[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

DISCUSSION DRAFT OF H.R. ___, THE DATA SECURITY AND BREACH NOTIFICATION ACT OF 2015

HEARING BEFORE THE SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE OF THE COMMITTEE ON ENERGY AND COMMERCE, HOUSE OF REPRESENTATIVES

ONE HUNDRED FOURTEENTH CONGRESS, FIRST SESSION

MARCH 18, 2015

Serial No. 114-21

Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov

U.S. GOVERNMENT PUBLISHING OFFICE
22-433 PDF    WASHINGTON : 2016

COMMITTEE ON ENERGY AND COMMERCE

FRED UPTON, Michigan, Chairman

JOE BARTON, Texas, Chairman Emeritus
ED WHITFIELD, Kentucky
JOHN SHIMKUS, Illinois
JOSEPH R. PITTS, Pennsylvania
GREG WALDEN, Oregon
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee, Vice Chairman
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Ohio
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina
LARRY BUCSHON, Indiana
BILL FLORES, Texas
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
RICHARD HUDSON, North Carolina
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota

FRANK PALLONE, Jr., New Jersey, Ranking Member
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
LOIS CAPPS, California
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
G.K. BUTTERFIELD, North Carolina
DORIS O. MATSUI, California
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
JERRY McNERNEY, California
PETER WELCH, Vermont
BEN RAY LUJAN, New Mexico
PAUL TONKO, New York
JOHN A. YARMUTH, Kentucky
YVETTE D. CLARKE, New York
DAVID LOEBSACK, Iowa
KURT SCHRADER, Oregon
JOSEPH P. KENNEDY, III, Massachusetts
TONY CARDENAS, California

Subcommittee on Commerce, Manufacturing, and Trade

MICHAEL C. BURGESS, Texas, Chairman

LEONARD LANCE, New Jersey, Vice Chairman
MARSHA BLACKBURN, Tennessee
GREGG HARPER, Mississippi
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
GUS M. BILIRAKIS, Florida
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
FRED UPTON, Michigan (ex officio)

JANICE D. SCHAKOWSKY, Illinois, Ranking Member
YVETTE D. CLARKE, New York
JOSEPH P. KENNEDY, III, Massachusetts
TONY CARDENAS, California
BOBBY L. RUSH, Illinois
G.K. BUTTERFIELD, North Carolina
PETER WELCH, Vermont
FRANK PALLONE, Jr., New Jersey (ex officio)

C O N T E N T S

Hon. Michael C. Burgess, a Representative in Congress from the State of Texas, opening statement
    Prepared statement
Hon. Janice D. Schakowsky, a Representative in Congress from the State of Illinois, opening statement
    Prepared statement
Hon. Fred Upton, a Representative in Congress from the State of Michigan, opening statement
    Prepared statement
Hon. Frank Pallone, Jr., a Representative in Congress from the State of New Jersey, opening statement
    Prepared statement

Witnesses

Hon. Jessica Rich, Director, Bureau of Consumer Protection, Federal Trade Commission
    Prepared statement
    Answers to submitted questions
Clete D. Johnson, Chief Counsel for Cybersecurity, Federal Communications Commission
    Prepared statement
Jon Leibowitz, Co-Chairman, 21st Century Privacy Coalition
    Prepared statement
    Answers to submitted questions [1]
Sara Cable, Assistant Attorney General, Commonwealth of Massachusetts
    Prepared statement
    Answers to submitted questions
Mallory B. Duncan, Senior Vice President and General Counsel, National Retail Federation
    Prepared statement
    Answers to submitted questions [1]
Laura Moy, Senior Policy Counsel, Open Technology Institute, New America
    Prepared statement
    Answers to submitted questions [2]
Yael Weinman, Vice President for Global Privacy Policy and General Counsel, Information Technology Industrial Council
    Prepared statement
    Answers to submitted questions

Submitted Material

Discussion Draft, H.R. ___, the Data Security and Breach Notification Act of 2015, [3] submitted by Mr. Burgess
Letter of March 18, 2015, from Public Knowledge, et al., to Mr. Burgess and Ms. Schakowsky, submitted by Mr. Pallone
Letter of March 18, 2015, from Ellen Bloom, Senior Director, Federal Policy and Washington Office, et al., Consumers Union, to Mr. Burgess and Ms. Schakowsky, submitted by Mr. Pallone
Letter of March 17, 2015, from Jim Nussle, President and CEO, Credit Union National Association, to Mr. Burgess and Ms. Schakowsky, submitted by Mr. Burgess
Letter of March 16, 2015, from Howard Fienberg, Director of Government Affairs, Marketing Research Association, to Mr. Burgess and Ms. Schakowsky, submitted by Mr. Burgess
Letter of March 16, 2015, from Brad Thaler, Vice President of Legislative Affairs, National Association of Federal Credit Unions, to Mr. Upton, et al., submitted by Mr. Burgess
Letter of March 17, 2015, from Craig D. Spiezle, Executive Director and President, Online Trust Alliance, to Mr. Burgess and Ms. Schakowsky, submitted by Mr. Burgess
Statement of National Association of Convenience Stores, March 18, 2015, submitted by Mr. Burgess
Statement of American Bankers Association, et al., March 18, 2015, submitted by Mr. Burgess
Answers to House Committee on Energy and Commerce questions submitted to the Secret Service, February 19, 2015, submitted by Mr. Burgess

