[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
WHAT ARE THE ELEMENTS OF SOUND DATA BREACH LEGISLATION?
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
JANUARY 27, 2015
__________
Serial No. 114-4
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
____________
U.S. GOVERNMENT PUBLISHING OFFICE
20-396 PDF WASHINGTON : 2016
______________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON ENERGY AND COMMERCE
FRED UPTON, Michigan
Chairman
JOE BARTON, Texas FRANK PALLONE, Jr., New Jersey
Chairman Emeritus Ranking Member
ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois ANNA G. ESHOO, California
JOSEPH R. PITTS, Pennsylvania ELIOT L. ENGEL, New York
GREG WALDEN, Oregon GENE GREEN, Texas
TIM MURPHY, Pennsylvania DIANA DeGETTE, Colorado
MICHAEL C. BURGESS, Texas LOIS CAPPS, California
MARSHA BLACKBURN, Tennessee MICHAEL F. DOYLE, Pennsylvania
Vice Chairman JANICE D. SCHAKOWSKY, Illinois
STEVE SCALISE, Louisiana G.K. BUTTERFIELD, North Carolina
ROBERT E. LATTA, Ohio DORIS O. MATSUI, California
CATHY McMORRIS RODGERS, Washington KATHY CASTOR, Florida
GREGG HARPER, Mississippi JOHN P. SARBANES, Maryland
LEONARD LANCE, New Jersey JERRY McNERNEY, California
BRETT GUTHRIE, Kentucky PETER WELCH, Vermont
PETE OLSON, Texas BEN RAY LUJAN, New Mexico
DAVID B. McKINLEY, West Virginia PAUL TONKO, New York
MIKE POMPEO, Kansas JOHN A. YARMUTH, Kentucky
ADAM KINZINGER, Illinois YVETTE D. CLARKE, New York
H. MORGAN GRIFFITH, Virginia DAVID LOEBSACK, Iowa
GUS M. BILIRAKIS, Florida KURT SCHRADER, Oregon
BILL JOHNSON, Ohio JOSEPH P. KENNEDY, III,
BILLY LONG, Missouri Massachusetts
RENEE L. ELLMERS, North Carolina TONY CARDENAS, California
LARRY BUCSHON, Indiana
BILL FLORES, Texas
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
RICHARD HUDSON, North Carolina
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota
7_____
Subcommittee on Commerce, Manufacturing, and Trade
MICHAEL C. BURGESS, Texas
Chairman
JANICE D. SCHAKOWSKY, Illinois
LEONARD LANCE, New Jersey Ranking Member
Vice Chairman YVETTE D. CLARKE, New York
MARSHA BLACKBURN, Tennessee JOSEPH P. KENNEDY, III,
GREGG HARPER, Mississippi Massachusetts
BRETT GUTHRIE, Kentucky TONY CARDENAS, California
PETE OLSON, Texas BOBBY L. RUSH, Illinois
MIKE POMPEO, Kansas G.K. BUTTERFIELD, North Carolina
ADAM KINZINGER, Illinois PETER WELCH, Vermont
GUS M. BILIRAKIS, Florida FRANK PALLONE, Jr., New Jersey (ex
SUSAN W. BROOKS, Indiana officio)
MARKWAYNE MULLIN, Oklahoma
FRED UPTON, Michigan (ex officio)
(ii)
C O N T E N T S
----------
Page
Hon. Michael C. Burgess, a Representative in Congress from the
State of Texas, opening statement.............................. 2
Prepared statement........................................... 3
Hon. Leonard Lance, a Representative in Congress from the State
of New Jersey, opening statement............................... 4
Hon. Janice D. Schakowsky, a Representative in Congress from the
State of Illinois, opening statement........................... 5
Prepared statement........................................... 6
Hon. Fred Upton, a Representative in Congress from the State of
Michigan, opening statement.................................... 8
Prepared statement........................................... 8
Hon. Frank Pallone, Jr., a Representative in Congress from the
State of New Jersey, opening statement......................... 10
Prepared statement........................................... 11
Witnesses
Elizabeth Hyman, Executive Vice President, Public Policy,
TechAmerica, Computing Technology Industry Association......... 12
Prepared statement........................................... 15
Answers to submitted questions............................... 97
Brian A. Dodge, Executive Vice President, Communications and
Strategic Initiatives, Retail Industry Leaders Association..... 26
Prepared statement........................................... 28
Answers to submitted questions \1\........................... 102
Jennifer Barrett-Glasgow, Global Privacy Officer, Acxiom
Corporation.................................................... 34
Prepared statement........................................... 36
Answers to submitted questions............................... 103
Woodrow Hartzog, Associate Professor of Law, Cumberland School of
Law, Samford University........................................ 43
Prepared statement........................................... 45
Answers to submitted questions............................... 108
Submitted Material
Letter of January 27, 2015, from Gary Shapiro, President and
Chief Executive Officer, Consumer Electronics Association, to
Mr. Burgess and Ms. Schakowsky, submitted by Mr. Burgess....... 74
Letter of January 26, 2015, from Peggy Hudson, Senior Vice
President, Government Affairs, Direct Marketing Association, to
Mr. Burgess and Ms. Schakowsky, submitted by Mr. Burgess....... 76
Letter of January 23, 2015, from American Bankers Association, et
al., to Mr. Burgess and Ms. Schakowsky, submitted by Mr.
Burgess........................................................ 78
Letter of January 26, 2015, from Howard Fienberg, Director of
Government Affairs, Marketing Research Association, to Mr.
Burgess and Ms. Schakowsky, submitted by Mr. Burgess........... 80
Letter of January 27, 2015, from David French, Senior Vice
President, Government Relations, National Retail Federation, to
Mr. Burgess and Ms. Schakowsky, submitted by Mr. Burgess....... 81
Letter of January 23, 2015, from Carrie R. Hunt, Senior Vice
President of Government Affairs and General Counsel, National
Association of Federal Credit Unions, to Mr. Burgess and Ms.
Schakowsky, submitted by Mr. Burgess........................... 83
----------
\1\ Mr. Dodge did not answer submitted questions for the record by the
time of printing.
Letter of January 27, 2015, from Consumer Data Industry
Association, et al., to Mr. Burgess and Ms. Schakowsky,
submitted by Mr. Burgess....................................... 86
Statement of National Association of Convenience Stores and
Society of Independent Gasoline Marketers of America, January
27, 2015, submitted by Mr. Burgess............................. 88
WHAT ARE THE ELEMENTS OF SOUND DATA BREACH LEGISLATION?
----------
TUESDAY, JANUARY 27, 2015
House of Representatives,
Subcommittee on Commerce, Manufacturing, and Trade,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 11:06 a.m., in
room 2123 of the Rayburn House Office Building, Hon. Michael C.
Burgess (chairman of the subcommittee) presiding.
Members present: Representatives Burgess, Lance, Blackburn,
Harper, Guthrie, Olson, Kinzinger, Bilirakis, Mullin, Upton (ex
officio), Schakowsky, Clarke, Kennedy, Cardenas, Rush,
Butterfield, Welch, and Pallone (ex officio).
Staff present: Charlotte Baker, Deputy Communications
Director; Leighton Brown, Press Assistant; Graham Dufault,
Counsel, Commerce, Manufacturing, and Trade; Melissa Froelich,
Counsel, Commerce, Manufacturing, and Trade; Kirby Howard,
Legislative Clerk; Paul Nagle, Chief Counsel, Commerce,
Manufacturing, and Trade; Olivia Trusty, Counsel, Commerce,
Manufacturing, and Trade; Michelle Ash, Democratic Counsel,
Commerce, Manufacturing, and Trade; Jeff Carroll, Democratic
Staff Director; Lisa Goldman, Democratic Counsel, Commerce,
Manufacturing, and Trade; Tiffany Guarascio, Democratic Deputy
Staff Director; and Meredith Jones, Democratic Director of
Outreach and Member Services.
Mr. Burgess. Well, good morning, everyone. Before we begin
our first subcommittee meeting of the 114th Congress, the
ranking member and I would like to briefly recognize new
members of the subcommittee. For the benefit of the ranking
member, I am not a new member. I was on this subcommittee
several terms ago. So I am back on the subcommittee. For that I
am grateful, but on the majority side--I don't believe she has
joined us yet--but we have Ms. Brooks representing the 5th
District of Indiana and Mr. Markwayne Mullin representing
Oklahoma's 2nd District. Welcome to the committee, welcome to
the subcommittee. We are grateful and excited to have you on
board. For the minority, Subcommittee Ranking Member Schakowsky
will introduce her new members.
Ms. Schakowsky. Thank you, Mr. Chairman, for just letting
me say how much I look forward to working with you on this
subcommittee. New members include Yvette Clarke. She represents
New York's 9th Congressional District as a proud Brooklyn
native with strong roots planted in her Jamaican heritage. She
is an outspoken advocate for her district, always working to
champion the middle class and those who aspire to reach it. Her
district has become a center of innovation for health care and
includes some of the best hospitals, trade associations, and
businesses in the industry. I look forward to her bringing her
tenacity, deep knowledge, and enthusiasm to this subcommittee.
Next to her is Joe Kennedy, who serves the people of
Massachusetts' 4th, has dedicated his life to public service,
and brings with him a firm commitment to social justice and
economic opportunity. Joe has previously served in the Peace
Corps, worked as an International Development Analyst for the
United Nations' Millennium Project, and as an anti-poverty
consultant abroad. I know that he will bring that passion for
public service and economic growth to everything he does on the
subcommittee. And not here now but also a new member of the
subcommittee is Tony Cardenas representing California's 29th
Congressional District. He has made a name for himself by
always advocating strongly on behalf of his constituents on
issues like juvenile justice, immigration, higher education,
and economic improvement. He has brought hard work and
dedication to his 16 years of public service on behalf of the
people of the Northeast San Fernando Valley. As a former small
business owner, an engineer, head of the California Budget
Committee, and as a leader in environmental progress in the
City of Los Angeles, I am certain Tony will be able to lead his
expertise to our subcommittee's progress. Thank you, Mr.
Chairman.
Mr. Burgess. Thank you, Ranking Member Schakowsky. We
welcome all members of the subcommittee back and look forward
to working with each and every one of you in the 114th
Congress.
Before I get started, I also want to recognize a visiting
delegation of the legislative staff from the Parliaments of
Georgia, Kosovo, Macedonia, and Nepal through the House
Democracy Partnership. They are in town for a seminar on
strengthening committee operations and are observing today's
hearing as part of the program. I hope they are able to learn a
great deal, both today and during their tenure here the rest of
the week.
Ms. Schakowsky. Mr. Chairman, could they acknowledge
themselves so we can all see who they are. Great. Thank you.
Mr. Burgess. Welcome. Thank you for coming. I am glad you
were able to make it here with the weather.
The Subcommittee on Commerce, Manufacturing, and Trade will
now come to order. I will recognize myself for 5 minutes for
the purposes of an opening statement.
OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF TEXAS
The purpose of today's hearing is to move one step closer
to a single, Federal standard on data security and breach
notification. Increasingly, our personal details, which we need
to verify financial transactions, are converted into data and
uploaded to networks of servers, and not always can those
servers be protected with a simple lock and key. We benefit
immensely from the quick access and command this system gives
us. Global commerce is literally at our fingertips on a daily
basis.
And yet such a dynamic environment brings with it dynamic,
evolving risks. As our options multiply, so must our defensive
measures. Those defensive measures must adapt quickly. As
several commentators have noted in testimony before this
subcommittee, it is no longer a matter of if a breach occurs.
It is when and what happens when.
Even so, questions remain as to whether businesses are
doing enough to prevent security breaches. That is why I
believe Federal legislation should include a single but
flexible data security requirement. Now, about 12 States have
already implemented such a requirement on commercial actors
that are not banks or health care providers.
A single requirement across the States would give companies
some confidence that their methods are sound in handling
electronic data, an inherently interstate activity. Moreover,
it would put all companies on notice that if you fail to keep
up with other companies, if you aren't learning from other
breaches, you will be subject to Federal enforcement.
Indeed, too many resources are spent trying to understand
the legal obligations involved with data security and breach
notification. Certainty would allow those resources to be spent
on actual security measures and notifications and their
affected consumers.
As we discuss the necessary elements of a data breach bill,
there are a few considerations that I want to mention. First,
there is a limited window for us to act. Criminal data breaches
have grabbed the headlines for about a decade, but a consensus
solution has thus far eluded Federal legislators. This
committee is calling for action, the President asked for
legislation with national breach notification, and the Senate
has legislation in front of it with a national standard.
But most importantly, it is our consumers who are calling
for legislation, thus giving us the time to act.
