b"<html>\n<title> - REPORTING DATA BREACHES: IS FEDERAL LEGISLATION NEEDED TO PROTECT CONSUMERS?</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n   REPORTING DATA BREACHES: IS FEDERAL LEGISLATION NEEDED TO PROTECT \n                               CONSUMERS?\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n           SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE\n\n                                 OF THE\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JULY 18, 2013\n\n                               __________\n\n                           Serial No. 113-71\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n      Printed for the use of the Committee on Energy and Commerce\n                        energycommerce.house.gov\n                                      ______\n\n                         U.S. GOVERNMENT PUBLISHING OFFICE \n\n86-395                         WASHINGTON : 2015 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. Government Publishing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001                    \n                        \n                        \n                        \n                        \n                        \n                        \n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                          FRED UPTON, Michigan\n                                 Chairman\nRALPH M. 
HALL, Texas                 HENRY A. WAXMAN, California\nJOE BARTON, Texas                      Ranking Member\n  Chairman Emeritus                  JOHN D. DINGELL, Michigan\nED WHITFIELD, Kentucky                 Chairman Emeritus\nJOHN SHIMKUS, Illinois               FRANK PALLONE, Jr., New Jersey\nJOSEPH R. PITTS, Pennsylvania        BOBBY L. RUSH, Illinois\nGREG WALDEN, Oregon                  ANNA G. ESHOO, California\nLEE TERRY, Nebraska                  ELIOT L. ENGEL, New York\nMIKE ROGERS, Michigan                GENE GREEN, Texas\nTIM MURPHY, Pennsylvania             DIANA DeGETTE, Colorado\nMICHAEL C. BURGESS, Texas            LOIS CAPPS, California\nMARSHA BLACKBURN, Tennessee          MICHAEL F. DOYLE, Pennsylvania\n  Vice Chairman                      JANICE D. SCHAKOWSKY, Illinois\nPHIL GINGREY, Georgia                JIM MATHESON, Utah\nSTEVE SCALISE, Louisiana             G.K. BUTTERFIELD, North Carolina\nROBERT E. LATTA, Ohio                JOHN BARROW, Georgia\nCATHY McMORRIS RODGERS, Washington   DORIS O. MATSUI, California\nGREGG HARPER, Mississippi            DONNA M. CHRISTENSEN, Virgin \nLEONARD LANCE, New Jersey                Islands\nBILL CASSIDY, Louisiana              KATHY CASTOR, Florida\nBRETT GUTHRIE, Kentucky              JOHN P. SARBANES, Maryland\nPETE OLSON, Texas                    JERRY McNERNEY, California\nDAVID B. McKINLEY, West Virginia     BRUCE L. BRALEY, Iowa\nCORY GARDNER, Colorado               PETER WELCH, Vermont\nMIKE POMPEO, Kansas                  BEN RAY LUJAN, New Mexico\nADAM KINZINGER, Illinois             PAUL TONKO, New York\nH. MORGAN GRIFFITH, Virginia\nGUS M. BILIRAKIS, Florida\nBILL JOHNSON, Missouri\nBILLY LONG, Missouri\nRENEE L. ELLMERS, North Carolina\n           Subcommittee on Commerce, Manufacturing, and Trade\n\n                          LEE TERRY, Nebraska\n                                 Chairman\n                                     JANICE D. 
SCHAKOWSKY, Illinois\nLEONARD LANCE, New Jersey              Ranking Member\n  Vice Chairman                      G.K. BUTTERFIELD, North Carolina\nMARSHA BLACKBURN, Tennessee          JOHN P. SARBANES, Maryland\nGREGG HARPER, Mississippi            JERRY McNERNEY, California\nBRETT GUTHRIE, Kentucky              PETER WELCH, Vermont\nPETE OLSON, Texas                    JOHN D. DINGELL, Michigan\nDAVE B. McKINLEY, West Virginia      BOBBY L. RUSH, Illinois\nMIKE POMPEO, Kansas                  JIM MATHESON, Utah\nADAM KINZINGER, Illinois             JOHN BARROW, Georgia\nGUS M. BILIRAKIS, Florida            DONNA M. CHRISTENSEN, Virgin \nBILL JOHNSON, Missouri                   Islands\nBILLY LONG, Missouri                 HENRY A. WAXMAN, California, ex \nJOE BARTON, Texas                        officio\nFRED UPTON, Michigan, ex officio\n  \n  \n  \n  \n  \n  \n  \n  \n  \n  \n  \n  \n  \n  \n  \n  \n  \n  \n  \n                             C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHon. Lee Terry, a Representative in Congress from the State of \n  Nebraska, opening statement....................................     1\n    Prepared statement...........................................     2\nHon. Janice D. Schakowsky, a Representative in Congress from the \n  State of Illinois, opening statement...........................     3\nHon. Joe Barton, a Representative in Congress from the State of \n  Texas, opening statement.......................................     4\nHon. Henry A. Waxman, a Representative in Congress from the State \n  of California, opening statement...............................     5\nHon. Fred Upton, a Representative in Congress from the State of \n  Michigan, prepared statement...................................    
74\n\n                               Witnesses\n\nKevin Richards, Senior Vice President, Federal Government \n  Affairs, Techamerica...........................................     7\n    Prepared statement...........................................     9\nDan Liutikas, Chief Legal Officer, Comptia.......................    17\n    Prepared statement...........................................    19\nJeffrey Greene, Senior Policy Counsel, Cybersecurity and \n  Identity, Symantec Corporation.................................    25\n    Prepared statement...........................................    27\nDebbie Matties, Vice President of Privacy, CTIA--The Wireless \n  Association....................................................    34\n    Prepared statement...........................................    36\nAndrea M. Matwyshyn, Assistant Professor of Legal Studies and \n  Business Ethics, The Wharton School, University of Pennsylvania    42\n    Prepared statement...........................................    44\nDavid Thaw, Visiting Assistant Professor of Law, University of \n  Connecticut School of Law......................................    49\n    Prepared statement...........................................    51\n\n                           Submitted material\n\nStatement of the Electronic Transactions Association, submitted \n  by Mr. Terry...................................................    76\nLetter of July 17, 2013, from the Credit Union National \n  Association to the subcommittee, submitted by Mr. Terry........    78\nStatement of McDonald Hopkins LLC, submitted by Mr. Terry........    82\nStatement of the National Retail Federation, submitted by Mr. \n  Terry..........................................................    
86\n\n \n   REPORTING DATA BREACHES: IS FEDERAL LEGISLATION NEEDED TO PROTECT \n                               CONSUMERS?\n\n                              ----------                              \n\n\n                        THURSDAY, JULY 18, 2013\n\n                  House of Representatives,\nSubcommittee on Commerce, Manufacturing, and Trade,\n                          Committee on Energy and Commerce,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 11:04 a.m., in \nroom 2123 of the Rayburn House Office Building, Hon. Lee Terry \n(chairman of the subcommittee) presiding.\n    Present: Representatives Terry, Lance, Harper, Guthrie, \nOlson, Kinzinger, Bilirakis, Johnson, Long, Barton, Schakowsky, \nSarbanes, McNerney, Barrow, Christensen, and Waxman (ex \nofficio).\n    Staff present: Kirby Howard, Legislative Clerk; Nick \nMagallanes, Policy Coordinator, Commerce, Manufacturing, and \nTrade; Brian McCullough, Senior Professional Staff Member, \nCommerce, Manufacturing, and Trade; Gib Mullan, Chief Counsel, \nCommerce, Manufacturing, and Trade; Andrew Powaleny, Deputy \nPress Secretary; Shannon Weinberg Taylor, Counsel, Commerce, \nManufacturing, and Trade; Michelle Ash, Democratic Chief \nCounsel; and Will Wallace, Democratic Professional Staff \nMember.\n\n   OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF NEBRASKA\n\n    Mr. Terry. Good morning. I recognize myself for an opening \nstatement.\n    In today's economy, nearly everyone leaves a digital \nfootprint. Even if you made a concerted effort to avoid \nsmartphones, laptops, and social media, although I have not \nfound that person, you would have a difficult time keeping your \npersonal information from being held in an electronic database \nsomewhere.\n    Consumers should have the peace of mind that their data is \nprotected in a responsible way. 
But with all types of nefarious \nactivities online, cyber criminals are finding new ways and, \nfrankly, seem to be very consistent in their wishes to steal \ndata. So in the event that our personal data becomes exposed, \nwe need to be able to trust that the companies in possession of \nthat data will notify us of the exposure. And certainly it is \nin those companies' best interest to notify promptly and \nclearly in order to preserve a trusting relationship with their \ncustomers.\n    Given these considerations, the question before us is: What \nare the rules of the road for companies that experience a \nbreach in their data stores? Currently, the laws that govern \ndata breach notification are a patchwork of state- and \nterritory-specific statutes. Unfortunately, they tend to differ \nfrom each other in many ways. For example, while a number of \nStates have adopted a common definition of personal \ninformation, even more States have adopted alterations to that \ndefinition, and those vary unpredictably. The definition is \nimportant because it triggers the duty to notify of a breach. \nThree States include encrypted or redacted data in the \ndefinition of personal information, whereas the rest do not. \nFive States include public records in the definition. \nMeanwhile, four States protect an individual's date of birth \nand mother's maiden name as personal information.\n    With at least 48 of these various state- and territory-\nspecific laws on the books, you can see how the cost of \ncompliance could add up. The global price tag of cyber crime \nhas been calculated at around $110 billion annually, and we \nshould not add unnecessary compliance costs to this. Adding to \nthe confusion, these laws also tend to vary on the number of \ndays that can elapse after a breach before notification as well \nas the method of notification.\n    Even small breaches can cause a compliance headache. 
In one \nrecent example, a large company experienced a breach where the \npersonal information of just over 500 consumers was \ncompromised. In comparison to other breaches involving tens of \nmillions of consumers, this may seem small. Yet it turns out \nthat these 500 consumers lived in 44 different States and \ntherefore had to be notified pursuant to 44 different sets of \nrules.\n    We must remember that where a breach in data is an \nintentional intrusion from the outside, for example, if it is \ndone by a hacktivist, a foreign agent or a run-of-the-mill \ncriminal, the company holding the data is also a victim. \nBurdening these entities with overly complicated notification \nrules is not a solution to the harms that result from the \nexposure of that personal information held by the company.\n    And with that, I look forward to hearing the testimony of \nour witnesses and learning about whether or not we can improve \nthe current legal landscape for breach notification.\n    [The prepared statement of Mr. Terry follows:]\n\n                  Prepared statement of Hon. 