[1] Mr. Leibowitz and Mr. Duncan did not answer submitted questions for the record by the time of printing.
[2] Ms. Moy's answers have been retained in committee files and also are available at http://docs.house.gov/meetings/IF/IF17/20150318/103175/HHRG-114-IF17-Wstate-MoyL-20150318.pdf.
[3] The discussion draft has been retained in committee files and also is available at http://docs.house.gov/meetings/IF/IF17/20150318/103175/HHRG-114-IF17-20150318-SD003.pdf.

DISCUSSION DRAFT OF H.R. ___, THE DATA SECURITY AND BREACH NOTIFICATION ACT OF 2015

WEDNESDAY, MARCH 18, 2015

House of Representatives,
Subcommittee on Commerce, Manufacturing, and Trade,
Committee on Energy and Commerce,
Washington, DC.

    The subcommittee met, pursuant to call, at 10:02 a.m., in room 2123 of the Rayburn House Office Building, Hon. Michael Burgess (chairman of the subcommittee) presiding.
    Members present: Representatives Burgess, Lance, Blackburn, Harper, Olson, Pompeo, Kinzinger, Bilirakis, Brooks, Mullin, Upton (ex officio), Schakowsky, Clarke, Kennedy, Cardenas, Rush, Butterfield, Welch, and Pallone (ex officio).
    Also present: Representative McNerney.
    Staff present: Charlotte Baker, Deputy Communications Director; Leighton Brown, Press Assistant; Karen Christian, General Counsel; James Decker, Policy Coordinator, Commerce, Manufacturing, and Trade; Graham Dufault, Counsel, Commerce, Manufacturing, and Trade; Melissa Froelich, Counsel, Commerce, Manufacturing, and Trade; Howard Kirby, Legislative Clerk; Paul Nagle, Chief Counsel, Commerce, Manufacturing, and Trade; Olivia Trusty, Professional Staff, Commerce, Manufacturing, and Trade; Michelle Ash, Democratic Chief Counsel, Commerce, Manufacturing, and Trade; Christine Brennan, Democratic Press Secretary; Jeff Carroll, Democratic Staff Director; David Goldman, Democratic Chief Counsel, Communications and Technology; Lisa Goldman, Democratic Counsel; Brendan Hennessey, Democratic Policy and Research Advisor; and Tim Robinson, Democratic Chief Counsel.

OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS

    Mr. Burgess. Chair will recognize himself for the purpose of a 5-minute opening statement. Again, welcome. Today's legislative hearing is the first concrete step for this subcommittee toward the goal of a single Federal standard on data security and breach notification. In January we heard testimony about the key elements of sound data security and breach notification. I am pleased that so many of the elements discussed at that hearing have been incorporated into the draft legislation.
    I also know, and I am aware of, that we just had another data breach that was in the news. I hope that the committee looks at health care data. Health care data has its own set of policy issues, where, if sharing data is done properly, could have tremendous public benefits and save lives, but there is already law in this area under HIPAA, and taking on health care privacy data in this bill I feel would delay the consumer benefits that we can provide under this draft.
    I am very encouraged by the bipartisan approach and commitment shown by my colleagues, vice chairman of the full committee Congresswoman Blackburn, and Congressman Welch, announcing this draft legislation. This subcommittee has a history of bipartisan cooperation with the work of Congressman Barton and Congressman Rush, that they have put a lot into this issue over the years. I am encouraged that this may be the year that we find the paths forward.
    The issue of data breach has been before this subcommittee for a decade, and it is in reference to that that this is such important work. I would just acknowledge the work of previous subcommittee chairs on both sides of the dais who have worked in this space. Chairman Bono Mack is here with us in the audience this morning. I heard from former Chairman Terry yesterday on the eve of starting this hearing. And certainly Chairman Rush, when I was in the minority and on this subcommittee, I know put in a lot of work.
    But all the while that we have been working, cybercriminals have continued their operations. They steal, they monetize an individual's personal information, all of that being done in the absence of any national data security requirement. Even today the great majority of States do not have a data security requirement. Ten years in, we do have greater insight into what cybercriminals are doing, and the impact of their activities. Conservative estimates put cybercrime cost to the consumers at $100 billion annually, and cybercrime is estimated to cost the United States economy over a half million jobs each year.
    The Secret Service tells us that data breaches are primarily monetized through financial fraud. On average, a third of data breach notification recipients became the victims of identity fraud in 2013, compared with a quarter in 2012, clearly increasing. On a more personal level, individuals are hit twice when there is a data breach. First they need to understand which of their accounts they need to reset, if they need new bank cards, or if they need to freeze their credit report. Luckily, there are many laws to help navigate the process.
    Second, the cost across the ecosystem is $100 billion annually, and that is eventually passed on to the consumer in the form of higher fees and prices. The existing patchwork of State laws on data security and breach notification do not seem to have been effective. The noted security blogger Brian Krebs posted an article this week about the new criminal tools to steal customers' payment information, and he ended it with a simple question, are online merchants ready for the coming e-commerce fraud wave? The draft legislation before us this morning addresses this question with both a security requirement for personal information that leads to identity theft and payment fraud, and a breach notification for consumers so consumers can protect themselves.
    Some will complain about what is not in the bill. If we actually want to pass legislation, it will be impossible to proof it against what can happen in the future. We cannot shade into areas such as privacy. This administration, and our minority colleagues, over the past 6 years have worked on this and still can't agree on how to address privacy, and I just want to be very clear on that topic. While we don't tackle privacy in this legislation, we don't preempt it either. This bill is focused on unauthorized access that leads to identity theft and financial fraud. It has nothing to do with permitted access, or when that permission can be given, or what data can be collected. I will also say that Congress must continue to address privacy of all kinds, but not at the price of delaying consumer protections for data security and breach notification.
    Another complaint will be around moving the telecommunications, cable, and satellite providers from the Federal Communications Commission to the Federal Trade Commission. I look forward to hearing which agency has been more active--the more active consumer watchdog regarding data security and breach notification in the last 10 years.
    I certainly do look forward to continuing the bipartisan good faith negotiations with all interested stakeholders. Negotiation remains open and ongoing, and, of course, the doors of the subcommittee are always open.
    [The prepared statement of Mr. Burgess follows:]

