notifications, \nthe excessive notification. So that is an important addition to \nthe concept of this bill.\n    Mr. Kinzinger. Did you want to jump in on this?\n    Mr. Goldman. I have to go back to our members and ask, but \ngenerally companies are very concerned about reputational harm. \nSo they are going to take, you know, for liability purposes and \nreputation purposes, they are going to take the best practices \nthey can imagine.\n    Mr. Kinzinger. And just quickly.\n    Mr. Pratt. Just one point. And that is data security \ninvolves access control. Access control would almost inherently \nrequire or at least implicitly require some sort of intrusion \ndetection system, because otherwise you are not controlling \naccess. So I think even if it is not expressly stated, it is \nbuilt into the access control concept.\n    Mr. Kinzinger. OK. And as we talked about, getting into the \nboy-who-cried-wolf issue--and if we can keep this real brief \nfor all of you--this draft could give a company an exceedingly \nlong period of time to notify customers in a breach of high \nseverity.\n    Do you believe we should look into creating kind of tiers \nof risk, so if there is a high level of risk for the consumer, \nthat notification be treated differently than that of a more \nmoderate risk? Should we have obviously different tiers on \nthat?\n    Mr. Rotenberg. Congressman, I think that is an attractive \nidea, but it would actually end up adding a layer of complexity \nto an already serious problem. 
And I think it is notable when \nwe have these extreme breach problems with Citibank, Sony, and \nothers, very sophisticated companies, a large number of \ncustomers, here we are more than a month later and we still \ndon't fully know the extent of the harm.\n    So while I appreciate the approach, I would try to go for a \nsingle simple standard. I think it is easier to manage.\n    Mr. Kinzinger. And if you just, very quickly, because I \nhave one more quick question and 20 seconds.\n    Mr. Pratt. I would have to get back to you on that. We \ndon't have a position on that right now.\n    Mr. Kinzinger. OK.\n    Mr. Holleyman. We believe your issue can be best addressed \nby using the term ``significant risk'' in the bill.\n    Mr. Kinzinger. And then, Mr. Goldman, do you believe that \nthe legislation should more clearly define the size and scope \nof companies that must develop a security plan?\n    Mr. Goldman. Yes. I mean, specifically--well, I will go \nback to what I said before, was that when it talks about the--\nyou know, if you have a breach, you know, it depends on the \nsize of the breach; and in terms of the company, yes. I mean, \nsmall businesses obviously are going to have much different \ncapabilities to respond than a larger-size business, yes.\n    Mr. Kinzinger. And I yield back my negative time. Thank \nyou, Madam Chairman.\n    Mrs. Bono Mack. Thank you very much, Mr. Kinzinger. And \ngentlemen, I would like to express the gratitude of all of the \nmembers of our subcommittee for your time today and thank you \nfor your willingness to engage with us on this very important \ndiscussion. I think there are a lot of great ideas and \nwillingness to come together with a great bill.\n    I want to reiterate again my desire for a bipartisan \nproduct, and believe that Mr. Butterfield and I can accomplish \nthat goal. 
I am very hopeful for that.\n    I would also like to say that I was hoping for a second \nround of questions but time has gotten the better of us here. \nSo I note that I will have some further questions in writing to \nsend to all of you. And I would like to remind the members that \nthey all have 10 business days to submit questions for the \nrecord, and would ask the witnesses to please respond promptly \nto any questions they receive.\n    Mrs. Bono Mack. So again, as the recent spate of high-\nprofile, eye-popping data breaches points to the need for new \nsafeguards to better protect sensitive online consumer \ninformation. It is a huge challenge and I know that we can get \nthis done by working together.\n    So thank you all very much for your time today. And with \nthat, the hearing--the subcommittee is adjourned.\n    [Whereupon, at 1:05 p.m., the subcommittee was adjourned.]\n    [Material submitted for inclusion in the record follows:]\n\n               Prepared Statement of Hon. Edolphus Towns\n\n    Thank you Chairman Bono-Mack and Ranking Member Butterfield \nfor holding this legislative hearing today on ``The SAFE Data \nAct''. The issue of data theft has plagued consumers in our \ncountry for several years and currently there is no \ncomprehensive federal law that would require companies that \nhold consumers' personal information to implement reasonable \nmeasures to protect that data. It is my hope that this hearing \nwill reinforce the need to protect consumers \nagainst fraudulent activity that targets an individual's \npersonal information. 
With the advent of cloud computing and \nthe increased volume of online purchasing, data security must \nbe at the forefront of consumer protection.\n    In the previous Congress, members from both sides of the \naisle took the lead on this issue and acted in a bipartisan \neffort to reduce the number of data breaches while at the same \ntime empowering consumers with new rights whenever personal \ninformation is compromised. Unfortunately time was not on our \nside and the Senate was unable to take on this issue of data theft \nbefore the end of the 111th Congress. Data theft still remains \na very large burden for the American consumer that must be \naddressed by legislative action from this committee. \nUnfortunately the discussion draft before us today falls short \nof the commitment needed to ensure that the personal \ninformation of hard-working Americans is kept safe.\n    Recent media reports pertaining to data breaches at the \nSony Corporation, Epsilon Data Management and Gawker Media help \nto reinforce the need for Congress to act once again in a \nbipartisan manner. I look forward to hearing from our witnesses \ntoday about how they have been dealing with this important \nissue. I also look forward to working with my colleagues on \nthis committee to ensure that data security measures and \nprotocols are enhanced in this Congress to protect the American \npeople.\n    Thank you, Madam Chair. I yield back my time.\n                              ----------                              \n\n</pre></body></html>\n"