Second, this legislation is limited to this committee's
jurisdiction. The surest way to deny consumers the benefits of
Federal data security legislation is to go into areas beyond
our jurisdiction. Specifically, the health care and the
financial sectors have their own regimes. If we aim to rewrite
rules for those sectors, then it will be years, perhaps
decades, before a bill is signed into law. That is not to say
that we will ignore those issues. But they may need to be taken
up separately.
Third, our aspiration at this point is that legislation
comes forward with bipartisan support, and do sincerely believe
that that is an achievable goal.
With this hearing, I aim to understand the policy points
where stakeholder compromise is possible. We are seeking to
find agreement not only between the two sides of the dais but
also between stakeholders with divergent interests. The sooner
we understand the most important principles, the smoother
negotiations will go over the next several months.
[The prepared statement of Mr. Burgess follows:]
Prepared statement of Hon. Michael C. Burgess
The purpose of today's hearing is to move one step closer
to a single, Federal standard on data security and breach
notification.
Increasingly, our personal details-which we need to verify
financial transactions-are converted into data and uploaded to
networks of servers that can't be protected with a simple lock
and key.
We benefit immensely from the quick access and command this
system gives us-the world's merchants are at our fingertips.
And yet such a dynamic environment brings with it a dynamic
and evolving set of risks. As our options multiply, so must our
defensive measures.
Those defensive measures must adapt quickly. As several
commentators have noted in testimony before this subcommittee,
it is no longer a matter of if a breach occurs, but when.
Even so, questions remain as to whether businesses are
doing enough to prevent security breaches.
This is why I believe Federal legislation should include a
single-but flexible-data security requirement. Now, about 12
States have already implemented such a requirement on
commercial actors that are not banks or health care providers.
A single requirement across the States would give companies
some confidence that their methods are sound in handling
electronic data, an inherently interstate activity.
Moreover, it would put all companies on notice that if you
fail to keep up with other companies and if you aren't learning
from other breaches, you will be subject to Federal
enforcement.
Indeed, too many resources are spent trying to understand
the legal obligations involved with data security and breach
notification. Certainty would allow those resources to be spent
on actual security measures and notifications to affected
consumers.
As we discuss the necessary elements of a data breach bill,
there are a few considerations I want to mention.
First, there is a limited window for us to act. Criminal
data breaches have grabbed headlines for about a decade, but a
consensus solution has thus far eluded Federal legislators.
This committee is calling for action, the President is
calling for legislation with a national breach notification
regime, and the Senate has legislation with a national
standard. But most importantly, consumers are calling for
legislation-the time to act is now.
Second, this legislation is limited to this committee's
jurisdiction; the surest way to deny consumers the benefits of
Federal data security legislation is to visit areas beyond our
jurisdiction.
Specifically, the healthcare and financial sectors have
their own regimes. If we aim to rewrite rules for those sectors
then it will be years before a bill is signed into law.
That is not to say that we will ignore those issues. But
they may need to be taken up separately. Third, our aspiration
at this point is for legislation with bipartisan support and I
believe that is achievable.
With this hearing, I aim to understand the policy points
where stakeholder compromise is possible. We are seeking to
find agreement not only between the two sides of the aisle, but
also between stakeholders with divergent interests.
The sooner we understand the very most important
principles, the smoother negotiations will go over the next
couple months.
Mr. Burgess. With that, I do want to thank our witnesses
for the testimonies that they have provided us and representing
their interests candidly in the spirit of compromise. And I
would like to recognize the vice chair of the subcommittee, Mr.
Leonard Lance of New Jersey.
OPENING STATEMENT OF HON. LEONARD LANCE, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF NEW JERSEY
Mr. Lance. Thank you, Mr. Chairman, and it is an honor to
serve under your leadership as the new chair of the
subcommittee, and I am sure you will do a superb job.
Well, the debate over data breach legislation has continued
for several years. The issue has been brought to the forefront
by unfortunate, high-profile breaches recently, and of course,
the most recent is the Sony Pictures hack at the end of last
year.
The question of how to proceed on data breach reform has
wide implications for both businesses and consumers alike.
Today businesses that attempt to report a breach must navigate
through a complex labyrinth of 47 State laws which are not all
the same. Each State has answered the following questions in
its own way: What is defined as an event trigger? What is the
appropriate timeframe by which companies must notify consumers
that their identifiable information has been breached? Who is
responsible for notifying affected consumers?
The lack of certainty of these regulations places an undue
burden on businesses trying to report a breach properly and an
undue burden on consumers. Federal law will streamline
regulations, give certainty to businesses resulting in greater
compliance and also to consumers who suffer a data breach.
However, it is my belief that it will only be effective if
it preempts the patchwork of 47 State laws. The debate over
Federal data breach legislation has continued over the span of
several Congresses. It is my hope that we can pass effective,
bipartisan data breach legislation this year.
Thank you, Mr. Chairman.
Mr. Burgess. The Chair thanks the gentleman. The Chair now
recognizes the subcommittee ranking member, Ms. Schakowsky, for
5 minutes for the purpose of an opening statement.
OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A
REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS
Ms. Schakowsky. Thank you, Mr. Chairman, for holding
today's important hearing on what to include in Federal
legislative approach to the challenges of data security and
breach notification.
I look forward to our work together in the 114th Congress,
and this is a great issue to open up with.
Data security is one of the most important issues that this
subcommittee will consider this year. In the State of the Union
last week, the President urged us to pass legislation that will
better protect against cyberattacks and identity theft. I look
forward to working with the White House and my colleagues on
both sides of the aisle to meet that goal.
Since 2005, over 900 million records with personally
identifiable information have been compromised. The recent
uptick in high-profile data breaches including those of Target,
Home Depot, Neiman Marcus, and Michael's prove two important
points: One, just about every retailer and many nonretailers
that we engage with are collecting and storing our personal
information, credit card numbers, contact information, and much
more. And two, hackers are growing in number and becoming more
sophisticated in their attempts to access that personal
information, and they are having more success. From programming
home security systems and thermostats from hundreds of miles
away, to remembering shopping preferences and account
information, to connecting with friends over the Internet,
Americans benefit in many ways from an increasingly data-driven
world. But that doesn't mean we should sacrifice our right to
have our personal information appropriately protected or our
right to know if and when that data has been compromised.
There are a variety of State laws regarding data security
standards and breach notification requirements. However, there
is no comprehensive Federal standard for appropriate protection
of personally identifiable information, nor are there Federal
requirements in place to report data breaches to those whose
personal information has been exposed. And I firmly believe
that legislation to address that data breach threat must
include those two safeguards.
It is important to say that no legislation to require data
security standards and breach notification will completely
eliminate the threat of data breach. That being said, entities
that collect and store personal information must take
reasonable steps to protect data, and consumers must be
informed promptly in the event of a breach.
And while I clearly believe that the Federal Government
should have a role in data breach--that is what we have been
working toward--I also believe that there have been many
important protections that are at the State level that we don't
want to eliminate when we do Federal legislation, perhaps even
eliminating rights and protections that would not be guaranteed
under Federal statute. We have to be sure that we don't weaken
protections that consumers expect and deserve. If we include
Federal preemption of some of those things or if we don't
include those good things in Federal legislation, then I think
that would be a serious mistake at this point.
I also believe that if we include Federal preemption, we
must ensure that State Attorneys General are able to enforce
the law, something my Attorney General has made very, very
clear.
So I think we can achieve all these goals working together,
get a good, strong Federal bill that makes consumers feel
confident that we have taken the appropriate steps.
[The prepared statement of Ms. Schakowsky follows:]
Prepared statement of Hon. Janice D. Schakowsky
Thank you, Mr. Chairman, for holding today's important
hearing on what to include in a Federal legislative approach to
the challenges of data security and breach notification. I look
forward to our work together in the 114th Congress, and this is
a great issue to open with.
Data security is one of the most important issues that this
subcommittee will consider this year. In the State of the Union
last week, the President urged us to pass legislation that will
better-protect against cyberattacks and identity theft. I look
forward to working with the White House and my colleagues on
both sides of the aisle to meet that goal.
Since 2005, over 900 million records with personally
identifiable information have been compromised. The recent
uptick in high profile data breaches--including those of
Target, Home Depot, Neiman Marcus, and Michael's--proves two
important points:
1. Just about every retailer--and many nonretailers--that
we engage with are collecting and storing our personal
information--credit card numbers, contact information, and much
more.
2. Hackers are growing in number and becoming more
sophisticated in their attempts to access that personal
information--and they are having more success.
From programming home security systems and thermostats from
hundreds of miles away to remembering shopping preferences and
account information to connecting friends over the Internet,
Americans benefit in many ways from an increasingly data-driven
world. But that doesn't mean we should sacrifice our right to
have our personal information appropriately protected, or our
right to know if and when that data has been compromised.
There are a variety of State laws regarding data security
standards and breach notification requirements. However, there
are no comprehensive Federal standards for appropriate
protection of personally identifiable information. Nor are
there Federal requirements in place to report data breaches to
those whose personal information has been exposed. I firmly
believe that legislation to address the data breach threat must
include those two safeguards.
It is important to say that no legislation to require data
security standards and breach notification will completely
eliminate the threat of data breach. That being said, entities
that collect and store personal information must take
reasonable steps to protect data, and consumers must be
informed promptly in the event of a breach.
While I clearly believe the Federal Government should have
a role on data breach, I am concerned about the impacts of
Federal legislation that would pre-empt State law. Federal
preemption could weaken important consumer protections--perhaps
even eliminating rights and protections that would not be
guaranteed under a Federal statute. We must be sure not to
weaken the protections consumers expect and deserve. If we
include Federal preemption, we must ensure that State Attorneys
General are able to enforce the law.
I look forward to hearing the views and perspectives of our
panel on the Federal role in this important issue. I yield back
the balance of my time.
Ms. Schakowsky. And let me with my remaining time yield to
Peter Welch for his comments.
Mr. Welch. Thank you very much. Mr. Chairman and Ranking
Member, you both nailed it with your description of what we are
doing. It is pretty astonishing that with the use of computers,
two things still have not been done at the Federal level: one,
to provide data breach security, and number two, to provide
notice to consumers. Consumers receive notice when they have
been harmed, but they don't need notice just to scare them. And
we have bipartisan momentum here, thanks to Chairman Upton and
my colleague Marsha Blackburn, who I have been working with,
and Congressman Rush has been working on this for a long time.
So we have got a foundation here.
The practical challenges, those are the ones we have to
resolve. What do we do about a national standard? What do we do
about having enforcement at the AG level, something I agree
with Ms. Schakowsky on. What is the notice standard? When
should consumers be notified? How do you give some time for a
company that has been breached to do law enforcement,
investigation, and inquiry into what the scope of the breach
was? These are more or less practical issues. And I think the
chairman has set a good tone here where we have a common
objective, and we don't have ideological differences. We have
practical differences. And the hope I think of all of us with
the foundation that has been laid by my predecessors is to find
some common-sense, legitimate balancing of the interests so
that at the end of the day we do protect consumers with data
breach security, we give some reasonable certainty to our
companies, and we have a standard that is robust and strong. I
yield back.
Mr. Burgess. I thank the gentleman. The gentleman yields
back. The Chair now recognizes the chairman of the full
committee, Mr. Upton, for 5 minutes for an opening statement.
OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MICHIGAN
Mr. Upton. Thank you, Mr. Chairman, and it has been noted
this committee does have a strong tradition of bipartisan
cooperation and problem solving. In this spirit, today we
continue our focus on the key elements to pass a Federal data
breach law, a priority that the President identified in his
State of the Union address just last week. I look forward to
working with the White House, Dr. Burgess, and members of this
committee on both sides of the aisle to accomplish that goal.
Criminal cyberhacking presents a serious risk of economic
harm to consumers and businesses alike. From small mom-and-pop
shops in my district in Southwest Michigan to global Fortune
100 companies, the unfortunate reality is that companies of all
sizes are at risk of having information hacked.
This committee will be examining a series of issues
relating to cybersecurity in this Congress. Where the
conversation begins today is with a data breach bill, and I
want to encourage all members and the public to focus on
getting that issue right before we try to tackle some of the
other concerns. There are significant privacy issues in an
online economy, and some of those will have to be addressed
separately.
Let us also be clear that this isn't a financial services
bill. We cannot let data breach legislation be sunk by
extraneous issues.
Today's hearing will examine two discrete issues related to
the complex effects of cybercrime, commercial data security and
breach notification to consumers. There is a real opportunity
this Congress to set a single, national standard for data
security and breach notification. I personally believe that a
single, Federal standard is the key to passing a solution. The
trade-off is that it has to be a strong, consumer-friendly law,
one that has real protections and real enforcement. Both the
FTC and State AGs have shown that this is an area that they
would police very effectively. Our role is to strike the right
balance on when notification is required, how timely it needs
to be, and what information leads to identity theft.