Lee Terry\n\n    <bullet> In today's economy nearly everyone leaves a \ndigital footprint.\n    <bullet> Even if you made a concerted effort to avoid smart \nphones, laptops, and social media, you would have a difficult \ntime keeping your personal information from being held in an \nelectronic database somewhere.\n    <bullet> Consumers should have the peace of mind that their \ndata is protected in a responsible way.\n    <bullet> But, with all types of nefarious activities \nonline, cyber criminals are finding new ways to steal data.\n    <bullet> So in the event that our personal data becomes \nexposed, we need to be able to trust that the companies in \npossession of our data will notify us of the exposure.\n    <bullet> And certainly it is in those companies' best \ninterest to notify promptly and clearly in order to preserve a \ntrusting relationship with consumers.\n    <bullet> Given these considerations, the question before us \nis: What are the rules of the road for companies that \nexperience a breach in their data stores?\n    <bullet> Currently, the laws that govern data breach \nnotification are a patchwork of state- and territory-specific \nstatutes.\n    <bullet> Unfortunately, they tend to differ from each other \nin many ways.\n    <bullet> For example, while a number of states have adopted \na common definition of ``personal information,'' even more \nstates have adopted alterations to that definition, and those \nvary unpredictably.\n    <bullet> This definition is important because it triggers \nthe duty to notify of a breach.\n    <bullet> Three states include encrypted or redacted data in \nthe definition of ``personal information,'' whereas the rest do \nnot.\n    <bullet> Five states include public records in the \ndefinition. 
Meanwhile, four states protect an individual's date \nof birth and mother's maiden name as ``personal information.''\n    <bullet> With at least 48 of these various state- and \nterritory-specific laws on the books, you can see how the cost \nof compliance could add up.\n    <bullet> The global price tag of cyber crime has been \ncalculated at around $110 billion annually, and we should not \nadd unnecessary compliance costs to this.\n    <bullet> Adding to the confusion, these laws also tend to \nvary on the number of days that can elapse after a breach \nbefore notification as well as the method of notification.\n    <bullet> Even small breaches can cause a compliance \nheadache: In one recent example, a large company experienced a \nbreach where the personal information of just over 500 \nconsumers was compromised.\n    <bullet> In comparison to other recent breaches involving \ntens of millions of consumers, this may seem small. Yet it \nturns out that these 500 consumers lived in 44 different states \nand therefore had to be notified pursuant to 44 different sets \nof rules.\n    <bullet> We must remember that where a breach in data is an \nintentional intrusion from the outside--for example, if it is \ndone by a ``hacktivist'', a foreign agent, or a run-of-the-mill \ncriminal--the company holding the data is also a victim.\n    <bullet> Burdening these entities with overly complicated \nnotification rules is not a solution to the harms that result \nfrom the exposure of personal information.\n    <bullet> And with that, I look forward to hearing the \ntestimonies of our witnesses and to learning about whether we \ncan improve the current legal landscape for breach \nnotification.\n\n    Mr. Terry. At this point, I will yield back my time and \nrecognize the ranking member, Jan Schakowsky, for her \nstatement.\n\n       OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A \n     REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS\n\n    Ms. Schakowsky. 
Thank you, Mr. Chairman.\n    Apropos of this hearing, it has just been reported this \nvery morning that Anonymous claims to have hacked into 1,800 \nemail accounts of Members of Congress and their staffs. So that \nis apparently in the news. I don't know to what extent that has \nbeen confirmed. So I look forward to hearing from our witnesses \nabout this issue and steps that can and should be taken to \naddress it.\n    As a long-time consumer advocate, I believe that the public \ndoes have a right to be informed if their personal information \nsuch as names, email addresses, passwords, home addresses, \nhealth and financial data is compromised. As more and more \ninformation moves online, it is equally important to ensure \nthat precautions are taken to keep that data secure.\n    Less than 2 years ago following the breaches of data at \nCiticorp, Epsilon and Sony, a report of the data security from \nProtegrity found that personal information was ``highly \nvaluable'' to cyber criminals but ``vastly unprotected.'' Since \nthen, it seems to me, and you will set me straight, little has \nchanged. Last year, 680 confirmed data breaches compromised \nalmost 28 million records. Many of those could have been \nprevented with relative ease had the entities holding the data \nfollowed known best practices. This is clearly a major issue \nwhich the private sector has not done enough on its own to \naddress, and one of great concern, I believe, to the public.\n    Almost every state and territory including my home State of \nIllinois has adopted data breach standards. While national \nstandards might be needed to adequately address this issue, I \nwant to make clear, my view is that any federal law should not \nweaken strong State laws. 
In addition, any federal response \nshould establish a baseline so that every American can be \nassured some level of data protection, not just notification \nafter the fact.\n    This subcommittee has several questions to answer as we \nconsider data breaches and hopefully data security as well. \nWhat specific measures should be taken to protect personal \ninformation stored online? When should consumers be notified of \na breach? What role should the federal government play in \nensuring that those steps are taken? I believe that entities \nthat store important data should act proactively to defend that \ninformation and the consumer should be notified if a breach \ncould result in personal harm.\n    The DATA Act, introduced by Mr. Rush and passed by voice \nvote just 4 years ago, would have taken those steps to protect \nAmerican consumers. I was a cosponsor of that bill along with \nMr. Barton, and I believe it should be the framework for \nbipartisan legislation in this Congress.\n    Again, I look forward to hearing from our witnesses today \nabout what can and should be done to address breach \nnotification and data security. I hope that this subcommittee \ncan work constructively toward a bipartisan solution to this \nmajor issue that impacts all of us.\n    Thank you. I yield back.\n    Mr. Terry. And that is our goal.\n    At this time the chair recognizes the chairman emeritus, \nMr. Barton.\n\n   OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN \n                CONGRESS FROM THE STATE OF TEXAS\n\n    Mr. Barton. Thank you, Mr. Chairman, and I am very happy \nthat you are having this hearing. As Congresswoman Schakowsky \njust pointed out, this is an issue that is not unfamiliar to \nthe subcommittee or the full committee. Going back to my tenure \nas chairman in 2005 and 2006, we passed a bill out of committee \nbut it didn't go to the floor. Under Mr. Dingell's chairmanship \nand Mr. 
Waxman's chairmanship, again, we passed bills that came \nout of committee and we have even had one bill that passed the \nfloor of the House but it wasn't taken up in the Senate. The \nlast Congress, we passed a bill out of this subcommittee but it \nwas not taken up at full committee.\n    So this is an issue that we all have general agreement on. \nAs Congresswoman Schakowsky has pointed out, it is not a \npartisan issue. Hopefully under your leadership, Mr. Chairman, \nand Mr. Upton's leadership at the full committee, we will pass \nsomething in this committee, on the floor and get the other \nbody to take it up.\n    This year alone, our last year, in 2012, there were 470 \nbreaches that meet the definition, and so far this year, there \nhave been 326 breaches. This is an issue that is not going to \ngo away. It would appear to be obvious that we need a federal \nbill instead of a patchwork of State bills, and I would agree \nwith what Congresswoman Schakowsky said, that a federal bill \nshould be a baseline bill and not a bill that limits the \nStates.\n    With that, Mr. Chairman, again, thank you for your \nleadership. I believe you are the man who can make this happen, \nsubcommittee, full committee, the floor and then with the other \nbody. And with that, I will yield back.\n    Mr. Terry. No pressure there.\n    Are there any other Republicans on this side that wish to \nhave time yielded?\n    Mr. Barton. If not, Mr. Chairman, I yield back.\n    Mr. Terry. Then we will yield back.\n    Before I announce our panel and start our testimony, an \nannouncement of sorts--oh, Henry is here, so while he is \nsitting down, my announcement is, we will recess at noon and \nreconvene if it is still necessary to. 
I have a feeling that \nthere is going to be enough questions that we will reconvene at \n1 o'clock but break at noon, and I recognize the full committee \nranking member, the gentleman from California is recognized for \n5 minutes.\n\nOPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN \n             CONGRESS FROM THE STATE OF CALIFORNIA\n\n    Mr. Waxman. Thank you very much, Mr. Chairman. I welcome \nall of our witnesses today.\n    Our subcommittee is going to address the federal role in \ndata breach notification. It is alarming just how common data \nbreaches have become. Since 2005, at least 600 million records \ncontaining consumers' personal information have been \ncompromised as a result of more than 3,800 data breaches in the \nUnited States. At least 72 million personal records have been \ncompromised only in the time since July 2011, when the \nSubcommittee last considered this issue.\n    Every type of entity has proven vulnerable, including \nprivate sector companies of all sizes, colleges and \nuniversities, and federal, State, and local governments. \nBreaches result from a wide variety of causes. External \ncriminal attacks, dishonest insiders, and simple negligence can \nall be responsible for compromising consumers' personal \ninformation. Moreover, in recent months, it has become \nabundantly clear that commercial data breaches can also result \nfrom State-affiliated cyber attacks.\n    Consumers face severe threats to their financial well-being \nwhen data like banking information or Social Security numbers \nare compromised. In 2012 alone, more than 12 million U.S. \nadults were victims of identity theft or similarly costly forms \nof fraud. Less reported, but also of concern, is when breaches, \nnon-financial in nature, threaten consumers' privacy, including \nbreaches involving health-related information, biometric data, \nor a person's precise location.\n    Nearly all U.S. 
States and territories now have laws that \nrequire notice for their own residents when a data breach \noccurs. These laws vary greatly, but several of these laws are \nquite strong, ensuring that consumers receive prompt, clear and \ncomplete notification when their personal information is \nbreached and providing them with resources to protect their \nfinancial well-being. I am glad that these laws have been \nenacted, but after-the-fact breach notification is only half of \nwhat is needed. The private sector also must take reasonable \nsteps to safeguard personal information.\n    When it comes to information security, prevention is the \nbest medicine. Research shows that the vast majority of attacks \non commercial data--78 percent according to the Verizon RISK \nTeam--utilize simple tactics easily thwarted by basic security \ninfrastructure and procedures.\n    There are many companies that take information security \nvery seriously and work diligently to combat this problem, and \nperhaps there will always be cyber crime. But unfortunately, \nthere are also companies that are not doing enough to prevent \nbreaches, and consumers are paying the price.\n    As the subcommittee moves forward with its work on \ninformation security, I strongly encourage all members to keep \ntwo points in mind. First, federal legislation must not move \nbackward by undermining those States with strong breach \nnotification laws. And second, effective security for \nconsumers' personal information indisputably requires both \nbreach notification and reasonable safeguards for commercial \ndata.\n    I look forward to the testimony we are going to get today \nand our discussion of these issues today and in the future and I \nhope we can work together to deal with this important issue.\n    Mr. Terry. I appreciate that, Mr. Chairman.\n    At this time I am going to introduce our full panel, and \nthen we will start with Mr. Richards. Mr. 
