[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
   REPORTING DATA BREACHES: IS FEDERAL LEGISLATION NEEDED TO PROTECT 
                               CONSUMERS?

=======================================================================

                                HEARING

                               BEFORE THE

           SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 18, 2013

                               __________

                           Serial No. 113-71


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


      Printed for the use of the Committee on Energy and Commerce
                        energycommerce.house.gov
                                      ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

86-395                         WASHINGTON : 2015 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001                    
                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman
RALPH M. HALL, Texas                 HENRY A. WAXMAN, California
JOE BARTON, Texas                      Ranking Member
  Chairman Emeritus                  JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               FRANK PALLONE, Jr., New Jersey
JOSEPH R. PITTS, Pennsylvania        BOBBY L. RUSH, Illinois
GREG WALDEN, Oregon                  ANNA G. ESHOO, California
LEE TERRY, Nebraska                  ELIOT L. ENGEL, New York
MIKE ROGERS, Michigan                GENE GREEN, Texas
TIM MURPHY, Pennsylvania             DIANA DeGETTE, Colorado
MICHAEL C. BURGESS, Texas            LOIS CAPPS, California
MARSHA BLACKBURN, Tennessee          MICHAEL F. DOYLE, Pennsylvania
  Vice Chairman                      JANICE D. SCHAKOWSKY, Illinois
PHIL GINGREY, Georgia                JIM MATHESON, Utah
STEVE SCALISE, Louisiana             G.K. BUTTERFIELD, North Carolina
ROBERT E. LATTA, Ohio                JOHN BARROW, Georgia
CATHY McMORRIS RODGERS, Washington   DORIS O. MATSUI, California
GREGG HARPER, Mississippi            DONNA M. CHRISTENSEN, Virgin 
LEONARD LANCE, New Jersey                Islands
BILL CASSIDY, Louisiana              KATHY CASTOR, Florida
BRETT GUTHRIE, Kentucky              JOHN P. SARBANES, Maryland
PETE OLSON, Texas                    JERRY McNERNEY, California
DAVID B. McKINLEY, West Virginia     BRUCE L. BRALEY, Iowa
CORY GARDNER, Colorado               PETER WELCH, Vermont
MIKE POMPEO, Kansas                  BEN RAY LUJAN, New Mexico
ADAM KINZINGER, Illinois             PAUL TONKO, New York
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Missouri
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina
           Subcommittee on Commerce, Manufacturing, and Trade

                          LEE TERRY, Nebraska
                                 Chairman
                                     JANICE D. SCHAKOWSKY, Illinois
LEONARD LANCE, New Jersey              Ranking Member
  Vice Chairman                      G.K. BUTTERFIELD, North Carolina
MARSHA BLACKBURN, Tennessee          JOHN P. SARBANES, Maryland
GREGG HARPER, Mississippi            JERRY McNERNEY, California
BRETT GUTHRIE, Kentucky              PETER WELCH, Vermont
PETE OLSON, Texas                    JOHN D. DINGELL, Michigan
DAVE B. McKINLEY, West Virginia      BOBBY L. RUSH, Illinois
MIKE POMPEO, Kansas                  JIM MATHESON, Utah
ADAM KINZINGER, Illinois             JOHN BARROW, Georgia
GUS M. BILIRAKIS, Florida            DONNA M. CHRISTENSEN, Virgin 
BILL JOHNSON, Missouri                   Islands
BILLY LONG, Missouri                 HENRY A. WAXMAN, California, ex 
JOE BARTON, Texas                        officio
FRED UPTON, Michigan, ex officio
                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Lee Terry, a Representative in Congress from the State of 
  Nebraska, opening statement....................................     1
    Prepared statement...........................................     2
Hon. Janice D. Schakowsky, a Representative in Congress from the 
  State of Illinois, opening statement...........................     3
Hon. Joe Barton, a Representative in Congress from the State of 
  Texas, opening statement.......................................     4
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, opening statement...............................     5
Hon. Fred Upton, a Representative in Congress from the State of 
  Michigan, prepared statement...................................    74

                               Witnesses

Kevin Richards, Senior Vice President, Federal Government 
  Affairs, Techamerica...........................................     7
    Prepared statement...........................................     9
Dan Liutikas, Chief Legal Officer, Comptia.......................    17
    Prepared statement...........................................    19
Jeffrey Greene, Senior Policy Counsel, Cybersecurity and 
  Identity, Symantec Corporation.................................    25
    Prepared statement...........................................    27
Debbie Matties, Vice President of Privacy, CTIA--The Wireless 
  Association....................................................    34
    Prepared statement...........................................    36
Andrea M. Matwyshyn, Assistant Professor of Legal Studies and 
  Business Ethics, The Wharton School, University of Pennsylvania    42
    Prepared statement...........................................    44
David Thaw, Visiting Assistant Professor of Law, University of 
  Connecticut School of Law......................................    49
    Prepared statement...........................................    51

                           Submitted material

Statement of the Electronic Transactions Association, submitted 
  by Mr. Terry...................................................    76
Letter of July 17, 2013, from the Credit Union National 
  Association to the subcommittee, submitted by Mr. Terry........    78
Statement of McDonald Hopkins LLC, submitted by Mr. Terry........    82
Statement of the National Retail Federation, submitted by Mr. 
  Terry..........................................................    86

 
   REPORTING DATA BREACHES: IS FEDERAL LEGISLATION NEEDED TO PROTECT 
                               CONSUMERS?

                              ----------                              


                        THURSDAY, JULY 18, 2013

                  House of Representatives,
Subcommittee on Commerce, Manufacturing, and Trade,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 11:04 a.m., in 
room 2123 of the Rayburn House Office Building, Hon. Lee Terry 
(chairman of the subcommittee) presiding.
    Present: Representatives Terry, Lance, Harper, Guthrie, 
Olson, Kinzinger, Bilirakis, Johnson, Long, Barton, Schakowsky, 
Sarbanes, McNerney, Barrow, Christensen, and Waxman (ex 
officio).
    Staff present: Kirby Howard, Legislative Clerk; Nick 
Magallanes, Policy Coordinator, Commerce, Manufacturing, and 
Trade; Brian McCullough, Senior Professional Staff Member, 
Commerce, Manufacturing, and Trade; Gib Mullan, Chief Counsel, 
Commerce, Manufacturing, and Trade; Andrew Powaleny, Deputy 
Press Secretary; Shannon Weinberg Taylor, Counsel, Commerce, 
Manufacturing, and Trade; Michelle Ash, Democratic Chief 
Counsel; and Will Wallace, Democratic Professional Staff 
Member.

   OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF NEBRASKA

    Mr. Terry. Good morning. I recognize myself for an opening 
statement.
    In today's economy, nearly everyone leaves a digital 
footprint. Even if you made a concerted effort to avoid 
smartphones, laptops, and social media, although I have not 
found that person, you would have a difficult time keeping your 
personal information from being held in an electronic database 
somewhere.
    Consumers should have the peace of mind that their data is 
protected in a responsible way. But with all types of nefarious 
activities online, cyber criminals are finding new ways and, 
frankly, seem to be very consistent in their wishes to steal 
data. So in the event that our personal data becomes exposed, 
we need to be able to trust that the companies in possession of 
that data will notify us of the exposure. And certainly it is 
in those companies' best interest to notify promptly and 
clearly in order to preserve a trusting relationship with their 
customers.
    Given these considerations, the question before us is: What 
are the rules of the road for companies that experience a 
breach in their data stores? Currently, the laws that govern 
data breach notification are a patchwork of state- and 
territory-specific statutes. Unfortunately, they tend to differ 
from each other in many ways. For example, while a number of 
States have adopted a common definition of personal 
information, even more States have adopted alterations to that 
definition, and those vary unpredictably. The definition is 
important because it triggers the duty to notify of a breach. 
Three States include encrypted or redacted data in the 
definition of personal information, whereas the rest do not. 
Five States include public records in the definition. 
Meanwhile, four States protect an individual's date of birth 
and mother's maiden name as personal information.
    With at least 48 of these various state- and territory-
specific laws on the books, you can see how the cost of 
compliance could add up. The global price tag of cyber crime 
has been calculated at around $110 billion annually, and we 
should not add unnecessary compliance costs to this. Adding to 
the confusion, these laws also tend to vary on the number of 
days that can elapse after a breach before notification as well 
as the method of notification.
    Even small breaches can cause a compliance headache. In one 
recent example, a large company experienced a breach where the 
personal information of just over 500 consumers was 
compromised. In comparison to other breaches involving tens of 
millions of consumers, this may seem small. Yet it turns out 
that these 500 consumers lived in 44 different States and 
therefore had to be notified pursuant to 44 different sets of 
rules.
    We must remember that where a breach in data is an 
intentional intrusion from the outside, for example, if it is 
done by a hacktivist, a foreign agent or a run-of-the-mill 
criminal, the company holding the data is also a victim. 
Burdening these entities with overly complicated notification 
rules is not a solution to the harms that result from the 
exposure of that personal information held by the company.
    And with that, I look forward to hearing the testimony of 
our witnesses and learning about whether or not we can improve 
the current legal landscape for breach notification.
    [The prepared statement of Mr. Terry follows:]

                  Prepared statement of Hon. Lee Terry

     In today's economy nearly everyone leaves a 
digital footprint.
     Even if you made a concerted effort to avoid smart 
phones, laptops, and social media, you would have a difficult 
time keeping your personal information from being held in an 
electronic database somewhere.
     Consumers should have the peace of mind that their 
data is protected in a responsible way.
     But, with all types of nefarious activities 
online, cyber criminals are finding new ways to steal data.
     So in the event that our personal data becomes 
exposed, we need to be able to trust that the companies in 
possession of our data will notify us of the exposure.
     And certainly it is in those companies' best 
interest to notify promptly and clearly in order to preserve a 
trusting relationship with consumers.
     Given these considerations, the question before us 
is: What are the rules of the road for companies that 
experience a breach in their data stores?
     Currently, the laws that govern data breach 
notification are a patchwork of state- and territory-specific 
statutes.
     Unfortunately, they tend to differ from each other 
in many ways.
     For example, while a number of states have adopted 
a common definition of ``personal information,'' even more 
states have adopted alterations to that definition, and those 
vary unpredictably.
     This definition is important because it triggers 
the duty to notify of a breach.
     Three states include encrypted or redacted data in 
the definition of ``personal information,'' whereas the rest do 
not.
     Five states include public records in the 
definition. Meanwhile, four states protect an individual's date 
of birth and mother's maiden name as ``personal information.''
     With at least 48 of these various state- and 
territory-specific laws on the books, you can see how the cost 
of compliance could add up.
     The global price tag of cyber crime has been 
calculated at around $110 billion annually, and we should not 
add unnecessary compliance costs to this.
     Adding to the confusion, these laws also tend to 
vary on the number of days that can elapse after a breach 
before notification as well as the method of notification.
     Even small breaches can cause a compliance 
headache: In one recent example, a large company experienced a 
breach where the personal information of just over 500 
consumers was compromised.
     In comparison to other recent breaches involving 
tens of millions of consumers, this may seem small. Yet it 
turns out that these 500 consumers lived in 44 different states 
and therefore had to be notified pursuant to 44 different sets 
of rules.
     We must remember that where a breach in data is an 
intentional intrusion from the outside--for example, if it is 
done by a ``hacktivist'', a foreign agent, or a run-of-the-mill 
criminal--the company holding the data is also a victim.
     Burdening these entities with overly complicated 
notification rules is not a solution to the harms that result 
from the exposure of personal information.
     And with that, I look forward to hearing the 
testimonies of our witnesses and to learning about whether we 
can improve the current legal landscape for breach 
notification.