Setting a national standard benefits consumers by ensuring
that every business must look at their activities and make
certain that they are taking reasonable security measures. A
national standard allows businesses to focus on securing
information and systems instead of trying to figure out how to
comply with a host of different State laws with their team of
lawyers. Consumers benefit from consistency as well.
We are particularly concerned with the impact that these
criminal acts have on consumer confidence, economic growth, and
job creation. So let us get to work. A data breach bill is the
first step in securing that future.
[The prepared statement of Mr. Upton follows:]
Prepared statement of Hon. Fred Upton
This committee has a strong tradition of bipartisan
cooperation and problem solving. In this spirit, today we
continue our focus on the key elements to pass a Federal data
breach law--a priority the president identified in his State of
the Union address last week. I look forward to working with the
White House, Dr. Burgess, and members of this committee to
accomplish that goal.
Criminal cyberhacking presents a serious risk of economic
harm to consumers and businesses alike. From small mom-and-pop
shops in Southwest Michigan to global fortune 100 companies--
the unfortunate reality is that companies of all sizes are at
risk of having information hacked.
This committee will be examining a series of issues
relating to cybersecurity this new Congress. Where the
conversation begins today is with a data breach bill, and I
want to encourage members and the public to focus on getting
that issue right before we try to tackle some of the other
concerns. There are significant privacy issues in an online
economy, and some of those will have to be addressed
separately. Let's also be clear that this isn't a financial
services bill. We cannot let data breach legislation be sunk by
extraneous issues.
Today's hearing will examine two discrete issues related to
the complex effects of cybercrime: commercial data security and
breach notification to consumers. There is a real opportunity
this Congress to set a single, national standard for data
security and breach notification.
I personally believe that a single, Federal standard is the
key to passing a solution. The trade-off is that it has to be a
strong, consumer-friendly law--one that has real protections
and real enforcement. Both the FTC and State AGs have shown
that this is an area that they would police very effectively.
Our role is to strike the right balance on when notification is
required, how timely it needs to be, and what information leads
to identity theft.
Setting a national standard benefits consumers by ensuring
that every business must look at their activities and make sure
they are taking reasonable security measures. A national
standard allows businesses to focus on securing information and
systems instead of trying to figure out how to comply with a
host of different State laws with teams of lawyers. Consumers
benefit from consistency in security and breach notification no
matter what State they live in.
We are particularly concerned with the impact these
criminal acts have on consumer confidence, economic growth, and
job creation. The criminals are in this for the money, so we
need to make it far harder to steal an identity or use stolen
information to make purchases. The cost to consumers is well
into the billions of dollars. No committee is more aware than
this one about how central the online economy is to our future.
A data breach bill is the first step to securing that future.
Mr. Upton. I yield the balance of my time to the vice chair
of the full committee, Marsha Blackburn.
Mrs. Blackburn. Thank you, Mr. Chairman, and I want to
thank the chairman of the subcommittee for calling the hearing,
and I want to welcome all of our witnesses today. We are indeed
looking forward to hearing what you have to say.
As has been referenced by Mr. Welch, we have spent a couple
of years working on the issues of privacy and data security. We
have done this in a working group or a task force and drilling
down, making certain that we have a good understanding of
defining the problem and then looking at the opportunities for
addressing that. So we come to you from that basis of work. And
Ms. Schakowsky, Mr. Olson, both served on this task force with
us.
Last October Director Comey from the FBI said there are two
kinds of big companies in the United States: those that know
they have been hacked by the Chinese and those that don't know
they have been hacked by the Chinese. That is pretty apropos,
and we know that it applies to all sizes of companies, as
Chairman Upton just said.
Because of that, we understand that there are a few things
that we need to look at: preemption and making certain that we
have the standard, that this is easily communicated, that our
constituents and the citizens understand what is the toolbox
that they have for protecting, as I define it, the virtual you,
whether that virtual you is they themselves individually, they
themselves the small business person, or the corporate entity
that is looking to protect its product and its name.
Now, I come from Nashville. We have a lot of entertainment,
healthcare, and financial services that are watching this issue
closely. They want to make certain that we get this right the
first time.
With that, I yield back the balance of my time.
Mr. Burgess. The gentlelady yields back. The Chair now
recognizes the ranking member of the full committee, 5 minutes
for an opening statement, Mr. Pallone from New Jersey.
OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF NEW JERSEY
Mr. Pallone. Thank you, Mr. Chairman. I first wanted to
congratulate Dr. Burgess on his appointment as the chairman. I
will say, though, that having spent last evening with you on
rules, I am not going to congratulate you on continuing on
rules because I don't know what possible reason you could have
for continuing to stay there. But everyone makes their own
decisions around here.
I do look forward to working with you on many issues,
starting with the issue of today's hearing, data security and
breach notification. I also wanted to thank Ms. Schakowsky for
her continued service as the Democratic Ranking Member.
The title of this hearing, What are the Elements of Sound
Data Breach Legislation?, assumes that legislation is needed,
and I agree that it is time to legislate but only if the result
is a strong bill that puts consumers in a better place than
they are today. Right now millions of consumers are being hit
with endless waves of breaches. Criminal hackers will always
target our communities, and while we cannot expect to eliminate
data breaches, we can work harder to reduce the number of
breaches and better protect consumers' information. Just as we
expect a bank to lock its vaults of money, we should expect
that companies lock and secure personal consumer information.
Unfortunately, that is not happening. According to the Online
Trust Alliance, over 90 percent of data breaches in the first
half of 2014 could have been prevented had businesses
implemented security best practices. Firms must do a better job
of protecting information they demand of consumers, and
preventing breaches is not just best for the consumer, in the
long run it is cheaper for companies as well.
And I believe that we should also expect companies to
notify consumers in the event of a breach. During this hearing
we will hear the often-repeated statistic that 47 States plus
Washington, DC, Guam, Puerto Rico, and the Virgin Islands
already have data breach notification laws on the books. While
no one on either side of the aisle wants to unnecessarily
burden businesses with duplicative or overlapping requirements,
these State laws provide baseline breach notification to most
Americans. In addition, businesses that operate nationally
often follow the strictest State laws, giving our constituents
strong data security and breach notification protections
coverage regardless of what is written in any individual State
law. And therefore, I can't support any proposal that
supersedes strong State protections and replaces them with one
weak Federal standard.
So Mr. Chairman, this subcommittee has had a tradition of
being bipartisan, particularly on the issue of data security,
and the 111th Congress' committee passed a compromise bill on
the House Floor as H.R. 2221, and that bill was shepherded by
then-Subcommittee Chairman Bobby Rush and was based on a bill
crafted by former Subcommittee Chairman Cliff Stearns, and
Chairman Upton, Vice Chairwoman Blackburn, and Chairman Barton
were original cosponsors of these various bills.
So I just want to say I look forward to working with the
subcommittee on a bipartisan basis to craft similar legislation
and legislation that requires companies to have reasonable
security measures in place and to provide notification to
consumers once a breach has occurred.
[The prepared statement of Mr. Pallone follows:]
Prepared statement of Hon. Frank Pallone, Jr.
I want to start by congratulating Dr. Burgess on his
appointment as chairman. I look forward to working with him on
many issues, starting with the issue of today's hearing, data
security and breach notification. I also want to thank Ms.
Schakowsky for her service as the Democratic ranking member.
The title of this hearing, ``What are the Elements of Sound
Data Breach Legislation?,'' assumes that legislation is needed.
I agree that it is time to legislate--but only if the result is
a strong bill that puts consumers in a better place than they
are today.
Right now, millions of consumers are being hit with endless
waves of breaches. Criminal hackers will always target our
communities. And while we cannot expect to eliminate data
breaches, we can work harder to reduce the number of breaches
and better protect consumers' information. Just as we expect a
bank to lock its vaults of money, we should expect that
companies lock and secure personal consumer information.
Unfortunately, that is not happening. According to the
Online Trust Alliance, over 90 percent of data breaches in the
first half of 2014 could have been prevented had businesses
implemented security best practices. Firms must do a better job
at protecting the information they demand of consumers.
Preventing breaches is not just best for the consumer, in the
long-run, it is cheaper for companies as well.
I believe that we should also expect companies to notify
consumers in the event of a breach. During this hearing, we
will hear the often repeated statistic that 47 States, plus
Washington, DC, Guam, Puerto Rico, and the Virgin Islands,
already have data breach notification laws on the books. While
no one, on either side of the aisle, wants to unnecessarily
burden business with duplicative or overlapping requirements,
these State laws provide baseline breach notification to most
Americans. In addition, businesses that operate nationally
often follow the strictest State laws, giving our constituents
strong data security and breach notification protections
coverage regardless of what is written in any individual State
law. Therefore, I cannot support any proposal that supersedes
strong State protections and replaces them with one weak
Federal standard.
Mr. Chairman, this subcommittee has had a tradition of
being bipartisan, particularly on the issue of data security.
In the 111th Congress, this committee passed a compromise bill
on the House floor as H.R. 2221. That bill was shepherded by
then-Subcommittee Chairman Bobby Rush and was based on a bill
crafted by former Subcommittee Chairman Cliff Stearns. Chairman
Upton, Vice Chairman Blackburn, and Chairman Emeritus Barton
were original cosponsors of these various iterations.
I look forward to working with this subcommittee on a
bipartisan basis to craft similar legislation--legislation that
requires companies to have reasonable security measures in
place and to provide notification to consumers once a breach
has occurred.
Thank you.
Mr. Pallone. I yield back, Mr. Chairman.
Mr. Burgess. The gentleman yields back his time. The Chair
would remind all members on the subcommittee that they are able
to insert their written statements for the record.
And I do want to welcome our witnesses for being here this
morning. I thank all of you for agreeing to testify before the
committee. Our witness panel for today's hearing will include
Ms. Elizabeth Hyman who is the Executive Vice President of
Public Advocacy for TechAmerica, and she will be testifying on
behalf of the Computing Technology Industry Association. We
also have Ms. Jennifer Glasgow, the Global Privacy Officer for
Acxiom Corporation; Mr. Brian Dodge, who is the Executive Vice
President of Communications and Strategic Initiatives on behalf
of the Retail Industry Leaders Association; and Mr. Woodrow
Hartzog, an Associate Professor of Law at Samford University's
Cumberland School of Law in Birmingham, Alabama.
Our first witness is Ms. Elizabeth Hyman, and you are
recognized for 5 minutes.
STATEMENTS OF ELIZABETH HYMAN, EXECUTIVE VICE PRESIDENT, PUBLIC
POLICY, TECHAMERICA, COMPUTING TECHNOLOGY INDUSTRY ASSOCIATION;
BRIAN A. DODGE, EXECUTIVE VICE PRESIDENT, COMMUNICATIONS AND
STRATEGIC INITIATIVES, RETAIL INDUSTRY LEADERS ASSOCIATION;
JENNIFER BARRETT-GLASGOW, GLOBAL PRIVACY OFFICER, ACXIOM
CORPORATION; AND WOODROW HARTZOG, ASSOCIATE PROFESSOR OF LAW,
CUMBERLAND SCHOOL OF LAW, SAMFORD UNIVERSITY
STATEMENT OF ELIZABETH HYMAN
Ms. Hyman. Good morning, and thank you very much for having
us, Chairman Burgess, Ranking Member Schakowsky, and
distinguished members of the Subcommittee on Commerce,
Manufacturing, and Trade. We appreciate your convening this
hearing and for giving us the opportunity to provide our
insights on the important issue of consumer data breach
notification.
My name as you mentioned is Elizabeth Hyman. I am the
Executive Vice President of Public Advocacy for TechAmerica,
the public policy department of The Computing Technology
Industry Association, CompTIA. CompTIA is headquartered in
Downers Grove, Illinois, and we represent over 2,200 technology
companies, a large number of which are small- and medium-sized
firms.
Technology companies take their obligations to protect
consumers' information very seriously. Data is the life-blood
of the Internet economy, and protecting consumers' information
is not only a responsibility of the industry but also a crucial
business practice. Failure to do so will lead to a loss in
customer faith and damage to a business' reputation.
Unfortunately, as has been pointed out, criminals remain
intent on stealing information. Data breaches are sadly all too
common in 2015, and thus we need strong rules in place to
inform consumers when a harmful breach occurs and to provide
the necessary information to enable consumers to take the
necessary steps to protect themselves.
As you are all well aware and has been stated, there
currently is no Federal standard for data breach notification.
Instead, 47 different States, the District of Columbia, Puerto
Rico, Guam, and the Virgin Islands, all have their own separate
data breach notification laws and requirements.