Richards is the \nSenior Vice President of Federal Government Affairs for \nTechAmerica. We have Dan Liutikas, Chief Legal Officer, \nCompTIA. We have Mr. Jeff Greene, Senior Policy Counsel, \nCybersecurity and Identity, Symantec Corporation. We then have \nDebbie Matties, CTIA--The Wireless Association Vice President \nof Privacy. We have Andrea Matwyshyn, Assistant Professor of \nLegal Studies and Business Ethics at the Wharton School, \nUniversity of Pennsylvania. David Thaw will complete our \ntestimony, and he is Visiting Assistant Professor of Law at the \nUniversity of Connecticut School of Law.\n    You will see little lights down there. Green means go. At 4 \nminutes, the yellow line will come on and that should be a \nsign, if you got a full page or two left, you may want to skip \nto the conclusion. The red light means I'm going to lightly tap \nthe gavel, and so I appreciate keeping it to the 5-minute mark, \nespecially since we have been kind of put on an awkward, tight \nschedule today.\n    So Mr. Richards, you may begin. You are recognized for your \n5 minutes.\n\n STATEMENTS OF KEVIN RICHARDS, SENIOR VICE PRESIDENT, FEDERAL \n  GOVERNMENT AFFAIRS, TECHAMERICA; DAN LIUTIKAS, CHIEF LEGAL \n   OFFICER, COMPTIA; JEFFREY GREENE, SENIOR POLICY COUNSEL, \n   CYBERSECURITY AND IDENTITY, SYMANTEC CORPORATION; DEBBIE \n    MATTIES, VICE PRESIDENT OF PRIVACY, CTIA--THE WIRELESS \nASSOCIATION; ANDREA M. MATWYSHYN, ASSISTANT PROFESSOR OF LEGAL \nSTUDIES AND BUSINESS ETHICS, THE WHARTON SCHOOL, UNIVERSITY OF \n PENNSYLVANIA; AND DAVID THAW, VISITING ASSISTANT PROFESSOR OF \n          LAW, UNIVERSITY OF CONNECTICUT SCHOOL OF LAW\n\n                  STATEMENT OF KEVIN RICHARDS\n\n    Mr. Richards. Thank you. Mr. Chairman, Ranking Member \nSchakowsky, and distinguished members of the subcommittee, \nthank you for the opportunity to testify today and for \nconvening this hearing on the important issue of data breach \nnotification. 
I am Kevin Richards, Senior Vice President of \nFederal Government Affairs of TechAmerica, a leading technology \nassociation representing the world's premier technology \ncompanies from the information and technology communications \nsector at the state, federal, and international level.\n    The topic of today's hearing is an issue of great concern \nto our members who view the unauthorized disclosure and use of \npersonal information as a threat that erodes public confidence \nin a connected world. TechAmerica's member companies understand \nbetter than anyone the nature of cyber threats that America \nfaces today and what must be done in order to protect \nconsumers' information from data breaches.\n    The rapid growth of the collection of information in \nelectronic form has provided consumers, businesses and \ngovernments with tremendous opportunities from revolutionizing \nthe way medical care is provided to enhancing government \nservices, to enabling a free Internet with more opportunities \nappearing daily. However, this collection of data has also \nresulted in a concomitant exposure of companies to risks and \nliabilities arising from the collection, use, storage and \ntransmission of information, particularly sensitive information \nabout individuals.\n    TechAmerica strongly believes that if a breach occurs that \nposes a significant risk of serious harm, that there should be \na consistent national policy to ensure that customers and \nconsumers are notified in an appropriate manner.\n    Today, 48 different State jurisdictions in the United \nStates have data breach notification laws, and while many \nbusinesses have managed to adapt to these various laws, a \nproperly defined data breach notification standard would go a \nlong way to guide organizations on how to address cyber threats \nin their risk management policies. 
It also would help prevent \nbreaches and give guidance on how best to respond if an \norganization should fall victim to a breach caused by an attack. \nIt would be particularly helpful for smaller businesses, many \nof whom cannot afford teams of lawyers to navigate 48 breach \nstandards should something bad actually happen.\n    National data breach legislation should be carefully \ncrafted and in particular be technology-neutral to help \norganizations prevent and respond to security incidents while \navoiding costly, burdensome rules that would not provide any \nreal protection to consumers and free security innovation. Such \nlegislation will provide much-needed regulatory relief to \ncompanies facing conflicting legal obligations under today's \npatchwork of State laws.\n    TechAmerica has been a leader in calling for a strong, \npreemptive, and uniform national breach notification law. \nFederal legislation that promotes notification to consumers \nwhen their data has been compromised is needed, and can \neffectively help restore consumers' online trust and \nconfidence.\n    The first objective of federal data breach notification \nlegislation should be to establish a uniform national standard \nand preempt the current patchwork of existing State laws while \nproviding a safe harbor for those entities that take steps to \nprotect their systems from breaches and render data unreadable, \nundecipherable and unusable in order to protect individuals \nfrom harm. The following recommendations are a result of \nlessons learned from the implementation of regimes by the \ncurrent 48 different State jurisdictions in the United States \nand which serve as a good benchmark for drafting potential \nlegislation.\n    One, legislation must establish a single, uniform \npreemptive standard. Two, a meaningful threshold for \nnotification should be established. 
Three, define carefully the \nkind of personally identifiable information that is covered by \nnotification requirements. Four, avoid mandating specific \ntechnologies while encouraging the adoption of good practices. \nFive, when third-party managed data notification is required, \navoid consumer confusion. Six, a federal law should do more \nthan the patchwork of state laws to protect consumers.\n    In conclusion, TechAmerica believes that the patchwork \nquilt of state laws and existing requirements needs to be \noverhauled by a uniform preemptive national standard based on \nthe risk of harm. This would be in addition to the significant \nprotection consumers receive today. With the chairman's \npermission, TechAmerica would like to request the submission of \nTechAmerica's national data breach legislative principles for \ninclusion in the record for today's hearing.\n    Mr. Terry. Unanimous consent to allow? Hearing no \nobjection, so allowed.\n    Mr. Richards. Thank you. We are happy to offer assistance \nto the committee and work with you as the legislative process \nmoves forward.\n    Thank you for allowing me the privilege to appear today in \norder to share TechAmerica's views on the importance of data \nbreach notification. I would be happy to answer any questions \nthat the committee may have at this time.\n    [The prepared statement of Mr. Richards follows:]\n    \n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    \n    Mr. Terry. Thank you very much.\n    And now, Mr. Liutikas, you have your 5 minutes.\n\n                   STATEMENT OF DAN LIUTIKAS\n\n    Mr. Liutikas. Good morning, Chairman Terry, Ranking Member \nSchakowsky, and distinguished members of the House Subcommittee \non Commerce, Manufacturing, and Trade. 
This testimony is
submitted on behalf of the 2,000 members of the Computing
Technology Industry Association, also known as CompTIA, a
not-for-profit trade association.
    CompTIA is also the leading developer and provider of
vendor-neutral education, IT workforce certifications including
A+, Security+ and Network+, and organizational credentials such
as the Security Trust Mark.
    My name is Dan Liutikas, and I am the Chief Legal Officer
of CompTIA. Prior to CompTIA, I was an attorney in private
practice focusing on corporate technology and intellectual
property matters, primarily for the small- to medium-size
business. I am a native of Chicago, Illinois, and was born to
immigrant parents from Lithuania. My father opened his own
television repair shop and then later started a construction
business. My mother started her own restaurants, delis, and
banquet halls. Both lived the American dream by being
entrepreneurial and starting their own small businesses. From
my own experience, I submit that small business owners don't
want handouts.
    Like the businesses started by my parents, many of our
members are small- to medium-sized businesses except that they
are IT solution providers that help other small- to
medium-sized businesses set up IT systems and manage data. They also
just want a fair shot at pursuing the American dream. In the
context of today's hearing, that means eliminating unnecessary
barriers to entry such as redundant and burdensome regulations.
With that context, let me state upfront that our membership
supports a federal approach to data breach notification.
    It is hard to believe that it has been 10 years since
California became the first State in the country to enact a
State data breach notification law. Today, there are 46 states,
D.C., and several territories that enacted data breach
notification laws.
Data breach notification standards are
clearly a relevant concern for millions of users sharing
information through the Internet and for information being
stored in various forms.
    A federal approach will bring clarity and certainty not
only to small businesses but also to consumers who may not be
aware of the notice obligations of a particular State's data
breach notification law or even when such obligations may
apply.
    We appreciate the opportunity to submit our written
testimony that provides greater details on the burdens of the
current patchwork of State laws and the way in which
advancements in mobile technology exacerbate those burdens.
Therefore, I would like to spend the balance of my time on a
solution.
    Based on our collective experience and outreach efforts, we
believe that the IT industry will be receptive to a national
data breach reform framework that contains the following six
principles.
    Number one, there should be a single national federal
standard for data breach policy. Businesses which conduct
commerce over multiple States need the certainty and efficiency
that a national standard would provide.
    Number two, Congress and the FTC should not mandate
specific technology or methods for data security practices.
The
environment for data security is constantly evolving, so any
regulation should focus on promoting validated industry
standards for security, rather than a single quickly outdated
solution.
    Number three: There should be an exemption from
notification requirement for entities that deploy technology or
methods such as encryption and other technologies that render
data unusable or unreadable by hackers as a harm-prevention
measure.
    Number four, all enforcement and penalties for data breach
law should be administrated by a central government agent
instead of State Attorneys General, except in cases where the
federal agent can or has not acted.
    Number five, entities compliant with existing data breach
legislation such as the Gramm-Leach-Bliley Act should be exempt
from new regulation. We should not reinvent the wheel or create
conflicting or overlapping regulations.
    And number six, notification should occur on a reasonable
time frame, which includes allowances for risk assessment and
any necessary law enforcement procedures or investigation.
Notification should be focused on events where there is a
possibility of actual harm including a minimum threshold of
affected individuals.
    In closing, I want to reiterate that we believe that a
national data breach framework is in the best interest of both
consumers and small- to medium-sized businesses.
    Thank you again for the opportunity to share our
perspective on the issue of data breach notification reform,
and I look forward to our discussion on how to best approach
this issue, and I would be happy to answer any questions.
