[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


        WHAT ARE THE ELEMENTS OF SOUND DATA BREACH LEGISLATION?

=======================================================================

                                 HEARING

                               BEFORE THE

           SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            JANUARY 27, 2015

                               __________

                            Serial No. 114-4
                            
                            



      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov
                        
                        
                                 ____________
                               
                               
                          U.S. GOVERNMENT PUBLISHING OFFICE
20-396 PDF                       WASHINGTON : 2016                            





                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman

JOE BARTON, Texas                    FRANK PALLONE, Jr., New Jersey
  Chairman Emeritus                    Ranking Member
ED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois               ANNA G. ESHOO, California
JOSEPH R. PITTS, Pennsylvania        ELIOT L. ENGEL, New York
GREG WALDEN, Oregon                  GENE GREEN, Texas
TIM MURPHY, Pennsylvania             DIANA DeGETTE, Colorado
MICHAEL C. BURGESS, Texas            LOIS CAPPS, California
MARSHA BLACKBURN, Tennessee          MICHAEL F. DOYLE, Pennsylvania
  Vice Chairman                      JANICE D. SCHAKOWSKY, Illinois
STEVE SCALISE, Louisiana             G.K. BUTTERFIELD, North Carolina
ROBERT E. LATTA, Ohio                DORIS O. MATSUI, California
CATHY McMORRIS RODGERS, Washington   KATHY CASTOR, Florida
GREGG HARPER, Mississippi            JOHN P. SARBANES, Maryland
LEONARD LANCE, New Jersey            JERRY McNERNEY, California
BRETT GUTHRIE, Kentucky              PETER WELCH, Vermont
PETE OLSON, Texas                    BEN RAY LUJAN, New Mexico
DAVID B. McKINLEY, West Virginia     PAUL TONKO, New York
MIKE POMPEO, Kansas                  JOHN A. YARMUTH, Kentucky
ADAM KINZINGER, Illinois             YVETTE D. CLARKE, New York
H. MORGAN GRIFFITH, Virginia         DAVID LOEBSACK, Iowa
GUS M. BILIRAKIS, Florida            KURT SCHRADER, Oregon
BILL JOHNSON, Ohio                   JOSEPH P. KENNEDY, III, 
BILLY LONG, Missouri                 Massachusetts
RENEE L. ELLMERS, North Carolina     TONY CARDENAS, California
LARRY BUCSHON, Indiana
BILL FLORES, Texas
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
RICHARD HUDSON, North Carolina
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota


           Subcommittee on Commerce, Manufacturing, and Trade

                       MICHAEL C. BURGESS, Texas
                                 Chairman
                                     JANICE D. SCHAKOWSKY, Illinois
LEONARD LANCE, New Jersey              Ranking Member
  Vice Chairman                      YVETTE D. CLARKE, New York
MARSHA BLACKBURN, Tennessee          JOSEPH P. KENNEDY, III, 
GREGG HARPER, Mississippi                Massachusetts
BRETT GUTHRIE, Kentucky              TONY CARDENAS, California
PETE OLSON, Texas                    BOBBY L. RUSH, Illinois
MIKE POMPEO, Kansas                  G.K. BUTTERFIELD, North Carolina
ADAM KINZINGER, Illinois             PETER WELCH, Vermont
GUS M. BILIRAKIS, Florida            FRANK PALLONE, Jr., New Jersey (ex 
SUSAN W. BROOKS, Indiana                 officio)
MARKWAYNE MULLIN, Oklahoma
FRED UPTON, Michigan (ex officio)

                                  
                                  
                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Michael C. Burgess, a Representative in Congress from the 
  State of Texas, opening statement..............................     2
    Prepared statement...........................................     3
Hon. Leonard Lance, a Representative in Congress from the State 
  of New Jersey, opening statement...............................     4
Hon. Janice D. Schakowsky, a Representative in Congress from the 
  State of Illinois, opening statement...........................     5
    Prepared statement...........................................     6
Hon. Fred Upton, a Representative in Congress from the State of 
  Michigan, opening statement....................................     8
    Prepared statement...........................................     8
Hon. Frank Pallone, Jr., a Representative in Congress from the 
  State of New Jersey, opening statement.........................    10
    Prepared statement...........................................    11

                               Witnesses

Elizabeth Hyman, Executive Vice President, Public Policy, 
  TechAmerica, Computing Technology Industry Association.........    12
    Prepared statement...........................................    15
    Answers to submitted questions...............................    97
Brian A. Dodge, Executive Vice President, Communications and 
  Strategic Initiatives, Retail Industry Leaders Association.....    26
    Prepared statement...........................................    28
    Answers to submitted questions \1\...........................   102
Jennifer Barrett-Glasgow, Global Privacy Officer, Acxiom 
  Corporation....................................................    34
    Prepared statement...........................................    36
    Answers to submitted questions...............................   103
Woodrow Hartzog, Associate Professor of Law, Cumberland School of 
  Law, Samford University........................................    43
    Prepared statement...........................................    45
    Answers to submitted questions...............................   108

                           Submitted Material

Letter of January 27, 2015, from Gary Shapiro, President and 
  Chief Executive Officer, Consumer Electronics Association, to 
  Mr. Burgess and Ms. Schakowsky, submitted by Mr. Burgess.......    74
Letter of January 26, 2015, from Peggy Hudson, Senior Vice 
  President, Government Affairs, Direct Marketing Association, to 
  Mr. Burgess and Ms. Schakowsky, submitted by Mr. Burgess.......    76
Letter of January 23, 2015, from American Bankers Association, et 
  al., to Mr. Burgess and Ms. Schakowsky, submitted by Mr. 
  Burgess........................................................    78
Letter of January 26, 2015, from Howard Fienberg, Director of 
  Government Affairs, Marketing Research Association, to Mr. 
  Burgess and Ms. Schakowsky, submitted by Mr. Burgess...........    80
Letter of January 27, 2015, from David French, Senior Vice 
  President, Government Relations, National Retail Federation, to 
  Mr. Burgess and Ms. Schakowsky, submitted by Mr. Burgess.......    81
Letter of January 23, 2015, from Carrie R. Hunt, Senior Vice 
  President of Government Affairs and General Counsel, National 
  Association of Federal Credit Unions, to Mr. Burgess and Ms. 
  Schakowsky, submitted by Mr. Burgess...........................    83

Letter of January 27, 2015, from Consumer Data Industry 
  Association, et al., to Mr. Burgess and Ms. Schakowsky, 
  submitted by Mr. Burgess.......................................    86
Statement of National Association of Convenience Stores and 
  Society of Independent Gasoline Marketers of America, January 
  27, 2015, submitted by Mr. Burgess.............................    88

----------
\1\ Mr. Dodge did not answer submitted questions for the record by the 
time of printing.

 
        WHAT ARE THE ELEMENTS OF SOUND DATA BREACH LEGISLATION?

                              ----------                              


                       TUESDAY, JANUARY 27, 2015

                  House of Representatives,
Subcommittee on Commerce, Manufacturing, and Trade,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 11:06 a.m., in 
room 2123 of the Rayburn House Office Building, Hon. Michael C. 
Burgess (chairman of the subcommittee) presiding.
    Members present: Representatives Burgess, Lance, Blackburn, 
Harper, Guthrie, Olson, Kinzinger, Bilirakis, Mullin, Upton (ex 
officio), Schakowsky, Clarke, Kennedy, Cardenas, Rush, 
Butterfield, Welch, and Pallone (ex officio).
    Staff present: Charlotte Baker, Deputy Communications 
Director; Leighton Brown, Press Assistant; Graham Dufault, 
Counsel, Commerce, Manufacturing, and Trade; Melissa Froelich, 
Counsel, Commerce, Manufacturing, and Trade; Kirby Howard, 
Legislative Clerk; Paul Nagle, Chief Counsel, Commerce, 
Manufacturing, and Trade; Olivia Trusty, Counsel, Commerce, 
Manufacturing, and Trade; Michelle Ash, Democratic Counsel, 
Commerce, Manufacturing, and Trade; Jeff Carroll, Democratic 
Staff Director; Lisa Goldman, Democratic Counsel, Commerce, 
Manufacturing, and Trade; Tiffany Guarascio, Democratic Deputy 
Staff Director; and Meredith Jones, Democratic Director of 
Outreach and Member Services.
    Mr. Burgess. Well, good morning, everyone. Before we begin 
our first subcommittee meeting of the 114th Congress, the 
ranking member and I would like to briefly recognize new 
members of the subcommittee. For the benefit of the ranking 
member, I am not a new member. I was on this subcommittee 
several terms ago. So I am back on the subcommittee. For that I 
am grateful, but on the majority side--I don't believe she has 
joined us yet--but we have Ms. Brooks representing the 5th 
District of Indiana and Mr. Markwayne Mullin representing 
Oklahoma's 2nd District. Welcome to the committee, welcome to 
the subcommittee. We are grateful and excited to have you on 
board. For the minority, Subcommittee Ranking Member Schakowsky 
will introduce her new members.
    Ms. Schakowsky. Thank you, Mr. Chairman, for just letting 
me say how much I look forward to working with you on this 
subcommittee. New members include Yvette Clarke. She represents 
New York's 9th Congressional District as a proud Brooklyn 
native with strong roots planted in her Jamaican heritage. She 
is an outspoken advocate for her district, always working to 
champion the middle class and those who aspire to reach it. Her 
district has become a center of innovation for health care and 
includes some of the best hospitals, trade associations, and 
businesses in the industry. I look forward to her bringing her 
tenacity, deep knowledge, and enthusiasm to this subcommittee.
    Next to her is Joe Kennedy, who serves the people of 
Massachusetts' 4th, has dedicated his life to public service, 
and brings with him a firm commitment to social justice and 
economic opportunity. Joe has previously served in the Peace 
Corps, worked as an International Development Analyst for the 
United Nations' Millennium Project, and as an anti-poverty 
consultant abroad. I know that he will bring that passion for 
public service and economic growth to everything he does on the 
subcommittee. And not here now but also a new member of the 
subcommittee is Tony Cardenas representing California's 29th 
Congressional District. He has made a name for himself by 
always advocating strongly on behalf of his constituents on 
issues like juvenile justice, immigration, higher education, 
and economic improvement. He has brought hard work and 
dedication to his 16 years of public service on behalf of the 
people of the Northeast San Fernando Valley. As a former small 
business owner, an engineer, head of the California Budget 
Committee, and as a leader in environmental progress in the 
City of Los Angeles, I am certain Tony will be able to lend his 
expertise to our subcommittee's progress. Thank you, Mr. 
Chairman.
    Mr. Burgess. Thank you, Ranking Member Schakowsky. We 
welcome all members of the subcommittee back and look forward 
to working with each and every one of you in the 114th 
Congress.
    Before I get started, I also want to recognize a visiting 
delegation of the legislative staff from the Parliaments of 
Georgia, Kosovo, Macedonia, and Nepal through the House 
Democracy Partnership. They are in town for a seminar on 
strengthening committee operations and are observing today's 
hearing as part of the program. I hope they are able to learn a 
great deal, both today and during their tenure here the rest of 
the week.
    Ms. Schakowsky. Mr. Chairman, could they acknowledge 
themselves so we can all see who they are? Great. Thank you.
    Mr. Burgess. Welcome. Thank you for coming. I am glad you 
were able to make it here with the weather.
    The Subcommittee on Commerce, Manufacturing, and Trade will 
now come to order. I will recognize myself for 5 minutes for 
the purposes of an opening statement.

OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE 
              IN CONGRESS FROM THE STATE OF TEXAS

    The purpose of today's hearing is to move one step closer 
to a single, Federal standard on data security and breach 
notification. Increasingly, our personal details, which we need 
to verify financial transactions, are converted into data and 
uploaded to networks of servers, and not always can those 
servers be protected with a simple lock and key. We benefit 
immensely from the quick access and command this system gives 
us. Global commerce is literally at our fingertips on a daily 
basis.
    And yet such a dynamic environment brings with it dynamic, 
evolving risks. As our options multiply, so must our defensive 
measures. Those defensive measures must adapt quickly. As 
several commentators have noted in testimony before this 
subcommittee, it is no longer a matter of if a breach occurs. 
It is when and what happens when.
    Even so, questions remain as to whether businesses are 
doing enough to prevent security breaches. That is why I 
believe Federal legislation should include a single but 
flexible data security requirement. Now, about 12 States have 
already implemented such a requirement on commercial actors 
that are not banks or health care providers.
    A single requirement across the States would give companies 
some confidence that their methods are sound in handling 
electronic data, an inherently interstate activity. Moreover, 
it would put all companies on notice that if you fail to keep 
up with other companies, if you aren't learning from other 
breaches, you will be subject to Federal enforcement.
    Indeed, too many resources are spent trying to understand 
the legal obligations involved with data security and breach 
notification. Certainty would allow those resources to be spent 
on actual security measures and notifications to affected 
consumers.
    As we discuss the necessary elements of a data breach bill, 
there are a few considerations that I want to mention. First, 
there is a limited window for us to act. Criminal data breaches 
have grabbed the headlines for about a decade, but a consensus 
solution has thus far eluded Federal legislators. This 
committee is calling for action, the President asked for 
legislation with national breach notification, and the Senate 
has legislation in front of it with a national standard.
    But most importantly, it is our consumers who are calling 
for legislation, thus giving us the time to act.
    Second, this legislation is limited to this committee's 
jurisdiction. The surest way to deny consumers the benefits of 
Federal data security legislation is to go into areas beyond 
our jurisdiction. Specifically, the health care and the 
financial sectors have their own regimes. If we aim to rewrite 
rules for those sectors, then it will be years, perhaps 
decades, before a bill is signed into law. That is not to say 
that we will ignore those issues. But they may need to be taken 
up separately.
    Third, our aspiration at this point is that legislation 
comes forward with bipartisan support, and I do sincerely believe 
that that is an achievable goal.
    With this hearing, I aim to understand the policy points 
where stakeholder compromise is possible. We are seeking to 
find agreement not only between the two sides of the dais but 
also between stakeholders with divergent interests. The sooner 
we understand the most important principles, the smoother 
negotiations will go over the next several months.
    [The prepared statement of Mr. Burgess follows:]

             Prepared statement of Hon. Michael C. Burgess

    The purpose of today's hearing is to move one step closer 
to a single, Federal standard on data security and breach 
notification.
    Increasingly, our personal details--which we need to verify 
financial transactions--are converted into data and uploaded to 
networks of servers that can't be protected with a simple lock 
and key.
    We benefit immensely from the quick access and command this 
system gives us--the world's merchants are at our fingertips.
    And yet such a dynamic environment brings with it a dynamic 
and evolving set of risks. As our options multiply, so must our 
defensive measures.
    Those defensive measures must adapt quickly. As several 
commentators have noted in testimony before this subcommittee, 
it is no longer a matter of if a breach occurs, but when.
    Even so, questions remain as to whether businesses are 
doing enough to prevent security breaches.
    This is why I believe Federal legislation should include a 
single--but flexible--data security requirement. Now, about 12 
States have already implemented such a requirement on 
commercial actors that are not banks or health care providers.
    A single requirement across the States would give companies 
some confidence that their methods are sound in handling 
electronic data, an inherently interstate activity.
    Moreover, it would put all companies on notice that if you 
fail to keep up with other companies and if you aren't learning 
from other breaches, you will be subject to Federal 
enforcement.
    Indeed, too many resources are spent trying to understand 
the legal obligations involved with data security and breach 
notification. Certainty would allow those resources to be spent 
on actual security measures and notifications to affected 
consumers.
    As we discuss the necessary elements of a data breach bill, 
there are a few considerations I want to mention.
    First, there is a limited window for us to act. Criminal 
data breaches have grabbed headlines for about a decade, but a 
consensus solution has thus far eluded Federal legislators.
    This committee is calling for action, the President is 
calling for legislation with a national breach notification 
regime, and the Senate has legislation with a national 
standard. But most importantly, consumers are calling for 
legislation--the time to act is now.
    Second, this legislation is limited to this committee's 
jurisdiction; the surest way to deny consumers the benefits of 
Federal data security legislation is to visit areas beyond our 
jurisdiction.
    Specifically, the healthcare and financial sectors have 
their own regimes. If we aim to rewrite rules for those sectors 
then it will be years before a bill is signed into law.
    That is not to say that we will ignore those issues. But 
they may need to be taken up separately. Third, our aspiration 
at this point is for legislation with bipartisan support and I 
believe that is achievable.
    With this hearing, I aim to understand the policy points 
where stakeholder compromise is possible. We are seeking to 
find agreement not only between the two sides of the aisle, but 
also between stakeholders with divergent interests.
    The sooner we understand the very most important 
principles, the smoother negotiations will go over the next 
couple months.

    Mr. Burgess. With that, I do want to thank our witnesses 
for the testimonies that they have provided us and representing 
their interests candidly in the spirit of compromise. And I 
would like to recognize the vice chair of the subcommittee, Mr. 
Leonard Lance of New Jersey.

 OPENING STATEMENT OF HON. LEONARD LANCE, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF NEW JERSEY

    Mr. Lance. Thank you, Mr. Chairman, and it is an honor to 
serve under your leadership as the new chair of the 
subcommittee, and I am sure you will do a superb job.
    Well, the debate over data breach legislation has continued 
for several years. The issue has been brought to the forefront 
by unfortunate, high-profile breaches recently, and of course, 
the most recent is the Sony Pictures hack at the end of last 
year.
    The question of how to proceed on data breach reform has 
wide implications for both businesses and consumers alike. 
Today businesses that attempt to report a breach must navigate 
through a complex labyrinth of 47 State laws which are not all 
the same. Each State has answered the following questions in 
its own way: What is defined as an event trigger? What is the 
appropriate timeframe by which companies must notify consumers 
that their identifiable information has been breached? Who is 
responsible for notifying affected consumers?
    The lack of certainty of these regulations places an undue 
burden on businesses trying to report a breach properly and an 
undue burden on consumers. Federal law will streamline 
regulations, give certainty to businesses resulting in greater 
compliance and also to consumers who suffer a data breach.
    However, it is my belief that it will only be effective if 
it preempts the patchwork of 47 State laws. The debate over 
Federal data breach legislation has continued over the span of 
several Congresses. It is my hope that we can pass effective, 
bipartisan data breach legislation this year.
    Thank you, Mr. Chairman.
    Mr. Burgess. The Chair thanks the gentleman. The Chair now 
recognizes the subcommittee ranking member, Ms. Schakowsky, for 
5 minutes for the purpose of an opening statement.

       OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A 
     REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS

    Ms. Schakowsky. Thank you, Mr. Chairman, for holding 
today's important hearing on what to include in a Federal 
legislative approach to the challenges of data security and 
breach notification.
    I look forward to our work together in the 114th Congress, 
and this is a great issue to open up with.
    Data security is one of the most important issues that this 
subcommittee will consider this year. In the State of the Union 
last week, the President urged us to pass legislation that will 
better protect against cyberattacks and identity theft. I look 
forward to working with the White House and my colleagues on 
both sides of the aisle to meet that goal.
    Since 2005, over 900 million records with personally 
identifiable information have been compromised. The recent 
uptick in high-profile data breaches including those of Target, 
Home Depot, Neiman Marcus, and Michael's prove two important 
points: One, just about every retailer and many nonretailers 
that we engage with are collecting and storing our personal 
information, credit card numbers, contact information, and much 
more. And two, hackers are growing in number and becoming more 
sophisticated in their attempts to access that personal 
information, and they are having more success. From programming 
home security systems and thermostats from hundreds of miles 
away, to remembering shopping preferences and account 
information, to connecting with friends over the Internet, 
Americans benefit in many ways from an increasingly data-driven 
world. But that doesn't mean we should sacrifice our right to 
have our personal information appropriately protected or our 
right to know if and when that data has been compromised.
    There are a variety of State laws regarding data security 
standards and breach notification requirements. However, there 
is no comprehensive Federal standard for appropriate protection 
of personally identifiable information, nor are there Federal 
requirements in place to report data breaches to those whose 
personal information has been exposed. And I firmly believe 
that legislation to address that data breach threat must 
include those two safeguards.
    It is important to say that no legislation to require data 
security standards and breach notification will completely 
eliminate the threat of data breach. That being said, entities 
that collect and store personal information must take 
reasonable steps to protect data, and consumers must be 
informed promptly in the event of a breach.
    And while I clearly believe that the Federal Government 
should have a role in data breach--that is what we have been 
working toward--I also believe that there have been many 
important protections that are at the State level that we don't 
want to eliminate when we do Federal legislation, perhaps even 
eliminating rights and protections that would not be guaranteed 
under Federal statute. We have to be sure that we don't weaken 
protections that consumers expect and deserve. If we include 
Federal preemption of some of those things or if we don't 
include those good things in Federal legislation, then I think 
that would be a serious mistake at this point.
    I also believe that if we include Federal preemption, we 
must ensure that State Attorneys General are able to enforce 
the law, something my Attorney General has made very, very 
clear.
    So I think we can achieve all these goals working together, 
get a good, strong Federal bill that makes consumers feel 
confident that we have taken the appropriate steps.
    [The prepared statement of Ms. Schakowsky follows:]

            Prepared statement of Hon. Janice D. Schakowsky

    Thank you, Mr. Chairman, for holding today's important 
hearing on what to include in a Federal legislative approach to 
the challenges of data security and breach notification. I look 
forward to our work together in the 114th Congress, and this is 
a great issue to open with.
    Data security is one of the most important issues that this 
subcommittee will consider this year. In the State of the Union 
last week, the President urged us to pass legislation that will 
better protect against cyberattacks and identity theft. I look 
forward to working with the White House and my colleagues on 
both sides of the aisle to meet that goal.
    Since 2005, over 900 million records with personally 
identifiable information have been compromised. The recent 
uptick in high profile data breaches--including those of 
Target, Home Depot, Neiman Marcus, and Michael's--proves two 
important points:
    1. Just about every retailer--and many nonretailers--that 
we engage with are collecting and storing our personal 
information--credit card numbers, contact information, and much 
more.
    2. Hackers are growing in number and becoming more 
sophisticated in their attempts to access that personal 
information--and they are having more success.
    From programming home security systems and thermostats from 
hundreds of miles away to remembering shopping preferences and 
account information to connecting friends over the Internet, 
Americans benefit in many ways from an increasingly data-driven 
world. But that doesn't mean we should sacrifice our right to 
have our personal information appropriately protected, or our 
right to know if and when that data has been compromised.
    There are a variety of State laws regarding data security 
standards and breach notification requirements. However, there 
are no comprehensive Federal standards for appropriate 
protection of personally identifiable information. Nor are 
there Federal requirements in place to report data breaches to 
those whose personal information has been exposed. I firmly 
believe that legislation to address the data breach threat must 
include those two safeguards.
    It is important to say that no legislation to require data 
security standards and breach notification will completely 
eliminate the threat of data breach. That being said, entities 
that collect and store personal information must take 
reasonable steps to protect data, and consumers must be 
informed promptly in the event of a breach.
    While I clearly believe the Federal Government should have 
a role on data breach, I am concerned about the impacts of 
Federal legislation that would pre-empt State law. Federal 
preemption could weaken important consumer protections--perhaps 
even eliminating rights and protections that would not be 
guaranteed under a Federal statute. We must be sure not to 
weaken the protections consumers expect and deserve. If we 
include Federal preemption, we must ensure that State Attorneys 
General are able to enforce the law.
    I look forward to hearing the views and perspectives of our 
panel on the Federal role in this important issue. I yield back 
the balance of my time.

    Ms. Schakowsky. And let me with my remaining time yield to 
Peter Welch for his comments.
    Mr. Welch. Thank you very much. Mr. Chairman and Ranking 
Member, you both nailed it with your description of what we are 
doing. It is pretty astonishing that with the use of computers, 
two things still have not been done at the Federal level: one, 
to provide data breach security, and number two, to provide 
notice to consumers. Consumers receive notice when they have 
been harmed, but they don't need notice just to scare them. And 
we have bipartisan momentum here, thanks to Chairman Upton and 
my colleague Marsha Blackburn, who I have been working with, 
and Congressman Rush has been working on this for a long time. 
So we have got a foundation here.
    The practical challenges, those are the ones we have to 
resolve. What do we do about a national standard? What do we do 
about having enforcement at the AG level, something I agree 
with Ms. Schakowsky on. What is the notice standard? When 
should consumers be notified? How do you give some time for a 
company that has been breached to do law enforcement, 
investigation, and inquiry into what the scope of the breach 
was? These are more or less practical issues. And I think the 
chairman has set a good tone here where we have a common 
objective, and we don't have ideological differences. We have 
practical differences. And the hope I think of all of us with 
the foundation that has been laid by my predecessors is to find 
some common-sense, legitimate balancing of the interests so 
that at the end of the day we do protect consumers with data 
breach security, we give some reasonable certainty to our 
companies, and we have a standard that is robust and strong. I 
yield back.
    Mr. Burgess. I thank the gentleman. The gentleman yields 
back. The Chair now recognizes the chairman of the full 
committee, Mr. Upton, for 5 minutes for an opening statement.

   OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Upton. Thank you, Mr. Chairman, and it has been noted 
this committee does have a strong tradition of bipartisan 
cooperation and problem solving. In this spirit, today we 
continue our focus on the key elements to pass a Federal data 
breach law, a priority that the President identified in his 
State of the Union address just last week. I look forward to 
working with the White House, Dr. Burgess, and members of this 
committee on both sides of the aisle to accomplish that goal.
    Criminal cyberhacking presents a serious risk of economic 
harm to consumers and businesses alike. From small mom-and-pop 
shops in my district in Southwest Michigan to global Fortune 
100 companies, the unfortunate reality is that companies of all 
sizes are at risk of having information hacked.
    This committee will be examining a series of issues 
relating to cybersecurity in this Congress. Where the 
conversation begins today is with a data breach bill, and I 
want to encourage all members and the public to focus on 
getting that issue right before we try to tackle some of the 
other concerns. There are significant privacy issues in an 
online economy, and some of those will have to be addressed 
separately.
    Let us also be clear that this isn't a financial services 
bill. We cannot let data breach legislation be sunk by 
extraneous issues.
    Today's hearing will examine two discrete issues related to 
the complex effects of cybercrime, commercial data security and 
breach notification to consumers. There is a real opportunity 
this Congress to set a single, national standard for data 
security and breach notification. I personally believe that a 
single, Federal standard is the key to passing a solution. The 
trade-off is that it has to be a strong, consumer-friendly law, 
one that has real protections and real enforcement. Both the 
FTC and State AGs have shown that this is an area that they 
would police very effectively. Our role is to strike the right 
balance on when notification is required, how timely it needs 
to be, and what information leads to identity theft.
    Setting a national standard benefits consumers by ensuring 
that every business must look at their activities and make 
certain that they are taking reasonable security measures. A 
national standard allows businesses to focus on securing 
information and systems instead of trying to figure out how to 
comply with a host of different State laws with their team of 
lawyers. Consumers benefit from consistency as well.
    We are particularly concerned with the impact that these 
criminal acts have on consumer confidence, economic growth, and 
job creation. So let us get to work. A data breach bill is the 
first step in securing that future.
    [The prepared statement of Mr. Upton follows:]

                 Prepared statement of Hon. Fred Upton

    This committee has a strong tradition of bipartisan 
cooperation and problem solving. In this spirit, today we 
continue our focus on the key elements to pass a Federal data 
breach law--a priority the president identified in his State of 
the Union address last week. I look forward to working with the 
White House, Dr. Burgess, and members of this committee to 
accomplish that goal.
    Criminal cyberhacking presents a serious risk of economic 
harm to consumers and businesses alike. From small mom-and-pop 
shops in Southwest Michigan to global Fortune 100 companies--
the unfortunate reality is that companies of all sizes are at 
risk of having information hacked.
    This committee will be examining a series of issues 
relating to cybersecurity this new Congress. Where the 
conversation begins today is with a data breach bill, and I 
want to encourage members and the public to focus on getting 
that issue right before we try to tackle some of the other 
concerns. There are significant privacy issues in an online 
economy, and some of those will have to be addressed 
separately. Let's also be clear that this isn't a financial 
services bill. We cannot let data breach legislation be sunk by 
extraneous issues.
    Today's hearing will examine two discrete issues related to 
the complex effects of cybercrime: commercial data security and 
breach notification to consumers. There is a real opportunity 
this Congress to set a single, national standard for data 
security and breach notification.
    I personally believe that a single, Federal standard is the 
key to passing a solution. The trade-off is that it has to be a 
strong, consumer-friendly law--one that has real protections 
and real enforcement. Both the FTC and State AGs have shown 
that this is an area that they would police very effectively. 
Our role is to strike the right balance on when notification is 
required, how timely it needs to be, and what information leads 
to identity theft.
    Setting a national standard benefits consumers by ensuring 
that every business must look at their activities and make sure 
they are taking reasonable security measures. A national 
standard allows businesses to focus on securing information and 
systems instead of trying to figure out how to comply with a 
host of different State laws with teams of lawyers. Consumers 
benefit from consistency in security and breach notification no 
matter what State they live in.
    We are particularly concerned with the impact these 
criminal acts have on consumer confidence, economic growth, and 
job creation. The criminals are in this for the money, so we 
need to make it far harder to steal an identity or use stolen 
information to make purchases. The cost to consumers is well 
into the billions of dollars. No committee is more aware than 
this one about how central the online economy is to our future. 
A data breach bill is the first step to securing that future.

    Mr. Upton. I yield the balance of my time to the vice chair 
of the full committee, Marsha Blackburn.
    Mrs. Blackburn. Thank you, Mr. Chairman, and I want to 
thank the chairman of the subcommittee for calling the hearing, 
and I want to welcome all of our witnesses today. We are indeed 
looking forward to hearing what you have to say.
    As has been referenced by Mr. Welch, we have spent a couple 
of years working on the issues of privacy and data security. We 
have done this in a working group or a task force and drilling 
down, making certain that we have a good understanding of 
defining the problem and then looking at the opportunities for 
addressing that. So we come to you from that basis of work. And 
Ms. Schakowsky, Mr. Olson, both served on this task force with 
us.
    Last October Director Comey from the FBI said there are two 
kinds of big companies in the United States: those that know 
they have been hacked by the Chinese and those that don't know 
they have been hacked by the Chinese. That is pretty apropos, 
and we know that it applies to all sizes of companies, as 
Chairman Upton just said.
    Because of that, we understand that there are a few things 
that we need to look at: preemption and making certain that we 
have the standard, that this is easily communicated, that our 
constituents and the citizens understand what is the toolbox 
that they have for protecting, as I define it, the virtual you, 
whether that virtual you is they themselves individually, they 
themselves the small business person, or the corporate entity 
that is looking to protect its product and its name.
    Now, I come from Nashville. We have a lot of entertainment, 
healthcare, and financial services that are watching this issue 
closely. They want to make certain that we get this right the 
first time.
    With that, I yield back the balance of my time.
    Mr. Burgess. The gentlelady yields back. The Chair now 
recognizes the ranking member of the full committee, 5 minutes 
for an opening statement, Mr. Pallone from New Jersey.

OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE 
            IN CONGRESS FROM THE STATE OF NEW JERSEY

    Mr. Pallone. Thank you, Mr. Chairman. I first wanted to 
congratulate Dr. Burgess on his appointment as the chairman. I 
will say, though, that having spent last evening with you on 
rules, I am not going to congratulate you on continuing on 
rules because I don't know what possible reason you could have 
for continuing to stay there. But everyone makes their own 
decisions around here.
    I do look forward to working with you on many issues, 
starting with the issue of today's hearing, data security and 
breach notification. I also wanted to thank Ms. Schakowsky for 
her continued service as the Democratic Ranking Member.
    The title of this hearing, What are the Elements of Sound 
Data Breach Legislation?, assumes that legislation is needed, 
and I agree that it is time to legislate but only if the result 
is a strong bill that puts consumers in a better place than 
they are today. Right now millions of consumers are being hit 
with endless waves of breaches. Criminal hackers will always 
target our communities, and while we cannot expect to eliminate 
data breaches, we can work harder to reduce the number of 
breaches and better protect consumers' information. Just as we 
expect a bank to lock its vaults of money, we should expect 
that companies lock and secure personal consumer information. 
Unfortunately, that is not happening. According to the Online 
Trust Alliance, over 90 percent of data breaches in the first 
half of 2014 could have been prevented had businesses 
implemented security best practices. Firms must do a better job 
of protecting information they demand of consumers, and 
preventing breaches is not just best for the consumer, in the 
long run it is cheaper for companies as well.
    And I believe that we should also expect companies to 
notify consumers in the event of a breach. During this hearing 
we will hear the often-repeated statistic that 47 States plus 
Washington, DC, Guam, Puerto Rico, and the Virgin Islands 
already have data breach notification laws on the books. While 
no one on either side of the aisle wants to unnecessarily 
burden businesses with duplicative or overlapping requirements, 
these State laws provide baseline breach notification to most 
Americans. In addition, businesses that operate nationally 
often follow the strictest State laws, giving our constituents 
strong data security and breach notification protections 
coverage regardless of what is written in any individual State 
law. And therefore, I can't support any proposal that 
supersedes strong State protections and replaces them with one 
weak Federal standard.
    So Mr. Chairman, this subcommittee has had a tradition of 
being bipartisan, particularly on the issue of data security, 
and the 111th Congress' committee passed a compromise bill on 
the House Floor as H.R. 2221, and that bill was shepherded by 
then-Subcommittee Chairman Bobby Rush and was based on a bill 
crafted by former Subcommittee Chairman Cliff Stearns, and 
Chairman Upton, Vice Chairwoman Blackburn, and Chairman Barton 
were original cosponsors of these various bills.
    So I just want to say I look forward to working with the 
subcommittee on a bipartisan basis to craft similar legislation 
and legislation that requires companies to have reasonable 
security measures in place and to provide notification to 
consumers once a breach has occurred.
    [The prepared statement of Mr. Pallone follows:]

             Prepared statement of Hon. Frank Pallone, Jr.

    I want to start by congratulating Dr. Burgess on his 
appointment as chairman. I look forward to working with him on 
many issues, starting with the issue of today's hearing, data 
security and breach notification. I also want to thank Ms. 
Schakowsky for her service as the Democratic ranking member.
    The title of this hearing, ``What are the Elements of Sound 
Data Breach Legislation?,'' assumes that legislation is needed. 
I agree that it is time to legislate--but only if the result is 
a strong bill that puts consumers in a better place than they 
are today.
    Right now, millions of consumers are being hit with endless 
waves of breaches. Criminal hackers will always target our 
communities. And while we cannot expect to eliminate data 
breaches, we can work harder to reduce the number of breaches 
and better protect consumers' information. Just as we expect a 
bank to lock its vaults of money, we should expect that 
companies lock and secure personal consumer information.
    Unfortunately, that is not happening. According to the 
Online Trust Alliance, over 90 percent of data breaches in the 
first half of 2014 could have been prevented had businesses 
implemented security best practices. Firms must do a better job 
at protecting the information they demand of consumers. 
Preventing breaches is not just best for the consumer, in the 
long-run, it is cheaper for companies as well.
    I believe that we should also expect companies to notify 
consumers in the event of a breach. During this hearing, we 
will hear the often repeated statistic that 47 States, plus 
Washington, DC, Guam, Puerto Rico, and the Virgin Islands, 
already have data breach notification laws on the books. While 
no one, on either side of the aisle, wants to unnecessarily 
burden business with duplicative or overlapping requirements, 
these State laws provide baseline breach notification to most 
Americans. In addition, businesses that operate nationally 
often follow the strictest State laws, giving our constituents 
strong data security and breach notification protections 
coverage regardless of what is written in any individual State 
law. Therefore, I cannot support any proposal that supersedes 
strong State protections and replaces them with one weak 
Federal standard.
    Mr. Chairman, this subcommittee has had a tradition of 
being bipartisan, particularly on the issue of data security. 
In the 111th Congress, this committee passed a compromise bill 
on the House floor as H.R. 2221. That bill was shepherded by 
then-Subcommittee Chairman Bobby Rush and was based on a bill 
crafted by former Subcommittee Chairman Cliff Stearns. Chairman 
Upton, Vice Chairman Blackburn, and Chairman Emeritus Barton 
were original cosponsors of these various iterations.
    I look forward to working with this subcommittee on a 
bipartisan basis to craft similar legislation--legislation that 
requires companies to have reasonable security measures in 
place and to provide notification to consumers once a breach 
has occurred.
    Thank you.

    Mr. Pallone. I yield back, Mr. Chairman.
    Mr. Burgess. The gentleman yields back his time. The Chair 
would remind all members on the subcommittee that they are able 
to insert their written statements for the record.
    And I do want to welcome our witnesses for being here this 
morning. I thank all of you for agreeing to testify before the 
committee. Our witness panel for today's hearing will include 
Ms. Elizabeth Hyman who is the Executive Vice President of 
Public Advocacy for TechAmerica, and she will be testifying on 
behalf of the Computing Technology Industry Association. We 
also have Ms. Jennifer Glasgow, the Global Privacy Officer for 
Acxiom Corporation; Mr. Brian Dodge, who is the Executive Vice 
President of Communications and Strategic Initiatives on behalf 
of the Retail Industry Leaders Association; and Mr. Woodrow 
Hartzog, an Associate Professor of Law at Samford University's 
Cumberland School of Law in Birmingham, Alabama.
    Our first witness is Ms. Elizabeth Hyman, and you are 
recognized for 5 minutes.

STATEMENTS OF ELIZABETH HYMAN, EXECUTIVE VICE PRESIDENT, PUBLIC 
POLICY, TECHAMERICA, COMPUTING TECHNOLOGY INDUSTRY ASSOCIATION; 
 BRIAN A. DODGE, EXECUTIVE VICE PRESIDENT, COMMUNICATIONS AND 
  STRATEGIC INITIATIVES, RETAIL INDUSTRY LEADERS ASSOCIATION; 
   JENNIFER BARRETT-GLASGOW, GLOBAL PRIVACY OFFICER, ACXIOM 
 CORPORATION; AND WOODROW HARTZOG, ASSOCIATE PROFESSOR OF LAW, 
          CUMBERLAND SCHOOL OF LAW, SAMFORD UNIVERSITY