Furthermore, States are regularly changing and updating
their data breach notification laws. This year we have already
seen 17 bills introduced in seven States in just the first 2
weeks of State legislative sessions. With the increasingly
mobile and decentralized nature of our economy, most companies
are under the umbrella of multiple State laws at all times.
This patchwork of State laws creates significant compliance
costs with no additional protection for consumers since no two
State data breach laws are exactly the same. In fact, many are
in conflict with one another. A Federal data breach
notification standard is thus necessary to protect consumers
and ensure that companies can respond quickly and effectively
after a breach.
Responding to a data breach for a company of any size is
difficult, especially given the need to assess whether the
breach could trigger notification provisions in any one of 47
States, whether they have any consumers that live in any of
those States, who to notify, how to notify, what information to
include, and what the timelines are for notification.
Small- and medium-sized businesses face particularly
difficult compliance challenges. To address their obligations
to resolve the breach, gather information, and notify the
necessary parties, these companies often rely on cyber-
insurance, payment processors, or outside counsel to help
implement a response plan. None of these options is cheap.
Thus, the key to any Federal data breach notification law
will be finding a single standard that maintains strong
requirements but allows companies to focus on the important
work of protecting their customers in the wake of a breach.
In crafting a Federal data breach standard, we would
suggest a few key provisions that are further outlined in my
statement for the record. For example, any Federal data breach
notification law needs to be the standard for all companies to
comply with. It cannot simply just become the 48th standard
that State can add to. In order to avoid the risks associated
with overnotification, a Federal standard should ensure that
consumers only receive notification about a breach when their
information has actually been accessed and only when that
information is likely to be used in a harmful manner.
Adequate time should be provided for companies to conduct a
risk assessment in order to best assess the scope and depth of
the breach. A circumscribed set of sensitive, personally
identifiable information must be the basis for determining
whether any notification should occur. We should try to avoid
mandating specific technologies while also exempting companies
from notification requirements where data is rendered unusable.
Companies should not be punished for the criminal acts of
others, and private rights of action regarding data breach
notification should be explicitly banned.
In closing, I would like to thank the subcommittee for
working on the issue of data breach notification.
Unfortunately, our patchwork of State laws, while well-
intentioned, has created a burdensome and complex compliance
regime. A strong, single standard that applies throughout the
country will ensure our consumers are safer and ensure our
companies are well-informed about how to respond to the growing
threat of data breaches.
Security and economic growth are not mutually exclusive,
and I would respectfully request that the solutions you draft
through this subcommittee address both through a national data
breach notification standard. Thank you.
[The prepared statement of Ms. Hyman follows:]
[GRAPHICS NOT AVAILABLE TIFF FORMAT]
Mr. Burgess. The gentlelady yields back. The Chair would
now recognize Mr. Brian Dodge, the Executive Vice President of
the Retail Industry Leaders Association, 5 minutes for your
testimony, sir. Thank you.
STATEMENT OF BRIAN A. DODGE
Mr. Dodge. Chairman Burgess, Ranking Member Schakowsky, and
Members of the committee, my name is Brian Dodge, and I am an
Executive Vice President with the Retail Industry Leaders
Association. Thank you for the opportunity to testify today
about data breach legislation and the steps that the retail
industry is taking to address this important issue and to
protect consumers.
RILA is the trade association of the world's largest and
most innovative companies. Retailers embrace innovative
technology to provide American consumers with unparalleled
services and products. While technology presents great
opportunity, nation-states, criminal organizations, and other
bad actors also are using it to attack businesses,
institutions, and governments. As we have seen, no organization
is immune from attacks. Retailers understand that defense
against cyberattacks must be an ongoing effort.
RILA is committed to working with Congress to give
Government and retailers the tools necessary to thwart this
unprecedented attack on the U.S. economy and bring the fight to
cybercriminals around the world.
As leaders in the retail community, we are taking new and
significant steps to enhance cybersecurity throughout the
industry. To that end, last year RILA formed the Retail Cyber
Intelligence Sharing Center in partnership with America's most
recognized retailers. The Center has opened a steady flow of
information between retailers, law enforcement and other
relevant stakeholders.
In addition to the topics this hearing will cover today,
one area of security that needs immediate attention is payment
card technology. The woefully outdated magnetic stripe
technology used on cards today is the chief vulnerability in
the payments ecosystem. Retailers continue to press banks and
card networks to provide U.S. consumers with the same chip and
PIN technology that has proven to dramatically reduce fraud
when it has been deployed elsewhere around the world.
Before I discuss what RILA believes the components of sound
data breach legislation are, I will briefly highlight the
significant data breach and data notification laws with which
retailers currently comply. As has been said, 47 States, the
District of Columbia, Guam, Puerto Rico, and the U.S. Virgin
Islands have adopted data breach notification laws. In addition
to the 47-plus existing State data breach notice laws,
retailers are subject to robust data security regulatory
regimes as well. The Federal Trade Commission has settled at
least 50 cases against businesses that it charged with failing
to maintain reasonable data security practices. These actions
have created a common law of consent decrees that signal the
data security standards expected of businesses. Additionally,
inadequate data security measures for personal information can
lead to violations of expressed State data security laws. Also,
many States has so-called little FTC acts that can be used to
enforce against what Attorneys General deem to be unreasonable
data security practices.
Finally, retailers voluntarily and by contract follow a
variety of security standards including those maintained by the
payment card industry, NIST, and the International Organization
of Standardization.
While retailers diligently comply with this range of data
security notice and data requirements, a carefully crafted
Federal data breach law can clear up regulatory confusion and
better protect and notify consumers.
RILA supports a Federal data breach that is practical,
proportional, and sets a single national standard. RILA urges
the committee to consider data breach legislation that creates
a single national notification standard that allows business to
focus on quickly providing affected individuals with actionable
information; that provides flexibility in the method and timing
of notification; that ensures that notice is required only when
there is a reasonable belief that the breach has or will result
in identity theft, economic loss, or harm; that ensures that
the responsibility to notify is that of the entity breached but
provides the flexibility for entities to contractually
determine the notifying party; that establishes a precise and
targeted definition for personal information; that recognizes
that retailers already have robust data security obligations
and that security must be able to adapt over time.
The final goal of data breach legislation should be to
ensure fair, consistent, and equitable enforcement of data
breach law. Enforcement of the law should be consistently
applied by the FTC based on cases of actual harm. Similarly, if
civil penalty authority is provided, it should be capped based
on the actual harm to consumers. Also, any legislation should
deny a private right of action as it would undermine consistent
enforcement.
We look forward to working with the committee on specific
language to address each of these above goals. I thank the
committee for considering the need for preemptive data breach
legislation and look forward to answering your questions.
[The prepared statement of Mr. Dodge follows:]
[GRAPHICS NOT AVAILABLE TIFF FORMAT]
Mr. Burgess. The gentleman yields back. The Chair would now
like to recognize Jennifer Barrett-Glasgow, the Global Privacy
Officer for the Acxiom Corporation. Thank you for your
testimony today, 5 minutes.
STATEMENT OF JENNIFER BARRETT-GLASGOW
Ms. Barrett-Glasgow. Chairman Burgess, Ranking Member
Schakowsky, members of the committee, thank you for holding
this hearing today. I am Jennifer Barrett-Glasgow, Global
Privacy Officer for Acxiom, headquartered in Little Rock,
Arkansas. Acxiom has two lines of business. We offer primarily
to large businesses, not-for-profit organizations, political
parties, and candidates and Government agencies. First, we
offer computer processing services for our clients' information
which includes ensuring that information is accurate, analyzing
the information to help our clients understand their customers
better so they can improve their offerings, and our digital
reach services which enable our clients to market to audiences
across all digital channels. These services represent over 80
percent of our total business in the United States.
Second, we provide a line of information products to
clients in three categories: fraud management, telephone
directories, and marketing. And these products support all
channels of communication, offline, online, mobile, and
addressable television.
Acxiom supports enacting a data security and breach
notification bill, and I would like to mention some of the
provisions that we think should and should not be included.
Regarding data breach notification provisions, first, the bill
needs to include strong preemption for State laws. As stated
earlier, 47 States and 4 territories have breach laws, and
every year a number of these change. Businesses and consumers
will benefit from having one recognizable standard.
Second, there should be a harm-based trigger for
notification. Consumers shouldn't get meaningless notices when
there is no risk of harm. Businesses will have to evaluate
whether there is a reasonable risk if there are penalties for
failing to notify, and we will do that responsibly without
Congress needing to spell out how it should be done.
Third, legislation should also provide a reasonable
timeframe for notification. Consumers do need to be notified
promptly, but it is critical to understand the extent and means
of the breach and to give law enforcement time to identify and
hopefully even apprehend the bad guys. Fixed statutory
deadlines do not accomplish these objectives.
Fourth, penalty provisions should be reasonable, and we do
not believe there should be a private right of action.
Companies who take reasonable precautions but who still get
breached are victims, too. Regarding data security language,
just as with breach notification, having a single data security
standard is more efficient for companies than multiple State
standards. This is more important for some businesses and other
entities than it is for Acxiom. We process data for other
companies, and our security is assessed by clients upwards of
80 times a year, plus we conduct our own audit internally. So
we already meet multiple client standards in addition to those
set by law.
Next, because the bad guys' capabilities keep changing,
legal and regulatory data security standards need to be
extremely flexible to allow adaptive compliance to keep ahead
of the threats.
And last, Acxiom believes that businesses have a
responsibility to educate their employees about security risks
and that Government has a role to play in educating the general
public on these topics.
Where once the purpose of passing a data security law might
have been to ensure companies were thinking enough about
security, today we believe Congress should think about security
breach legislation more like it has thought about cybersecurity
legislation. How can the industry and Government and law
enforcement work together to keep ahead of these threats.
Finally, a comment on what should not be included in this
legislation. Congress should keep this bill focused on data
security and breach notification. There is bipartisan support
for enacting a good bill into law on these issues. In the past,
other issues have crept into data breach bills, and this has
hurt the chances of enactment. For example, some previous bills
have included provisions for data brokers, and while Acxiom
would be considered a data broker under any definition, it
already offers the kinds of provisions seen in past bills
through our web portal, AboutTheData.com. The problem has been
the definition of data brokers. It was quite broad and included
many companies that don't consider themselves to be one. This
has stymied enactment of these bills. We urge you to keep the
bill clean so we can finally put a good consensus Federal data
security and breach notification law into place.
Thank you for the opportunity to testify today, and I look
forward to your questions.
[The prepared statement of Ms. Barrett-Glasgow follows:]
[GRAPHICS NOT AVAILABLE TIFF FORMAT]
Mr. Burgess. Thank you. The witness yields back. The Chair
now recognizes Mr. Hartzog, 5 minutes for your testimony. Thank
you, sir, for being here.
STATEMENT OF WOODROW HARTZOG
Mr. Hartzog. Thank you. Chairman Burgess, Ranking Member
Schakowsky, and members of the committee, thank you very much
for inviting me to appear before you and provide testimony. My
name is Woodrow Hartzog, and I am an associate professor of law
at Samford University's Cumberland School of Law and an
affiliate scholar at the Center for Internet and Society at
Stanford Law School. I have spent the last 3 years researching
the law and policy of data protection, data security, and
responses to data breaches. My comments today will address what
I have learned from this research.
In order to be sound, data breach legislation must further
three fundamental goals: transparency, data protection, and
remedies for affected individuals. The patchwork of existing
State and Federal sector-specific laws further these goals, but
aggressively preemptive Federal legislation risks counteracting
these goals and weakening our critical data protection
infrastructure. Hard-won consumer protections could be lost. In
short, any data breach legislation that fails to advance these
three goals will be counterproductive.
I would like to make two main points regarding the elements
of sound data breach legislation. First, sound data breach
legislation should be minimally preemptive of existing State-
and sector-specific data breach laws. Data breach laws are
relatively new. It is not yet clear what the most effective
approach to data protection and data response is or should be.
We need multiple regulatory bodies to ensure the adequate
resources and experimentation necessary to respond to
constantly evolving threats and new vulnerabilities.
Additionally, preemption threatens to water down important
existing robust data breach protections. There is a real risk
that preemptive Federal legislation would do more harm than
good. For example, Federal data breach legislation would reduce
the level of protection many or most Americans currently have
if it narrowed existing definitions of personal information, if
it mandated a showing of harm before companies were required to
send notification, or if it failed to require a notice to a
centralized organization, like the office of the State Attorney
General.
Data breach legislation would also be counter-productive if
it created gaps in protection. Federal data breach legislation
that preempts all State data breach laws could fail to cover
data breaches that only affect the residents of one State.
Additionally, preemptive legislation that only covered
digitized records would fail to cover breaches involving paper
records which remain a significant target for data thieves.