    [The prepared statement of Mr. Liutikas follows:]

   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Terry. Thank you very much.
    Mr. Greene, you are now recognized for 5 minutes.

                  STATEMENT OF JEFFREY GREENE

    Mr. Greene.
Chairman Terry, Ranking Member Schakowsky,
members of the subcommittee, thank you for the opportunity to
testify today on behalf of Symantec Corporation. We are the
largest security software company in the world with 31 years of
experience in developing Internet security technology.
    For organizations that have critical information assets,
the risk of a data breach has really never been higher than it
is now. We estimate that last year, there were 93 million
identities exposed. Thankfully, few of these victims will have
his or her identity stolen or bank account raided, but the
reality is that all of them are at risk for it because once
your information has been stolen, you can do little more than
hope that no one tries to monetize it.
    The costs of these breaches are real. Mr. Chairman, as you
mentioned in 2012, our Norton cyber crime report put the global
price tag of consumer cyber crime at $110 billion, and that is
just the consumer side. On the business side, the Ponemon
Institute estimated that in 2012, the average organizational
cost for a breach in the United States was $5.4 million.
    Breaches can be caused most commonly or very commonly by
lost computers or portable media, and they can be caused by
outright theft--people that walk out the door with sensitive
information, disgruntled or fired employees. But there is
another cause for breaches, and that is targeted attacks, and
actually last year, according to our Internet Security Threat
report, 40 percent of breaches were caused by targeted attacks
and hackers. Most of these attacks rely on social engineering,
basically trying to trick people into doing something on their
computer that they would never do if they were fully cognizant
of their actions. We also saw a lot of email attacks. It is
still a very common vector.
And we regularly see criminals
mining social media to come up with tidbits about individuals
they use to craft emails that will look legitimate, even to
very cautious users. Twenty twelve also saw the emergence of
what we call watering hole attacks. Like the proverbial lion in
the jungle who waits by the watering hole for unsuspecting
prey, cyber criminals have become adept at compromising
legitimate Web sites and then sitting on them and waiting for
visitors to come by and then attempting to compromise every one
who visits.
    The growing use of the cloud also presents unique
challenges and opportunities. Cloud done right is an
opportunity for very strong security. You are putting your data
behind higher walls and having it watched by more walls. Cloud
done wrong, though, can be a recipe for data breach because you
are grouping your data with many other people's, creating a
very desirable target for attackers and one that is not well
defended.
    As you mentioned, Mr. Chairman, mobile devices require
strong security. We are all doing more and more of our lives on
mobile computers, and unfortunately, the criminals are
following. Last year, we saw a 58 percent increase in the types
of malware that were designed specifically for mobile devices,
and even since we released our report in April, we have seen
dramatic evidence of the increasing focus on mobile attacks.
    Good security really starts with the basics--patch
management, updating your patches on your computer, and strong
passwords. The breach that the ranking member indicated was
reported this morning, based on the early reporting, there was
a significant number of people who were using the word
``password'' as their password.
That is just not a strong
password; you are asking for it.
    So-called zero days or previously unknown critical
vulnerabilities receive a lot of media attention, but
unfortunately, it is still well-known older vulnerabilities
that cause most patches. Modern security software is essential.
I am not talking about the proverbial your father's antivirus
anymore. Modern security software will monitor your computer
looking for anomalous Internet activity, processes or other
system events that could be indicative of a previously known
infection. We have reputation-based technology we use that
actually looks at individual files based upon their frequency
we see out in the wild and we are able to detect previously
unknown threats just by looking at a file that way.
    Looking at the legal landscape, we do support a national
standard for breach notification, and we have identified three
principles that are key to us. First, the scope of any
legislation should include all entities that collect, maintain
or sell significant numbers of records containing sensitive
personal information, and we think that that should apply
equally to the government and to the private sector. Second,
pre-breach security measures should be central to any
legislation. New legislation should seek to minimize the
likelihood of a breach and not just focus on what to do
afterward. And finally, any notification scheme should minimize
false positives. Promoting technology like encryption as a best
practice would significantly reduce these false positives and
limit the burden on consumers and on businesses.
    I thank you again for the opportunity and the privilege to
testify today. I look forward to your questions.
    [The prepared statement of Mr. Greene follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Terry. Thank you very much.
    Ms.
Matties, you are recognized for 5 minutes.

                  STATEMENT OF DEBBIE MATTIES

    Ms. Matties. Chairman Terry, Ranking Member Schakowsky, and
the members of the subcommittee, thank you for the opportunity
to participate in today's hearing. My name is Debbie Matties,
and I am the Vice President for Privacy at CTIA.
    CTIA along with AT&T, Comcast, DIRECTV, NCTA, Time Warner
Cable, USTelecom, and Verizon is a member of the 21st Century
Privacy Coalition. The Coalition seeks to modernize U.S.
privacy and data security laws to better serve consumers as
well as to reflect the ways that communications technology and
competition have changed in the last two decades.
    CTIA commends the subcommittee for exploring whether
federal data breach legislation is necessary to protect
consumers. Today's patchwork of state and federal data security
and breach notification laws is complicated for businesses and
provides uneven protection for consumers. A strong,
comprehensive and streamlined federal framework enforced by a
single agency would create more certainty for businesses and
better protect consumers from the harms associated with data
breaches.
    Today's variety of State and federal requirements creates
inconsistent, sometimes contradictory responses to breaches
that do not benefit consumers. For example, some States require
breach notifications to occur ``without unreasonable delay''
whereas other States require specific time frames for
notification. Some states provide an exemption for notification
for immaterial breaches whereas other States do not.
    Most data breaches impact consumers in multiple States,
just like the breach that happened here in the House, and
electronic data is rarely segmented by State. So under law, the
question becomes, which State law should apply? The State in
which the consumer resides?
The State in which the breach
occurred or the State in which a vulnerability existed and was
exploited? For wireless consumers using family plans, often the
user of a device is in a different State from the subscriber
who pays the bill. Given the fact that breaches inevitably
transcend State borders, a federal approach to breach
notification is appropriate so that all consumers receive the
same benefits.
    The absence of a consistent nationwide regime also creates
unnecessary distraction for companies that need to stop a
breach, evaluate the damage caused by the breach and its scope,
correct whatever vulnerability resulted in the breach, work
with law enforcement to investigate the breach, and of course,
most important, notify consumers to help mitigate any harm.
These time-sensitive activities are hampered when a company,
especially a small business, has to evaluate which of the 48
different State regimes applies to each of their customers and
then tailor breach notifications accordingly. It also makes it
difficult for consumer protection agencies, consumer advocates
and businesses to educate consumers faced with a data breach
about their rights.
    Multiple federal regimes undermine consumer protection in a
similar manner. For example, wireless carriers fall within the
FCC's CPNI rules to the extent they are providing a
telecommunications service such as voice. But some providers of
voice like Skype are not subject to CPNI rules, and then the
FTC asserts data security jurisdiction over wireless carriers
when they are providing Internet access.
    In any case, the CPNI rules don't really make a lot of
sense. They don't cover critically important information like
name, Social Security number or credit card number but they do
cover, for example, the number of voice lines a subscriber has
on her plan.
A unified, streamlined federal data security and
breach notification law that applies equally to all entities
and to all data would make consumers more confident in the
security of their online information and would in turn give
them greater trust in Internet commerce. This unified federal
approach to data security is bipartisan and is in line with the
Obama Administration's recommendations to level the playing
field for companies and provide a consistent set of
expectations for consumers by simplifying and clarifying the
privacy laws. CTIA supports the Administration's recommendation
to narrow the common carrier exemption to the extent needed to
enable the FTC to enforce data security and data breach
notification requirements.
    Mr. Chairman, CTIA fully supports a unified, streamlined
federal data security and breach notification law that is
enforced by the FTC and benefits consumers who expect that their
information will be afforded the same high degree of protection
regardless of what entity collects the information, where the
consumer lives, where a breach occurs, or where hackers may be
trying to access personal information. Congress should enact a
new law to better reflect consumer expectations.
    I would be happy to answer your questions.
    [The prepared statement of Ms. Matties follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Terry. Well done.
    Professor Matwyshyn, you are now recognized for 5 minutes.

                 STATEMENT OF ANDREA MATWYSHYN

    Ms. Matwyshyn. Thank you.
Chairman Terry, Ranking Member
Schakowsky, it is my great honor to be with all of you today to
discuss a topic that I have devoted my scholarship to, and that
is the question of how to improve information security in the
United States.
    I started working in this space approximately 14 years ago
as a corporate attorney representing multinational clients as
well as entrepreneurs in Chicago. I really watched the
evolution of this space as both a member of the business
community at first representing clients and now as an academic,
and although there has been tremendous improvement in this
space, we still have a reasonable way to go.
    The public awareness around questions of information
security has tremendously increased during the last 10 years,
and it is with great pleasure that I see that we are discussing
these topics today. However, the questions of conduct and
reasonableness in behavior and information security still
remain unanswered.
    With that, I would like to offer a historical example to
offer perhaps a paradigm to conceptualize questions of
information security. In addition to teaching Internet law and
data security and privacy law, I also teach securities
regulation, and I would submit that perhaps the questions that
we are facing today have a historical parallel in the questions
that this Congress faced when thinking about balancing the
interests of consumer protection, capital formation and market
stability in the 1933 and 1934 Acts.
    Today in this context, perhaps those three elements are
consumer protection, economic stability broadly in terms of
securing information and preserving sectors of our economy that
rely on information flows, and facilitating responsible
innovation.
So with those three elements, we can take a look at
the broader set of questions in information security, and I
would submit that perhaps we should draw a clear distinction
between disclosure regulation and conduct regulation.
    Disclosure regulation, specifically data breach
notification statutes, have developed to a high degree on the
State level. We have had States function as the laboratories of
experimentation, and the State statutes have shown us the way
as to what is a feasible and successful approach for
disclosure, and offered us guidance to at this point be able to
come up with a set of criteria that can be operationalized on a
national level through the Federal Trade Commission to provide
us the data to be able to analyze what is going on in our
economy, who are the companies that are behaving with best
practices, and who are the companies that are not yet quite up
to par and need to be encouraged regulatorily or otherwise on
the State or national level to improve the quality of
information security that they implement throughout their
organizations. The written statement that I have submitted
offers a framework of this nature.
    Conduct regulation, I would submit, we are not ready to
really focus in on with a national framework yet. We need the
states to show us the way, the same way that they did in the
context of data breach notification. Let the states experiment,
guide us, discover what works, what doesn't work, and then
perhaps we can revisit this question. I would respectfully urge
this body to allow for this state experimentation and to
preserve the right of states to determine recourse appropriate
for their consumer harms.