    Mr. Terry. At this point, I will yield back my time and 
recognize the ranking member, Jan Schakowsky, for her 
statement.

       OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A 
     REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS

    Ms. Schakowsky. Thank you, Mr. Chairman.
    Apropos of this hearing, it has just been reported this 
very morning that Anonymous claims to have hacked into 1,800 
email accounts of Members of Congress and their staffs. So that 
is apparently in the news. I don't know to what extent that has 
been confirmed. So I look forward to hearing from our witnesses 
about this issue and steps that can and should be taken to 
address it.
    As a long-time consumer advocate, I believe that the public 
does have a right to be informed if their personal information 
such as names, email addresses, passwords, home addresses, 
health and financial data is compromised. As more and more 
information moves online, it is equally important to ensure 
that precautions are taken to keep that data secure.
    Less than 2 years ago following the breaches of data at 
Citicorp, Epsilon and Sony, a report of the data security from 
Protegrity found that personal information was ``highly 
valuable'' to cyber criminals but ``vastly unprotected.'' Since 
then, it seems to me, and you will set me straight, little has 
changed. Last year, 680 confirmed data breaches compromised 
almost 28 million records. Many of those could have been 
prevented with relative ease had the entities holding the data 
followed known best practices. This is clearly a major issue 
which the private sector has not done enough on its own to 
address, and one of great concern, I believe, to the public.
    Almost every state and territory including my home State of 
Illinois has adopted data breach standards. While national 
standards might be needed to adequately address this issue, I 
want to make clear, my view is that any federal law should not 
weaken strong State laws. In addition, any federal response 
should establish a baseline so that every American can be 
assured some level of data protection, not just notification 
after the fact.
    This subcommittee has several questions to answer as we 
consider data breaches and hopefully data security as well. 
What specific measures should be taken to protect personal 
information stored online? When should consumers be notified of 
a breach? What role should the federal government play in 
ensuring that those steps are taken? I believe that entities 
that store important data should act proactively to defend that 
information and the consumer should be notified if a breach 
could result in personal harm.
    The DATA Act, introduced by Mr. Rush and passed by voice 
vote just 4 years ago, would have taken those steps to protect 
American consumers. I was a cosponsor of that bill along with 
Mr. Barton, and I believe it should be the framework for 
bipartisan legislation in this Congress.
    Again, I look forward to hearing from our witnesses today 
about what can and should be done to address breach 
notification and data security. I hope that this subcommittee 
can work constructively toward a bipartisan solution to this 
major issue that impacts all of us.
    Thank you. I yield back.
    Mr. Terry. And that is our goal.
    At this time the chair recognizes the chairman emeritus, 
Mr. Barton.

   OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Barton. Thank you, Mr. Chairman, and I am very happy 
that you are having this hearing. As Congresswoman Schakowsky 
just pointed out, this is an issue that is not unfamiliar to 
the subcommittee or the full committee. Going back to my tenure 
as chairman in 2005 and 2006, we passed a bill out of committee 
but it didn't go to the floor. Under Mr. Dingell's chairmanship 
and Mr. Waxman's chairmanship, again, we passed bills that came 
out of committee and we have even had one bill that passed the 
floor of the House but it wasn't taken up in the Senate. The 
last Congress, we passed a bill out of this subcommittee but it 
was not taken up at full committee.
    So this is an issue that we all have general agreement on. 
As Congresswoman Schakowsky has pointed out, it is not a 
partisan issue. Hopefully under your leadership, Mr. Chairman, 
and Mr. Upton's leadership at the full committee, we will pass 
something in this committee, on the floor and get the other 
body to take it up.
    This year alone, our last year, in 2012, there were 470 
breaches that meet the definition, and so far this year, there 
have been 326 breaches. This is an issue that is not going to 
go away. It would appear to be obvious that we need a federal 
bill instead of a patchwork of State bills, and I would agree 
with what Congresswoman Schakowsky said, that a federal bill 
should be a baseline bill and not a bill that limits the 
States.
    With that, Mr. Chairman, again, thank you for your 
leadership. I believe you are the man who can make this happen, 
subcommittee, full committee, the floor and then with the other 
body. And with that, I will yield back.
    Mr. Terry. No pressure there.
    Are there any other Republicans on this side that wish to 
have time yielded?
    Mr. Barton. If not, Mr. Chairman, I yield back.
    Mr. Terry. Then we will yield back.
    Before I announce our panel and start our testimony, an 
announcement of sorts--oh, Henry is here, so while he is 
sitting down, my announcement is, we will recess at noon and 
reconvene if it is still necessary to. I have a feeling that 
there is going to be enough questions that we will reconvene at 
1 o'clock but break at noon, and I recognize the full committee 
ranking member, the gentleman from California is recognized for 
5 minutes.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Waxman. Thank you very much, Mr. Chairman. I welcome 
all of our witnesses today.
    Our subcommittee is going to address the federal role in 
data breach notification. It is alarming just how common data 
breaches have become. Since 2005, at least 600 million records 
containing consumers' personal information have been 
compromised as a result of more than 3,800 data breaches in the 
United States. At least 72 million personal records have been 
compromised only in the time since July 2011, when the 
Subcommittee last considered this issue.
    Every type of entity has proven vulnerable, including 
private sector companies of all sizes, colleges and 
universities, and federal, State, and local governments. 
Breaches result from a wide variety of causes. External 
criminal attacks, dishonest insiders, and simple negligence can 
all be responsible for compromising consumers' personal 
information. Moreover, in recent months, it has become 
abundantly clear that commercial data breaches can also result 
from State-affiliated cyber attacks.
    Consumers face severe threats to their financial well-being 
when data like banking information or Social Security numbers 
are compromised. In 2012 alone, more than 12 million U.S. 
adults were victims of identity theft or similarly costly forms 
of fraud. Less reported, but also of concern, is when breaches, 
non-financial in nature, threaten consumers' privacy, including 
breaches involving health-related information, biometric data, 
or a person's precise location.
    Nearly all U.S. States and territories now have laws that 
require notice for their own residents when a data breach 
occurs. These laws vary greatly, but several of these laws are 
quite strong, ensuring that consumers receive prompt, clear and 
complete notification when their personal information is 
breached and providing them with resources to protect their 
financial well-being. I am glad that these laws have been 
enacted, but after-the-fact breach notification is only half of 
what is needed. The private sector also must take reasonable 
steps to safeguard personal information.
    When it comes to information security, prevention is the 
best medicine. Research shows that the vast majority of attacks 
on commercial data--78 percent according to the Verizon RISK 
Team--utilize simple tactics easily thwarted by basic security 
infrastructure and procedures.
    There are many companies that take information security 
very seriously and work diligently to combat this problem, and 
perhaps there will always be cyber crime. But unfortunately, 
there are also companies that are not doing enough to prevent 
breaches, and consumers are paying the price.
    As the subcommittee moves forward with its work on 
information security, I strongly encourage all members to keep 
two points in mind. First, federal legislation must not move 
backward by undermining those States with strong breach 
notification laws. And second, effective security for 
consumers' personal information indisputably requires both 
breach notification and reasonable safeguards for commercial 
data.
    I look forward to the testimony we are going to get today 
and our discussion of these issues today and in the future, and I 
hope we can work together to deal with this important issue.
    Mr. Terry. I appreciate that, Mr. Chairman.
    At this time I am going to introduce our full panel, and 
then we will start with Mr. Richards. Mr. Richards is the 
Senior Vice President of Federal Government Affairs for 
TechAmerica. We have Dan Liutikas, Chief Legal Officer, 
CompTIA. We have Mr. Jeff Greene, Senior Policy Counsel, 
Cybersecurity and Identity, Symantec Corporation. We then have 
Debbie Matties, CTIA--The Wireless Association Vice President 
of Privacy. We have Andrea Matwyshyn, Assistant Professor of 
Legal Studies and Business Ethics at the Wharton School, 
University of Pennsylvania. David Thaw will complete our 
testimony, and he is Visiting Assistant Professor of Law at the 
University of Connecticut School of Law.
    You will see little lights down there. Green means go. At 4 
minutes, the yellow line will come on and that should be a 
sign, if you got a full page or two left, you may want to skip 
to the conclusion. The red light means I'm going to lightly tap 
the gavel, and so I appreciate keeping it to the 5-minute mark, 
especially since we have been kind of put on an awkward, tight 
schedule today.
    So Mr. Richards, you may begin. You are recognized for your 
5 minutes.