The second point I would like to make is that sound data
breach legislation must also incorporate requirements for data
security. While data breach notification is important, we must
be sure not to ask too much of it. Under a pure data breach
notification scheme, providing reasonable data security would
be voluntary. The law should require not just encourage that
companies reasonably secure their personal data. If people
cannot trust that the entities that collect and store our
personal information, the commerce, innovation, public health,
our personal relationships, and our culture will all suffer.
Ensuring that companies must provide reasonable data security
will ensure that fewer breach notifications need to be sent at
all.
One important way to fortify data security would be to give
the Federal Trade Commission rule-making authority. Specific
authority for data security would help the FTC further clarify
data security standards, require data security from nonprofit
entities such as educational institutions, and issue civil
penalties.
Federal legislation should also preserve the regulation of
data security by States and sector-specific agencies. The
numerous Federal agencies that require data security are not
redundant. Rather, they can and do coexist with unique
expertise and regulatory authority. Even agencies with
overlapping jurisdiction contribute valuable resources and have
relatively harmonized approaches to data security.
Finally, data breach legislation must preserve the ability
of States to regulate data security. Data security is both a
national and a local issue sometimes affecting small but
significant groups of State residents. Even in the case of
large national breaches, residents of some States are hit
harder than others. States are nimble and capable of continued
experimentation regarding the best approach to regulating data
security. They are also closer to those whose data was
compromised and provide additional resources to alleviate the
strain and cost to enforcement on Federal agencies.
The modern threat to personal data is still relatively new.
The concept of data breach legislation is newer still. It is
too early to start rolling back protections and consolidating
agencies to cut costs. Instead, sound data breach legislation
should reinforce the current trajectory of data breach law
which involves multiple approaches and constantly evolving
robust consumer protection. Thank you very much, and I look
forward to your questions.
[The prepared statement of Mr. Hartzog follows:]
[GRAPHICS NOT AVAILABLE TIFF FORMAT]
Mr. Burgess. The gentleman yields back, and I thank all the
witnesses for their testimony and participating in today's
hearing. We will now move into the question-and-answer portion
of the hearing, and for that purpose, I will recognize myself
for 5 minutes. And I do again thank you all for being here.
Let me just ask a general question to the entire panel, and
we will start with Ms. Hyman and work our way down to Ms.
Hartzog. Reading through the testimony and listening to you
this morning, it is clear that most of the panelists agree on--
I guess I could say three out of four panelists agree on
preemption, that it is necessary for a successful piece of
legislation on data security and breach notification. The
question is why is it important to have a single standard
rather than allowing new requirements to be developed in State
courts on top of a Federal law? Ms. Hyman, let us start with
you.
Ms. Hyman. Thank you, Chairman Burgess. It is important
because right now we have all these different laws, many of
which are in conflict with one another. Many of our member
companies are small- and medium-sized IT firms, and they are
trying to do business across State lines. They don't
necessarily have the in-house resources to cover all the
different State requirements. So having a more simplified
Federal standard, strong but a Federal standard, would allow
these companies to do business across State lines with
confidence that they are serving their consumers.
The only other thing I would point out is, and I mentioned
this in my opening remarks, this is a very unsettled area. As I
mentioned just in the last couple of weeks, we have seen a
number of bills introduced in State legislatures, and again, if
there is some way that we can come up with a strong,
appropriate Federal standard, I think it would alleviate a fair
amount of ambiguity for both the consumer and for the business.
Mr. Burgess. Thank you. Mr. Dodge?
Mr. Dodge. So I would say the States deserve a lot of
credit for acting in the place where the Federal Government
hasn't yet. But if Congress intends to or chooses to pass a
Federal standard, we believe it should be preemptive because
first, it will allow consumers to have a clear set of
expectations regardless of where they live about what kind of
notification they will get, at what time post-breach. We think
that is important. Consumers need to know what to expect in the
wake of a breach. And also for a breach of institution or
business, they want to put all of their energy towards making
sure they are quickly communicating actionable information to
the consumers. And a national standard would allow them to do
that instead of the complexity of complying with 47-plus
different laws.
Mr. Burgess. Ms. Glasgow?
Ms. Barrett-Glasgow. Breach notification laws that are in
place today in the States vary widely as has been said, and in
some instances, we don't even have a security requirement in
certain State laws. So enacting a Federal law that includes
both a security requirement and a breach notification
requirement will raise the level across the country. And I
think if you study those laws to any great degree, you will
find that there are very few exceptions that would make a State
regime more protective from any consumers.
Secondarily, from a consumer perspective, we don't live in
one State all our lives often. I grew up in Texas and moved to
Arkansas. And different States with different regimes with
different requirements for the types of notices that need to be
given create inconsistency for the consumer if they happen to
have received a notice in one State and then receive a
different notice in another State. As I said in my testimony, I
hope that we will look at much more cooperation between law
enforcement and companies to educate consumers about the risks
that are out there so that they can help in protecting
themselves and not rely solely on companies or Government
notifying them when there has been a problem.
Mr. Burgess. Thank you. Mr. Hartzog?
Mr. Hartzog. So I think that preemption on a very limited
scale could actually be useful. I think the important thing to
remember is that preemption is not an all-or-nothing game,
right? So we can preempt minimally or we can have aggressive
preemption. So one of the reasons I recommend minimal
preemption is so we can move closer towards having a national
standard but then preserve some of the hard-won consumer
protections and also make sure that Federal legislation doesn't
create gaps that things that were protected are no longer
protected, so for example, solely interstate, intrastate data
breaches. And I think that as far as the differences between
the 47 different pieces of legislation, they do vary, but I
think that maybe sometimes the differences can be overstated
possibly. I mean, I think that sometimes it is compared so that
it is apples to oranges, which I don't think is true. I think
the more appropriate metaphor might be Fuji to red delicious
apples, and the idea that it is very burdensome to comply with
all 47 State laws, I think that is also possibly, potentially
an overstated claim in the sense that (a) businesses comply
with 50 different State laws all the time, and (b) a very
robust support network exists to provide companies of all sizes
with the adequate help they need to respond to data breach
requirements.
Mr. Burgess. I thank the gentleman. The Chair now
recognizes Ms. Schakowsky, 5 minutes for the purposes of
questions.
Ms. Schakowsky. Thank you. Professor, I wanted to direct my
question to you. Authors of some State laws and some Federal
legislative proposals have chosen to require notification to
consumers to be determined by a standard in which notification
is dependent on the presence of a risk of harm or actual
financial harm to consumers. And I am just wondering if you are
concerned about harms beyond identity theft, fraud, or other
economic loss, and if so, if you could give us some examples
that might narrow too much the definition of risk.
Mr. Hartzog. Sure. Thank you very much. I think that the
harm trigger as it has been described, the idea that you only
have to notify if there is some kind of finding of harm, is a
dubious proposition in several different ways, mainly because
the concept of harm within privacy law is hotly contested, and
to limit the idea of harm to something like financial harm I
think is really constraining because there are lots of
different harm that can result from data breaches. So fraud and
identity theft are not the only two. When health data gets
stolen, you risk things like discrimination, adverse employment
decisions, emotional distress. The Sony hack made it very clear
that sometimes when information is breached, it is not used to
commit financial harm. It is posted online for everyone to see.
And so that brings me to my next point which is the harm
trigger is dubious mainly because it is very difficult to draw
a line of causation between a breach that occurred and likely
harm that can happen sometime in the future. So it is not as
though data gets stolen and it is a one-to-one that harm occurs
as a result of it. Oftentimes data gets flooded downstream and
aggregated with other pieces of data, and it can be extremely
difficult to meet the burden of proof that harm is actually
likely in any one particular instance. And when you mandate a
harm trigger in notification, then what that means is if you
don't have enough information to prove some kind of likelihood
of harm, which is often the case in many different kinds of
data breaches, then the harm doesn't go out. So as a matter of
default, the notification isn't extended.
And so I think that it is important to remember the many
different ways in which harm can occur and the many different
ways in which harm is a relatively dubious concept within data
breach law, not the least of which is that we haven't even
talked about the ways in which information can be used against
people, not just to harm you for identity theft purposes but to
trick you into revealing more information. This is a common
phishing attack, right, which is what they call where they use
your own personal information into tricking you into think this
is a communication from a trusted source. You click on it, then
disclose more personal information. And this is more than just
a threat to the individual who is tricked. One of the most
common ways to hack into companies is through exploiting human
vulnerabilities, and one of the ways in which we do that is we
take information about people and use that to trick them into
revealing more information.
Ms. Schakowsky. Answer a question then. Is there a way to
identify harm or define harm that would include everything you
are talking about? Or are you saying that a harm trigger
itself? In other words, what you are suggesting is there needs
to be notification of a breach without having to establish harm
at all or are you saying we need to define harm better?
Mr. Hartzog. That is correct. So generally speaking, I want
to caution against overleveraging the concept of harm, and the
easiest way to overleverage the concept of harm is to create a
harm trigger. And so as a result, my recommendation would be to
have the default be noticed because any definition that you use
to come up with harm is probably going to be pretty flawed. It
is either going to be overinclusive in which it would include
every single possibility of harm we can imagine, or it is going
to be underinclusive and leave out huge chunks of things that
we want to protect against.
And so as a result, my recommendation would be let us not
overleverage the concept.
Ms. Schakowsky. I know in the Sony breach we saw employment
records, for example, that were revealed. And so, you know,
that would be I think a problem for a lot of people.
Well, let me just put this on the table, and maybe others
would want to answer it at some other point, the concern that
there would be some sort of problem of overnotification.
Mr. Hartzog. The problem of overnotification is also one
that I think can tend to be overinflated. So of course you
don't want consumers and people getting 45 emails a day saying,
oh, hey, guess what? You know, another piece of your data has
been breached. But I think we are a very long way from reaching
some kind of point where consumers would just flippantly ignore
some kind of piece of advice and--
Ms. Schakowsky. I am going to go ahead actually and cut you
off because my time has expired, but I thank you.
Mr. Burgess. The gentlelady yields back. The Chair now
recognizes the vice chair of the full committee, Ms. Blackburn,
5 minutes for questions, please.
Mrs. Blackburn. Thank you so much, Mr. Chairman. I want to
talk a little bit about doing a technology-neutral data
security requirement, and it seems like when we talk about
privacy, when we talk about data security, when we talk about
entertainment delivery, more and more we are hearing, you know,
don't get specific on the delivery system or don't get specific
on the technology because it takes us forever, forever, to
bring legislation into line with where technology is.
So we are going to start. Mr. Hartzog, I will start with
you. We will go all the way down the panel, and I just want to
hear your thoughts on technology-neutral or specific and how
you think we are best served to approach that.
Mr. Hartzog. I would agree with you that we should strive
to be as technology-neutral as possible. We have seen time and
time again when we pass laws that are highly technically
specific that they are almost outdated the moment they are
passed. And so----
Mrs. Blackburn. They are.
Mr. Hartzog [continuing]. This is why things like
reasonable data security standards tend to make sense, and it
also is another good strong word of caution against really
being overly specific in any one particular area, and if to the
point where you have to be overly specific, being sure that you
have enabled the definition to change where possible. So I
would agree.
Mrs. Blackburn. OK.
Ms. Barrett-Glasgow. I agree that the bill should be
technology-neutral. I think a good example of language
regarding security is the Gramm-Leach-Bliley security
provisions which have now stood the test of 15, 16 years or so
in the marketplace.
And I would also, which actually may touch on Ms.
Schakowsky's question a little bit, in the Rush bill, H.R.
2221, the definition of harm reads determination that there is
no reasonable risk of identity theft, fraud, or other unlawful
conduct. And I think that other unlawful conduct picks up a lot
of opportunities as technology involves, as new unlawfuls
occur, for us to not have to come back and revisit the
language.
Mrs. Blackburn. Got it.
Mr. Dodge. So we would agree, of course, that we should be
technology-neutral. I don't think we can ever lose sight of the
fact that the criminals in this space are highly sophisticated
and rapidly evolving as we have seen in some of the more recent
reports, sometimes backed by nation-states. So allowing
businesses to evolve as the threat evolves is really important,
and technology is a big part of that.
Mrs. Blackburn. OK.
Ms. Hyman. And we would agree as well, technology-neutral
is an important principle. You know, we have gone from simple
redaction to encryption to more sophisticated versions, and as
has just been pointed out, you know, we have to keep ahead of
those that wish to cause harm. And the innovation of the
private sector is a great opportunity to lead on behalf of the
consumers.
Mrs. Blackburn. OK. Thank you. Now, Ms. Hyman, we are going
to stay with you and come right back down the row. When we are
talking about preemption language, I want to hear--and this is
the lightning round. We have got a minute and a half left on
the clock. So what language do you want to see us consider as
we look at preemption?
Ms. Hyman. Well, as I stated previously, we want to make
sure that we are not just ending up with the 48th standard--
Mrs. Blackburn. OK.