    While disclosure legislation deals with purely providing
information to empower consumers to make good choices, conduct
regulation is the place where we contemplate harms.
This
distinction, I think, would be fruitful to operationalize into
a national framework for a data breach notification
harmonization.
    And in my last minute, I will highlight some of the
elements that I elaborate on in detail in my written statement
that may provide guidance for a federal harmonized framework.
    First, the concept of information from a consumer and from
a corporate perspective does not map onto the notion of PII
that we have been working with. Sometimes the most innocuous
bits of information can be the most important. If I use my
favorite flavor of ice cream as my security question for my
bank account, that is perhaps my most sensitive information,
and so I would suggest that perhaps we should reconceptualize
our notion of what constitutes consumer information in line
with the way that sophisticated companies treat information and
that is around information that is shared by a consumer in a
trusted relationship.
    And with that, I will conclude because I am running out of
time but I would request that this committee turn to my
statement and examine the framework that I have proposed. Thank
you.
    [The prepared statement of Ms. Matwyshyn follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Terry. We will. I appreciate you submitting that.
    Professor Thaw, you are recognized for 5 minutes.

                    STATEMENT OF DAVID THAW

    Mr. Thaw. Thank you, Mr. Chairman.
    Chairman Terry, Ranking Member Schakowsky, distinguished
members of the subcommittee, I am David Thaw, Visiting
Assistant Professor of Law at the University of Connecticut and
Fellow of the Information Society Project at Yale Law School.
I
appreciate the opportunity to testify regarding the important
issues of data security and consumer protection, a subject that
I have spent the better part of a decade researching and
working on professionally.
    Federal data breach notification is important but it must
be implemented properly. In my oral testimony today, I wish to
address two core issues relevant to proper implementation.
First, whether to address breach notification separate from
broader information security regulation, and second, what
burden of proof should be required if a risk-of-harm threshold
is adopted for breach notification.
    I understand the subcommittee to be taking up the issue of
data security beginning with the question of breach
notification separate from comprehensive information security
regulation. I caution against this approach for two reasons.
First, comprehensive information security combined with breach
notification is substantially more effective than is either
regime alone. As part of my research on information security
regulation, I compared the efficacy of these two regimes.
Specifically of note to the subcommittee's agenda, the
combination of the two was nearly four times more effective at
preventing incidents than was breach notification alone. I
analogize the effects of breach notification alone to locking
the bank or vault door while leaving a back window wide open.
    Second, approaching the issue of breach notification
separately requires establishing certain information
categories. For example, defining what information to protect
is essential to breach notification. This definition, however,
has a different purpose when considering comprehensive
information security. Furthermore, once established, these
definitions will be difficult to change.
The burden to
business, for example, to reclassify information for compliance
with multiple definitions is substantial.
    To be specific, the types of information that should
trigger notification differ from the types of information that
should be protected overall. For example, medical records,
wills, personal diaries, sensitive or private photographs and
other similar information are all items federal law currently
recognizes as sensitive personal information. State law has
more narrow definitions including Social Security numbers,
financial account number, and government ID numbers. Consumers
should be informed about unauthorized disclosure of all this
information. By contrast, sensitive information about trade
secrets, computer infrastructure or security measures is not
the province of the general consumer, yet such information must
also be secured. On these bases, I strongly recommend that the
subcommittee address breach notification and comprehensive data
security concurrently.
    The second issue I wish to address is the risk-of-harm
threshold. Certain formulations of this threshold negatively
impact information security. Specifically, a threshold
employing a negative presumption of notification, which
requires proving risk of harm before triggering notification
requirements, disincentivizes organizations from conducting
thorough investigations. Organizations have incentives to limit
investigations that might increase their liability. For
example, when conducting comprehensive information security
assessments, auditing and consulting firms often work together
with law firms so that the results will be privileged and thus
not discoverable in future civil litigation or regulatory
investigations. Clients do not want to incur liability for
failure to remediate security vulnerabilities identified in the
assessment. A similar analysis applies to breach
investigations.
My research data supports this conclusion as
does my professional experience. Thus, I strongly recommend
that if a risk-of-harm threshold is adopted, the committee
adopt an affirmative presumption of notification where risk of
harm must be disproved before notification is exempted. To
place the burden otherwise disincentivizes information security
investigations, one of the most important tools in protecting
consumers against future breaches and securing the overall
information security ecosystem.
    I am happy to offer any assistance to the committee as it
moves forward in its work. I again thank the chairman and the
ranking member for the privilege and opportunity to testify
here today, and I am pleased to answer any of your questions.
    [The prepared statement of Mr. Thaw follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Terry. Thank you very much for your testimony and
appreciate the two law school professors here. It makes me
feel--I had flashbacks to law school during your testimony.
    With that, I will start the questions--the answer to this
is just yes or no. It was clearly clear in some of the
testimonies but I do want to get it succinctly on the record
starting with Mr. Richards and then going down to Professor
Thaw.
    Do you believe there should be a federal notification law?
Mr. Richards?
    Mr. Richards. Yes, we do, Mr. Chairman.
    Mr. Liutikas. Yes, we do, Mr. Chairman.
    Mr. Greene. Yes, sir.
    Ms. Matties. Yes.
    Mr. Terry. Now we get to the murkier.
    Ms. Matwyshyn. Exactly. Yes, provided the standard is at
the highest level and does not preempt State law, as well as
conduct being carved out to allow for States to experiment.
    Mr. Thaw. Yes, provided implemented properly. I provide
detail in my written testimony on this, and concur with
Professor Matwyshyn's statement.
    Mr. Terry. See, that is the flashbacks.
There is always
enough room to screw up on the test now.
    Ms. Matwyshyn. It always depends, right?
    Mr. Terry. It always depends.
    And the reason why I think it was important to just lay
that item of foundation is that with 48 States and territories
combined already having at least at the multinational level,
you have a level of sophistication where they are already in
compliance and then there is a level of concern that a new
national standard just creates 49 instead of 48. So that brings
us to what Professor Matwyshyn said in her ``but'', and that is
no State preemption. So how does it work without preemption,
and who wants to start? I will go with Dr. Matwyshyn first and
then anyone else that wants to speak on preemption.
    Ms. Matwyshyn. So I actually consulted with a California
government official responsible for enforcement, and provided
that the framework on the national level provides a
comprehensive disclosure regime and States and their
enforcement agencies have direct access to this information as
well as consumers, everyone wins because the information would
simply be centralized. So if the disclosure requirements
adequately conceptualize the questions that consumers and
enforcers want to know, States, I believe, would be happy with
a centralized regime and there wouldn't be a problem with
enforcement, however, because of limitations of resources on
the part of the Federal Trade Commission I believe should
remain on the State level.
    Mr. Terry. All right. Mr. Richards, Liutikas and Greene,
and Ms. Matties, quickly, though.
    Mr. Richards. Sure. Well, we believe the patchwork
framework occurring in State laws are very duplicative in some
cases, and in a lot of cases don't make sense. North Dakota,
for example, requires notice of a breach of name and birth date
so there are different qualifications in terms of PII and what
information you should focus on.
New York requires notice of
security breaches made to three separate State agencies. I
think federal preemption is important but I don't think you
should undermine strong consumer protections that are currently
held and enjoyed at the State level.
    Mr. Terry. Thank you. Mr. Liutikas?
    Mr. Liutikas. I mean, at the end of the day I think we
believe that first and foremost that consumers need the
notification standard but in providing that standard, we could
also simplify matters substantially for the small- to
medium-sized business which the current technology infrastructure
allows them to operate in a way that is much bigger than maybe
they could have done some years ago. So I think centralizing
that notification standard and avoiding having the issue of
determining whether or not a variety of State laws applies or
does not apply would be extremely beneficial to the small- to
midsized business that simply doesn't have the resources.
    Mr. Terry. Interesting. Mr. Greene?
    Mr. Greene. I would echo what Mr. Richards said, that if
you have essentially 49 standards, you are just creating
another box you have to check to ensure that you are doing
everything right. If you do have a breach, you are not going to
speed the process of understanding the scope of your breach of
who you need to notify.
    Mr. Terry. Thank you. And Ms. Matties, I am actually going
to change the question for you to more personalized because of
your background and experience with the FTC. There has been a
suggestion that at least with some of the telecoms that the FTC
has the experience on data breach and notification in those
areas. If there is a national bill, should it include the
telecommunications and video with the FTC?
    Ms. Matties. Yes. The FTC has had more than 10 years of
experience working on data breaches and data security cases, so
they are well equipped to handle these kinds of cases.
And I
just would like to point out that there is already a model in
Do Not Call for consolidating experiments in the States with
consumer protection. A number of States have consumer
protection laws for Do Not Call in individual States, and when
the national standard became applicable, it really made things
a lot easier for both businesses and for consumers because now
consumers have a one-stop shop to go and put their name on a
list. That would be a similar aspect here.
    Mr. Terry. All right. Thank you very much.
    The ranking member, Jan Schakowsky, is now recognized for 5
minutes.
    Ms. Schakowsky. Thank you very much. Mr. Chairman, I just
want to acknowledge that as important as this is to consumers
that maybe in the future we could have a consumer witness or
two to talk about some of their experiences. I think it would
be helpful to inform our committee.
    Talking about data breaches, Professor Matwyshyn, do you
foresee potential harms to the development of effective
information security laws if Congress enacts certain breach
notification provisions without enacting a well-considered data
security law at the same time? I know Professor Thaw addressed
that. And if so, what would they be?
    Ms. Matwyshyn. If I am understanding the question
correctly, I believe that the optimal approach at this juncture
is to bifurcate, to divide off the questions of data breach
notification harm in this Nation from the questions of the best
standard for liability arising from data security breaches.
    Ms. Schakowsky. To separate those two?
    Ms. Matwyshyn. To separate those two out.
While the States 
have shown us the way and adequately experimented with 
notification, the questions of liability, how to craft it, what 
the standards are, what reasonable conduct is, that is a moving 
target and still very undeveloped, both from the standpoint of 
the information security community as a just-now-coalescing 
body of experts and from the standpoint of States having 
different approaches to consumer protection and the connection 
to other bodies of law. The Securities and Exchange Commission 
is starting to regulate in this space.
    These issues are tied with broader questions of software 
liability generally, and if we start to regulate too early, we 
may disrupt existing bodies of law and stifle innovation that 
is responsible and consumer protection.