 STATEMENTS OF KEVIN RICHARDS, SENIOR VICE PRESIDENT, FEDERAL 
  GOVERNMENT AFFAIRS, TECHAMERICA; DAN LIUTIKAS, CHIEF LEGAL 
   OFFICER, COMPTIA; JEFFREY GREENE, SENIOR POLICY COUNSEL, 
   CYBERSECURITY AND IDENTITY, SYMANTEC CORPORATION; DEBBIE 
    MATTIES, VICE PRESIDENT OF PRIVACY, CTIA--THE WIRELESS 
ASSOCIATION; ANDREA M. MATWYSHYN, ASSISTANT PROFESSOR OF LEGAL 
STUDIES AND BUSINESS ETHICS, THE WHARTON SCHOOL, UNIVERSITY OF 
 PENNSYLVANIA; AND DAVID THAW, VISITING ASSISTANT PROFESSOR OF 
          LAW, UNIVERSITY OF CONNECTICUT SCHOOL OF LAW

                  STATEMENT OF KEVIN RICHARDS

    Mr. Richards. Thank you. Mr. Chairman, Ranking Member 
Schakowsky, and distinguished members of the subcommittee, 
thank you for the opportunity to testify today and for 
convening this hearing on the important issue of data breach 
notification. I am Kevin Richards, Senior Vice President of 
Federal Government Affairs of TechAmerica, a leading technology 
association representing the world's premiere technology 
companies from the information and technology communications 
sector at the state, federal, and international level.
    The topic of today's hearing is an issue of great concern 
to our members who view the unauthorized disclosure and use of 
personal information as a threat that erodes public confidence 
in a connected world. TechAmerica's member companies understand 
better than anyone the nature of cyber threats that America 
faces today and what must be done in order to protect 
consumers' information from data breaches.
    The rapid growth of the collection of information in 
electronic form has provided consumers, businesses and 
governments with tremendous opportunities from revolutionizing 
the way medical care is provided to enhancing government 
services, to enabling a free Internet with more opportunities 
appearing daily. However, this collection of data has also 
resulted in a concomitant exposure of companies to risks and 
liabilities arising from the collection, use, storage and 
transmission of information, particularly sensitive information 
about individuals.
    TechAmerica strongly believes that if a breach occurs that 
poses a significant risk of serious harm, that there should be 
a consistent national policy to ensure that customers and 
consumers are notified in an appropriate manner.
    Today, 48 different State jurisdictions in the United 
States have data breach notification laws, and while many 
businesses have managed to adapt to these various laws, a 
properly defined data breach notification standard would go a 
long way to guide organizations on how to address cyber threats 
in their risk management policies. It also would help prevent 
breaches and give guidance on how best to respond if an 
organization should fall victim to a breach caused by an attack. 
It would be particularly helpful for smaller businesses, many 
of whom cannot afford teams of lawyers to navigate 48 breach 
standards should something bad actually happen.
    National data breach legislation should be carefully 
crafted and in particular be technology-neutral to help 
organizations prevent and respond to security incidents while 
avoiding costly, burdensome rules that would not provide any 
real protection to consumers and free security innovation. Such 
legislation will provide much-needed regulatory relief to 
companies facing conflicting legal obligations under today's 
patchwork of State laws.
    TechAmerica has been a leader in calling for a strong, 
preemptive, and uniform national breach notification law. 
Federal legislation that promotes notification to consumers 
when their data has been compromised is needed, and can 
effectively help restore consumers' online trust and 
confidence.
    The first objective of federal data breach notification 
legislation should be to establish a uniform national standard 
and preempt the current patchwork of existing State laws while 
providing a safe harbor for those entities that take steps to 
protect their systems from breaches and render data unreadable, 
undecipherable and unusable in order to protect individuals 
from harm. The following recommendations are a result of 
lessons learned from the implementation of regimes by the 
current 48 different State jurisdictions in the United States 
and which serve as a good benchmark for drafting potential 
legislation.
    One, legislation must establish a single, uniform 
preemptive standard. Two, a meaningful threshold for 
notification should be established. Three, define carefully the 
kind of personally identifiable information that is covered by 
notification requirements. Four, avoid mandating specific 
technologies while encouraging the adoption of good practices. 
Five, when third-party managed data notification is required, 
avoid consumer confusion. Six, a federal law should do more 
than the patchwork of state laws to protect consumers.
    In conclusion, TechAmerica believes that the patchwork 
quilt of state laws and existing requirements needs to be 
overhauled by a uniform preemptive national standard based on 
the risk of harm. This would be in addition to the significant 
protection consumers receive today. With the chairman's 
permission, TechAmerica would like to request the submission of 
TechAmerica's national data breach legislative principles for 
inclusion in the record for today's hearing.
    Mr. Terry. Unanimous consent to allow? Hearing no 
objection, so allowed.
    Mr. Richards. Thank you. We are happy to offer assistance 
to the committee and work with you as the legislative process 
moves forward.
    Thank you for allowing me the privilege to appear today in 
order to share TechAmerica's views on the importance of data 
breach notification. I would be happy to answer any questions 
that the committee may have at this time.
    [The prepared statement of Mr. Richards follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
    Mr. Terry. Thank you very much.
    And now, Mr. Liutikas, you have your 5 minutes.

                   STATEMENT OF DAN LIUTIKAS

    Mr. Liutikas. Good morning, Chairman Terry, Ranking Member 
Schakowsky, and distinguished members of the House Subcommittee 
on Commerce, Manufacturing, and Trade. This testimony is 
submitted on behalf of the 2,000 members of the Computing 
Technology Industry Association, also known as CompTIA, a not-
for-profit trade association.
    CompTIA is also the leading developer and provider of 
vendor-neutral education, IT workforce certifications including 
A+, Security+ and Network+, and organizational credentials such 
as the Security Trust Mark.
    My name is Dan Liutikas, and I am the Chief Legal Officer 
of CompTIA. Prior to CompTIA, I was an attorney in private 
practice focusing on corporate technology and intellectual 
property matters, primarily for the small- to medium-size 
business. I am a native of Chicago, Illinois, and was born to 
immigrant parents from Lithuania. My father opened his own 
television repair shop and then later started a construction 
business. My mother started her own restaurants, delis, and 
banquet halls. Both lived the American dream by being 
entrepreneurial and starting their own small businesses. From 
my own experience, I submit that small business owners don't 
want handouts.
    Like the businesses started by my parents, many of our 
members are small- to medium-sized businesses, except that they 
are IT solution providers that help other small- to medium-
sized businesses set up IT systems and manage data. They also 
just want a fair shot at pursuing the American dream. In the 
context of today's hearing, that means eliminating unnecessary 
barriers to entry such as redundant and burdensome regulations. 
With that context, let me state upfront that our membership 
supports a federal approach to data breach notification.
    It is hard to believe that it has been 10 years since 
California became the first State in the country to enact a 
State data breach notification law. Today, there are 46 states, 
D.C., and several territories that have enacted data breach 
notification laws. Data breach notification standards are 
clearly a relevant concern for millions of users sharing 
information through the Internet and for information being 
stored in various forms.
    A federal approach will bring clarity and certainty not 
only to small businesses but also to consumers who may not be 
aware of the notice obligations of a particular State's data 
breach notification law or even when such obligations may 
apply.
    We appreciate the opportunity to submit our written 
testimony that provides greater details on the burdens of the 
current patchwork of State laws and the way in which 
advancements in mobile technology exacerbate those burdens. 
Therefore, I would like to spend the balance of my time on a 
solution.
    Based on our collective experience and outreach efforts, we 
believe that the IT industry will be receptive to a national 
data breach reform framework that contains the following six 
principles.
    Number one, there should be a single national federal 
standard for data breach policy. Businesses which conduct 
commerce over multiple States need the certainty and efficiency 
that a national standard would provide.
    Number two, Congress and the FTC should not mandate 
specific technology or methods for data security practices. The 
environment for data security is constantly evolving, so any 
regulation should focus on promoting validated industry 
standards for security, rather than a single quickly outdated 
solution.
    Number three, there should be an exemption from 
notification requirements for entities that deploy technology or 
methods such as encryption and other technologies that render 
data unusable or unreadable by hackers as a harm-prevention 
measure.
    Number four, all enforcement and penalties for data breach 
law should be administered by a central government agency 
instead of State Attorneys General, except in cases where the 
federal agency cannot or has not acted.
    Number five, entities compliant with existing data breach 
legislation such as the Gramm-Leach-Bliley Act should be exempt 
from new regulation. We should not reinvent the wheel or create 
conflicting or overlapping regulations.
    And number six, notification should occur within a reasonable 
time frame, which includes allowances for risk assessment and 
any necessary law enforcement procedures or investigation. 
Notification should be focused on events where there is a 
possibility of actual harm, including a minimum threshold of 
affected individuals.
    In closing, I want to reiterate that we believe that a 
national data breach framework is in the best interest of both 
consumers and small- to medium-sized businesses.
    Thank you again for the opportunity to share our 
perspective on the issue of data breach notification reform, 
and I look forward to our discussion on how to best approach 
this issue, and I would be happy to answer any questions.
    [The prepared statement of Mr. Liutikas follows:]
   
   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
   
    
    Mr. Terry. Thank you very much.
    Mr. Greene, you are now recognized for 5 minutes.