Ms. Hyman. --that it needs to be strong enough to actually
matter in terms of preemption and simplification.
Mr. Dodge. A strong preemption sets a single, national
standard.
Mrs. Blackburn. OK.
Mr. Dodge. Again, States deserve credit for the work they
have done, but you can't create a 48th law.
Ms. Barrett-Glasgow. In my written testimony, I actually
suggested some language that you might want to take a look at.
I am not going to get into that right here.
Mrs. Blackburn. Thank you.
Mr. Hartzog. My recommendation would be preemption that
served as a floor but not a ceiling and at worst would only
preempt the very specific provisions listed by the Federal
legislation.
Mrs. Blackburn. OK. Thank you all. I yield back.
Mr. Burgess. The gentlelady yields back. The Chair now
recognizes Ms. Clarke for 5 minutes for your questions, please.
Ms. Clarke. Thank you, Mr. Chairman, and I thank the
ranking member. I would like to drill down a bit more on the
breach notification issue.
Breach notification laws and legislative proposals can vary
greatly in how they treat the question of when a company
affected by a breach is required to notify consumers. The Data
Accountability Trust Act, H.R. 2221, affirmatively presumed a
company affected by a breach would notify consumers in the
breach unless it determined that there is a reasonable risk of
identity theft, fraud, and other unlawful conduct. There have
also been proposals with a ``negative presumption,'' in other
words, that a company does not have to notify consumers unless
an investigation reveals that a certain level of risk exists to
the consumers whose information was breached. The burden to
prove risk in this case is not on the breached holder of
consumers' personal information but rather on those challenging
its breach notification practices.
So Professor Hartzog, have you thought through what should
be the presumption for firms to notify consumers of a breach
and if so, why?
Mr. Hartzog. Thank you very much. I have, and my
recommendation would be to a presumption of notification in
terms of breach. There are some interesting options available
with respect to granting a safe harbor that are still
debatable. Maybe if you make information unusable, unreadable,
using things like encryption standards, then that is something
that States have been experimenting with. That is a positive
element, although that is not free from controversy with
respect to the effectiveness of encryption. But when the
presumption is that you don't have to notify unless an
assessment of risk of harm proves that it is likely, then you
miss out on a great deal of notifications. And it is important
to remember that notifications are important not just for the
individual that is being notified but also for other companies
that are similarly situated so that they can know about threats
that are facing them and perhaps practically respond to them,
for State AGs, for the public so that they can be aware, just
become more aware of the issues about data breach generally
speaking.
So when the default is set and a practical effect will
result in far fewer notifications, then I think that the public
and other companies and individuals are----
Ms. Clarke. So that brings me back around to the question
raised by Ranking Member Schakowsky. She broached this issue of
overnotification with you, and one of the concerns raised about
breach notification is notification fatigue or
overnotification. Would a negative presumption for notification
be effective in preventing overnotification?
Mr. Hartzog. I think that it is not so much as to whether
the presumption of harm trigger would be effective in
preventing overnotification. Certainly it would probably result
in fewer notifications. So then the question becomes is that a
good thing or a bad thing? And I again state that we
collectively lose out when notifications drop, even though
there have been breaches because there is value we can get from
notification. And also, overnotification is a problem not just
aided by reduction in notification, but we also need to
continue to experiment with the way notification is given.
There is a presumption maybe that notification is just a big
dense block of text that individuals would--it is very easy
just to look at and throw in the trash. One of the reasons we
still need to experiment, perhaps at the State law level, is
that we need to focus on the way notification is actually
delivered because there is a lot of opportunity there to avoid
oversaturation as well.
Ms. Clarke. Did any of you want to weigh in on the issue of
overnotification or concerns that your industries may have? Ms.
Glasgow?
Ms. Barrett-Glasgow. Yes. I will go back to H.R. 2221, and
the language that is in there I think is reasonable and good in
terms of both the risk of harm as well as the presumption of
notification unless it says the person shall be exempt from the
requirement, meaning the notification, if certain conditions
apply.
I think we have to be very careful about overnotification.
I think we have learned through not just breach notification
laws that exist today but also other requirements such as
Gramm-Leach-Bliley privacy notices that when consumers get
repeated information about risks or about even what a bank may
do with their data and there is no clear instruction as to what
to do, and there may not be any recourse other than watch your
accounts, that is possible, then they tend to get far more
complacent about them and potentially even not read the one
that really was the one that they needed to react and respond
to. So I think industry in general is very sensitive to the
overnotification problem.
Ms. Clarke. Let me just say very quickly in closing, is
there something that we can learn? Is there value to proceeding
with notifications simply in terms of uncovering what works
best? We are really in the advent of understanding exactly what
is taking place. We wanted to get a sense of whether in fact
there is value. Mr. Hartzog?
Mr. Hartzog. One of the great benefits of breach
notification statutes is it allows us to collect information
and then issue reports which could then benefit not only
companies but the field of data security generally because it
helps us know where threats are coming from, what the response
to those threats are, and how long it takes to respond.
Mr. Burgess. The gentlelady's time has expired. The Chair
thanks the gentlelady. The Chair now recognizes the vice chair
of the subcommittee, Mr. Lance, for 5 minutes for questions,
please.
Mr. Lance. Thank you, Mr. Chairman. This is a very
complicated issue, and we don't want to become the 48th and yet
we want strong protection. And I think it is going to be a
difficult needle to thread.
Ms. Glasgow, as I understand your testimony, you believe
that we threaded the needle relatively well in Gramm-Leach-
Bliley, is that accurate?
Ms. Barrett-Glasgow. As in regards to the security rule,
yes.
Mr. Lance. Yes. And do other distinguished members of the
panel have an opinion on that and how it might relate to what
we are attempting to do here? Ms. Hyman?
Ms. Hyman. As we think about harm and the risk of
overnotification and how we should be looking at this, we want
to make sure that the information that is exposed actually is
significant harm. So just having for example a name or address
on its own without other identifiable information like a Social
Security, these things need to be seen in context, and how we
thread that will be important.
Mr. Lance. Mr. Dodge?
Mr. Dodge. So I think the regulatory regimes that cover
businesses should reflect the businesses themselves, but
specific to notification, I believe that consumers should have
a strong expectation of how they would be notified if certain
information, personally identifiable information, is lost
regardless of the business itself. It should be based on the
data.
Mr. Lance. Professor Hartzog?
Mr. Hartzog. I think the Gramm-Leach-Bliley safeguards
protections have been quite effective. They are technology-
neutral and recognize data security as a process rather than
just a one-time thing. So I would say that that has been very
effective.
Mr. Lance. So this might be an area of agreement in the
panel, and I think this subcommittee and then the full
committee want to reach a point where we can report to the
floor a bipartisan bill that moves the Nation forward.
It has been a long time since I went to law school, but do
we look ultimately to fundamental principles of tort law,
Professor Hartzog, as to what we should be doing here?
Mr. Hartzog. I would caution against relying on tort law
too heavily, mainly because tort law is entrenched in a harm-
based mindset.
Mr. Lance. That is why I asked the question.
Mr. Hartzog. And we see that because of causation issues,
because it is very difficult to prove that one piece of
notification when compromised results in some kind of tangible
harm on the other end. I teach tort law, and causation is one
of the things you always end up getting tripped up on. And so I
would actually caution away against looking to tort law and
look into more general proactive regulatory principles.
Mr. Lance. I was taught tort law by John Wade who is the
reporter of the restatement in the law school not too far from
where you teach, just a little north of where you teach. How
about others on the panel regarding should we look at all to
tort law or is it not broad enough given our desire in a
bipartisan fashion to protect the public. Mr. Dodge?
Mr. Dodge. I know when I am out over my skis, so I
wouldn't----
Mr. Lance. I see.
Mr. Dodge [continuing]. Be able to comment on that.
Mr. Lance. I see. Ms. Glasgow?
Ms. Barrett-Glasgow. No, I am a technologist, not a lawyer
so--
Mr. Lance. OK. That speaks well of you. Ms. Hyman?
Ms. Hyman. Unfortunately, I have to join my colleagues on
that.
Mr. Lance. I see. I won't take all of my time, but let me
say that the chairman and I have discussed this at some length,
and we want to be able to report a bipartisan bill. But we
don't want this to be the 48th State. We want to move the
Nation forward, and we want strong consumer protection. And I
know the chairman is dedicated to that as am I, and I hope that
we can all work together. And I see some areas of agreement.
Thank you, Mr. Chairman.
Mr. Burgess. The Chair thanks the gentleman. The gentleman
yields back. The Chair recognizes the gentleman from
Massachusetts, Mr. Kennedy, 5 minutes for your questions,
please.
Mr. Kennedy. Thank you, Mr. Chairman. Thank you to the
witnesses for testifying today. Insightful hearing. I want to
build off actually some of the comments that my colleague, Mr.
Lance, just talked about and touched on and try to see if we
can thread that needle a little bit.
As he indicated, 47 States, the District of Columbia, Guam,
Puerto Rico, and the Virgin Islands have all enacted their own
laws requiring notification of security breaches involving
personal information. Some States, such as Massachusetts and
California, have mandated strong requirements. California's
data breach notification law requires that a person be notified
when their encrypted personal information has been or is
reasonably believed to have been acquired by an unauthorized
person, and the consumer has the right to know about all
breaches of personal information, not just those deemed capable
of doing harm.
Massachusetts law mandates that data owners provide notice
of a security breach to the State's Consumer Affairs Office,
State Attorney General, and the affected resident and include
any steps the data-holder has taken relating to the incident.
Professor Hartzog, some legislative proposals include
preemption of ``any provision of a law, rule, regulation,
requirement, standard, or other provision having force and
effect of law relating to either data security of personally
identifiable information or notification following a breach of
personal, identifiable information.'' As I understand it, that
would not be limited to the 47 States' statutes but it could,
building off of a comment a moment ago, also preempt tort law
and contract law. Seeing as you are a tort professor, is that
correct and can you just walk us through that a little bit?
Mr. Hartzog. Sure. So that strikes me as very broad
preemptive language and the kind of which I would recommend
against, precisely because while tort law isn't our best hope,
we still might actually find some hope in tort law, maybe not
in the tort of negligence which is very harm based, but perhaps
other theories. So some of the more successful theories at the
State level with regard to data security have been promises
made by companies about data security which is sort of a tort
and contract mixture. And for legislation to preempt that I
think would be very problematic, and I think we have to be very
careful about broad preemption with respect to Federal sector-
specific data security law as well because there are some
extremely important protections that exist throughout in
various different sectors.
And so that kind of preemptive language is exactly the kind
of preemptive language that would strike me as one that would
ultimately end up doing more harm than good based on how
significant it would seem to scale back protections for
consumers.
Mr. Kennedy. So building off of that, Professor, as I
understand it, Massachusetts data breach law has some strong
data security requirements which include the authority of the
Massachusetts Department of Consumer Affairs and Business
Regulation to issue regulations regarding data security. Would
those regulations then be preempted potentially by that
language that I just referenced? We obviously, yes, don't want
to add in another layer of regulation but want to make sure
that there is some strong consumer protection standards and
allow States to innovate here as well.
Mr. Hartzog. That is correct. That language would seem to
preempt the State law protections in Massachusetts as well as
all the other States that have data security requirements
related to it, and this is potentially problematic because
while the general approach to regulating data security seems
relatively consistent--we all want reasonable data security
practices which are relatively tethered to industry standards--
States and policymakers in general are still trying to figure
out exactly the best approach to that. And it would seem to be
a problem to set something in stone when we are still trying to
grapple with this very important issue.
Mr. Kennedy. OK. Thank you, Professor. I will yield back.
Mr. Burgess. The gentleman yields back. The Chair
recognizes the gentleman from Mississippi, Mr. Harper, 5
minutes for your questions, please.
Mr. Harper. Thank you, Mr. Chairman, and thanks to each of
you for being here. It is a great concern as to how you protect
the consumers and reduce the burden here and maybe prosecute
the bad guys. So there is a lot to be done. I don't know of a
company that is not greatly impacted and truly troubled by
this.
First question would be a follow-up, Mr. Dodge. Some have
suggested that consumers should receive notice from the company
that was breached, even if they have never interacted with that
company. Wouldn't it be clear for a consumer if they receive
notification about a breach from the company that they actually
gave the information to directly?
Mr. Dodge. So we think that the obligation to notify
creates a very important incentive to keep systems strong and
protect the information that companies hold. We would urge the
committee as it considers this to maintain that obligation but
allow for flexibility for businesses to contractually determine
the notifying party because I think there are situations that
you describe where that is appropriate. But to try to
contemplate all those situations would be problematic and could
undermine that important incentive.