    Ms. Schakowsky. OK. I do want to put the same question to 
Professor Thaw and see if the two of you are in agreement.
    Mr. Thaw. I agree with Professor Matwyshyn in the respect 
that the States have the ability to provide important 
experimentation. However, I am concerned about the resources 
that the States have on the technical side. With respect to the 
legal standard, I agree with Professor Matwyshyn. They can 
experiment and provide us with valuable data. However, this is 
a highly interconnected issue across the entire country, and I 
do not believe that the States have sufficient resources for 
enforcement or for simply providing the research and 
investigation necessary to know what standards would be 
effective at a national level as opposed to at a State level.
    Ms. Schakowsky. Let me get into the issue of data brokers. 
Most consumers have never heard about data brokers but there is 
a several-billion-dollar industry that knows the name, address, 
age, purchasing habits of nearly every American consumer. 
One 
company in this industry possesses on average 1,500 data points 
apiece on each of 190 million individuals in the United States 
and a profit of more than $77 million on this information. So 
again, let me go to Professor Matwyshyn.
    The Data Accountability and Trust Act as was passed in the 
111th Congress would have required data brokers to submit their 
security policies to the FTC and allow the Commission to 
perform or mandate the performance of security audits following 
a breach of security. What is your opinion on these kinds of 
provisions regarding data brokers?
    Ms. Matwyshyn. In that case, I believe you mentioned it was 
following a breach?
    Ms. Schakowsky. Yes.
    Ms. Matwyshyn. That would be entirely consistent with the 
types of proposals that we are considering now for centralized 
breach notification. The goal is to get as much information 
about breaches, how they happened, why they happened, the level 
of security that is in place in the particular organization to 
provide the information to both consumers and enforcement 
agencies to determine which entities are the good actors and 
which entities are the actors that still have a way to go to 
improve the level of care.
    Ms. Schakowsky. With just a minute or two, actually less 
than that, you may also want to comment on data brokers and the 
role that they play and how they should be regulated, Professor 
Thaw?
    Mr. Thaw. 
With respect to data brokers, I draw the 
committee's attention to the fourth section of my written 
testimony where I identify different levels of criticality, and 
I would suggest that data brokers are at a higher level of 
criticality, the reason being that the information they 
contain, to use Professor Matwyshyn's earlier example, could be 
information which is an authentication credential such as your 
mother's maiden name or your favorite color, your first pet, 
something that you use to secure other data that is very 
sensitive. For this reason, they should be regulated at a 
higher level, and this is something that cannot be overlooked.
    Mr. Terry. Thank you, and now we recognize the chairman 
emeritus for 5 minutes.
    Mr. Barton. Thank you, Mr. Chairman. I am going to try to 
give you a little bit of that time back.
    I think in your questions, Mr. Chairman, we established the 
panel does support a federal standard for notification. My 
question would be, does the panel also support going beyond 
that so that we get into the prevention and the liability 
issues? Does everybody, you know, support a federal law that 
goes beyond breach notification?
    Mr. Richards. I think that would depend on--we would 
obviously have to see the legislation but I certainly think we 
should probably change the culture of how our society looks at 
cybersecurity or information technology and how do you protect 
the information. Instead of making it an IT department issue, 
make it a CFO issue and really change the thinking and the 
approach to how we approach data protection in the country.
    Mr. Liutikas. I think we also need to look to industry 
associations like CompTIA which provides the industry a 
platform for collaborating on standards and best practices and 
their industry credentials such as the CompTIA Security Trust 
Mark credential, which audits the security practices of an 
organization. 
So I think in light of considering options such 
as that, I think we should also look at the options that the 
industry can provide as well.
    Mr. Greene. Conceptually, we support the notion of 
requiring security standards, so you are looking to prevent the 
breach, not just to mitigate after, and the same thing with the 
encryption. So if you have a breach, you are limiting the 
damage that can happen. But as Mr. Liutikas said, there are a 
lot of existing industry standards that are effective, and any 
type of standard needs to be very flexible and performance 
based. We don't want to be mandating anything specific in 
statute when we have a very shifting threat environment. So the 
notion of saying you need to be secure is OK, but if we get 
into where we are mandating specific types of solutions, I 
think that could be problematic.
    Ms. Matties. CTIA members and the broader 21st Century 
Privacy Coalition are interested in talking about data security 
for sure but we are happy to see that we are starting with data 
breach notifications.
    Ms. Matwyshyn. No limitations of liability are appropriate 
at this juncture. I think we are a little too premature. On the 
state level, experimentation would be great. A negligence 
standard perhaps evolving would be a good move. I think we are 
ready to address breach notification but I would be cautious in 
approaching liability.
    Mr. Thaw. Yes, if properly implemented, and I note that 
respectfully, Mr. Richards, I am concerned with his proposal of 
making this a CFO issue. While that is appropriate to 
companies' fiduciary duties under state law, it is not 
appropriate to the question of negative externalities that 
would result from breaches in one organization to the overall 
information ecosystem. I also do concur with my panelists' 
opinion that flexible standards are important.
    Mr. Barton. I agree with flexible standards.
    Mr. 
Chairman, I want to turn it back, but let me simply 
say, back in the 1930s when we had a rash of kidnappings, the 
Congress did not pass a kidnapping notification law. They 
passed strict laws delineating it was a federal crime if it 
crossed State lines and empowered the FBI to use every means 
possible to go after the kidnappers. We are not talking about 
stealing our children but we are talking about stealing our 
identities, and I would hope that this subcommittee and the 
full committee goes beyond breach notification law, and with 
that, I yield back.
    Mr. Terry. It is the intent. I am going to call on Mr. 
Barrow, and then we will adjourn, so if you are next in line as 
a Republican, you can go to the meeting.
    Mr. Barrow, you are now recognized for 5 minutes.
    Mr. Barrow. Thank you, Mr. Chairman, and thank you for 
setting the table with your questions. I want to follow up some 
of the issues that you raised.
    You know, privacy is important to me. The right to be 
secure in your persons and papers from State intrusion is in 
the Fourth Amendment. Warren and Brandeis said that the right 
to be let alone, the right of privacy is the right most prized 
by civilized men, I guess we would say today civilized men and 
women. I certainly agree with them on that.
    I guess the general consensus is that the current regime of 
essentially 48 separate State and territorial jurisdictions 
regulating this matter and our common market of the United 
States just ain't working. I think we all agree with that, and 
there is a general need for some federal guidelines, some 
federal standards for a uniform law in our national economy.
    Mr. Richards, Mr. Liutikas, Ms. Matties, you each talk 
about the subject of preemption, the need to preempt 
conflicting state laws. I want to ask the other members of the 
panel, what is the appropriate scope of federal preemption in 
this area? Yes, ma'am, go ahead.
    Ms. Matwyshyn. 
I believe the appropriate scope is creating 
a harmonized disclosure form but enforcement should be shared 
in the same way that it is in securities regulation. In the 
securities regulation context, we have multiple sources of 
oversight--the FCC, state level, securities regulators, other 
agencies inside the States.
    Mr. Barrow. Are you proposing a uniform law but shared 
responsibility with respect to enforcing the same law so the 
federal regulator would set the rules and regulations but the 
State folks might enforce the same federal law if the federal 
government isn't devoting enough resources to enforcing its 
law, the national standard? Is that what you have in mind?
    Ms. Matwyshyn. In the same way that securities disclosures 
happen on the federal level primarily but a particular state 
may have requirements in terms of protecting its citizens.
    Mr. Barrow. Well, additional requirements, additional 
substantive regulations and obligations and duties are 
different from a uniform standard that either the federal 
prosecutor or the state prosecutor can enforce the same law--
one land, one law. That is a very different matter. And having 
the right at the state level to enforce a federal standard is 
different than being able to make your own standard and enforce 
that in addition to the federal standard, so I want to talk 
about whether or not there are other folks on the panel who 
agree with the proposition that federal regulation ought to 
occupy the field when it comes to the substantive obligations 
and responsibilities in this area. Mr. Greene?
    Mr. Greene. Sir, we would agree that it should occupy the 
field but ultimately I think the notion of state enforcement 
would be acceptable as long as we are talking about a uniform 
federal standard.
    Mr. Barrow. I got you.
    Professor Thaw?
    Mr. Thaw. 
State enforcement concurrent with federal 
enforcement would be appropriate, and I want to emphasize that 
in either case, centralized notification and collection by a 
federal regulator so that we have information on what is going 
on is critical.
    Mr. Barrow. All right. We have had a slight diversity of 
opinion with respect to who ought to be able to make the rules, 
but there seems to be a general consensus that as long as we 
are enforcing the same rules, it doesn't matter which 
government the cop reports to if they are enforcing the law.
    I want to get to the subject of who ought to be the federal 
regulator. I think, Ms. Matties, you said that we not only need 
to have a uniform federal system but it ought to be headed up 
by the FTC as opposed to, say, the FCC. Does anybody disagree 
with that on the panel as to which federal regulator ought to 
be making the rules that we will be trying to enforce on a 
consistent basis nationwide? Does anybody disagree with that 
approach? Professor Thaw?
    Mr. Thaw. I agree that the Federal Trade Commission is the 
most appropriate for consumer regulation. However, that should 
not exempt critical infrastructure providers, which would 
include telecommunications providers from regulations to which 
they would also be subject by their regulators. Those 
regulators, for example, the Federal Communications Commission, 
the Nuclear Regulatory Commission are better familiar with what 
are the challenges faced by their entities, and if they need to 
impose additional standards, they should not be prevented from 
doing so by consumer regulation.
    Mr. Barrow. Is it your position that they can regulate in 
their areas of subject-matter jurisdiction and should not be 
able to regulate in the area of consumer protection?
    Mr. Thaw. 
If I understand your question correctly, my 
position is not that they should be pushing out the consumer 
regulator so the consumer regulator has no authority but only 
that they may and if necessary should regulate concurrently 
with the consumer regulator.
    Mr. Barrow. What do other members of the panel feel about 
that? Mr. Richards, Mr. Liutikas, Mr. Greene?
    Mr. Richards. Mr. Barrow, I would say that the FTC 
definitely when it comes to consumer information certainly I 
think our approach to privacy in this country is somewhat 
patchwork when you are dealing with HIPAA and the Fair Credit 
Reporting and Gramm-Leach-Bliley, so I certainly think that the 
current functional regulators also have a good system in place 
but the FTC certainly is equipped when it comes to consumer 
information.
    Mr. Barrow. Mr. Liutikas?