                  STATEMENT OF JEFFREY GREENE

    Mr. Greene. Chairman Terry, Ranking Member Schakowsky, 
members of the subcommittee, thank you for the opportunity to 
testify today on behalf of Symantec Corporation. We are the 
largest security software company in the world with 31 years of 
experience in developing Internet security technology.
    For organizations that have critical information assets, 
the risk of a data breach has really never been higher than it 
is now. We estimate that last year, there were 93 million 
identities exposed. Thankfully, few of these victims will have 
their identity stolen or bank account raided, but the 
reality is that all of them are at risk for it because once 
your information has been stolen, you can do little more than 
hope that no one tries to monetize it.
    The cost of these breaches is real. Mr. Chairman, as you 
mentioned, in 2012 our Norton cyber crime report put the global 
price tag of consumer cyber crime at $110 billion, and that is 
just the consumer side. On the business side, the Ponemon 
Institute estimated that in 2012, the average organizational 
cost for a breach in the United States was $5.4 million.
    Breaches can be caused most commonly or very commonly by 
lost computers or portable media, and they can be caused by 
outright theft--people that walk out the door with sensitive 
information, disgruntled or fired employees. But there is 
another cause for breaches, and that is targeted attacks, and 
actually last year, according to our Internet Security Threat 
Report, 40 percent of breaches were caused by targeted attacks 
and hackers. Most of these attacks rely on social engineering, 
basically trying to trick people into doing something on their 
computer that they would never do if they were fully cognizant 
of their actions. We also saw a lot of email attacks. It is 
still a very common vector. And we regularly see criminals 
mining social media to come up with tidbits about individuals 
they use to craft emails that will look legitimate, even to 
very cautious users. Twenty twelve also saw the emergence of 
what we call watering hole attacks. Like the proverbial lion in 
the jungle who waits by the watering hole for unsuspecting 
prey, cyber criminals have become adept at compromising 
legitimate Web sites and then sitting on them and waiting for 
visitors to come by and then attempting to compromise every one 
who visits.
    The growing use of the cloud also presents unique 
challenges and opportunities. Cloud done right is an 
opportunity for very strong security. You are putting your data 
behind higher walls and having it watched by more walls. Cloud 
done wrong, though, can be a recipe for data breach because you 
are grouping your data with many other people's, creating a 
very desirable target for attackers and one that is not well 
defended.
    As you mentioned, Mr. Chairman, mobile devices require 
strong security. We are all doing more and more of our lives on 
mobile computers, and unfortunately, the criminals are 
following. Last year, we saw a 58 percent increase in the types 
of malware that were designed specifically for mobile devices, 
and even since we released our report in April, we have seen 
dramatic evidence of the increasing focus on mobile attacks.
    Good security really starts with the basics--patch 
management, updating your patches on your computer, and strong 
passwords. The breach that the ranking member indicated was 
reported this morning, based on the early reporting, there was 
a significant number of people who were using the word 
``password'' as their password. That is just not a strong 
password; you are asking for it.
    So-called zero days or previously unknown critical 
vulnerabilities receive a lot of media attention, but 
unfortunately, it is still well-known older vulnerabilities 
that cause most breaches. Modern security software is essential. 
I am not talking about the proverbial your father's antivirus 
anymore. Modern security software will monitor your computer 
looking for anomalous Internet activity, processes or other 
system events that could be indicative of a previously known 
infection. We have reputation-based technology we use that 
actually looks at individual files based upon their frequency 
we see out in the wild and we are able to detect previously 
unknown threats just by looking at a file that way.
    Looking at the legal landscape, we do support a national 
standard for breach notification, and we have identified three 
principles that are key to us. First, the scope of any 
legislation should include all entities that collect, maintain 
or sell significant numbers of records containing sensitive 
personal information, and we think that that should apply 
equally to the government and to the private sector. Second, 
pre-breach security measures should be central to any 
legislation. New legislation should seek to minimize the 
likelihood of a breach and not just focus on what to do 
afterward. And finally, any notification scheme should minimize 
false positives. Promoting technology like encryption as a best 
practice would significantly reduce these false positives and 
limit the burden on consumers and on businesses.
    I thank you again for the opportunity and the privilege to 
testify today. I look forward to your questions.
    [The prepared statement of Mr. Greene follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
    Mr. Terry. Thank you very much.
    Ms. Matties, you are recognized for 5 minutes.

                  STATEMENT OF DEBBIE MATTIES

    Ms. Matties. Chairman Terry, Ranking Member Schakowsky, and 
the members of the subcommittee, thank you for the opportunity 
to participate in today's hearing. My name is Debbie Matties, 
and I am the Vice President for Privacy at CTIA.
    CTIA along with AT&T, Comcast, DIRECTV, NCTA, Time Warner 
Cable, USTelecom, and Verizon is a member of the 21st Century 
Privacy Coalition. The Coalition seeks to modernize U.S. 
privacy and data security laws to better serve consumers as 
well as to reflect the ways that communications technology and 
competition have changed in the last two decades.
    CTIA commends the subcommittee for exploring whether 
federal data breach legislation is necessary to protect 
consumers. Today's patchwork of state and federal data security 
and breach notification laws is complicated for businesses and 
provides uneven protection for consumers. A strong, 
comprehensive and streamlined federal framework enforced by a 
single agency would create more certainty for businesses and 
better protect consumers from the harms associated with data 
breaches.
    Today's variety of State and federal requirements creates 
inconsistent, sometimes contradictory responses to breaches 
that do not benefit consumers. For example, some States require 
breach notifications to occur ``without unreasonable delay'' 
whereas other States require specific time frames for 
notification. Some states provide an exemption for notification 
for immaterial breaches whereas other States do not.
    Most data breaches impact consumers in multiple States, 
just like the breach that happened here in the House, and 
electronic data is rarely segmented by State. So under law, the 
question becomes, which State law should apply? The State in 
which the consumer resides? The State in which the breach 
occurred or the State in which a vulnerability existed and was 
exploited? For wireless consumers using family plans, often the 
user of a device is in a different State from the subscriber 
who pays the bill. Given the fact that breaches inevitably 
transcend State borders, a federal approach to breach 
notification is appropriate so that all consumers receive the 
same benefits.
    The absence of a consistent nationwide regime also creates 
unnecessary distraction for companies that need to stop a 
breach, evaluate the damage caused by the breach and its scope, 
correct whatever vulnerability resulted in the breach, work 
with law enforcement to investigate the breach, and of course, 
most important, notify consumers to help mitigate any harm. 
These time-sensitive activities are hampered when a company, 
especially a small business, has to evaluate which of the 48 
different State regimes applies to each of their customers and 
then tailor breach notifications accordingly. It also makes it 
difficult for consumer protection agencies, consumer advocates 
and businesses to educate consumers faced with a data breach 
about their rights.
    Multiple federal regimes undermine consumer protection in a 
similar manner. For example, wireless carriers fall within the 
FCC's CPNI rules to the extent they are providing a 
telecommunications service such as voice. But some providers of 
voice like Skype are not subject to CPNI rules, and then the 
FTC asserts data security jurisdiction over wireless carriers 
when they are providing Internet access.
    In any case, the CPNI rules don't really make a lot of 
sense. They don't cover critically important information like 
name, Social Security number or credit card number but they do 
cover, for example, the number of voice lines a subscriber has 
on her plan. A unified, streamlined federal data security and 
breach notification law that applies equally to all entities 
and to all data would make consumers more confident in the 
security of their online information and would in turn give 
them greater trust in Internet commerce. This unified federal 
approach to data security is bipartisan and is in line with the 
Obama Administration's recommendations to level the playing 
field for companies and provide a consistent set of 
expectations for consumers by simplifying and clarifying the 
privacy laws. CTIA supports the Administration's recommendation 
to narrow the common carrier exemption to the extent needed to 
enable the FTC to enforce data security and data breach 
notification requirements.
    Mr. Chairman, CTIA fully supports a unified, streamlined 
federal data security and breach notification law that is 
enforced by the FTC and benefits consumers who expect that their 
information will be afforded the same high degree of protection 
regardless of what entity collects the information, where the 
consumer lives, where a breach occurs, or where hackers may be 
trying to access personal information. Congress should enact a 
new law to better reflect consumer expectations.
    I would be happy to answer your questions.
    [The prepared statement of Ms. Matties follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Terry. Well done.
    Professor Matwyshyn, you are now recognized for 5 minutes.

                 STATEMENT OF ANDREA MATWYSHYN

    Ms. Matwyshyn. Thank you. Chairman Terry, Ranking Member 
Schakowsky, it is my great honor to be with all of you today to 
discuss a topic that I have devoted my scholarship to, and that 
is the question of how to improve information security in the 
United States.
    I started working in this space approximately 14 years ago 
as a corporate attorney representing multinational clients as 
well as entrepreneurs in Chicago. I really watched the 
evolution of this space as both a member of the business 
community at first representing clients and now as an academic, 
and although there has been tremendous improvement in this 
space, we still have a reasonable way to go.
    The public awareness around questions of information 
security has tremendously increased during the last 10 years, 
and it is with great pleasure that I see that we are discussing 
these topics today. However, the questions of conduct and 
reasonableness in behavior and information security still 
remain unanswered.
    With that, I would like to offer a historical example to 
offer perhaps a paradigm to conceptualize questions of 
information security. In addition to teaching Internet law and 
data security and privacy law, I also teach securities 
regulation, and I would submit that perhaps the questions that 
we are facing today have a historical parallel in the questions 
that this Congress faced when thinking about balancing the 
interests of consumer protection, capital formation and market 
stability in the 1933 and 1934 Acts.
    Today in this context, perhaps those three elements are 
consumer protection, economic stability broadly in terms of 
securing information and preserving sectors of our economy that 
rely on information flows, and facilitating responsible 
innovation. So with those three elements, we can take a look at 
the broader set of questions in information security, and I 
would submit that perhaps we should draw a clear distinction 
between disclosure regulation and conduct regulation.
    Disclosure regulation, specifically data breach 
notification statutes, has developed to a high degree on the 
State level. We have had States function as the laboratories of 
experimentation, and the State statutes have shown us the way 
as to what is a feasible and successful approach for 
disclosure, and offered us guidance to at this point be able to 
come up with a set of criteria that can be operationalized on a 
national level through the Federal Trade Commission to provide 
us the data to be able to analyze what is going on in our 
economy, who are the companies that are behaving with best 
practices, and who are the companies that are not yet quite up 
to par and need to be encouraged regulatorily or otherwise on 
the State or national level to improve the quality of 
information security that they implement throughout their 
organizations. The written statement that I have submitted 
offers a framework of this nature.
    Conduct regulation, I would submit, we are not ready to 
really focus in on with a national framework yet. We need the 
states to show us the way, the same way that they did in the 
context of data breach notification. Let the states experiment, 
guide us, discover what works, what doesn't work, and then 
perhaps we can revisit this question. I would respectfully urge 
this body to allow for this state experimentation and to 
preserve the right of states to determine recourse appropriate 
for their consumer harms.
    While disclosure legislation deals with purely providing 
information to empower consumers to make good choices, conduct 
regulation is the place where we contemplate harms. This 
distinction, I think, would be fruitful to operationalize into 
a national framework for data breach notification 
harmonization.
    And in my last minute, I will highlight some of the 
elements that I elaborate on in detail in my written statement 
that may provide guidance for a federal harmonized framework.
    First, the concept of information from a consumer and from 
a corporate perspective does not map onto the notion of PII 
that we have been working with. Sometimes the most innocuous 
bits of information can be the most important. If I use my 
favorite flavor of ice cream as my security question for my 
bank account, that is perhaps my most sensitive information, 
and so I would suggest that perhaps we should reconceptualize 
our notion of what constitutes consumer information in line 
with the way that sophisticated companies treat information and 
that is around information that is shared by a consumer in a 
trusted relationship.
    And with that, I will conclude because I am running out of 
time but I would request that this committee turn to my 
statement and examine the framework that I have proposed. Thank 
you.
    [The prepared statement of Ms. Matwyshyn follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Terry. We will. I appreciate you submitting that.
    Professor Thaw, you are recognized for 5 minutes.