                  STATEMENT OF ELIZABETH HYMAN

    Ms. Hyman. Good morning, and thank you very much for having 
us, Chairman Burgess, Ranking Member Schakowsky, and 
distinguished members of the Subcommittee on Commerce, 
Manufacturing, and Trade. We appreciate your convening this 
hearing and for giving us the opportunity to provide our 
insights on the important issue of consumer data breach 
notification.
    My name as you mentioned is Elizabeth Hyman. I am the 
Executive Vice President of Public Advocacy for TechAmerica, 
the public policy department of The Computing Technology 
Industry Association, CompTIA. CompTIA is headquartered in 
Downers Grove, Illinois, and we represent over 2,200 technology 
companies, a large number of which are small- and medium-sized 
firms.
    Technology companies take their obligations to protect 
consumers' information very seriously. Data is the life-blood 
of the Internet economy, and protecting consumers' information 
is not only a responsibility of the industry but also a crucial 
business practice. Failure to do so will lead to a loss in 
customer faith and damage to a business' reputation.
    Unfortunately, as has been pointed out, criminals remain 
intent on stealing information. Data breaches are sadly all too 
common in 2015, and thus we need strong rules in place to 
inform consumers when a harmful breach occurs and to provide 
the necessary information to enable consumers to take the 
necessary steps to protect themselves.
    As you are all well aware and has been stated, there 
currently is no Federal standard for data breach notification. 
Instead, 47 different States, the District of Columbia, Puerto 
Rico, Guam, and the Virgin Islands, all have their own separate 
data breach notification laws and requirements.
    Furthermore, States are regularly changing and updating 
their data breach notification laws. This year we have already 
seen 17 bills introduced in seven States in just the first 2 
weeks of State legislative sessions. With the increasingly 
mobile and decentralized nature of our economy, most companies 
are under the umbrella of multiple State laws at all times. 
This patchwork of State laws creates significant compliance 
costs with no additional protection for consumers since no two 
State data breach laws are exactly the same. In fact, many are 
in conflict with one another. A Federal data breach 
notification standard is thus necessary to protect consumers 
and ensure that companies can respond quickly and effectively 
after a breach.
    Responding to a data breach for a company of any size is 
difficult, especially given the need to assess whether the 
breach could trigger notification provisions in any one of 47 
States, whether they have any consumers that live in any of 
those States, who to notify, how to notify, what information to 
include, and what the timelines are for notification.
    Small- and medium-sized businesses face particularly 
difficult compliance challenges. To address their obligations 
to resolve the breach, gather information, and notify the 
necessary parties, these companies often rely on cyber-
insurance, payment processors, or outside counsel to help 
implement a response plan. None of these options is cheap.
    Thus, the key to any Federal data breach notification law 
will be finding a single standard that maintains strong 
requirements but allows companies to focus on the important 
work of protecting their customers in the wake of a breach.
    In crafting a Federal data breach standard, we would 
suggest a few key provisions that are further outlined in my 
statement for the record. For example, any Federal data breach 
notification law needs to be the standard for all companies to 
comply with. It cannot simply just become the 48th standard 
that State can add to. In order to avoid the risks associated 
with overnotification, a Federal standard should ensure that 
consumers only receive notification about a breach when their 
information has actually been accessed and only when that 
information is likely to be used in a harmful manner.
    Adequate time should be provided for companies to conduct a 
risk assessment in order to best assess the scope and depth of 
the breach. A circumscribed set of sensitive, personally 
identifiable information must be the basis for determining 
whether any notification should occur. We should try to avoid 
mandating specific technologies while also exempting companies 
from notification requirements where data is rendered unusable. 
Companies should not be punished for the criminal acts of 
others, and private rights of action regarding data breach 
notification should be explicitly banned.
    In closing, I would like to thank the subcommittee for 
working on the issue of data breach notification. 
Unfortunately, our patchwork of State laws, while well-
intentioned, has created a burdensome and complex compliance 
regime. A strong, single standard that applies throughout the 
country will ensure our consumers are safer and ensure our 
companies are well-informed about how to respond to the growing 
threat of data breaches.
    Security and economic growth are not mutually exclusive, 
and I would respectfully request that the solutions you draft 
through this subcommittee address both through a national data 
breach notification standard. Thank you.
    [The prepared statement of Ms. Hyman follows:]
    [GRAPHICS NOT AVAILABLE TIFF FORMAT] 
    
    Mr. Burgess. The gentlelady yields back. The Chair would 
now recognize Mr. Brian Dodge, the Executive Vice President of 
the Retail Industry Leaders Association, 5 minutes for your 
testimony, sir. Thank you.

                  STATEMENT OF BRIAN A. DODGE

    Mr. Dodge. Chairman Burgess, Ranking Member Schakowsky, and 
Members of the committee, my name is Brian Dodge, and I am an 
Executive Vice President with the Retail Industry Leaders 
Association. Thank you for the opportunity to testify today 
about data breach legislation and the steps that the retail 
industry is taking to address this important issue and to 
protect consumers.
    RILA is the trade association of the world's largest and 
most innovative companies. Retailers embrace innovative 
technology to provide American consumers with unparalleled 
services and products. While technology presents great 
opportunity, nation-states, criminal organizations, and other 
bad actors also are using it to attack businesses, 
institutions, and governments. As we have seen, no organization 
is immune from attacks. Retailers understand that defense 
against cyberattacks must be an ongoing effort.
    RILA is committed to working with Congress to give 
Government and retailers the tools necessary to thwart this 
unprecedented attack on the U.S. economy and bring the fight to 
cybercriminals around the world.
    As leaders in the retail community, we are taking new and 
significant steps to enhance cybersecurity throughout the 
industry. To that end, last year RILA formed the Retail Cyber 
Intelligence Sharing Center in partnership with America's most 
recognized retailers. The Center has opened a steady flow of 
information between retailers, law enforcement and other 
relevant stakeholders.
    In addition to the topics this hearing will cover today, 
one area of security that needs immediate attention is payment 
card technology. The woefully outdated magnetic stripe 
technology used on cards today is the chief vulnerability in 
the payments ecosystem. Retailers continue to press banks and 
card networks to provide U.S. consumers with the same chip and 
PIN technology that has proven to dramatically reduce fraud 
when it has been deployed elsewhere around the world.
    Before I discuss what RILA believes the components of sound 
data breach legislation are, I will briefly highlight the 
significant data breach and data notification laws with which 
retailers currently comply. As has been said, 47 States, the 
District of Columbia, Guam, Puerto Rico, and the U.S. Virgin 
Islands have adopted data breach notification laws. In addition 
to the 47-plus existing State data breach notice laws, 
retailers are subject to robust data security regulatory 
regimes as well. The Federal Trade Commission has settled at 
least 50 cases against businesses that it charged with failing 
to maintain reasonable data security practices. These actions 
have created a common law of consent decrees that signal the 
data security standards expected of businesses. Additionally, 
inadequate data security measures for personal information can 
lead to violations of expressed State data security laws. Also, 
many States have so-called little FTC acts that can be used to 
enforce against what Attorneys General deem to be unreasonable 
data security practices.
    Finally, retailers voluntarily and by contract follow a 
variety of security standards including those maintained by the 
payment card industry, NIST, and the International Organization 
of Standardization.
    While retailers diligently comply with this range of data 
security notice and data requirements, a carefully crafted 
Federal data breach law can clear up regulatory confusion and 
better protect and notify consumers.
    RILA supports a Federal data breach that is practical, 
proportional, and sets a single national standard. RILA urges 
the committee to consider data breach legislation that creates 
a single national notification standard that allows business to 
focus on quickly providing affected individuals with actionable 
information; that provides flexibility in the method and timing 
of notification; that ensures that notice is required only when 
there is a reasonable belief that the breach has or will result 
in identity theft, economic loss, or harm; that ensures that 
the responsibility to notify is that of the entity breached but 
provides the flexibility for entities to contractually 
determine the notifying party; that establishes a precise and 
targeted definition for personal information; that recognizes 
that retailers already have robust data security obligations 
and that security must be able to adapt over time.
    The final goal of data breach legislation should be to 
ensure fair, consistent, and equitable enforcement of data 
breach law. Enforcement of the law should be consistently 
applied by the FTC based on cases of actual harm. Similarly, if 
civil penalty authority is provided, it should be capped based 
on the actual harm to consumers. Also, any legislation should 
deny a private right of action as it would undermine consistent 
enforcement.
    We look forward to working with the committee on specific 
language to address each of these above goals. I thank the 
committee for considering the need for preemptive data breach 
legislation and look forward to answering your questions.
    [The prepared statement of Mr. Dodge follows:]
    [GRAPHICS NOT AVAILABLE TIFF FORMAT] 
    
    Mr. Burgess. The gentleman yields back. The Chair would now 
like to recognize Jennifer Barrett-Glasgow, the Global Privacy 
Officer for the Acxiom Corporation. Thank you for your 
testimony today, 5 minutes.

             STATEMENT OF JENNIFER BARRETT-GLASGOW

    Ms. Barrett-Glasgow. Chairman Burgess, Ranking Member 
Schakowsky, members of the committee, thank you for holding 
this hearing today. I am Jennifer Barrett-Glasgow, Global 
Privacy Officer for Acxiom, headquartered in Little Rock, 
Arkansas. Acxiom has two lines of business. We offer primarily 
to large businesses, not-for-profit organizations, political 
parties, and candidates and Government agencies. First, we 
offer computer processing services for our clients' information 
which includes ensuring that information is accurate, analyzing 
the information to help our clients understand their customers 
better so they can improve their offerings, and our digital 
reach services which enable our clients to market to audiences 
across all digital channels. These services represent over 80 
percent of our total business in the United States.
    Second, we provide a line of information products to 
clients in three categories: fraud management, telephone 
directories, and marketing. And these products support all 
channels of communication, offline, online, mobile, and 
addressable television.
    Acxiom supports enacting a data security and breach 
notification bill, and I would like to mention some of the 
provisions that we think should and should not be included. 
Regarding data breach notification provisions, first, the bill 
needs to include strong preemption for State laws. As stated 
earlier, 47 States and 4 territories have breach laws, and 
every year a number of these change. Businesses and consumers 
will benefit from having one recognizable standard.
    Second, there should be a harm-based trigger for 
notification. Consumers shouldn't get meaningless notices when 
there is no risk of harm. Businesses will have to evaluate 
whether there is a reasonable risk if there are penalties for 
failing to notify, and we will do that responsibly without 
Congress needing to spell out how it should be done.
    Third, legislation should also provide a reasonable 
timeframe for notification. Consumers do need to be notified 
promptly, but it is critical to understand the extent and means 
of the breach and to give law enforcement time to identify and 
hopefully even apprehend the bad guys. Fixed statutory 
deadlines do not accomplish these objectives.
    Fourth, penalty provisions should be reasonable, and we do 
not believe there should be a private right of action. 
Companies who take reasonable precautions but who still get 
breached are victims, too. Regarding data security language, 
just as with breach notification, having a single data security 
standard is more efficient for companies than multiple State 
standards. This is more important for some businesses and other 
entities than it is for Acxiom. We process data for other 
companies, and our security is assessed by clients upwards of 
80 times a year, plus we conduct our own audit internally. So 
we already meet multiple client standards in addition to those 
set by law.
    Next, because the bad guys' capabilities keep changing, 
legal and regulatory data security standards need to be 
extremely flexible to allow adaptive compliance to keep ahead 
of the threats.
    And last, Acxiom believes that businesses have a 
responsibility to educate their employees about security risks 
and that Government has a role to play in educating the general 
public on these topics.
    Where once the purpose of passing a data security law might 
have been to ensure companies were thinking enough about 
security, today we believe Congress should think about security 
breach legislation more like it has thought about cybersecurity 
legislation. How can the industry and Government and law 
enforcement work together to keep ahead of these threats?
    Finally, a comment on what should not be included in this 
legislation. Congress should keep this bill focused on data 
security and breach notification. There is bipartisan support 
for enacting a good bill into law on these issues. In the past, 
other issues have crept into data breach bills, and this has 
hurt the chances of enactment. For example, some previous bills 
have included provisions for data brokers, and while Acxiom 
would be considered a data broker under any definition, it 
already offers the kinds of provisions seen in past bills 
through our web portal, AboutTheData.com. The problem has been 
the definition of data brokers. It was quite broad and included 
many companies that don't consider themselves to be one. This 
has stymied enactment of these bills. We urge you to keep the 
bill clean so we can finally put a good consensus Federal data 
security and breach notification law into place.
    Thank you for the opportunity to testify today, and I look 
forward to your questions.
    [The prepared statement of Ms. Barrett-Glasgow follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Burgess. Thank you. The witness yields back. The Chair 
now recognizes Mr. Hartzog, 5 minutes for your testimony. Thank 
you, sir, for being here.