    Mr. Liutikas. I would generally concur with that although I 
think we would have to conduct some further analysis and see 
what really makes sense at the end of the day. You know, the 
question right now is somewhat theoretical but I think overall 
makes sense, and we certainly support having a federal agent, 
so whichever department that is.
    Mr. Barrow. Well, my time has run out, Mr. Greene. I regret 
that. But if any of you all want to follow up on this and 
supplement the responses that you have given or that others 
have given on this subject, please feel free to do so for the 
record.
    Thank you so much, and thank you, Mr. Chairman.
    Mr. Terry. And I mistakenly used the word ``adjourn'' 
earlier. We are recessing until probably 1 o'clock, hopefully 
by 1:03 or 1:04 we are asking questions of you. So thank you 
for your patience, and we will see you in 50, 55 minutes.
    [Recess.]
    Mr. Terry. I appreciate you all being back. We are missing 
Professor Thaw for the moment.
    Ms. Matwyshyn. He went to go fetch a deserted bag so that 
they don't confiscate it. 
He will be right back.
    Mr. Terry. Oh, that is important. We will string things 
out, but we will start with the questions. We have a short time 
before either votes or the next committee takes over. So we 
don't want to delay until he comes back but we will start with 
other people.
    Vice Chairman of the subcommittee, you are recognized for 5 
minutes, Mr. Lance.
    Mr. Lance. Thank you, Mr. Chairman, and good afternoon to 
the panel.
    To Ms. Matties, what, in your opinion, should be the proper 
standard for breach notification? Suspicion that a breach has 
occurred or actual evidence that such a breach has occurred?
    Ms. Matties. Actual evidence that a breach has occurred.
    Mr. Lance. So you would have a higher standard before----
    Ms. Matties. Yes.
    Mr. Lance. Thank you. And number two, should a breach have 
to result in identity theft or other financial harm to require 
consumer notification?
    Ms. Matties. There certainly should be consumer 
notification for identity theft and financial harm, and we are 
willing to talk to you about the other kinds of harms that 
might result from a breach of other information.
    Mr. Lance. Do you have suggestions regarding that other 
than financial harm?
    Ms. Matties. We are still working with our members to talk 
about this, and we look forward to talking to you as well about 
it.
    Mr. Lance. Thank you.
    Are there others on the panel who have an opinion on that? 
Yes, Professor.
    Ms. Matwyshyn. I believe that actual harm should not be 
required for notification. It serves a function to advise 
consumers of the occurrence of a breach and also to allow for 
tabulation and centralization of information about security 
practices so that we can collectively get a better picture of 
the entirety of the economy and the behaviors that are 
happening around information security.
    Mr. Lance. Thank you.
    Others on the panel? Mr. Richards?
    Mr. 
Richards. I thank you. We would--our standard would be 
that there should be a notification requirement if the breach 
presents a significant risk of harm to consumers and may 
perpetuate identity theft.
    Mr. Lance. A significant harm to consumers, which might be 
a slightly different standard from financial harm, if I am 
understanding you accurately?
    Mr. Richards. Yes.
    Mr. Lance. Professor Thaw?
    Mr. Thaw. I believe that notification should at least occur 
in all cases to a central reporting authority, which could be a 
federal regulator, that a substantial risk of harm is too high 
a threshold. I base this on the civil litigation where it was 
virtually impossible for any case to advance based on those 
types of claims, and with respect to the types of harm, I 
believe this requires further investigation but should not be 
limited to identity theft.
    Mr. Lance. And if the notification were made to an entity 
of the federal government, that entity would then in turn 
determine whether further notification should be made to the 
consumer?
    Mr. Thaw. That would be conditional on whether or not 
notification had already been made also by the company. I think 
at least the agency should retain the right to make that 
determination.
    Mr. Lance. Thank you. Are there other thoughts from the 
panel? Hearing none, Mr. Chairman, I am finished with 2 minutes 
to.
    Mr. Terry. Thank you, Mr. Lance.
    Mr. Harper, you are now recognized for 5 minutes.
    Mr. Harper. Thank you, Mr. Chairman, and thank each of you 
for being here, and it is a very important issue to each of 
you, I know, and certainly it is to our country and many 
businesses, and I will start with you, if I could, Mr. 
Richards, and ask you, how would you define a breach that 
constitutes a reasonable risk of harm to consumers?
    Mr. Richards. Sure. Thank you, Congressman. 
In terms of a 
reasonable risk, we believe that data that could be used to 
perpetuate identity theft, if you were to allow someone to use, 
log in to or access an individual's account or establish a new 
account using that individual's identifying information, and we 
would hold it to that standard.
    Mr. Harper. So as you define a breach, how do you define a 
significant risk of harm to consumers?
    Mr. Richards. If there is a risk of identity theft or 
stealing personal information and using or creating a new 
identity based on that personal information.
    Mr. Harper. Well, how should we or how would we define what 
constitutes a significant risk of harm to consumers? If you 
were advising us, if Congress did define the type of personally 
identifiable information that constitutes harm to consumers, is 
it possible that such a list would keep up with technological 
innovations?
    Mr. Richards. Yes, sir. I think it is important not to 
mandate specific technologies. As you know, we need a flexible 
framework. Some technologies today and best practices can 
render data useless, and in that case, if a company or an 
organization is trying to take the right approach and render 
the data useless, we believe a safe harbor should be granted to 
incentivize that good behavior if the information is 
indecipherable, but we need a flexible framework in an effort 
not to undermine innovation for new technologies that come down 
the line.
    Mr. Harper. And I know I am going to mispronounce your 
name, Ms. Matties, if I could ask you a question. My 
understanding from your testimony is that different data breach 
requirements apply to different entities, even for the same 
information. Is there any public policy justification for 
applying different data breach requirements to the same 
information?
    Ms. Matties. No, there is not.
    Mr. Harper. And I will ask this panel-wide, if I could. 
All 
of your testimony points out that States have different 
notification requirements and definitions. Is there a certain 
time frame post breach that you believe individuals have a 
right to be notified? I would like to hear each of your 
responses on that, and I will start with you, Mr. Richards.
    Mr. Richards. Certainly. Well, we think there needs to be a 
little bit of time in order for a company to perform cyber 
forensics. We don't have a specific position on a specific time 
frame but our businesses and their approach is as quickly as 
possible and consulting with law enforcement and others, and we 
follow up on our due diligence and report it to the consumer as 
quickly as possible.
    Mr. Harper. Well, following up on that, how can--maybe you 
can walk me through. How does notification without unreasonable 
delay really work in the real world?
    Mr. Richards. Well, I think in terms of, if you look at the 
different State requirements, there are different time frames 
that are offered. Puerto Rico is 10 days to notify folks. 
Vermont is about 14 days. Minnesota requires reporting to 
credit bureaus within 48 hours. So sometimes when you are 
looking at the condensed time frame, you are really trying to 
figure out the extent of the breach, what has been breached. So 
I think in terms of those time frames, it is a very short 
turnaround and a very short fuse, and I think companies want to 
make sure that they have the right answers before they disclose 
information publicly but I believe they do have the 
responsibility to report it to consumers.
    Mr. Harper. Thank you. And I will ask each of you, is there 
a certain time frame post breach that you believe individuals 
have a right to be notified?
    Mr. Liutikas. Yes, Congressman, we certainly--and we will 
mirror a little bit of what Mr. Richards said. We believe in a 
reasonable time frame in which to notify. 
I think it is just 
important for the exceptions to be made for instances where law 
enforcement needs to act or other information needs to be 
gathered so that the correct information is being provided to 
the consumers. So we don't have an exact timeline that we 
recommend but we do recommend having exceptions for those 
legitimate reasons.
    Mr. Harper. And Mr. Greene, I think I can at least get your 
response before my time is up.
    Mr. Greene. Sure. I would say that you definitely need to 
have enough time so the company can determine the scope of what 
was lost and what wasn't lost, fix the vulnerability. You don't 
want to go public and basically hang a target around your neck, 
and I would say, though, a rush to report can be bad. Every 
incident is different. I think if there is one rule, it is that 
first reports are pretty much always wrong. With respect to the 
breach about Congress today, you are going to see what was 
published today a week from now is going to be outdated, is 
going to be different, so you need to allow time. It needs to 
be as quickly as possible but you need to make sure that you 
are getting it right. It is better to be right in most cases 
than it is to be fast.
    Mr. Harper. Thank you, and I believe my time has expired so 
I yield back, Mr. Chairman.
    Mr. Terry. Thank you, and now the chair recognizes the 
gentleman from Texas, of which he is very proud and will 
probably mention that. He is recognized for 5 minutes.
    Mr. Olson. Thank you, Mr. Chairman, for holding this 
hearing, and thank you to the witnesses for attending.
    Mr. Chairman, you should know that I got my plug in with 
all the witnesses as to why they should move to the great State 
of Texas before we were gaveled in at 11 o'clock, so we are 
done with that business.
    At the end of the day, this hearing, to me, is about two 
questions. Number one, is federal legislation necessary when 
data has been breached. 
If the answer is yes, then what should 
that legislation look like. In your written testimonies that I 
reviewed last night, it appears that federal legislation would 
help protect consumers, but Mr. Richards raises the point that 
there are some technology companies it is helpful but not 
vital. The two professors were concerned with, you know, 
federal government overreach and taking over what the States 
are doing pretty well. But I believe this difference raises an 
important point, that if we pursue legislation, we must 
carefully draft it to ensure that the federal government 
doesn't become the 49th entity out there that companies must 
comply with. We should have a Hippocratic oath for data 
breaches: harm has been done; do no more harm.
    In regards to the ultimate decision to pursue legislation, 
consumers expect their privacy of their personal information to 
be protected, and I know you all agree we must keep them at the 
forefront of this conversation and debate.
    My first question is for you, Ms. Matties. Do you think the 
existence of 48 different data breach regimes results in breach 
notifications being faster or slower?
    Ms. Matties. I think it makes it slower. Companies try very 
hard to comply with all the laws out there but it certainly is 
a distraction, at best, from the other tasks that they need to 
complete when dealing with a data breach as has been discussed 
by the other panelists.
    Mr. Olson. Does anybody else care to comment on that, 
faster or slower? Professor Thaw?
    Mr. Liutikas. Congressman, I think it makes it 
significantly--oh, I apologize.
    Mr. Olson. You are up next, Mr. Liutikas.
    Mr. Thaw. I believe historically it has made it slower but 
it absolutely does not need to. 
It is a very formulaic regime 
for which procedures can be developed, for example, to 
analogize to something with which I believe many people may be 
familiar, Legal Zoom, the product that provides--you punch in 
the information, we generate a will or something similar. I 
could develop today a program that would handle the current 
jurisdiction requirements in place.