                    STATEMENT OF DAVID THAW

    Mr. Thaw. Thank you, Mr. Chairman.
    Chairman Terry, Ranking Member Schakowsky, distinguished 
members of the subcommittee, I am David Thaw, Visiting 
Assistant Professor of Law at the University of Connecticut and 
Fellow of the Information Society Project at Yale Law School. I 
appreciate the opportunity to testify regarding the important 
issues of data security and consumer protection, a subject that 
I have spent the better part of a decade researching and 
working on professionally.
    Federal data breach notification is important but it must 
be implemented properly. In my oral testimony today, I wish to 
address two core issues relevant to proper implementation. 
First, whether to address breach notification separate from 
broader information security regulation, and second, what 
burden of proof should be required if a risk-of-harm threshold 
is adopted for breach notification.
    I understand the subcommittee to be taking up the issue of 
data security beginning with the question of breach 
notification separate from comprehensive information security 
regulation. I caution against this approach for two reasons. 
First, comprehensive information security combined with breach 
notification is substantially more effective than is either 
regime alone. As part of my research on information security 
regulation, I compared the efficacy of these two regimes. 
Specifically of note to the subcommittee's agenda, the 
combination of the two was nearly four times more effective at 
preventing incidents than was breach notification alone. I 
analogize the effects of breach notification alone to locking 
the bank or vault door while leaving a back window wide open.
    Second, approaching the issue of breach notification 
separately requires establishing certain information 
categories. For example, defining what information to protect 
is essential to breach notification. This definition, however, 
has a different purpose when considering comprehensive 
information security. Furthermore, once established, these 
definitions will be difficult to change. The burden to 
business, for example, to reclassify information for compliance 
with multiple definitions is substantial.
    To be specific, the types of information that should 
trigger notification differ from the types of information that 
should be protected overall. For example, medical records, 
wills, personal diaries, sensitive or private photographs and 
other similar information are all items federal law currently 
recognizes as sensitive personal information. State law has 
more narrow definitions including Social Security numbers, 
financial account numbers, and government ID numbers. Consumers 
should be informed about unauthorized disclosure of all this 
information. By contrast, sensitive information about trade 
secrets, computer infrastructure or security measures is not 
the province of the general consumer, yet such information must 
also be secured. On these bases, I strongly recommend that the 
subcommittee address breach notification and comprehensive data 
security concurrently.
    The second issue I wish to address is the risk-of-harm 
threshold. Certain formulations of this threshold negatively 
impact information security. Specifically, a threshold 
employing a negative presumption of notification, which 
requires proving risk of harm before triggering notification 
requirements, disincentivizes organizations from conducting 
thorough investigations. Organizations have incentives to limit 
investigations that might increase their liability. For 
example, when conducting comprehensive information security 
assessments, auditing and consulting firms often work together 
with law firms so that the results will be privileged and thus 
not discoverable in future civil litigation or regulatory 
investigations. Clients do not want to incur liability for 
failure to remediate security vulnerabilities identified in the 
assessment. A similar analysis applies to breach 
investigations. My research data supports this conclusion as 
does my professional experience. Thus, I strongly recommend 
that if a risk-of-harm threshold is adopted, the committee 
adopt an affirmative presumption of notification where risk of 
harm must be disproved before notification is exempted. To 
place the burden otherwise disincentivizes information security 
investigations, one of the most important tools in protecting 
consumers against future breaches and securing the overall 
information security ecosystem.
    I am happy to offer any assistance to the committee as it 
moves forward in its work. I again thank the chairman and the 
ranking member for the privilege and opportunity to testify 
here today, and I am pleased to answer any of your questions.
    [The prepared statement of Mr. Thaw follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Terry. Thank you very much for your testimony and 
appreciate the two law school professors here. It makes me 
feel--I had flashbacks to law school during your testimony.
    With that, I will start the questions--the answer to this 
is just yes or no. It was clearly clear in some of the 
testimonies but I do want to get it succinctly on the record 
starting with Mr. Richards and then going down to Professor 
Thaw.
    Do you believe there should be a federal notification law? 
Mr. Richards?
    Mr. Richards. Yes, we do, Mr. Chairman.
    Mr. Liutikas. Yes, we do, Mr. Chairman.
    Mr. Greene. Yes, sir.
    Ms. Matties. Yes.
    Mr. Terry. Now we get to the murkier.
    Ms. Matwyshyn. Exactly. Yes, provided the standard is at 
the highest level and does not preempt State law, as well as 
conduct being carved out to allow for States to experiment.
    Mr. Thaw. Yes, provided implemented properly. I provide 
detail in my written testimony on this, and concur with 
Professor Matwyshyn's statement.
    Mr. Terry. See, that is the flashbacks. There is always 
enough room to screw up on the test now.
    Ms. Matwyshyn. It always depends, right?
    Mr. Terry. It always depends.
    And the reason why I think it was important to just lay 
that item of foundation is that with 48 States and territories 
combined already having at least at the multinational level, 
you have a level of sophistication where they are already in 
compliance and then there is a level of concern that a new 
national standard just creates 49 instead of 48. So that brings 
us to what Professor Matwyshyn said in her ``but'', and that is 
no State preemption. So how does it work without preemption, 
and who wants to start? I will go with Dr. Matwyshyn first and 
then anyone else that wants to speak on preemption.
    Ms. Matwyshyn. So I actually consulted with a California 
government official responsible for enforcement, and provided 
that the framework on the national level provides a 
comprehensive disclosure regime and States and their 
enforcement agencies have direct access to this information as 
well as consumers, everyone wins because the information would 
simply be centralized. So if the disclosure requirements 
adequately conceptualize the questions that consumers and 
enforcers want to know, States, I believe, would be happy with 
a centralized regime and there wouldn't be a problem with 
enforcement, however, because of limitations of resources on 
the part of the Federal Trade Commission I believe should 
remain on the State level.
    Mr. Terry. All right. Mr. Richards, Liutikas and Greene, 
and Ms. Matties, quickly, though.
    Mr. Richards. Sure. Well, we believe the patchwork 
framework occurring in State laws is very duplicative in some 
cases, and in a lot of cases doesn't make sense. North Dakota, 
for example, requires notice of a breach of name and birth date, 
so there are different qualifications in terms of PII and what 
information you should focus on. New York requires notice of 
security breaches to be made to three separate State agencies. I 
think federal preemption is important but I don't think you 
should undermine strong consumer protections that are currently 
held and enjoyed at the State level.
    Mr. Terry. Thank you. Mr. Liutikas?
    Mr. Liutikas. I mean, at the end of the day I think we 
believe that first and foremost that consumers need the 
notification standard but in providing that standard, we could 
also simplify matters substantially for the small- to medium-
sized business which the current technology infrastructure 
allows them to operate in a way that is much bigger than maybe 
they could have done some years ago. So I think centralizing 
that notification standard and avoiding having the issue of 
determining whether or not a variety of State laws applies or 
does not apply would be extremely beneficial to the small- to 
midsized business that simply doesn't have the resources.
    Mr. Terry. Interesting. Mr. Greene?
    Mr. Greene. I would echo what Mr. Richards said, that if 
you have essentially 49 standards, you are just creating 
another box you have to check to ensure that you are doing 
everything right. If you do have a breach, you are not going to 
speed the process of understanding the scope of your breach or 
who you need to notify.
    Mr. Terry. Thank you. And Ms. Matties, I am actually going 
to change the question for you to more personalized because of 
your background and experience with the FTC. There has been a 
suggestion that at least with some of the telecoms that the FTC 
has the experience on data breach and notification in those 
areas. If there is a national bill, should it include the 
telecommunications and video with the FTC?
    Ms. Matties. Yes. The FTC has had more than 10 years of 
experience working on data breaches and data security cases, so 
they are well equipped to handle these kinds of cases. And I 
just would like to point out that there is already a model in 
Do Not Call for consolidating experiments in the States with 
consumer protection. A number of States have consumer 
protection laws for Do Not Call in individual States, and when 
the national standard became applicable, it really made things 
a lot easier for both businesses and for consumers because now 
consumers have a one-stop shop to go and put their name on a 
list. That would be a similar aspect here.
    Mr. Terry. All right. Thank you very much.
    The ranking member, Jan Schakowsky, is now recognized for 5 
minutes.
    Ms. Schakowsky. Thank you very much. Mr. Chairman, I just 
want to acknowledge that as important as this is to consumers 
that maybe in the future we could have a consumer witness or 
two to talk about some of their experiences. I think it would 
be helpful to inform our committee.
    Talking about data breaches, Professor Matwyshyn, do you 
foresee potential harms to the development of effective 
information security laws if Congress enacts certain breach 
notification provisions without enacting a well-considered data 
security law at the same time? I know Professor Thaw addressed 
that. And if so, what would they be?
    Ms. Matwyshyn. If I am understanding the question 
correctly, I believe that the optimal approach at this juncture 
is to bifurcate, to divide off the questions of data breach 
notification harm in this Nation from the questions of the best 
standard for liability arising from data security breaches.
    Ms. Schakowsky. To separate those two?
    Ms. Matwyshyn. To separate those two out. While the States 
have shown us the way and adequately experimented with 
notification, the questions of liability, how to craft it, what 
the standards are, what reasonable conduct is, that is a moving 
target and still very undeveloped, both from the standpoint of 
the information security community as a just-now-coalescing 
body of experts and from the standpoint of States having 
different approaches to consumer protection and the connection 
to other bodies of law. The Securities and Exchange Commission 
is starting to regulate in this space.
    These issues are tied with broader questions of software 
liability generally, and if we start to regulate too early, we 
may disrupt existing bodies of law and stifle innovation that 
is responsible and consumer protection.
    Ms. Schakowsky. OK. I do want to put the same question to 
Professor Thaw and see if the two of you are in agreement.
    Mr. Thaw. I agree with Professor Matwyshyn in the respect 
that the States have the ability to provide important 
experimentation. However, I am concerned about the resources 
that the States have on the technical side. With respect to the 
legal standard, I agree with Professor Matwyshyn. They can 
experiment and provide us with valuable data. However, this is 
a highly interconnected issue across the entire country, and I 
do not believe that the States have sufficient resources for 
enforcement or for simply providing the research and 
investigation necessary to know what standards would be 
effective at a national level as opposed to at a State level.
    Ms. Schakowsky. Let me get into the issue of data brokers. 
Most consumers have never heard about data brokers but there is 
a several-billion-dollar industry that knows the name, address, 
age, purchasing habits of nearly every American consumer. One 
company in this industry possesses on average 1,500 data points 
apiece on each of 190 million individuals in the United States 
and a profit of more than $77 million on this information. So 
again, let me go to Professor Matwyshyn.
    The Data Accountability and Trust Act as was passed in the 
111th Congress would have required data brokers to submit their 
security policies to the FTC and allow the Commission to 
perform or mandate the performance of security audits following 
a breach of security. What is your opinion on these kinds of 
provisions regarding data brokers?
    Ms. Matwyshyn. In that case, I believe you mentioned it was 
following a breach?
    Ms. Schakowsky. Yes.
    Ms. Matwyshyn. That would be entirely consistent with the 
types of proposals that we are considering now for centralized 
breach notification. The goal is to get as much information 
about breaches, how they happened, why they happened, the level 
of security that is in place in the particular organization to 
provide the information to both consumers and enforcement 
agencies to determine which entities are the good actors and 
which entities are the actors that still have a way to go to 
improve the level of care.
    Ms. Schakowsky. With just a minute or two, actually less 
than that, you may also want to comment on data brokers and the 
role that they play and how they should be regulated, Professor 
Thaw?
    Mr. Thaw. With respect to data brokers, I draw the 
committee's attention to the fourth section of my written 
testimony where I identify different levels of criticality, and 
I would suggest that data brokers are at a higher level of 
criticality, the reason being that the information they 
contain, to use Professor Matwyshyn's earlier example, could be 
information which is an authentication credential such as your 
mother's maiden name or your favorite color, your first pet, 
something that you use to secure other data that is very 
sensitive. For this reason, they should be regulated at a 
higher level, and this is something that cannot be overlooked.
    Mr. Terry. Thank you, and now we recognize the chairman 
emeritus for 5 minutes.
    Mr. Barton. Thank you, Mr. Chairman. I am going to try to 
give you a little bit of that time back.
    I think in your questions, Mr. Chairman, we established the 
panel does support a federal standard for notification. My 
question would be, does the panel also support going beyond 
that so that we get into the prevention and the liability 
issues? Does everybody, you know, support a federal law that 
goes beyond breach notification?
    Mr. Richards. I think that would depend on--we would 