                  STATEMENT OF WOODROW HARTZOG

    Mr. Hartzog. Thank you. Chairman Burgess, Ranking Member 
Schakowsky, and members of the committee, thank you very much 
for inviting me to appear before you and provide testimony. My 
name is Woodrow Hartzog, and I am an associate professor of law 
at Samford University's Cumberland School of Law and an 
affiliate scholar at the Center for Internet and Society at 
Stanford Law School. I have spent the last 3 years researching 
the law and policy of data protection, data security, and 
responses to data breaches. My comments today will address what 
I have learned from this research.
    In order to be sound, data breach legislation must further 
three fundamental goals: transparency, data protection, and 
remedies for affected individuals. The patchwork of existing 
State and Federal sector-specific laws further these goals, but 
aggressively preemptive Federal legislation risks counteracting 
these goals and weakening our critical data protection 
infrastructure. Hard-won consumer protections could be lost. In 
short, any data breach legislation that fails to advance these 
three goals will be counterproductive.
    I would like to make two main points regarding the elements 
of sound data breach legislation. First, sound data breach 
legislation should be minimally preemptive of existing State- 
and sector-specific data breach laws. Data breach laws are 
relatively new. It is not yet clear what the most effective 
approach to data protection and data response is or should be. 
We need multiple regulatory bodies to ensure the adequate 
resources and experimentation necessary to respond to 
constantly evolving threats and new vulnerabilities. 
Additionally, preemption threatens to water down important 
existing robust data breach protections. There is a real risk 
that preemptive Federal legislation would do more harm than 
good. For example, Federal data breach legislation would reduce 
the level of protection many or most Americans currently have 
if it narrowed existing definitions of personal information, if 
it mandated a showing of harm before companies were required to 
send notification, or if it failed to require a notice to a 
centralized organization, like the office of the State Attorney 
General.
    Data breach legislation would also be counter-productive if 
it created gaps in protection. Federal data breach legislation 
that preempts all State data breach laws could fail to cover 
data breaches that only affect the residents of one State. 
Additionally, preemptive legislation that only covered 
digitized records would fail to cover breaches involving paper 
records which remain a significant target for data thieves.
    The second point I would like to make is that sound data 
breach legislation must also incorporate requirements for data 
security. While data breach notification is important, we must 
be sure not to ask too much of it. Under a pure data breach 
notification scheme, providing reasonable data security would 
be voluntary. The law should require, not just encourage, that 
companies reasonably secure their personal data. If people 
cannot trust the entities that collect and store our personal 
information, then commerce, innovation, public health, our 
personal relationships, and our culture will all suffer. 
Ensuring that companies must provide reasonable data security 
will ensure that fewer breach notifications need to be sent at 
all.
    One important way to fortify data security would be to give 
the Federal Trade Commission rule-making authority. Specific 
authority for data security would help the FTC further clarify 
data security standards, require data security from nonprofit 
entities such as educational institutions, and issue civil 
penalties.
    Federal legislation should also preserve the regulation of 
data security by States and sector-specific agencies. The 
numerous Federal agencies that require data security are not 
redundant. Rather, they can and do coexist with unique 
expertise and regulatory authority. Even agencies with 
overlapping jurisdiction contribute valuable resources and have 
relatively harmonized approaches to data security.
    Finally, data breach legislation must preserve the ability 
of States to regulate data security. Data security is both a 
national and a local issue sometimes affecting small but 
significant groups of State residents. Even in the case of 
large national breaches, residents of some States are hit 
harder than others. States are nimble and capable of continued 
experimentation regarding the best approach to regulating data 
security. They are also closer to those whose data was 
compromised and provide additional resources to alleviate the 
strain and cost to enforcement on Federal agencies.
    The modern threat to personal data is still relatively new. 
The concept of data breach legislation is newer still. It is 
too early to start rolling back protections and consolidating 
agencies to cut costs. Instead, sound data breach legislation 
should reinforce the current trajectory of data breach law 
which involves multiple approaches and constantly evolving 
robust consumer protection. Thank you very much, and I look 
forward to your questions.
    [The prepared statement of Mr. Hartzog follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Burgess. The gentleman yields back, and I thank all the 
witnesses for their testimony and participating in today's 
hearing. We will now move into the question-and-answer portion 
of the hearing, and for that purpose, I will recognize myself 
for 5 minutes. And I do again thank you all for being here.
    Let me just ask a general question to the entire panel, and 
we will start with Ms. Hyman and work our way down to Mr. 
Hartzog. Reading through the testimony and listening to you 
this morning, it is clear that most of the panelists agree on--
I guess I could say three out of four panelists agree on 
preemption, that it is necessary for a successful piece of 
legislation on data security and breach notification. The 
question is why is it important to have a single standard 
rather than allowing new requirements to be developed in State 
courts on top of a Federal law? Ms. Hyman, let us start with 
you.
    Ms. Hyman. Thank you, Chairman Burgess. It is important 
because right now we have all these different laws, many of 
which are in conflict with one another. Many of our member 
companies are small- and medium-sized IT firms, and they are 
trying to do business across State lines. They don't 
necessarily have the in-house resources to cover all the 
different State requirements. So having a more simplified 
Federal standard, strong but a Federal standard, would allow 
these companies to do business across State lines with 
confidence that they are serving their consumers.
    The only other thing I would point out is, and I mentioned 
this in my opening remarks, this is a very unsettled area. As I 
mentioned just in the last couple of weeks, we have seen a 
number of bills introduced in State legislatures, and again, if 
there is some way that we can come up with a strong, 
appropriate Federal standard, I think it would alleviate a fair 
amount of ambiguity for both the consumer and for the business.
    Mr. Burgess. Thank you. Mr. Dodge?
    Mr. Dodge. So I would say the States deserve a lot of 
credit for acting in the place where the Federal Government 
hasn't yet. But if Congress intends to or chooses to pass a 
Federal standard, we believe it should be preemptive because 
first, it will allow consumers to have a clear set of 
expectations regardless of where they live about what kind of 
notification they will get, at what time post-breach. We think 
that is important. Consumers need to know what to expect in the 
wake of a breach. And also for a breach of institution or 
business, they want to put all of their energy towards making 
sure they are quickly communicating actionable information to 
the consumers. And a national standard would allow them to do 
that instead of the complexity of complying with 47-plus 
different laws.
    Mr. Burgess. Ms. Glasgow?
    Ms. Barrett-Glasgow. Breach notification laws that are in 
place today in the States vary widely as has been said, and in 
some instances, we don't even have a security requirement in 
certain State laws. So enacting a Federal law that includes 
both a security requirement and a breach notification 
requirement will raise the level across the country. And I 
think if you study those laws to any great degree, you will 
find that there are very few exceptions that would make a State 
regime more protective from any consumers.
    Secondarily, from a consumer perspective, we don't live in 
one State all our lives often. I grew up in Texas and moved to 
Arkansas. And different States with different regimes with 
different requirements for the types of notices that need to be 
given create inconsistency for the consumer if they happen to 
have received a notice in one State and then receive a 
different notice in another State. As I said in my testimony, I 
hope that we will look at much more cooperation between law 
enforcement and companies to educate consumers about the risks 
that are out there so that they can help in protecting 
themselves and not rely solely on companies or Government 
notifying them when there has been a problem.
    Mr. Burgess. Thank you. Mr. Hartzog?
    Mr. Hartzog. So I think that preemption on a very limited 
scale could actually be useful. I think the important thing to 
remember is that preemption is not an all-or-nothing game, 
right? So we can preempt minimally or we can have aggressive 
preemption. So one of the reasons I recommend minimal 
preemption is so we can move closer towards having a national 
standard but then preserve some of the hard-won consumer 
protections and also make sure that Federal legislation doesn't 
create gaps so that things that were protected are no longer 
protected, so for example, solely interstate, intrastate data 
breaches. And I think that as far as the differences between 
the 47 different pieces of legislation, they do vary, but I 
think that maybe sometimes the differences can be overstated 
possibly. I mean, I think that sometimes it is compared so that 
it is apples to oranges, which I don't think is true. I think 
the more appropriate metaphor might be Fuji to red delicious 
apples, and the idea that it is very burdensome to comply with 
all 47 State laws, I think that is also possibly, potentially 
an overstated claim in the sense that (a) businesses comply 
with 50 different State laws all the time, and (b) a very 
robust support network exists to provide companies of all sizes 
with the adequate help they need to respond to data breach 
requirements.
    Mr. Burgess. I thank the gentleman. The Chair now 
recognizes Ms. Schakowsky, 5 minutes for the purposes of 
questions.
    Ms. Schakowsky. Thank you. Professor, I wanted to direct my 
question to you. Authors of some State laws and some Federal 
legislative proposals have chosen to require notification to 
consumers to be determined by a standard in which notification 
is dependent on the presence of a risk of harm or actual 
financial harm to consumers. And I am just wondering if you are 
concerned about harms beyond identity theft, fraud, or other 
economic loss, and if so, if you could give us some examples 
that might narrow too much the definition of risk.
    Mr. Hartzog. Sure. Thank you very much. I think that the 
harm trigger as it has been described, the idea that you only 
have to notify if there is some kind of finding of harm, is a 
dubious proposition in several different ways, mainly because 
the concept of harm within privacy law is hotly contested, and 
to limit the idea of harm to something like financial harm I 
think is really constraining because there are lots of 
different harm that can result from data breaches. So fraud and 
identity theft are not the only two. When health data gets 
stolen, you risk things like discrimination, adverse employment 
decisions, emotional distress. The Sony hack made it very clear 
that sometimes when information is breached, it is not used to 
commit financial harm. It is posted online for everyone to see.
    And so that brings me to my next point which is the harm 
trigger is dubious mainly because it is very difficult to draw 
a line of causation between a breach that occurred and likely 
harm that can happen sometime in the future. So it is not as 
though data gets stolen and it is a one-to-one that harm occurs 
as a result of it. Oftentimes data gets flooded downstream and 
aggregated with other pieces of data, and it can be extremely 
difficult to meet the burden of proof that harm is actually 
likely in any one particular instance. And when you mandate a 
harm trigger in notification, then what that means is if you 
don't have enough information to prove some kind of likelihood 
of harm, which is often the case in many different kinds of 
data breaches, then the harm doesn't go out. So as a matter of 
default, the notification isn't extended.
    And so I think that it is important to remember the many 
different ways in which harm can occur and the many different 
ways in which harm is a relatively dubious concept within data 
breach law, not the least of which is that we haven't even 
talked about the ways in which information can be used against 
people, not just to harm you for identity theft purposes but to 
trick you into revealing more information. This is a common 
phishing attack, right, which is what they call where they use 
your own personal information into tricking you into thinking this 
is a communication from a trusted source. You click on it, then 
disclose more personal information. And this is more than just 
a threat to the individual who is tricked. One of the most 
common ways to hack into companies is through exploiting human 
vulnerabilities, and one of the ways in which we do that is we 
take information about people and use that to trick them into 
revealing more information.
    Ms. Schakowsky. Answer a question then. Is there a way to 
identify harm or define harm that would include everything you 
are talking about? Or are you saying that a harm trigger 
itself? In other words, what you are suggesting is there needs 
to be notification of a breach without having to establish harm 
at all or are you saying we need to define harm better?
    Mr. Hartzog. That is correct. So generally speaking, I want 
to caution against overleveraging the concept of harm, and the 
easiest way to overleverage the concept of harm is to create a 
harm trigger. And so as a result, my recommendation would be to 
have the default be notice because any definition that you use 
to come up with harm is probably going to be pretty flawed. It 
is either going to be overinclusive in which it would include 
every single possibility of harm we can imagine, or it is going 
to be underinclusive and leave out huge chunks of things that 
we want to protect against.
    And so as a result, my recommendation would be let us not 
overleverage the concept.
    Ms. Schakowsky. I know in the Sony breach we saw employment 
records, for example, that were revealed. And so, you know, 
that would be I think a problem for a lot of people.
    Well, let me just put this on the table, and maybe others 
would want to answer it at some other point, the concern that 
there would be some sort of problem of overnotification.
    Mr. Hartzog. The problem of overnotification is also one 
that I think can tend to be overinflated. So of course you 
don't want consumers and people getting 45 emails a day saying, 
oh, hey, guess what? You know, another piece of your data has 
been breached. But I think we are a very long way from reaching 
some kind of point where consumers would just flippantly ignore 
some kind of piece of advice and--
    Ms. Schakowsky. I am going to go ahead actually and cut you 
off because my time has expired, but I thank you.
    Mr. Burgess. The gentlelady yields back. The Chair now 
recognizes the vice chair of the full committee, Ms. Blackburn, 
5 minutes for questions, please.
    Mrs. Blackburn. Thank you so much, Mr. Chairman. I want to 
talk a little bit about doing a technology-neutral data 
security requirement, and it seems like when we talk about 
privacy, when we talk about data security, when we talk about 
entertainment delivery, more and more we are hearing, you know, 
don't get specific on the delivery system or don't get specific 
on the technology because it takes us forever, forever, to 
bring legislation into line with where technology is.
    So we are going to start. Mr. Hartzog, I will start with 
you. We will go all the way down the panel, and I just want to 
hear your thoughts on technology-neutral or specific and how 
you think we are best served to approach that.