Mr. Harper. Is there a risk to consumers that you could
create some confusion by duplicate notification from the
company they gave information to and also a third party? What
do you say about that?
Mr. Dodge. So again, I think the objective from all the
parties involved would be to make sure that it was a
streamlined and clear notification. And so that is why we would
argue that the value of maintaining that incentive is high, but
allowing flexibility for the parties involved as you described
to contractually determine who would distribute that notice.
Mr. Harper. And this would be a question to Ms. Hyman, you,
Mr. Dodge, and Ms. Glasgow. Some States trigger notification to
individuals after the company determines that there has been an
unauthorized access to their information while the majority of
States require notice upon a reasonable belief that the data
was acquired by an unauthorized party. So the data was actually
removed from the system. Is there a danger of overnotification
to consumers if the duty to notify individuals is triggered by
access but not acquisition?
Ms. Hyman. Yes, there is, and we think it is very important
that companies have an opportunity to do an appropriate risk
assessment to determine whether there has been actual access to
the information.
Mr. Harper. Mr. Dodge?
Mr. Dodge. We believe that it has to be at the time of the
confirmed breach. You want to be able to, in the wake of a
breach, to define the universe of affected individuals so that
the notice goes to the people who truly were or could be
impacted, rather than overly broad and catching people that
perhaps weren't affected.
Mr. Harper. OK. Ms. Glasgow?
Ms. Barrett-Glasgow. You know, the subtle difference
between access and acquisition is really kind of lost I think
in this debate in that if there is access and it is from an
unauthorized person, you more than likely have some potential
risk.
So if a company is assessing that, I think responsible
companies are going to err on the side of caution.
Mr. Harper. And Ms. Glasgow, earlier you testified when we
were talking about a national notification standard, you
mentioned a harm-based standard. In your eyes, who is best able
to determine if there is harm?
Ms. Barrett-Glasgow. Well, I think it is determined by a
number of parties. First, the company is the one that is on the
line to begin with to make that assessment based on their
understanding of what has happened. But beyond that, there are
various regulatory agencies, the FTC at the Federal level and
of course State AGs at the State level, that put teeth into
that analysis to make sure that that assessment is done
effectively and fairly for all parties.
Mr. Harper. Just as a comment. When you have 47 standards
and you have a company, most companies are national companies.
It is extremely confusing and difficult for them, and that is
why as we look toward a bipartisan approach to this, it is
going to be very important how we move forward.
Mr. Dodge, if I could ask you, while there are ongoing
discussions on how to establish a sensible time period in which
companies are required to notify consumers of a breach, I am
also interested in understanding what exactly or who exactly
would start the notification timeframe so there is no room for
misinterpretation of when companies are required to notify
consumers. I would imagine that your members would not want
this left up for interpretation after the fact. What are your
thoughts on when this clock should start and who should be
responsible for starting it?
Mr. Dodge. So we believe that the trigger should be the
confirmation of a breach, and at that point of course there are
lots of players who would be involved from law enforcement to
presumably regulators if Congress were to go down this path. I
think what is important to remember that there needs to be
flexibility in that timeline because there are a number of
steps that need to occur in order to ensure that the notice
that goes out provides actionable information. So you want to
first define the universe as I said a moment ago. Then you need
to train your staff because invariably when these notices are
received, it is going to lead to a number of questions. It
won't be limited to the phone number or whatever the method of
contact is on the notice. So you need to train staff in order
to be able to respond and help consumers protect themselves.
And then there is the complex process of sending out a
notice. It could be extremely large scale and making sure that
notices aren't just going into junk mailboxes.
Mr. Harper. And not meaning to cut you off, my time is
expired. Thank you, Mr. Chairman.
Mr. Burgess. The gentlelady yields back. The Chair thanks
the gentleman. The Chair now recognizes the gentleman from
Vermont, 5 minutes for your questions, please.
Mr. Welch. Thank you. I didn't know whether Mr. Rush was
ahead of me or not, but he tells me he is not from Vermont. So
I am OK to go. We would love to have you.
Thank you very much. This is extremely helpful. A couple of
the issues we are wrestling with is, number one, is preemption,
and in general, I favor nonpreemption but I have been persuaded
that if we can get the right standard, this is one of those
situations where it really makes sense to have preemption.
Let me just go down the line like my colleague, Marsha
Blackburn, did. If we have preemption, it is going to give I
think a lot more comfort to those of us who are willing to take
that step if the standard is stronger, and we have got a strong
standard in Illinois. We have got a strong standard in
California. In my conversations with some folks in the
industry, the advantage of a single standard makes them
supportive of a strong standard. And I want to just get each of
your views on that. In other words, if we have preemption, do
you support a relatively robust standard?
Ms. Hyman. We have spoken out in favor of significant harm
to the consumer. States are justifiably proud of the work that
they have done. The chairman of our IT security group is from
Massachusetts, but he, too, has shared with us the notion that
the patchwork has become unworkable----
Mr. Welch. Right. So----
Ms. Hyman [continuing]. For companies such as theirs. So--
--
Mr. Welch [continuing]. You get a single standard, a strong
standard is something you could support if you got preemption?
Ms. Hyman. Yes.
Mr. Welch. And how about you, Mr. Dodge?
Mr. Dodge. Again, based on the recognition in the case of
harm or risk to consumers, yes, we totally agree, and we
believe that the preemption is really, really critical.
Mr. Welch. OK. Thank you. Ms. Glasgow?
Ms. Barrett-Glasgow. Yes, the harm-based trigger tied with
Federal preemption is very acceptable.
Mr. Welch. OK. And Mr. Hartzog?
Mr. Hartzog. Well, I would say that if Federal legislation
is really going to move the ball forward and not actually strip
away existing protections, then we should not have a harm-based
trigger, and we should also, even to the extent that we should
have broad definitions of things like PII which we have now,
that may actually change in the future. And so we need to be
sure that we can change the law----
Mr. Welch. If I understood your testimony, though, you had
reservations about preemption, but you weren't categorically
opposed to it.
Mr. Hartzog. That is correct. That is right.
Mr. Welch. Your concern is that whatever our standard is,
it be robust.
Mr. Hartzog. That is right.
Mr. Welch. Correct?
Mr. Hartzog. So, so long as the standard is at or above
what we currently have now, then I think that we can continue
to move in the correct trajectory for data breach.
Mr. Welch. OK. Thank you for that. The other question is if
you have a single standard, can you have that be enforceable at
the local Attorney General level as well as at the Federal
level? And folks like Illinois, the Attorney General has been
very active in this. I know Vermont has been active in local
enforcement. Would there be any problem with allowing the
enforcement of that standard, both at the Federal and at the
State level, where people would have I think more confidence
that they would be heard? Let us go down the line.
Ms. Hyman. Sure. We understand and accept the notion that
the State Attorneys General should have the opportunity to
enforce or the FTC or the Federal body, but we would argue that
one should extinguish the other. In other words, you shouldn't
have those contemporaneously.
Mr. Welch. I see. OK. Mr. Dodge?
Mr. Dodge. Just building off that, I think we do recognize
that there is an important role for the State AGs to play in
this.
Mr. Welch. Thank you.
Ms. Barrett-Glasgow. Yes, I agree, and so long as the
coordination between State AGs and FTC is in place.
Mr. Welch. OK. Mr. Hyman [sic]?
Mr. Hartzog. I would agree that enforcement of the State
AGs would be desirable for a data breach.
Mr. Welch. OK. The other question I want to go to is this
whole issue of tort law, and I understand that is somewhat
injected into this. My understanding is, and correct me if I am
wrong, the issue of tort law just applies in general across
commerce and across noncommercial activity, and this committee,
I am not sure--fMr. Chairman, I thought you were correct in
your opening statement for acknowledging in some areas we
simply don't have the jurisdiction to get involved. And I am
thinking----
Mr. Burgess. Would the gentleman yield?
Mr. Welch. Yes, I will.
Mr. Burgess. For his purposes going forward, the Chair is
always correct.
Mr. Welch. That more or less settles it. But I see that
this whole question of tort law and whether there should be
some carve-out as really a separate question from the heart of
this legislation. There are a lot of folks that would love to
not ever have to worry about tort law, but that is across the
whole spectrum of any kind of activity in society, and taking
that challenge on in this legislation may be a burden that is
inappropriate to bear and too great to bear.
So I just want to get your comment as to whether some tort
provision in here in your mind is essential to getting some of
the good things that both sides seem to be supporting.
Ms. Hyman. Well, again, I will point out I am recovering
lawyer. So my familiarity with tort law is a little bit
obscured at this point in time. But the one thing I would say
is that we need to separate out and distinguish between good
actors and bad actors. And what this effort about data breach
notification is about is trying to provide clear lines of
responsibility between the companies and the consumer. There
are always going to be people that are bad actors, and they
should be punished.
Mr. Welch. Right.
Ms. Hyman. That is a different subject.
Mr. Welch. OK. Mr. Dodge?
Mr. Dodge. I, too, am not a lawyer, so I can't speak to the
details of tort law. But I would say that, you know, this whole
exercise is about empowering customers, consumers, with
expectations around how they would receive notice and
empowering businesses to conform to a standard.
Mr. Welch. All right. I see my time is expired. So the last
two dodged the bullet. Thank you. I yield back.
Mr. Burgess. The Chair thanks the gentleman. The Chair now
recognizes the gentleman from Texas, Mr. Olson, 5 minutes for
your questions, please.
Mr. Olson. Thank you, Mr. Chairman, and congratulations on
your first hearing of this important subcommittee, and welcome
to all of our witnesses. I assure you, I went to law school,
but you won't hear the word tort come out of my mouth through
my questions.
Unfortunately, in today's world, data breaches are
happening more and more often. Target, Home Depot, Neiman
Marcus, Sony Pictures all have been attacked by very different
bad actors. We have to be aggressive on account of this threat,
but it is a bit but, we must craft a balanced approach that
protects consumers without undue burdens upon business.
My first line of question is about notification. I want to
bore down the issue a little bit. My first question to you, Ms.
Hyman, is it realistic to require any company to notify
consumers within a set number of days after a breach occurs?
Ms. Hyman. Thank you, Congressman. First of all, I just
want to reiterate, businesses are incented to be responsible to
the consumer. This is about trying to make sure that the
consumer has information quickly and it is actionable.
There needs to be a reasonable period of time to do a risk
assessment to find out, as was pointed out by my colleague, was
there actual harm? You know, are there opportunities to remedy
that harm? What kind of messaging is being provided to the
workforce so that they can respond to the consumer when a
notice goes out? So a reasonable period of time needs to be in
place for risk assessment. Thereafter, if there is an
appropriate timeframe for the actual notification, that makes a
lot of sense.
Mr. Olson. How about if they have some notification, when
did this breach occur? Wouldn't we say that is where it
happened, that is where the notification period starts? I mean,
I am so confused when this clock starts running. Any idea when
that clock starts running, ma'am?
Ms. Hyman. I think you are saying does the clock start----
Mr. Olson. Yes, when does it start? You said it is
reasonable.
Ms. Hyman. When there is an actual breach.
Mr. Olson. OK. When does it start if it is reasonable? When
do we start the clock? When has the breach occurred?
Ms. Hyman. As soon as there is any type of information for
the company to take a look and do the risk assessment, they
have to do that within a reasonable period of time.
Mr. Olson. OK. Mr. Dodge, how about you, sir? Is there
reasonable required notification within a set number of days?
Mr. Dodge. So we would urge flexibility in determining what
that length of time is. As we have talked about, there are a
number of steps that need to occur. But in every instance, the
business entity that I am aware of has a desire to communicate
that quickly because they want to make sure they are limiting
any exposure or risk to those affected by the breach itself.
Mr. Olson. Ms. Glasgow, I know you are a UT Longhorn and
probably want to talk about this issue. Any concerns about
requiring notification of breaches?
Ms. Barrett-Glasgow. Yes. I think there are two. First, any
kind of deadline tends to become the norm, and some breaches
are a very simple or small breach. Notification can take place
in a matter of days or weeks if it is contained, a briefcase
that is lost or something that is easy to investigate.
A big, complicated breach like we saw with some of the
recent ones that you mentioned, take much longer. And so, you
know, we run the risk of extending a simple breach to 30 days
because that is the rule. But we also run the risk of not
having enough information to do the assessment. And the
notification process may be iterative. Through an
investigation, you don't always have all the facts immediately.
I mean, think about any criminal investigation that law
enforcement takes. You learn something, and from that you ask
more questions and from that you ask more questions. So it can
very much be an interactive process of learning over a fairly
extended period of time. So I think any kind of arbitrary
number is inappropriate.
You know, language like we suggested in our written
testimony that says without undue delay we think creates the
sense of urgency but doesn't necessarily penalize the very
complicated investigation.