obviously have to see the legislation but I certainly think we 
should probably change the culture of how our society looks at 
cybersecurity or information technology and how do you protect 
the information. Instead of making it an IT department issue, 
make it a CFO issue and really change the thinking and the 
approach to how we approach data protection in the country.
    Mr. Liutikas. I think we also need to look to industry 
associations like CompTIA which provides the industry a 
platform for collaborating on standards and best practices and 
their industry credentials such as the CompTIA Security Trust 
Mark credential, which audits the security practices of an 
organization. So I think in light of considering options such 
as that, I think we should also look at the options that the 
industry can provide as well.
    Mr. Greene. Conceptually, we support the notion of 
requiring security standards, so you are looking to prevent the 
breach, not just to mitigate after, and the same thing with the 
encryption. So if you have a breach, you are limiting the 
damage that can happen. But as Mr. Liutikas said, there are a 
lot of existing industry standards that are effective, and any 
type of standard needs to be very flexible and performance 
based. We don't want to be mandating anything specific in 
statute when we have a very shifting threat environment. So the 
notion of saying you need to be secure is OK, but if we get 
into where we are mandating specific types of solutions, I 
think that could be problematic.
    Ms. Matties. CTIA members and the broader 21st Century 
Privacy Coalition are interested in talking about data security 
for sure but we are happy to see that we are starting with data 
breach notifications.
    Ms. Matwyshyn. No limitations of liability are appropriate 
at this juncture. I think we are a little too premature. On the 
state level, experimentation would be great. A negligence 
standard perhaps evolving would be a good move. I think we are 
ready to address breach notification but I would be cautious in 
approaching liability.
    Mr. Thaw. Yes, if properly implemented, and I note that 
respectfully, Mr. Richards, I am concerned with his proposal of 
making this a CFO issue. While that is appropriate to 
companies' fiduciary duties under state law, it is not 
appropriate to the question of negative externalities that 
would result from breaches in one organization to the overall 
information ecosystem. I also do concur with my panelists' 
opinion that flexible standards are important.
    Mr. Barton. I agree with flexible standards.
    Mr. Chairman, I want to turn it back, but let me simply 
say, back in the 1930s when we had a rash of kidnappings, the 
Congress did not pass a kidnapping notification law. They 
passed strict laws delineating it was a federal crime if it 
crossed State lines and empowered the FBI to use every means 
possible to go after the kidnappers. We are not talking about 
stealing our children but we are talking about stealing our 
identities, and I would hope that this subcommittee and the 
full committee goes beyond breach notification law, and with 
that, I yield back.
    Mr. Terry. It is the intent. I am going to call on Mr. 
Barrow, and then we will adjourn, so if you are next in line as 
a Republican, you can go to the meeting.
    Mr. Barrow, you are now recognized for 5 minutes.
    Mr. Barrow. Thank you, Mr. Chairman, and thank you for 
setting the table with your questions. I want to follow up some 
of the issues that you raised.
    You know, privacy is important to me. The right to be 
secure in your persons and papers from State intrusion is in 
the Fourth Amendment. Warren and Brandeis said that the right 
to be let alone, the right of privacy is the right most prized 
by civilized men, I guess we would say today civilized men and 
women. I certainly agree with them on that.
    I guess the general consensus is that the current regime of 
essentially 48 separate State and territorial jurisdictions 
regulating this matter and our common market of the United 
States just ain't working. I think we all agree with that, and 
there is a general need for some federal guidelines, some 
federal standards for a uniform law in our national economy.
    Mr. Richards, Mr. Liutikas, Ms. Matties, you each talk 
about the subject of preemption, the need to preempt 
conflicting state laws. I want to ask the other members of the 
panel, what is the appropriate scope of federal preemption in 
this area? Yes, ma'am, go ahead.
    Ms. Matwyshyn. I believe the appropriate scope is creating 
a harmonized disclosure form but enforcement should be shared 
in the same way that it is in securities regulation. In the 
securities regulation context, we have multiple sources of 
oversight--the FCC, state level, securities regulators, other 
agencies inside the States.
    Mr. Barrow. Are you proposing a uniform law but shared 
responsibility with respect to enforcing the same law so the 
federal regulator would set the rules and regulations but the 
State folks might enforce the same federal law if the federal 
government isn't devoting enough resources to enforcing its 
law, the national standard? Is that what you have in mind?
    Ms. Matwyshyn. In the same way that securities disclosures 
happen on the federal level primarily but a particular state 
may have requirements in terms of protecting its citizens.
    Mr. Barrow. Well, additional requirements, additional 
substantive regulations and obligations and duties are 
different from a uniform standard that either the federal 
prosecutor or the state prosecutor can enforce the same law--
one land, one law. That is a very different matter. And having 
the right at the state level to enforce a federal standard is 
different than being able to make your own standard and enforce 
that in addition to the federal standard, so I want to talk 
about whether or not there are other folks on the panel who 
agree with the proposition that federal regulation ought to 
occupy the field when it comes to the substantive obligations 
and responsibilities in this area. Mr. Greene?
    Mr. Greene. Sir, we would agree that it should occupy the 
field but ultimately I think the notion of state enforcement 
would be acceptable as long as we are talking about a uniform 
federal standard.
    Mr. Barrow. I got you.
    Professor Thaw?
    Mr. Thaw. State enforcement concurrent with federal 
enforcement would be appropriate, and I want to emphasize that 
in either case, centralized notification and collection by a 
federal regulator so that we have information on what is going 
on is critical.
    Mr. Barrow. All right. We have had a slight diversity of 
opinion with respect to who ought to be able to make the rules, 
but there seems to be a general consensus that as long as we 
are enforcing the same rules, it doesn't matter which 
government the cop reports to if they are enforcing the law.
    I want to get to the subject of who ought to be the federal 
regulator. I think, Ms. Matties, you said that we not only need 
to have a uniform federal system but it ought to be headed up 
by the FTC as opposed to, say, the FCC. Does anybody disagree 
with that on the panel as to which federal regulator ought to 
be making the rules that we will be trying to enforce on a 
consistent basis nationwide? Does anybody disagree with that 
approach? Professor Thaw?
    Mr. Thaw. I agree that the Federal Trade Commission is the 
most appropriate for consumer regulation. However, that should 
not exempt critical infrastructure providers, which would 
include telecommunications providers from regulations to which 
they would also be subject by their regulators. Those 
regulators, for example, the Federal Communications Commission, 
the Nuclear Regulatory Commission are better familiar with what 
are the challenges faced by their entities, and if they need to 
impose additional standards, they should not be prevented from 
doing so by consumer regulation.
    Mr. Barrow. Is it your position that they can regulate in 
their areas of subject-matter jurisdiction and should not be 
able to regulate in the area of consumer protection?
    Mr. Thaw. If I understand your question correctly, my 
position is not that they should be pushing out the consumer 
regulator so the consumer regulator has no authority but only 
that they may and if necessary should regulate concurrently 
with the consumer regulator.
    Mr. Barrow. What do other members of the panel feel about 
that? Mr. Richards, Mr. Liutikas, Mr. Greene?
    Mr. Richards. Mr. Barrow, I would say that the FTC 
definitely when it comes to consumer information certainly I 
think our approach to privacy in this country is somewhat 
patchwork when you are dealing with HIPAA and the Fair Credit 
Reporting and Gramm-Leach-Bliley, so I certainly think that the 
current functional regulators also have a good system in place 
but the FTC certainly is equipped when it comes to consumer 
information.
    Mr. Barrow. Mr. Liutikas?
    Mr. Liutikas. I would generally concur with that although I 
think we would have to conduct some further analysis and see 
what really makes sense at the end of the day. You know, the 
question right now is somewhat theoretical but I think overall 
makes sense, and we certainly support having a federal agent, 
so whichever department that is.
    Mr. Barrow. Well, my time has run out, Mr. Greene. I regret 
that. But if any of you all want to follow up on this and 
supplement the responses that you have given or that others 
have given on this subject, please feel free to do so for the 
record.
    Thank you so much, and thank you, Mr. Chairman.
    Mr. Terry. And I mistakenly used the word ``adjourn'' 
earlier. We are recessing until probably 1 o'clock, hopefully 
by 1:03 or 1:04 we are asking questions of you. So thank you 
for your patience, and we will see you in 50, 55 minutes.
    [Recess.]
    Mr. Terry. I appreciate you all being back. We are missing 
Professor Thaw for the moment.
    Ms. Matwyshyn. He went to go fetch a deserted bag so that 
they don't confiscate it. He will be right back.
    Mr. Terry. Oh, that is important. We will string things 
out, but we will start with the questions. We have a short time 
before either votes or the next committee takes over. So we 
don't want to delay until he comes back but we will start with 
other people.
    Vice Chairman of the subcommittee, you are recognized for 5 
minutes, Mr. Lance.
    Mr. Lance. Thank you, Mr. Chairman, and good afternoon to 
the panel.
    To Ms. Matties, what, in your opinion, should be the proper 
standard for breach notification? Suspicion that a breach has 
occurred or actual evidence that such a breach has occurred?
    Ms. Matties. Actual evidence that a breach has occurred.
    Mr. Lance. So you would have a higher standard before----
    Ms. Matties. Yes.
    Mr. Lance. Thank you. And number two, should a breach have 
to result in identity theft or other financial harm to require 
consumer notification?
    Ms. Matties. There certainly should be consumer 
notification for identity theft and financial harm, and we are 
willing to talk to you about the other kinds of harms that 
might result from a breach of other information.
    Mr. Lance. Do you have suggestions regarding that other 
than financial harm?
    Ms. Matties. We are still working with our members to talk 
about this, and we look forward to talking to you as well about 
it.
    Mr. Lance. Thank you.
    Are there others on the panel who have an opinion on that? 
Yes, Professor.
    Ms. Matwyshyn. I believe that actual harm should not be 
required for notification. It serves a function to advise 
consumers of the occurrence of a breach and also to allow for 
tabulation and centralization of information about security 
practices so that we can collectively get a better picture of 
the entirety of the economy and the behaviors that are 
happening around information security.
    Mr. Lance. Thank you.
    Others on the panel? Mr. Richards?
    Mr. Richards. I thank you. We would--our standard would be 
that there should be a notification requirement if the breach 
presents a significant risk of harm to consumers and may 
perpetuate identity theft.
    Mr. Lance. A significant harm to consumers, which might be 
a slightly different standard from financial harm, if I am 
understanding you accurately?
    Mr. Richards. Yes.
    Mr. Lance. Professor Thaw?
    Mr. Thaw. I believe that notification should at least occur 
in all cases to a central reporting authority, which could be a 
federal regulator, that a substantial risk of harm is too high 
a threshold. I base this on the civil litigation where it was 
virtually impossible for any case to advance based on those 
types of claims, and with respect to the types of harm, I 
believe this requires further investigation but should not be 
limited to identity theft.
    Mr. Lance. And if the notification were made to an entity 
of the federal government, that entity would then in turn 
determine whether further notification should be made to the 
consumer?
    Mr. Thaw. That would be conditional on whether or not 
notification had already been made also by the company. I think 
at least the agency should retain the right to make that 
determination.
    Mr. Lance. Thank you. Are there other thoughts from the 
panel? Hearing none, Mr. Chairman, I am finished with 2 minutes 
to.
    Mr. Terry. Thank you, Mr. Lance.
    Mr. Harper, you are now recognized for 5 minutes.
    Mr. Harper. Thank you, Mr. Chairman, and thank each of you 
for being here, and it is a very important issue to each of 
you, I know, and certainly it is to our country and many 
businesses, and I will start with you, if I could, Mr. 
Richards, and ask you, how would you define a breach that 
constitutes a reasonable risk of harm to consumers?
    Mr. Richards. Sure. Thank you, Congressman. In terms of a 
reasonable risk, we believe that data that could be used to 
perpetuate identity theft, if you were to allow someone to use, 
log in to or access an individual's account or establish a new 
account using that individual's identifying information, and we 
would hold it to that standard.
    Mr. Harper. So as you define a breach, how do you define a 
significant risk of harm to consumers?
    Mr. Richards. If there is a risk of identity theft or 
stealing personal information and using or creating a new 
identity based on that personal information.
    Mr. Harper. Well, how should we or how would we define what 
constitutes a significant risk of harm to consumers? If you 
were advising us, if Congress did define the type of personally 
identifiable information that constitutes harm to consumers, is 
it possible that such a list would keep up with technological 
innovations?
    Mr. Richards. Yes, sir. I think it is important not to 
mandate specific technologies. As you know, we need a flexible 
framework. Some technologies today and best practices can 
render data useless, and in that case, if a company or an 
organization is trying to take the right approach and render 
the data useless, we believe a safe harbor should be granted to 
incentivize that good behavior if the information is 
indecipherable, but we need a flexible framework in an effort 
not to undermine innovation for new technologies that come down 
the line.
    Mr. Harper. And I know I am going to mispronounce your 
name, Ms. Matties, if I could ask you a question. My 
understanding from your testimony is that different data breach 
requirements apply to different entities, even for the same 
information. Is there any public policy justification for 
applying different data breach requirements to the same 
information?
    Ms. Matties. No, there is not.
    Mr. Harper. And I will ask this panel-wide, if I could. All 