    Mr. Hartzog. I would agree with you that we should strive 
to be as technology-neutral as possible. We have seen time and 
time again when we pass laws that are highly technically 
specific that they are almost outdated the moment they are 
passed. And so----
    Mrs. Blackburn. They are.
    Mr. Hartzog [continuing]. This is why things like 
reasonable data security standards tend to make sense, and it 
also is another good strong word of caution against really 
being overly specific in any one particular area, and if to the 
point where you have to be overly specific, being sure that you 
have enabled the definition to change where possible. So I 
would agree.
    Mrs. Blackburn. OK.
    Ms. Barrett-Glasgow. I agree that the bill should be 
technology-neutral. I think a good example of language 
regarding security is the Gramm-Leach-Bliley security 
provisions which have now stood the test of 15, 16 years or so 
in the marketplace.
    And I would also, which actually may touch on Ms. 
Schakowsky's question a little bit, in the Rush bill, H.R. 
2221, the definition of harm reads determination that there is 
no reasonable risk of identity theft, fraud, or other unlawful 
conduct. And I think that other unlawful conduct picks up a lot 
of opportunities as technology evolves, as new unlawfuls 
occur, for us to not have to come back and revisit the 
language.
    Mrs. Blackburn. Got it.
    Mr. Dodge. So we would agree, of course, that we should be 
technology-neutral. I don't think we can ever lose sight of the 
fact that the criminals in this space are highly sophisticated 
and rapidly evolving as we have seen in some of the more recent 
reports, sometimes backed by nation-states. So allowing 
businesses to evolve as the threat evolves is really important, 
and technology is a big part of that.
    Mrs. Blackburn. OK.
    Ms. Hyman. And we would agree as well, technology-neutral 
is an important principle. You know, we have gone from simple 
redaction to encryption to more sophisticated versions, and as 
has just been pointed out, you know, we have to keep ahead of 
those that wish to cause harm. And the innovation of the 
private sector is a great opportunity to lead on behalf of the 
consumers.
    Mrs. Blackburn. OK. Thank you. Now, Ms. Hyman, we are going 
to stay with you and come right back down the row. When we are 
talking about preemption language, I want to hear--and this is 
the lightning round. We have got a minute and a half left on 
the clock. So what language do you want to see us consider as 
we look at preemption?
    Ms. Hyman. Well, as I stated previously, we want to make 
sure that we are not just ending up with the 48th standard--
    Mrs. Blackburn. OK.
    Ms. Hyman. --that it needs to be strong enough to actually 
matter in terms of preemption and simplification.
    Mr. Dodge. A strong preemption sets a single, national 
standard.
    Mrs. Blackburn. OK.
    Mr. Dodge. Again, States deserve credit for the work they 
have done, but you can't create a 48th law.
    Ms. Barrett-Glasgow. In my written testimony, I actually 
suggested some language that you might want to take a look at. 
I am not going to get into that right here.
    Mrs. Blackburn. Thank you.
    Mr. Hartzog. My recommendation would be preemption that 
served as a floor but not a ceiling and at worst would only 
preempt the very specific provisions listed by the Federal 
legislation.
    Mrs. Blackburn. OK. Thank you all. I yield back.
    Mr. Burgess. The gentlelady yields back. The Chair now 
recognizes Ms. Clarke for 5 minutes for your questions, please.
    Ms. Clarke. Thank you, Mr. Chairman, and I thank the 
ranking member. I would like to drill down a bit more on the 
breach notification issue.
    Breach notification laws and legislative proposals can vary 
greatly in how they treat the question of when a company 
affected by a breach is required to notify consumers. The Data 
Accountability Trust Act, H.R. 2221, affirmatively presumed a 
company affected by a breach would notify consumers in the 
breach unless it determined that there is a reasonable risk of 
identity theft, fraud, and other unlawful conduct. There have 
also been proposals with a ``negative presumption,'' in other 
words, that a company does not have to notify consumers unless 
an investigation reveals that a certain level of risk exists to 
the consumers whose information was breached. The burden to 
prove risk in this case is not on the breached holder of 
consumers' personal information but rather on those challenging 
its breach notification practices.
    So Professor Hartzog, have you thought through what should 
be the presumption for firms to notify consumers of a breach 
and if so, why?
    Mr. Hartzog. Thank you very much. I have, and my 
recommendation would be a presumption of notification in 
terms of breach. There are some interesting options available 
with respect to granting a safe harbor that are still 
debatable. Maybe if you make information unusable, unreadable, 
using things like encryption standards, then that is something 
that States have been experimenting with. That is a positive 
element, although that is not free from controversy with 
respect to the effectiveness of encryption. But when the 
presumption is that you don't have to notify unless an 
assessment of risk of harm proves that it is likely, then you 
miss out on a great deal of notifications. And it is important 
to remember that notifications are important not just for the 
individual that is being notified but also for other companies 
that are similarly situated so that they can know about threats 
that are facing them and perhaps practically respond to them, 
for State AGs, for the public so that they can be aware, just 
become more aware of the issues about data breach generally 
speaking.
    So when the default is set and a practical effect will 
result in far fewer notifications, then I think that the public 
and other companies and individuals are----
    Ms. Clarke. So that brings me back around to the question 
raised by Ranking Member Schakowsky. She broached this issue of 
overnotification with you, and one of the concerns raised about 
breach notification is notification fatigue or 
overnotification. Would a negative presumption for notification 
be effective in preventing overnotification?
    Mr. Hartzog. I think that it is not so much as to whether 
the presumption of harm trigger would be effective in 
preventing overnotification. Certainly it would probably result 
in fewer notifications. So then the question becomes is that a 
good thing or a bad thing? And I again state that we 
collectively lose out when notifications drop, even though 
there have been breaches because there is value we can get from 
notification. And also, overnotification is a problem not just 
aided by reduction in notification, but we also need to 
continue to experiment with the way notification is given. 
There is a presumption maybe that notification is just a big 
dense block of text that individuals would--it is very easy 
just to look at and throw in the trash. One of the reasons we 
still need to experiment, perhaps at the State law level, is 
that we need to focus on the way notification is actually 
delivered because there is a lot of opportunity there to avoid 
oversaturation as well.
    Ms. Clarke. Did any of you want to weigh in on the issue of 
overnotification or concerns that your industries may have? Ms. 
Glasgow?
    Ms. Barrett-Glasgow. Yes. I will go back to H.R. 2221, and 
the language that is in there I think is reasonable and good in 
terms of both the risk of harm as well as the presumption of 
notification unless it says the person shall be exempt from the 
requirement, meaning the notification, if certain conditions 
apply.
    I think we have to be very careful about overnotification. 
I think we have learned through not just breach notification 
laws that exist today but also other requirements such as 
Gramm-Leach-Bliley privacy notices that when consumers get 
repeated information about risks or about even what a bank may 
do with their data and there is no clear instruction as to what 
to do, and there may not be any recourse other than watch your 
accounts, that is possible, then they tend to get far more 
complacent about them and potentially even not read the one 
that really was the one that they needed to react and respond 
to. So I think industry in general is very sensitive to the 
overnotification problem.
    Ms. Clarke. Let me just say very quickly in closing, is 
there something that we can learn? Is there value to proceeding 
with notifications simply in terms of uncovering what works 
best? We are really in the advent of understanding exactly what 
is taking place. We wanted to get a sense of whether in fact 
there is value. Mr. Hartzog?
    Mr. Hartzog. One of the great benefits of breach 
notification statutes is it allows us to collect information 
and then issue reports which could then benefit not only 
companies but the field of data security generally because it 
helps us know where threats are coming from, what the response 
to those threats are, and how long it takes to respond.
    Mr. Burgess. The gentlelady's time has expired. The Chair 
thanks the gentlelady. The Chair now recognizes the vice chair 
of the subcommittee, Mr. Lance, for 5 minutes for questions, 
please.
    Mr. Lance. Thank you, Mr. Chairman. This is a very 
complicated issue, and we don't want to become the 48th and yet 
we want strong protection. And I think it is going to be a 
difficult needle to thread.
    Ms. Glasgow, as I understand your testimony, you believe 
that we threaded the needle relatively well in Gramm-Leach-
Bliley, is that accurate?
    Ms. Barrett-Glasgow. As in regards to the security rule, 
yes.
    Mr. Lance. Yes. And do other distinguished members of the 
panel have an opinion on that and how it might relate to what 
we are attempting to do here? Ms. Hyman?
    Ms. Hyman. As we think about harm and the risk of 
overnotification and how we should be looking at this, we want 
to make sure that the information that is exposed actually is 
significant harm. So just having for example a name or address 
on its own without other identifiable information like a Social 
Security, these things need to be seen in context, and how we 
thread that will be important.
    Mr. Lance. Mr. Dodge?
    Mr. Dodge. So I think the regulatory regimes that cover 
businesses should reflect the businesses themselves, but 
specific to notification, I believe that consumers should have 
a strong expectation of how they would be notified if certain 
information, personally identifiable information, is lost 
regardless of the business itself. It should be based on the 
data.
    Mr. Lance. Professor Hartzog?
    Mr. Hartzog. I think the Gramm-Leach-Bliley safeguards 
protections have been quite effective. They are technology-
neutral and recognize data security as a process rather than 
just a one-time thing. So I would say that that has been very 
effective.
    Mr. Lance. So this might be an area of agreement in the 
panel, and I think this subcommittee and then the full 
committee want to reach a point where we can report to the 
floor a bipartisan bill that moves the Nation forward.
    It has been a long time since I went to law school, but do 
we look ultimately to fundamental principles of tort law, 
Professor Hartzog, as to what we should be doing here?
    Mr. Hartzog. I would caution against relying on tort law 
too heavily, mainly because tort law is entrenched in a harm-
based mindset.
    Mr. Lance. That is why I asked the question.
    Mr. Hartzog. And we see that because of causation issues, 
because it is very difficult to prove that one piece of 
notification when compromised results in some kind of tangible 
harm on the other end. I teach tort law, and causation is one 
of the things you always end up getting tripped up on. And so I 
would actually caution away against looking to tort law and 
look into more general proactive regulatory principles.
    Mr. Lance. I was taught tort law by John Wade who is the 
reporter of the restatement in the law school not too far from 
where you teach, just a little north of where you teach. How 
about others on the panel regarding should we look at all to 
tort law or is it not broad enough given our desire in a 
bipartisan fashion to protect the public. Mr. Dodge?
    Mr. Dodge. I know when I am out over my skis, so I 
wouldn't----
    Mr. Lance. I see.
    Mr. Dodge [continuing]. Be able to comment on that.
    Mr. Lance. I see. Ms. Glasgow?
    Ms. Barrett-Glasgow. No, I am a technologist, not a lawyer 
so--
    Mr. Lance. OK. That speaks well of you. Ms. Hyman?
    Ms. Hyman. Unfortunately, I have to join my colleagues on 
that.
    Mr. Lance. I see. I won't take all of my time, but let me 
say that the chairman and I have discussed this at some length, 
and we want to be able to report a bipartisan bill. But we 
don't want this to be the 48th State. We want to move the 
Nation forward, and we want strong consumer protection. And I 
know the chairman is dedicated to that as am I, and I hope that 
we can all work together. And I see some areas of agreement. 
Thank you, Mr. Chairman.
    Mr. Burgess. The Chair thanks the gentleman. The gentleman 
yields back. The Chair recognizes the gentleman from 
Massachusetts, Mr. Kennedy, 5 minutes for your questions, 
please.
    Mr. Kennedy. Thank you, Mr. Chairman. Thank you to the 
witnesses for testifying today. Insightful hearing. I want to 
build off actually some of the comments that my colleague, Mr. 
Lance, just talked about and touched on and try to see if we 
can thread that needle a little bit.
    As he indicated, 47 States, the District of Columbia, Guam, 
Puerto Rico, and the Virgin Islands have all enacted their own 
laws requiring notification of security breaches involving 
personal information. Some States, such as Massachusetts and 
California, have mandated strong requirements. California's 
data breach notification law requires that a person be notified 
when their encrypted personal information has been or is 
reasonably believed to have been acquired by an unauthorized 
person, and the consumer has the right to know about all 
breaches of personal information, not just those deemed capable 
of doing harm.
    Massachusetts law mandates that data owners provide notice 
of a security breach to the State's Consumer Affairs Office, 
State Attorney General, and the affected resident and include 
any steps the data-holder has taken relating to the incident.
    Professor Hartzog, some legislative proposals include 
preemption of ``any provision of a law, rule, regulation, 
requirement, standard, or other provision having force and 
effect of law relating to either data security of personally 
identifiable information or notification following a breach of 
personal, identifiable information.'' As I understand it, that 
would not be limited to the 47 States' statutes but it could, 
building off of a comment a moment ago, also preempt tort law 
and contract law. Seeing as you are a tort professor, is that 
correct and can you just walk us through that a little bit?
    Mr. Hartzog. Sure. So that strikes me as very broad 
preemptive language and the kind of which I would recommend 
against, precisely because while tort law isn't our best hope, 
we still might actually find some hope in tort law, maybe not 
in the tort of negligence which is very harm based, but perhaps 
other theories. So some of the more successful theories at the 
State level with regard to data security have been promises 
made by companies about data security which is sort of a tort 
and contract mixture. And for legislation to preempt that I 
think would be very problematic, and I think we have to be very 
careful about broad preemption with respect to Federal sector-
specific data security law as well because there are some 
extremely important protections that exist throughout in 
various different sectors.
    And so that kind of preemptive language is exactly the kind 
of preemptive language that would strike me as one that would 
ultimately end up doing more harm than good based on how 
significant it would seem to scale back protections for 
consumers.
    Mr. Kennedy. So building off of that, Professor, as I 
understand it, Massachusetts data breach law has some strong 
data security requirements which include the authority of the 
Massachusetts Department of Consumer Affairs and Business 
Regulation to issue regulations regarding data security. Would 
those regulations then be preempted potentially by that 
language that I just referenced? We obviously, yes, don't want 
to add in another layer of regulation but want to make sure 
that there is some strong consumer protection standards and 
allow States to innovate here as well.