Mr. Olson. And one final question about harmless breaches.
We all agree that there are breaches that are harmless, yes or
no? Ms. Hyman, yes or no, harmless breaches? We agree that some
breaches are harmless?
Ms. Hyman. Yes, there are some harmless breaches because of
the type of information that is accessed.
Mr. Olson. Mr. Dodge?
Mr. Dodge. Yes, of course there are situations where
intrusions can occur and no information has been taken.
Mr. Olson. Ms. Glasgow?
Ms. Barrett-Glasgow. Yes. I will give another example and
that is when the information that was taken is encrypted or is
essentially in some form that is unusable by the thief.
Mr. Olson. And Mr. Hartzog, Professor Hartzog?
Mr. Hartzog. I would say it depended on how you define
harm. There are lots of different ways to think about it. I
mean, was the breach a result of poor security practices, even
though it didn't result in financial harm? It resulted in
perhaps a breach of trust. Even if it is rendered unusable, if
the encryption standard--was it adequate to actually protect
the data? And so I would actually hesitate from saying yes to
that question simply because the way you define harm is
everything and that----
Mr. Olson. With you leaning yes, sir. I yield back.
Mr. Burgess. The gentleman yields back. The Chair thanks
the gentleman. The Chair now recognizes the former chairman of
the subcommittee, my longtime friend, Bobby Rush, from Chicago.
Mr. Rush. Thank you. Thank you, Mr. Chairman, and I want to
also congratulate you on your first hearing. It is an
outstanding hearing, and I want to congratulate all your
witnesses. They have provided fine testimony. And Mr. Chairman,
I am going to take your pronouncement under consideration that
you are always right, that you are never wrong. No, you said
you are always right. And I am going to really try to process
that because I am never wrong. So we have come to some kind of
mutual understanding and agreement on that, all right?
Mr. Chairman, I want to get to the matter of the day, and I
want to talk Dr. Hartzog. Dr. Hartzog, I am of the opinion that
somebody has got to be in charge of interpretation. Somebody
has got to be in charge of implementation, all right? And I
understand you call for regulation by multiple agencies in
their areas of expertise. Beauty is in the eye of the beholder,
and one of the issues that we are always struggling with in
this place is who has got the final say? Who has got
jurisdiction and what is it that they have jurisdiction over?
My question to you is, first of all, if you can kind of
explain to us and clarify what do you mean by regulation by
multiple agencies in their areas of expertise? Can you be a
little bit more clear in regards to that? And my second
question is do you believe that there should be one central
agency who could be the final authority on data security for
the Federal Government?
So will you try and clarify your perceptions in terms of
jurisdictional issues?
Mr. Hartzog. Sure. So thank you for the question. I think
that there should not be one entity that is in charge of data
security for the entire country simply because what constitutes
good data security and reasonable data security is so highly
dependent upon context and industry. And so we have already
existing numerous regulatory agencies, like the Federal
Communications Commission, HHS and HTSA, the FAA, many
different regulatory agencies, all of which have in some form
spoken and made some requirements for good data security or
looking into requirements for data security. And it is
imperative that we rely upon these multiple regulatory bodies
because they have expertise in very specific things. So the
Federal Communications Commission has well-developed expertise
in regulating telecommunications companies, satellite
companies, and cable companies and other intermediaries and the
specific data security requirements that apply in those
particular fields, which might differ than say a standard
commercial enterprise.
That being said, sometimes there is overlapping
jurisdiction, but what we have seen with multiple regulatory
agencies is we have seen that they can coexist. They work
together. Sometimes they have coordinated investigations.
Sometimes they reach memorandums of understanding where they
say, you know, you will handle certain kinds of data security
breaches, and we will handle other kinds.
And so that is what I meant by the importance of regulatory
bodies, multiple regulatory bodies.
Mr. Rush. I have a second question here, and this is
directed to Ms. Glasgow. The Federal Trade Commission called on
Congress to enact the legislation to allow consumers with
access to information held by data brokers. The Commission has
also recommended that one centralized Web site be created where
consumers can learn about how their data is used, correction to
inaccuracies of their data, and to opt out for marketing if
desired. Do you support these recommendations?
Ms. Barrett-Glasgow. We actually have gone so far as to
implement the recommendation to have one central site where
consumers can come and look at the data that Acxiom holds and
correct it and change it. And we continue to work with industry
on whether or not having a central site where everyone lists
themselves and a consumer goes there, how that might be
effective in terms of transparency. We certainly support the
objective that the FTC has stated relative to transparency.
Mr. Rush. I only have a few seconds, but can you share with
the committee some of your experiences? I mean, how do the
consumers, how do they go about it? How do they grade their
experience with Acxiom?
Ms. Barrett-Glasgow. Yes. The site requires the consumer to
log in and identify themselves because we are going to be
sharing the data that we have about them on that site. So we
have to know who they are, but once they have logged in and
established an account, then they can look at all the data that
we used for any of our marketing products. They can delete an
element. They can change an element, or they can completely opt
out of the whole process online, and it happens in real time.
We would encourage you to maybe go to the site and take a look.
It is called AboutTheData.com.
Mr. Rush. Thank you, Mr. Chairman. I yield back.
Mr. Burgess. The Chair thanks the gentleman. The gentleman
yields back. The Chair now recognizes the gentleman from
Florida, Mr. Bilirakis, 5 minutes for your questions.
Mr. Bilirakis. Thank you, Mr. Chairman. I appreciate it
very much, and again, thanks for holding this very important
hearing, and I really thank the panel as well. This is so
important to our consumers.
Consumers must be able to trust that information they
provide. They want to make sure that it is safe. They provide
the information to retailers, and the digital world where sales
are increasing online--you know, this trust is vital to our
economy. However, I do not believe such trust will be preserved
by the current patchwork of laws. We need a stable law that
ensures merchants are appropriately protecting consumers
without sacrificing prosperity.
The first question is for Mr. Dodge. You mentioned in your
testimony the benefits of the chip and PIN that we are
transitioning to nationwide. However, my understanding is that
a potential weakness exists for online transactions because the
payment card is not actually present. Doesn't that mean that
this technology and every other technology can be made obsolete
by criminals that quickly adapt to new technologies? It seems
to me that we need to ensure that what we pass into law meets
the threat and is not prescriptive of one type of technology?
Do you agree and what do you recommend?
Mr. Dodge. So just a couple of points first, specifically
chip and PIN is not scheduled to be rolled out later this year.
This has been a major point of tension between the merchant
community and the financial services community because the
expectation is the chip only is coming out. Chip and PIN has
been in place around the world for many, many years and has
been proven to dramatically reduce fraud. Retailers have argued
for a very long time that we should be moving to this
technology as quickly as possible because of its proven fraud
protection and because in the context of today's hearing, that
it has an important effect and devaluing the data that
businesses hold. So the information that flows through a
retailers system, at the point of sale, would be rendered
useless to criminals if they were able to captured, if you use
the chip and PIN system. We think it is absolutely critical.
To your point about evolving technologies, that is
absolutely true. It is the best technology. Chip and PIN is the
best technology that is available today, and we are years
behind the rest of the world in catching up to it. And as a
result, we are behind. When chip and PIN was introduced in
Europe, we saw fraud flow in two directions, online in Europe
to you point and to the United States because it became the
lowest common denominator.
As for long-term solutions, we believe the chip and PIN
serves a near-term need, and we need to evolve to next
generation because as you suggest, the world is moving online.
E-commerce is booming online.
Mr. Bilirakis. Thank you very much. The next question is
for the entire panel. Some of the recent data breaches were
caused by third parties, such as contractors. What
recommendations would you make if any to address when these
situations occur? We will start over here, if that is OK with
Ms. Hyman.
Ms. Hyman. Well, first of all, with regard to third
parties, again, many of our member companies are solution
providers, those third parties that you may be talking about.
Human error continues to be one of the greatest causes of data
breach, and I think doing best practices for the industry and
for all companies involved on how to mitigate some of those
human errors is very important. Education, ongoing efforts, we
have an IT trust mark, security trust mark, which is a
benchmark for an organization to undertake appropriate
practices for data security. So all of these pieces come into
play, but having a standard for data breach notification also
puts everybody on notice about what the consumer needs to know
in a timely and actionable way.
Mr. Bilirakis. Mr. Dodge?
Mr. Dodge. The questions about third-party----
Mr. Bilirakis. The third party, with regard to third
parties, correct.
Mr. Dodge. Yes. So we think that it is important. It is
important incentive that the breached entity be obligated to
make the notice, but flexibility should exist for parties to
contractually determine in the instance of a breach who should
issue the notice.
Mr. Bilirakis. Thank you. Yes, ma'am.
Ms. Barrett-Glasgow. As a vendor, we see lots of increasing
requirements from our clients to not only adhere to security
standards but to have indemnification if a breach occurs in our
environment of the data that we are holding and processing for
them.
Mr. Bilirakis. Thank you. Mr. Hartzog?
Mr. Hartzog. My recommendation would be maybe, if there is
even a possible compromise here, which is if breached entities
have no relationship to the consumer whose data they hold. Then
perhaps there could be some kind of requirement where you would
have to disclose the relationship--say, ``We got this
information from an entity that collected your personal
information, which is why you don't recognize us. But we were
breached.'' So that could be one way to handle that.
Mr. Bilirakis. OK, Mr. Chairman. I actually have one more
question if you----
Mr. Burgess. Ask unanimous consent that the gentleman be
able to ask his question. Without objection, so ordered.
Mr. Bilirakis. Thank you.
Mr. Burgess. It is an immense power that I wield here, Gus.
Mr. Bilirakis. OK, for the panel again, keeping in mind the
touchstone of this process is notifying an individual in the
event that they need to mitigate the economic risks associated
with a breach, which entity is in the best position to notify
individuals after a breach? Is there a reason to deviate from
the structure that the States have used? And we will start with
Ms. Hyman, please.
Ms. Hyman. Are you asking in terms of who is responsible
for the notification or which enforcement agency?
Mr. Bilirakis. Who would be responsible for the
notification.
Ms. Hyman. We want to make sure that we are, again, not
overnotification or confusing the consumer. So that entity with
which they have provided their information to that would have
done the transaction would be the first source. Then
contractually--and I come back to the previous question about
third parties. There are contractual relationships beyond that.
Mr. Bilirakis. Again, with regard to the States, how would
you----
Ms. Hyman. We said that the State Attorneys General should
have enforcement opportunities. If it is also the FTC that is
undertaking enforcement, one should extinguish the other. They
should not happen simultaneously.
Mr. Bilirakis. Very good. I am sorry. I am having a little
trouble hearing. I apologize. Mr. Dodge, please.
Mr. Dodge. Sure. We strongly believe that the obligation to
notify should be with the breached entity and then again,
flexibility among parties to contractually determine who sends
the notification, if it makes more sense for somebody else to
send it. And we agree the State Attorneys General have an
important role to play in this.
Mr. Bilirakis. Very good. Thank you. Please.
Ms. Barrett-Glasgow. In the interest of time, I will agree.
Mr. Bilirakis. OK. Very good.
Mr. Hartzog. And I would agree that the current trajectory
of the State law is what I would recommend.
Mr. Bilirakis. Thank you very much. I appreciate it. I
yield back, Mr. Chairman. Thanks for allowing me to ask that
last question.
Mr. Burgess. The Chair thanks the gentleman. The gentleman
does yield back. Seeing no further members wishing to ask
questions, I would like to thank the witnesses and members for
their participation in today's hearing. Before we conclude, I
would like to include the following documents to be submitted
for the record by unanimous consent: a letter on behalf of the
Consumer Electronics Association; a letter on behalf of the
Direct Marketing Association; a joint letter on behalf of the
American Bankers Association, the Consumer Bankers Association,
the Credit Union National Association, Financial Services
Roundtable, Independent Community Bankers Association, the
National Association of Federal Credit Unions; an additional
letter on behalf of the Marketing Research Association; a
letter on behalf of the National Retail Federation; a letter on
behalf of the National Association of Federal Credit Unions; a
joint letter on behalf of the Consumer Data Industry
Association, the Interactive Advertising Bureau, the National
Business Coalition on E-Commerce and Privacy, and the National
Retail Federation, the United States Chamber of Commerce; and a
joint statement for the record on behalf of the National
Association of Convenience Stores and the Society of
Independent Gasoline Marketers of America.
Pursuant to committee rules, I remind members that they
have 10 business days to submit additional questions for the
record, and I ask the witnesses submit their response within 10
business days upon receipt of the questions.
Without objection, all of the statements are entered into
the record.
And without objection, the subcommittee is adjourned.
[Whereupon, at 12:50 p.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
[GRAPHICS NOT AVAILABLE TIFF FORMAT]
[all]