of your testimony points out that States have different 
notification requirements and definitions. Is there a certain 
time frame post breach that you believe individuals have a 
right to be notified? I would like to hear each of your 
responses on that, and I will start with you, Mr. Richards.
    Mr. Richards. Certainly. Well, we think there needs to be a 
little bit of time in order for a company to perform cyber 
forensics. We don't have a specific position on a specific time 
frame but our businesses and their approach is as quickly as 
possible and consulting with law enforcement and others, and we 
follow up on our due diligence and report it to the consumer as 
quickly as possible.
    Mr. Harper. Well, following up on that, how can--maybe you 
can walk me through. How is notification without unreasonable 
delay how that really works in the real world?
    Mr. Richards. Well, I think in terms of, if you look at the 
different State requirements, there is different time frames 
that are offered. Puerto Rico is 10 days to notify folks. 
Vermont is about 14 days. Minnesota requires reporting to 
credit bureaus within 48 hours. So sometimes when you are 
looking at the condensed time frame, you are really trying to 
figure out the extent of the breach, what has been breached. So 
I think in terms of those time frames, it is a very short 
turnaround and a very short fuse, and I think companies want to 
make sure that they have the right answers before they disclose 
information publicly but I believe they do have the 
responsibility to report it to consumers.
    Mr. Harper. Thank you. And I will ask each of you, is there 
a certain time frame post breach that you believe individuals 
have a right to be notified?
    Mr. Liutikas. Yes, Congressman, we certainly--and we will 
mirror a little bit of what Mr. Richards said. We believe in a 
reasonable time frame in which to notify. I think it is just 
important for the exceptions to be made for instances where law 
enforcement needs to act or other information needs to be 
gathered so that the correct information is being provided to 
the consumers. So we don't have an exact timeline that we 
recommend but we do recommend having exceptions for those 
legitimate reasons.
    Mr. Harper. And Mr. Greene, I think I can at least get your 
response before my time is up.
    Mr. Greene. Sure. I would say that you definitely need to 
have enough time so the company can determine the scope of what 
was lost and what wasn't lost, fix the vulnerability. You don't 
want to go public and basically hang a target around your neck, 
and I would say, though, a rush to report can be bad. Every 
incident is different. I think if there is one rule, it is that 
first reports are pretty much always wrong. With respect to the 
breach about Congress today, you are going to see what was 
published today a week from now is going to be outdated, is 
going to be different, so you need to allow time. It needs to 
be as quickly as possible but you need to make sure that you 
are getting it right. It is better to be right in most cases 
than it is to be fast.
    Mr. Harper. Thank you, and I believe my time has expired so 
I yield back, Mr. Chairman.
    Mr. Terry. Thank you, and now the chair recognizes the 
gentleman from Texas, of which he is very proud and will 
probably mention that. He is recognized for 5 minutes.
    Mr. Olson. Thank you, Mr. Chairman, for holding this 
hearing, and thank you to the witnesses for attending.
    Mr. Chairman, you should know that I got my plug in with 
all the witnesses as to why they should move to the great State 
of Texas before we were gaveled in at 11 o'clock, so we are 
done with that business.
    At the end of the day, this hearing, to me, is about two 
questions. Number one, is federal legislation necessary when 
data has been breached. If the answer is yes, then what should 
that legislation look like. In your written testimonies that I 
reviewed last night, it appears that federal legislation would 
help protect consumers, but Mr. Richards raises the point that 
there are some technology companies it is helpful but not 
vital. The two professors were concerned with, you know, 
federal government overreach and taking over what the States 
are doing pretty well. But I believe this difference raises an 
important point, that if we pursue legislation, we must 
carefully draft it to ensure that the federal government 
doesn't become the 49th entity out there that companies must 
comply with. We should have a Hippocratic oath for data 
breaches: harm has been done; do no more harm.
    In regards to the ultimate decision to pursue legislation, 
consumers expect their privacy of their personal information to 
be protected, and I know you all agree we must keep them at the 
forefront of this conversation and debate.
    My first question is for you, Ms. Matties. Do you think the 
existence of 48 different data breach regimes results in breach 
notifications being faster or slower?
    Ms. Matties. I think it makes it slower. Companies try very 
hard to comply with all the laws out there but it certainly is 
a distraction, at best, from the other tasks that they need to 
complete when dealing with a data breach as has been discussed 
by the other panelists.
    Mr. Olson. Does anybody else care to comment on that, 
faster or slower? Professor Thaw?
    Mr. Liutikas. Congressman, I think it makes it 
significantly--oh, I apologize.
    Mr. Olson. You are up next, Mr. Liutikas.
    Mr. Thaw. I believe historically it has made it slower but 
it absolutely does not need to. It is a very formulaic regime 
for which procedures can be developed, for example, to 
analogize to something with which I believe many people may be 
familiar, Legal Zoom, the product that provides--you punch in 
the information, we generate a will or something similar. I 
could develop today a program that would handle the current 
jurisdiction requirements in place.
    Mr. Olson. OK, Mr. Liutikas, come on in.
    Mr. Liutikas. Thank you, Congressman. In addition to making 
the process slower today, I think the process of actually 
evaluating all of the different requirements and the laws out 
there also creates more opportunity for not properly reporting 
under a variety of State laws. So not only does it slow it 
down, I think there is more opportunity for mistakes to be made 
as well.
    Mr. Olson. Thank you.
    Another one for you, Ms. Matties. How do wireless companies 
deal with the fact that States have different definitions of 
personal information? Can that result in over-reporting in some 
States? Does it create consumer confusion? And what harm may 
companies incur if they over-report and some examples? So 
basically over-reporting, confusion, harm, examples.
    Ms. Matties. I am not sure I have examples for all those 
questions, but certainly, over-reporting can be a problem. It 
is sort of the boy who cried wolf. If you get notices over and 
over that actually don't pertain to you, you may start to 
ignore them, but worse, you may actually start making changes 
to your passwords and closing and opening bank accounts 
unnecessarily, wasting your own energy. So the different State 
regimes can cause over-reporting, which can harm consumers, and 
it also certainly impacts businesses in being able to comply 
with those laws.
    Mr. Olson. It looks like the professor wants to make 
comments. Ma'am, you are up.
    Ms. Matwyshyn. I wanted to play up on that point. The two 
complaints--I shouldn't say complaints. The two comments that I 
have heard repeatedly from businesses in their compliance 
efforts, first, that the regulatory end of this is complicated. 
Different regulators are required to receive filings in 
different States so simplifying the regulatory complexity would 
be something they would want.
    The second point that they repeatedly mention to me is the 
definition of what constitutes information that triggers 
reporting, and they would be happy with a broader definition of 
the information that triggers information as long as it is a 
bright line, it is clear to them. And so many companies, 
especially the most sophisticated technology companies, are now 
erring on the side of reporting because it is simpler, and they 
don't view it necessarily as a bad thing, they just want 
simplification and a single regulatory point of contact.
    Mr. Olson. And I would assume when they go public that they 
have had some data breach, that affects their business because 
consumers look at a company that has had a data breach, maybe 
is having some faults, which is not true, but the bottom line, 
in the market they get spooked and move their products 
elsewhere. One more comment, ma'am. I am out of time.
    Ms. Matwyshyn. If I can just follow up, the other benefit 
that a centralized point provides is the ability for companies 
engaging in highest security practices to announce that. So 
even if they suffer a data breach from a zero day 
vulnerability, for example, if they are using the highest end 
software possible, then enforcement agencies are going to say 
oh, they tried really hard, this is a good company doing the 
right thing. But if it is someone who hasn't updated their 
systems in 6 years and that is why they had a data breach, that 
is a completely different ball of wax.
    Mr. Olson. I am out of time. I thank the witnesses, and 
come to Texas.
    I yield back.
    Mr. Terry. No.
    Mr. Johnson, you are recognized.
    Mr. Johnson. Also no, Mr. Chairman.
    I would like to thank the panel for being here today. I 
spent about 30 years of my professional career before I came to 
Congress in the information technology field in the Department 
of Defense, worked as the director of the CIO staff for special 
operations command, so I certainly understand the complexities 
of data security and how easy it is for those who are 
determined to get into it.
    So with that as a backdrop, do we have any empirical data 
to answer the question about how quickly we should notify 
consumers? I mean, do we have any data that tells us after 
several hundred thousand identities are breached, do we know 
how long before the bad guys start using that information? 
Anybody on the panel? Mr. Greene?
    Mr. Greene. Unfortunately, there is no answer. There are 
thriving black markets in personal information, whether it is a 
Social Security number, et cetera, or simply credit card 
numbers, and it can be a game of roulette whether your card is 
bought before it goes stale or not, so we don't know how fast. 
It really depends on how they are going to use their 
information. Slightly off point, but there is empirical 
evidence. The Ponemon study from last year found--it was 
looking at the impacts, and one of the drivers of increased 
costs was notification too early. What they found is, companies 
that rushed to notify often notified a significant number of 
people who once they did their full forensic work had not 
actually had their personal information made public, yet the 
companies notified them. The individuals, many of them, went to 
the trouble of changing passwords, etc. The company had to pay 
for monitoring and other services. So we do know--and again, 
not discounting the need to notify quickly but doing it too 
quickly can drive up costs, both for the individuals and the 
companies.
    Mr. Johnson. Speaking of quickly or not quick enough, do 
you think that breaches are over- or under-notified today? 
Again for the entire panel. Does anybody have a thought? Yes, 
ma'am.
    Ms. Matwyshyn. I would say they are dramatically under-notified. Frequently, they are never discovered, and that is 
partially because companies unfortunately don't always have 
state-of-the-art security in place. Also in the public 
sector, we have the same challenges with security. So I would 
assume there are two breaches for every one that is reported.
    Mr. Johnson. Given that there is a plethora of State 
regulations that require this, do you think an overarching 
federal standard lessens the risk of under- or over-notification?
    Ms. Matwyshyn. I think it is heading in the right 
direction. I think we are improving. We are all becoming more 
educated about these issues. Companies are becoming more 
sensitive. There is dramatic improvement in the last decade, 
and particularly in industries such as financial services, they 
are improving, and there is a learning curve happening, so we 
are heading in a good direction, and I think federal harmonized 
legislation is a step in that direction.
    Mr. Johnson. Mr. Richards, you noted that the FTC has been 
relatively active in bringing cases against companies for 
failure to maintain or disclose their security practices. If 
the FTC has this existing authority, do we need to address data 
security in more federal legislation?
    Mr. Richards. Congressman, in reference to your last point, 
I believe strong federal preemptive data breach notification 
law that is broad in scope would cut down on over-notification 
certainly. We believe that the FTC does have a lot of 
jurisdiction within its existing authority but we believe given 
the patchwork quilt of 48 different State laws that a broad 
federal preemptive law would be very helpful to our businesses.
    Mr. Johnson. Well, I think I know the answer to this next 
question, Mr. Richards, but can data security and data breach 
notification be addressed separately or are they hand in hand?
    Mr. Richards. Well, I think they can be. Well, I would 
suggest addressing them separately, first data breach 
notification, getting some consensus on the committee. I think 
certainly the conversation around data security is important. I 
think there should be some focus on what we have been talking 
about in terms of a safe harbor, how do you incentivize 
companies or give companies some type of guidance on how they 
render the data useless so if it is hacked or stolen, you have 
taken the measures and you shouldn't have to report. So I think 
certainly as a balance, a lot of the focus has been on what 
happens post breach but I certainly think there are some 
measures they can take pre-breach.
    Mr. Johnson. Great. I think I am last, Mr. Chairman. If you 
would indulge for one more?
    Mr. Greene, you stated that there were 93 million 
identities exposed in 2012. Does this mean people, their names, 
their user names or their Social Security numbers? What does 
identity mean in that 93 million number?
    Mr. Greene. By the way we counted, it was name in 
connection with Social Security number, address--one of the 
following: Social Security number, address, date of birth, or 
credit card information. Essentially, information that put 
together would allow financial fraud or identity theft.
    Mr. Johnson. All right. Thank you, Mr. Chairman. I yield 
back.
    Mr. Terry. Well done, everybody, so that concludes the 
questioning period, which means that we are finished except for 
a little bit of work here.
    I ask unanimous consent to include the following statements 
in the record: one, statement of the Electronic Transaction 
Association dated July 18, 2013; two, a letter from the Credit 
Union National Association, CUNA, dated July 17, 2013; a letter 
from McDonald Hopkins LLC dated July 18, 2013; number four, 
National Retail Federation statement dated July 18, 2013. These 
have all been approved by the minority staff. Hearing no 
objections then, so ordered.
    [The information appears at the conclusion of the hearing.]
    Mr. Terry. No documents to be submitted on your side. Now 
all of our business is done, and I want to thank all of you. It 
has been very insightful. It was very stimulating, and we greatly 
appreciate your time and your testimony, which is your talent, 
and thank you, and we are adjourned.
    [Whereupon, at 1:24 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