    Mr. Hartzog. That is correct. That language would seem to 
preempt the State law protections in Massachusetts as well as 
all the other States that have data security requirements 
related to it, and this is potentially problematic because 
while the general approach to regulating data security seems 
relatively consistent--we all want reasonable data security 
practices which are relatively tethered to industry standards--
States and policymakers in general are still trying to figure 
out exactly the best approach to that. And it would seem to be 
a problem to set something in stone when we are still trying to 
grapple with this very important issue.
    Mr. Kennedy. OK. Thank you, Professor. I will yield back.
    Mr. Burgess. The gentleman yields back. The Chair 
recognizes the gentleman from Mississippi, Mr. Harper, 5 
minutes for your questions, please.
    Mr. Harper. Thank you, Mr. Chairman, and thanks to each of 
you for being here. It is a great concern as to how you protect 
the consumers and reduce the burden here and maybe prosecute 
the bad guys. So there is a lot to be done. I don't know of a 
company that is not greatly impacted and truly troubled by 
this.
    First question would be a follow-up, Mr. Dodge. Some have 
suggested that consumers should receive notice from the company 
that was breached, even if they have never interacted with that 
company. Wouldn't it be clear for a consumer if they receive 
notification about a breach from the company that they actually 
gave the information to directly?
    Mr. Dodge. So we think that the obligation to notify 
creates a very important incentive to keep systems strong and 
protect the information that companies hold. We would urge the 
committee as it considers this to maintain that obligation but 
allow for flexibility for businesses to contractually determine 
the notifying party because I think there are situations that 
you describe where that is appropriate. But to try to 
contemplate all those situations would be problematic and could 
undermine that important incentive.
    Mr. Harper. Is there a risk to consumers that you could 
create some confusion by duplicate notification from the 
company they gave information to and also a third party? What 
do you say about that?
    Mr. Dodge. So again, I think the objective from all the 
parties involved would be to make sure that it was a 
streamlined and clear notification. And so that is why we would 
argue that the value of maintaining that incentive is high, but 
allowing flexibility for the parties involved as you described 
to contractually determine who would distribute that notice.
    Mr. Harper. And this would be a question to Ms. Hyman, you, 
Mr. Dodge, and Ms. Glasgow. Some States trigger notification to 
individuals after the company determines that there has been an 
unauthorized access to their information while the majority of 
States require notice upon a reasonable belief that the data 
was acquired by an unauthorized party. So the data was actually 
removed from the system. Is there a danger of overnotification 
to consumers if the duty to notify individuals is triggered by 
access but not acquisition?
    Ms. Hyman. Yes, there is, and we think it is very important 
that companies have an opportunity to do an appropriate risk 
assessment to determine whether there has been actual access to 
the information.
    Mr. Harper. Mr. Dodge?
    Mr. Dodge. We believe that it has to be at the time of the 
confirmed breach. You want to be able to, in the wake of a 
breach, to define the universe of affected individuals so that 
the notice goes to the people who truly were or could be 
impacted, rather than overly broad and catching people that 
perhaps weren't affected.
    Mr. Harper. OK. Ms. Glasgow?
    Ms. Barrett-Glasgow. You know, the subtle difference 
between access and acquisition is really kind of lost I think 
in this debate in that if there is access and it is from an 
unauthorized person, you more than likely have some potential 
risk.
    So if a company is assessing that, I think responsible 
companies are going to err on the side of caution.
    Mr. Harper. And Ms. Glasgow, earlier you testified when we 
were talking about a national notification standard, you 
mentioned a harm-based standard. In your eyes, who is best able 
to determine if there is harm?
    Ms. Barrett-Glasgow. Well, I think it is determined by a 
number of parties. First, the company is the one that is on the 
line to begin with to make that assessment based on their 
understanding of what has happened. But beyond that, there are 
various regulatory agencies, the FTC at the Federal level and 
of course State AGs at the State level, that put teeth into 
that analysis to make sure that that assessment is done 
effectively and fairly for all parties.
    Mr. Harper. Just as a comment. When you have 47 standards 
and you have a company, most companies are national companies. 
It is extremely confusing and difficult for them, and that is 
why as we look toward a bipartisan approach to this, it is 
going to be very important how we move forward.
    Mr. Dodge, if I could ask you, while there are ongoing 
discussions on how to establish a sensible time period in which 
companies are required to notify consumers of a breach, I am 
also interested in understanding what exactly or who exactly 
would start the notification timeframe so there is no room for 
misinterpretation of when companies are required to notify 
consumers. I would imagine that your members would not want 
this left up for interpretation after the fact. What are your 
thoughts on when this clock should start and who should be 
responsible for starting it?
    Mr. Dodge. So we believe that the trigger should be the 
confirmation of a breach, and at that point of course there are 
lots of players who would be involved from law enforcement to 
presumably regulators if Congress were to go down this path. I 
think what is important to remember that there needs to be 
flexibility in that timeline because there are a number of 
steps that need to occur in order to ensure that the notice 
that goes out provides actionable information. So you want to 
first define the universe as I said a moment ago. Then you need 
to train your staff because invariably when these notices are 
received, it is going to lead to a number of questions. It 
won't be limited to the phone number or whatever the method of 
contact is on the notice. So you need to train staff in order 
to be able to respond and help consumers protect themselves.
    And then there is the complex process of sending out a 
notice. It could be extremely large scale and making sure that 
notices aren't just going into junk mailboxes.
    Mr. Harper. And not meaning to cut you off, my time is 
expired. Thank you, Mr. Chairman.
    Mr. Burgess. The gentlelady yields back. The Chair thanks 
the gentleman. The Chair now recognizes the gentleman from 
Vermont, 5 minutes for your questions, please.
    Mr. Welch. Thank you. I didn't know whether Mr. Rush was 
ahead of me or not, but he tells me he is not from Vermont. So 
I am OK to go. We would love to have you.
    Thank you very much. This is extremely helpful. A couple of 
the issues we are wrestling with is, number one, is preemption, 
and in general, I favor nonpreemption but I have been persuaded 
that if we can get the right standard, this is one of those 
situations where it really makes sense to have preemption.
    Let me just go down the line like my colleague, Marsha 
Blackburn, did. If we have preemption, it is going to give I 
think a lot more comfort to those of us who are willing to take 
that step if the standard is stronger, and we have got a strong 
standard in Illinois. We have got a strong standard in 
California. In my conversations with some folks in the 
industry, the advantage of a single standard makes them 
supportive of a strong standard. And I want to just get each of 
your views on that. In other words, if we have preemption, do 
you support a relatively robust standard?
    Ms. Hyman. We have spoken out in favor of significant harm 
to the consumer. States are justifiably proud of the work that 
they have done. The chairman of our IT security group is from 
Massachusetts, but he, too, has shared with us the notion that 
the patchwork has become unworkable----
    Mr. Welch. Right. So----
    Ms. Hyman [continuing]. For companies such as theirs. So--
--
    Mr. Welch [continuing]. You get a single standard, a strong 
standard is something you could support if you got preemption?
    Ms. Hyman. Yes.
    Mr. Welch. And how about you, Mr. Dodge?
    Mr. Dodge. Again, based on the recognition in the case of 
harm or risk to consumers, yes, we totally agree, and we 
believe that the preemption is really, really critical.
    Mr. Welch. OK. Thank you. Ms. Glasgow?
    Ms. Barrett-Glasgow. Yes, the harm-based trigger tied with 
Federal preemption is very acceptable.
    Mr. Welch. OK. And Mr. Hartzog?
    Mr. Hartzog. Well, I would say that if Federal legislation 
is really going to move the ball forward and not actually strip 
away existing protections, then we should not have a harm-based 
trigger, and we should also, even to the extent that we should 
have broad definitions of things like PII which we have now, 
that may actually change in the future. And so we need to be 
sure that we can change the law----
    Mr. Welch. If I understood your testimony, though, you had 
reservations about preemption, but you weren't categorically 
opposed to it.
    Mr. Hartzog. That is correct. That is right.
    Mr. Welch. Your concern is that whatever our standard is, 
it be robust.
    Mr. Hartzog. That is right.
    Mr. Welch. Correct?
    Mr. Hartzog. So, so long as the standard is at or above 
what we currently have now, then I think that we can continue 
to move in the correct trajectory for data breach.
    Mr. Welch. OK. Thank you for that. The other question is if 
you have a single standard, can you have that be enforceable at 
the local Attorney General level as well as at the Federal 
level? And folks like Illinois, the Attorney General has been 
very active in this. I know Vermont has been active in local 
enforcement. Would there be any problem with allowing the 
enforcement of that standard, both at the Federal and at the 
State level, where people would have I think more confidence 
that they would be heard? Let us go down the line.
    Ms. Hyman. Sure. We understand and accept the notion that 
the State Attorneys General should have the opportunity to 
enforce or the FTC or the Federal body, but we would argue that 
one should extinguish the other. In other words, you shouldn't 
have those contemporaneously.
    Mr. Welch. I see. OK. Mr. Dodge?
    Mr. Dodge. Just building off that, I think we do recognize 
that there is an important role for the State AGs to play in 
this.
    Mr. Welch. Thank you.
    Ms. Barrett-Glasgow. Yes, I agree, and so long as the 
coordination between State AGs and FTC is in place.
    Mr. Welch. OK. Mr. Hyman [sic]?
    Mr. Hartzog. I would agree that enforcement of the State 
AGs would be desirable for a data breach.
    Mr. Welch. OK. The other question I want to go to is this 
whole issue of tort law, and I understand that is somewhat 
injected into this. My understanding is, and correct me if I am 
wrong, the issue of tort law just applies in general across 
commerce and across noncommercial activity, and this committee, 
I am not sure--Mr. Chairman, I thought you were correct in 
your opening statement for acknowledging in some areas we 
simply don't have the jurisdiction to get involved. And I am 
thinking----
    Mr. Burgess. Would the gentleman yield?
    Mr. Welch. Yes, I will.
    Mr. Burgess. For his purposes going forward, the Chair is 
always correct.
    Mr. Welch. That more or less settles it. But I see that 
this whole question of tort law and whether there should be 
some carve-out as really a separate question from the heart of 
this legislation. There are a lot of folks that would love to 
not ever have to worry about tort law, but that is across the 
whole spectrum of any kind of activity in society, and taking 
that challenge on in this legislation may be a burden that is 
inappropriate to bear and too great to bear.
    So I just want to get your comment as to whether some tort 
provision in here in your mind is essential to getting some of 
the good things that both sides seem to be supporting.
    Ms. Hyman. Well, again, I will point out I am a recovering 
lawyer. So my familiarity with tort law is a little bit 
obscured at this point in time. But the one thing I would say 
is that we need to separate out and distinguish between good 
actors and bad actors. And what this effort about data breach 
notification is about is trying to provide clear lines of 
responsibility between the companies and the consumer. There 
are always going to be people that are bad actors, and they 
should be punished.
    Mr. Welch. Right.
    Ms. Hyman. That is a different subject.
    Mr. Welch. OK. Mr. Dodge?
    Mr. Dodge. I, too, am not a lawyer, so I can't speak to the 
details of tort law. But I would say that, you know, this whole 
exercise is about empowering customers, consumers, with 
expectations around how they would receive notice and 
empowering businesses to conform to a standard.
    Mr. Welch. All right. I see my time is expired. So the last 
two dodged the bullet. Thank you. I yield back.
    Mr. Burgess. The Chair thanks the gentleman. The Chair now 
recognizes the gentleman from Texas, Mr. Olson, 5 minutes for 
your questions, please.
    Mr. Olson. Thank you, Mr. Chairman, and congratulations on 
your first hearing of this important subcommittee, and welcome 
to all of our witnesses. I assure you, I went to law school, 
but you won't hear the word tort come out of my mouth through 
my questions.
    Unfortunately, in today's world, data breaches are 
happening more and more often. Target, Home Depot, Neiman 
Marcus, Sony Pictures all have been attacked by very different 
bad actors. We have to be aggressive on account of this threat, 
but it is a bit but, we must craft a balanced approach that 
protects consumers without undue burdens upon business.
    My first line of question is about notification. I want to 
bore down the issue a little bit. My first question to you, Ms. 
Hyman, is it realistic to require any company to notify 
consumers within a set number of days after a breach occurs?
    Ms. Hyman. Thank you, Congressman. First of all, I just 
want to reiterate, businesses are incented to be responsible to 
the consumer. This is about trying to make sure that the 
consumer has information quickly and it is actionable.
    There needs to be a reasonable period of time to do a risk 
assessment to find out, as was pointed out by my colleague, was 
there actual harm? You know, are there opportunities to remedy 
that harm? What kind of messaging is being provided to the 
workforce so that they can respond to the consumer when a 
notice goes out? So a reasonable period of time needs to be in 
place for risk assessment. Thereafter, if there is an 
appropriate timeframe for the actual notification, that makes a 
lot of sense.
    Mr. Olson. How about if they have some notification, when 
did this breach occur? Wouldn't we say that is where it 
happened, that is where the notification period starts? I mean, 
I am so confused when this clock starts running. Any idea when 
that clock starts running, ma'am?
    Ms. Hyman. I think you are saying does the clock start----
    Mr. Olson. Yes, when does it start? You said it is 
reasonable.
    Ms. Hyman. When there is an actual breach.
    Mr. Olson. OK. When does it start if it is reasonable? When 
do we start the clock? When has the breach occurred?
    Ms. Hyman. As soon as there is any type of information for 
the company to take a look and do the risk assessment, they 
have to do that within a reasonable period of time.
    Mr. Olson. OK. Mr. Dodge, how about you, sir? Is there 
reasonable required notification within a set number of days?
    Mr. Dodge. So we would urge flexibility in determining what 
that length of time is. As we have talked about, there are a 
number of steps that need to occur. But in every instance, the 
business entity that I am aware of has a desire to communicate 
that quickly because they want to make sure they are limiting 
any exposure or risk to those affected by the breach itself.
    Mr. Olson. Ms. Glasgow, I know you are a UT Longhorn and 
probably want to talk about this issue. Any concerns about 
requiring notification of breaches?
    Ms. Barrett-Glasgow. Yes. I think there are two. First, any 
kind of deadline tends to become the norm, and some breaches 
are a very simple or small breach. Notification can take place 
in a matter of days or weeks if it is contained, a briefcase 