    Mr. Olson. OK, Mr. Liutikas, come on in.
    Mr. Liutikas. Thank you, Congressman. In addition to making 
the process slower today, I think the process of actually 
evaluating all of the different requirements and the laws out 
there also creates more opportunity for not properly reporting 
under a variety of State laws. So not only does it slow it 
down, I think there is more opportunity for mistakes to be made 
as well.
    Mr. Olson. Thank you.
    Another one for you, Ms. Matties. How do wireless companies 
deal with the fact that States have different definitions of 
personal information? Can that result in over-reporting in some 
States? Does it create consumer confusion? And what harm may 
companies incur if they over-report and some examples? So 
basically over-reporting, confusion, harm, examples.
    Ms. Matties. I am not sure I have examples for all those 
questions, but certainly, over-reporting can be a problem. It 
is sort of the boy who cried wolf. If you get notices over and 
over that actually don't pertain to you, you may start to 
ignore them, but worse, you may actually start making changes 
to your passwords and closing and opening bank accounts 
unnecessarily, wasting your own energy. So the different State 
regimes can cause over-reporting, which can harm consumers, and 
it also certainly impacts businesses in being able to comply 
with those laws.
    Mr. Olson. It looks like the professor wants to make 
comments. Ma'am, you are up.
    Ms. Matwyshyn. I wanted to play up on that point. The two 
complaints--I shouldn't say complaints. 
The two comments that I 
have heard repeatedly from businesses in their compliance 
efforts, first, that the regulatory end of this is complicated. 
Different regulators are required to receive filings in 
different States so simplifying the regulatory complexity would 
be something they would want.
    The second point that they repeatedly mention to me is the 
definition of what constitutes information that triggers 
reporting, and they would be happy with a broader definition of 
the information that triggers information as long as it is a 
bright line, it is clear to them. And so many companies, 
especially the most sophisticated technology companies, are now 
erring on the side of reporting because it is simpler, and they 
don't view it necessarily as a bad thing, they just want 
simplification and a single regulatory point of contact.
    Mr. Olson. And I would assume when they go public that they 
have had some data breach, that affects their business because 
consumers look at a company that has had a data breach, maybe 
is having some faults, which is not true, but the bottom line, 
in the market they get spooked and move their products 
elsewhere. One more comment, ma'am. I am out of time.
    Ms. Matwyshyn. If I can just follow up, the other benefit 
that a centralized point provides is the ability for companies 
engaging in highest security practices to announce that. So 
even if they suffer a data breach from a zero day 
vulnerability, for example, if they are using the highest end 
software possible, then enforcement agencies are going to say 
oh, they tried really hard, this is a good company doing the 
right thing. But if it is someone who hasn't updated their 
systems in 6 years and that is why they had a data breach, that 
is a completely different ball of wax.
    Mr. Olson. I am out of time. I thank the witnesses, and 
come to Texas.
    I yield back.
    Mr. Terry. No.
    Mr. 
Johnson, you are recognized.
    Mr. Johnson. Also no, Mr. Chairman.
    I would like to thank the panel for being here today. I 
spent about 30 years of my professional career before I came to 
Congress in the information technology field in the Department 
of Defense, worked as the director of the CIO staff for special 
operations command, so I certainly understand the complexities 
of data security and how easy it is for those who are 
determined to get into it.
    So with that as a backdrop, do we have any empirical data 
to answer the question about how quickly we should notify 
consumers? I mean, do we have any data that tells us after 
several hundred thousand identities are breached, do we know 
how long before the bad guys start using that information? 
Anybody on the panel? Mr. Greene?
    Mr. Greene. Unfortunately, there is no answer. There are 
thriving black markets in personal information, whether it is a 
Social Security number, et cetera, or simply credit card 
numbers, and it can be a game of roulette whether your card is 
bought before it goes stale or not, so we don't know how fast. 
It really depends on how they are going to use their 
information. Slightly off point, but there is empirical 
evidence. The Ponemon study from last year found--it was 
looking at the impacts, and one of the drivers of increased 
costs was notification too early. What they found is, companies 
that rushed to notify often notified a significant number of 
people who once they did their full forensic work had not 
actually had their personal information made public, yet the 
companies notified them. The individuals, many of them, went to 
the trouble of changing passwords, etc. The company had to pay 
for monitoring and other services. So we do know--and again, 
not discounting the need to notify quickly but doing it too 
quickly can drive up costs, both for the individuals and the 
companies.
    Mr. Johnson. 
Speaking of quickly or not quick enough, do
you think that breaches are over- or under-notified today?
Again for the entire panel. Does anybody have a thought? Yes,
ma'am.
    Ms. Matwyshyn. I would say they are dramatically
under-notified. Frequently, they are never discovered, and that is
partially because companies unfortunately don't always have
state-of-the-art security in place. Also in the public
sector, we have the same challenges with security. So I would
assume there are two breaches for every one that is reported.
    Mr. Johnson. Given that there is a plethora of State
regulations that require this, do you think an overarching
federal standard lessens the risk of under- or
over-notification?
    Ms. Matwyshyn. I think it is heading in the right
direction. I think we are improving. We are all becoming more
educated about these issues. Companies are becoming more
sensitive. There is dramatic improvement in the last decade,
and particularly in industries such as financial services, they
are improving, and there is a learning curve happening, so we
are heading in a good direction, and I think federal harmonized
legislation is a step in that direction.
    Mr. Johnson. Mr. Richards, you noted that the FTC has been
relatively active in bringing cases against companies for
failure to maintain or disclose their security practices. If
the FTC has this existing authority, do we need to address data
security in more federal legislation?
    Mr. Richards. Congressman, in reference to your last point,
I believe a strong federal preemptive data breach notification
law that is broad in scope would cut down on over-notification
certainly. We believe that the FTC does have a lot of
jurisdiction within its existing authority but we believe given
the patchwork quilt of 48 different State laws that a broad
federal preemptive law would be very helpful to our businesses.
    Mr. Johnson.
Well, I think I know the answer to this next
question, Mr. Richards, but can data security and data breach
notification be addressed separately or are they hand in hand?
    Mr. Richards. Well, I think they can be. Well, I would
suggest addressing them separately, first data breach
notification, getting some consensus on the committee. I think
certainly the conversation around data security is important. I
think there should be some focus on what we have been talking
about in terms of a safe harbor, how do you incentivize
companies or give companies some type of guidance on how they
render the data useless so if it is hacked or stolen, you have
taken the measures and you shouldn't have to report. So I think
certainly as a balance, a lot of the focus has been on what
happens post-breach but I certainly think there are some
measures they can take pre-breach.
    Mr. Johnson. Great. I think I am last, Mr. Chairman. If you
would indulge me for one more?
    Mr. Greene, you stated that there were 93 million
identities exposed in 2012. Does this mean people, their names,
their user names or their Social Security numbers? What does
identity mean in that 93 million number?
    Mr. Greene. By the way we counted, it was name in
connection with Social Security number, address--one of the
following: Social Security number, address, date of birth, or
credit card information. Essentially, information that put
together would allow financial fraud or identity theft.
    Mr. Johnson. All right. Thank you, Mr. Chairman. I yield
back.
    Mr. Terry.
Well done, everybody, so that concludes the
questioning period, which means that we are finished except for
a little bit of work here.
    I ask unanimous consent to include the following statements
in the record: one, statement of the Electronic Transaction
Association dated July 18, 2013; two, a letter from the Credit
Union National Association, CUNA, dated July 17, 2013; a letter
from McDonald Hopkins LLC dated July 18, 2013; number four,
National Retail Federation statement dated July 18, 2013. These
have all been approved by the minority staff. Hearing no
objections then, so ordered.
    [The information appears at the conclusion of the hearing.]
    Mr. Terry. No documents to be submitted on your side. Now
all of our business is done, and I want to thank all of you. It
has been very insightful. It was very stimulating, and we greatly
appreciate your time and your testimony, which is your talent,
and thank you, and we are adjourned.
    [Whereupon, at 1:24 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

                 Prepared statement of Hon. Fred Upton

    Those of us who have been in Congress more than a term or
two know the issue of informing consumers in the event of a
data breach has been around for a number of years.
    The importance of protecting our personal information grew
as the crimes of identity theft and financial fraud became more
pervasive in our digital world. It's a fact of life almost
every citizen has some digital footprint or profile--whether
from the state and county records, school records, or
transactions with businesses.
    As we enjoy the wonderful new conveniences and efficiencies
provided by the technology, the downside is that it also
facilitates the ability of criminals to act with equal
efficiency to commit identity theft or other crimes that can
potentially injure far more consumers' credit and finances.
No
longer is a criminal confined by what he can gather from a few
paper-based records taken from a mailbox or file cabinet.
Rather, the most sophisticated of today's cybercriminals can
attempt to hack into digital databases and gain access to the
data on millions of individuals.
    Data breaches were a somewhat novel issue 8 years ago when
we first learned of them. Our constituents were being notified of
a breach of their information for the first time under a
handful of state notification laws. The landscape has evolved
and notifications have become more common, as have breaches and
state notification laws: we now have laws in 48 states and
territories, including every state represented on this dais
except for one--many of which have slight differences--as well
as a separate federal notification law addressing breached
health information. Entities holding our personal information
have also evolved, incorporating security as an essential part
of their operation. Experience has demonstrated the harm to
their customers and the entity's reputation are reason enough
to encourage those who hold our information to take reasonable
steps to protect it.
    Yet breaches, identity theft, and financial fraud continue
and we must consider whether the current notification regime is
appropriate. I believe timely notification is an important
aspect of helping consumers protect themselves following a
breach of their information--and I question whether having to
examine 48 different laws before notifying one's customers is
helpful to this goal. If the breach was intentional or if the
data falls into the hands of criminals with malicious goals,
the consumer should be aware to take preventative steps to
protect or monitor their accounts more closely.
Dealing with
identity theft or account fraud can be an expensive and time
consuming ordeal for a victim.
    I think the title of the hearing is an appropriate question
to ask: ``Is Federal Legislation Needed to Protect Consumers?''
Certainly no one would propose 48 variants of the same law--
each with their own compliance requirements--as an efficient
way to address any problem. Can a Federal notification law
replace the state laws in a way that maintains the protections
afforded by the states and minimizes consumer confusion? I
think the potential benefits to both consumers and businesses
from a single standard make this an issue worthy of our time. I
welcome our witnesses and look forward to discussing their
perspectives.
                              ----------
</pre></body></html>