                 Prepared statement of Hon. Fred Upton

    Those of us who have been in Congress more than a term or 
two know the issue of informing consumers in the event of a 
data breach has been around for a number of years.
    The importance of protecting our personal information grew 
as the crimes of identity theft and financial fraud became more 
pervasive in our digital world. It's a fact of life almost 
every citizen has some digital footprint or profile--whether 
from the state and county records, school records, or 
transactions with businesses.
    As we enjoy the wonderful new conveniences and efficiencies 
provided by the technology, the downside is that it also 
facilitates the ability of criminals to act with equal 
efficiency to commit identity theft or other crimes that can 
potentially injure far more consumers' credit and finances. No 
longer is a criminal confined by what he can gather from a few 
paper-based records taken from a mailbox or file cabinet. 
Rather, the most sophisticated of today's cybercriminals can 
attempt to hack into digital databases and gain access to the 
data on millions of individuals.
    Data breaches were a somewhat novel issue 8 years ago when 
we first learned of them. Our constituents were being notified of 
a breach of their information for the first time under a 
handful of state notification laws. The landscape has evolved 
and notifications have become more common, as have breaches and 
state notification laws: we now have laws in 48 states and 
territories, including every state represented on this dais 
except for one--many of which have slight differences--as well 
as a separate federal notification law addressing breached 
health information. Entities holding our personal information 
have also evolved, incorporating security as an essential part 
of their operation. Experience has demonstrated the harm to 
their customers and the entity's reputation are reason enough 
to encourage those who hold our information to take reasonable 
steps to protect it.
    Yet breaches, identity theft, and financial fraud continue 
and we must consider whether the current notification regime is 
appropriate. I believe timely notification is an important 
aspect of helping consumers protect themselves following a 
breach of their information--and I question whether having to 
examine 48 different laws before notifying one's customers is 
helpful to this goal. If the breach was intentional or if the 
data falls into the hands of criminals with malicious goals, 
the consumer should be aware to take preventative steps to 
protect or monitor their accounts more closely. Dealing with 
identity theft or account fraud can be an expensive and time 
consuming ordeal for a victim.
    I think the title of the hearing is an appropriate question 
to ask: ``Is Federal Legislation Needed to Protect Consumers?'' 
Certainly no one would propose 48 variants of the same law--
each with their own compliance requirements--as an efficient 
way to address any problem. Can a Federal notification law 
replace the state laws in a way that maintains the protections 
afforded by the states and minimizes consumer confusion? I 
think the potential benefits to both consumers and businesses 
from a single standard make this an issue worthy of our time. I 
welcome our witnesses and look forward to discussing their 
perspectives.
                              ----------   