that is lost or something that is easy to investigate.
    A big, complicated breach like we saw with some of the 
recent ones that you mentioned, take much longer. And so, you 
know, we run the risk of extending a simple breach to 30 days 
because that is the rule. But we also run the risk of not 
having enough information to do the assessment. And the 
notification process may be iterative. Through an 
investigation, you don't always have all the facts immediately. 
I mean, think about any criminal investigation that law 
enforcement takes. You learn something, and from that you ask 
more questions and from that you ask more questions. So it can 
very much be an interactive process of learning over a fairly 
extended period of time. So I think any kind of arbitrary 
number is inappropriate.
    You know, language like we suggested in our written 
testimony that says without undue delay we think creates the 
sense of urgency but doesn't necessarily penalize the very 
complicated investigation.
    Mr. Olson. And one final question about harmless breaches. 
We all agree that there are breaches that are harmless, yes or 
no? Ms. Hyman, yes or no, harmless breaches? We agree that some 
breaches are harmless?
    Ms. Hyman. Yes, there are some harmless breaches because of 
the type of information that is accessed.
    Mr. Olson. Mr. Dodge?
    Mr. Dodge. Yes, of course there are situations where 
intrusions can occur and no information has been taken.
    Mr. Olson. Ms. Glasgow?
    Ms. Barrett-Glasgow. Yes. I will give another example and 
that is when the information that was taken is encrypted or is 
essentially in some form that is unusable by the thief.
    Mr. Olson. And Mr. Hartzog, Professor Hartzog?
    Mr. Hartzog. I would say it depended on how you define 
harm. There are lots of different ways to think about it. I 
mean, was the breach a result of poor security practices, even 
though it didn't result in financial harm? It resulted in 
perhaps a breach of trust. Even if it is rendered unusable, if 
the encryption standard--was it adequate to actually protect 
the data? And so I would actually hesitate from saying yes to 
that question simply because the way you define harm is 
everything and that----
    Mr. Olson. With you leaning yes, sir. I yield back.
    Mr. Burgess. The gentleman yields back. The Chair thanks 
the gentleman. The Chair now recognizes the former chairman of 
the subcommittee, my longtime friend, Bobby Rush, from Chicago.
    Mr. Rush. Thank you. Thank you, Mr. Chairman, and I want to 
also congratulate you on your first hearing. It is an 
outstanding hearing, and I want to congratulate all your 
witnesses. They have provided fine testimony. And Mr. Chairman, 
I am going to take your pronouncement under consideration that 
you are always right, that you are never wrong. No, you said 
you are always right. And I am going to really try to process 
that because I am never wrong. So we have come to some kind of 
mutual understanding and agreement on that, all right?
    Mr. Chairman, I want to get to the matter of the day, and I 
want to talk Dr. Hartzog. Dr. Hartzog, I am of the opinion that 
somebody has got to be in charge of interpretation. Somebody 
has got to be in charge of implementation, all right? And I 
understand you call for regulation by multiple agencies in 
their areas of expertise. Beauty is in the eye of the beholder, 
and one of the issues that we are always struggling with in 
this place is who has got the final say? Who has got 
jurisdiction and what is it that they have jurisdiction over?
    My question to you is, first of all, if you can kind of 
explain to us and clarify what do you mean by regulation by 
multiple agencies in their areas of expertise? Can you be a 
little bit more clear in regards to that? And my second 
question is do you believe that there should be one central 
agency who could be the final authority on data security for 
the Federal Government?
    So will you try and clarify your perceptions in terms of 
jurisdictional issues?
    Mr. Hartzog. Sure. So thank you for the question. I think 
that there should not be one entity that is in charge of data 
security for the entire country simply because what constitutes 
good data security and reasonable data security is so highly 
dependent upon context and industry. And so we have already 
existing numerous regulatory agencies, like the Federal 
Communications Commission, HHS and HTSA, the FAA, many 
different regulatory agencies, all of which have in some form 
spoken and made some requirements for good data security or 
looking into requirements for data security. And it is 
imperative that we rely upon these multiple regulatory bodies 
because they have expertise in very specific things. So the 
Federal Communications Commission has well-developed expertise 
in regulating telecommunications companies, satellite 
companies, and cable companies and other intermediaries and the 
specific data security requirements that apply in those 
particular fields, which might differ than say a standard 
commercial enterprise.
    That being said, sometimes there is overlapping 
jurisdiction, but what we have seen with multiple regulatory 
agencies is we have seen that they can coexist. They work 
together. Sometimes they have coordinated investigations. 
Sometimes they reach memorandums of understanding where they 
say, you know, you will handle certain kinds of data security 
breaches, and we will handle other kinds.
    And so that is what I meant by the importance of regulatory 
bodies, multiple regulatory bodies.
    Mr. Rush. I have a second question here, and this is 
directed to Ms. Glasgow. The Federal Trade Commission called on 
Congress to enact the legislation to allow consumers with 
access to information held by data brokers. The Commission has 
also recommended that one centralized Web site be created where 
consumers can learn about how their data is used, correction to 
inaccuracies of their data, and to opt out for marketing if 
desired. Do you support these recommendations?
    Ms. Barrett-Glasgow. We actually have gone so far as to 
implement the recommendation to have one central site where 
consumers can come and look at the data that Acxiom holds and 
correct it and change it. And we continue to work with industry 
on whether or not having a central site where everyone lists 
themselves and a consumer goes there, how that might be 
effective in terms of transparency. We certainly support the 
objective that the FTC has stated relative to transparency.
    Mr. Rush. I only have a few seconds, but can you share with 
the committee some of your experiences? I mean, how do the 
consumers, how do they go about it? How do they grade their 
experience with Acxiom?
    Ms. Barrett-Glasgow. Yes. The site requires the consumer to 
log in and identify themselves because we are going to be 
sharing the data that we have about them on that site. So we 
have to know who they are, but once they have logged in and 
established an account, then they can look at all the data that 
we used for any of our marketing products. They can delete an 
element. They can change an element, or they can completely opt 
out of the whole process online, and it happens in real time. 
We would encourage you to maybe go to the site and take a look. 
It is called AboutTheData.com.
    Mr. Rush. Thank you, Mr. Chairman. I yield back.
    Mr. Burgess. The Chair thanks the gentleman. The gentleman 
yields back. The Chair now recognizes the gentleman from 
Florida, Mr. Bilirakis, 5 minutes for your questions.
    Mr. Bilirakis. Thank you, Mr. Chairman. I appreciate it 
very much, and again, thanks for holding this very important 
hearing, and I really thank the panel as well. This is so 
important to our consumers.
    Consumers must be able to trust that information they 
provide. They want to make sure that it is safe. They provide 
the information to retailers, and the digital world where sales 
are increasing online--you know, this trust is vital to our 
economy. However, I do not believe such trust will be preserved 
by the current patchwork of laws. We need a stable law that 
ensures merchants are appropriately protecting consumers 
without sacrificing prosperity.
    The first question is for Mr. Dodge. You mentioned in your 
testimony the benefits of the chip and PIN that we are 
transitioning to nationwide. However, my understanding is that 
a potential weakness exists for online transactions because the 
payment card is not actually present. Doesn't that mean that 
this technology and every other technology can be made obsolete 
by criminals that quickly adapt to new technologies? It seems 
to me that we need to ensure that what we pass into law meets 
the threat and is not prescriptive of one type of technology? 
Do you agree and what do you recommend?
    Mr. Dodge. So just a couple of points first, specifically 
chip and PIN is not scheduled to be rolled out later this year. 
This has been a major point of tension between the merchant 
community and the financial services community because the 
expectation is the chip only is coming out. Chip and PIN has 
been in place around the world for many, many years and has 
been proven to dramatically reduce fraud. Retailers have argued 
for a very long time that we should be moving to this 
technology as quickly as possible because of its proven fraud 
protection and because in the context of today's hearing, that 
it has an important effect and devaluing the data that 
businesses hold. So the information that flows through a 
retailer's system, at the point of sale, would be rendered 
useless to criminals if they were able to capture it, if you use 
the chip and PIN system. We think it is absolutely critical.
    To your point about evolving technologies, that is 
absolutely true. It is the best technology. Chip and PIN is the 
best technology that is available today, and we are years 
behind the rest of the world in catching up to it. And as a 
result, we are behind. When chip and PIN was introduced in 
Europe, we saw fraud flow in two directions, online in Europe 
to your point and to the United States because it became the 
lowest common denominator.
    As for long-term solutions, we believe the chip and PIN 
serves a near-term need, and we need to evolve to next 
generation because as you suggest, the world is moving online. 
E-commerce is booming online.
    Mr. Bilirakis. Thank you very much. The next question is 
for the entire panel. Some of the recent data breaches were 
caused by third parties, such as contractors. What 
recommendations would you make if any to address when these 
situations occur? We will start over here, if that is OK with 
Ms. Hyman.
    Ms. Hyman. Well, first of all, with regard to third 
parties, again, many of our member companies are solution 
providers, those third parties that you may be talking about. 
Human error continues to be one of the greatest causes of data 
breach, and I think doing best practices for the industry and 
for all companies involved on how to mitigate some of those 
human errors is very important. Education, ongoing efforts, we 
have an IT trust mark, security trust mark, which is a 
benchmark for an organization to undertake appropriate 
practices for data security. So all of these pieces come into 
play, but having a standard for data breach notification also 
puts everybody on notice about what the consumer needs to know 
in a timely and actionable way.
    Mr. Bilirakis. Mr. Dodge?
    Mr. Dodge. The questions about third-party----
    Mr. Bilirakis. The third party, with regard to third 
parties, correct.
    Mr. Dodge. Yes. So we think that it is important. It is 
important incentive that the breached entity be obligated to 
make the notice, but flexibility should exist for parties to 
contractually determine in the instance of a breach who should 
issue the notice.
    Mr. Bilirakis. Thank you. Yes, ma'am.
    Ms. Barrett-Glasgow. As a vendor, we see lots of increasing 
requirements from our clients to not only adhere to security 
standards but to have indemnification if a breach occurs in our 
environment of the data that we are holding and processing for 
them.
    Mr. Bilirakis. Thank you. Mr. Hartzog?
    Mr. Hartzog. My recommendation would be maybe, if there is 
even a possible compromise here, which is if breached entities 
have no relationship to the consumer whose data they hold. Then 
perhaps there could be some kind of requirement where you would 
have to disclose the relationship--say, ``We got this 
information from an entity that collected your personal 
information, which is why you don't recognize us. But we were 
breached.'' So that could be one way to handle that.
    Mr. Bilirakis. OK, Mr. Chairman. I actually have one more 
question if you----
    Mr. Burgess. Ask unanimous consent that the gentleman be 
able to ask his question. Without objection, so ordered.
    Mr. Bilirakis. Thank you.
    Mr. Burgess. It is an immense power that I wield here, Gus.
    Mr. Bilirakis. OK, for the panel again, keeping in mind the 
touchstone of this process is notifying an individual in the 
event that they need to mitigate the economic risks associated 
with a breach, which entity is in the best position to notify 
individuals after a breach? Is there a reason to deviate from 
the structure that the States have used? And we will start with 
Ms. Hyman, please.
    Ms. Hyman. Are you asking in terms of who is responsible 
for the notification or which enforcement agency?
    Mr. Bilirakis. Who would be responsible for the 
notification.
    Ms. Hyman. We want to make sure that we are, again, not 
overnotifying or confusing the consumer. So that entity to 
which they have provided their information, that would have 
done the transaction, would be the first source. Then 
contractually--and I come back to the previous question about 
third parties. There are contractual relationships beyond that.
    Mr. Bilirakis. Again, with regard to the States, how would 
you----
    Ms. Hyman. We said that the State Attorneys General should 
have enforcement opportunities. If it is also the FTC that is 
undertaking enforcement, one should extinguish the other. They 
should not happen simultaneously.
    Mr. Bilirakis. Very good. I am sorry. I am having a little 
trouble hearing. I apologize. Mr. Dodge, please.
    Mr. Dodge. Sure. We strongly believe that the obligation to 
notify should be with the breached entity and then again, 
flexibility among parties to contractually determine who sends 
the notification, if it makes more sense for somebody else to 
send it. And we agree the State Attorneys General have an 
important role to play in this.
    Mr. Bilirakis. Very good. Thank you. Please.
    Ms. Barrett-Glasgow. In the interest of time, I will agree.
    Mr. Bilirakis. OK. Very good.
    Mr. Hartzog. And I would agree that the current trajectory 
of the State law is what I would recommend.
    Mr. Bilirakis. Thank you very much. I appreciate it. I 
yield back, Mr. Chairman. Thanks for allowing me to ask that 
last question.
    Mr. Burgess. The Chair thanks the gentleman. The gentleman 
does yield back. Seeing no further members wishing to ask 
questions, I would like to thank the witnesses and members for 
their participation in today's hearing. Before we conclude, I 
would like to include the following documents to be submitted 
for the record by unanimous consent: a letter on behalf of the 
Consumer Electronics Association; a letter on behalf of the 
Direct Marketing Association; a joint letter on behalf of the 
American Bankers Association, the Consumer Bankers Association, 
the Credit Union National Association, Financial Services 
Roundtable, Independent Community Bankers Association, the 
National Association of Federal Credit Unions; an additional 
letter on behalf of the Marketing Research Association; a 
letter on behalf of the National Retail Federation; a letter on 
behalf of the National Association of Federal Credit Unions; a 
joint letter on behalf of the Consumer Data Industry 
Association, the Interactive Advertising Bureau, the National 
Business Coalition on E-Commerce and Privacy, and the National 
Retail Federation, the United States Chamber of Commerce; and a 
joint statement for the record on behalf of the National 
Association of Convenience Stores and the Society of 
Independent Gasoline Marketers of America.
    Pursuant to committee rules, I remind members that they 
have 10 business days to submit additional questions for the 
record, and I ask that the witnesses submit their responses 
within 10 business days upon receipt of the questions.
    Without objection, all of the statements are entered into 
the record.
    And without objection, the subcommittee is adjourned.
    [Whereupon, at 12:50 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]