Prepared statement of Hon. Michael C. Burgess

    Today's legislative hearing is the first concrete step for this subcommittee toward the goal of a single Federal standard on data security and breach notification.
    In January, we heard testimony about the key elements of sound data security and breach notification legislation. I am pleased to see so many of the elements discussed at that hearing incorporated into the draft legislation.
    I know we just had another healthcare data breach. And I hope that the committee looks at healthcare data. Healthcare data has its own set of policy issues--where sharing data if done properly--could have tremendous public benefits and save lives. But there is law in this area--HIPAA--and taking on healthcare privacy and data in this bill would delay the consumer benefits that we can provide under this draft.
    I am very encouraged by the bipartisan approach and commitment shown by my colleagues, vice chairman of the full committee Congresswoman Blackburn and Congressman Welch announcing this draft legislation. This subcommittee has a history of bipartisan cooperation with the work Congressman Barton and Congressman Rush have also put into this issue over the years. I am encouraged that this is the year we can find a path forward.
    The issue of data breach has been before this subcommittee for many years and all the while, cybercriminals continued their operations to steal and monetize individuals' personal information. All in the absence of any national data security requirement. Even today, the great majority of States do not have a data security requirement.
    Ten years in--we do have greater insight into what cybercriminals are doing and on their impact. Conservative estimates put cybercrime costs to consumers at $100 billion annually. And cybercrime is estimated to cost the U.S. economy 508,000 jobs each year.
    The Secret Service tells us that data breaches are primarily monetized through financial fraud. On average 1/3 of data breach notification recipients became victims of identity fraud in 2013, compared with 1/4 in 2012.
    On a more personal level, individuals are hit twice when there is a data breach. First, they need to understand which of their accounts they need to reset, if they need new bank cards, or if they need to place a freeze on their credit report. Luckily, there are many laws to help navigate that process.
    Second, the costs across the ecosystem, that $100 billion annually, are eventually passed to the consumer in the form of higher fees and prices.
    The existing patchwork of State laws on data security and breach notification have not been effective.
    The noted security blogger, Brian Krebs, posted an article this week about new criminal tools to steal customers' payment information that ended with a simple question: ``Are online merchants ready for the coming e-commerce fraud wave?''
    The draft legislation addresses this question with both the security requirement for personal information that leads to identity theft and payment fraud, and the breach notification for consumers so that they can protect themselves.
    Some folks will complain about what is not in the bill. If we want to actually pass legislation we cannot future proof this bill. We cannot shade into areas such as privacy. This administration and our minority colleagues have had 6 years, and they still can't agree on how to address privacy.
    On the topic of privacy--let me be very clear--while we don't tackle privacy we don't preempt privacy either. This bill is focused on unauthorized access that leads to identity theft and financial fraud. It has nothing to do with permitted access, or when that permission can be given, or what data can be collected. I will also say that Congress must continue to address privacy of all kinds, but not at the price of delaying consumer protections for data security and breach notification.
    Another complaint will be around moving telecommunications, cable, and satellite providers from the Federal Communications Commission to the Federal Trade Commission. I look forward to hearing which agency has been the more active consumer watchdog regarding data security and breach notification in the last 10 years.
    I look forward to continuing the bipartisan and good faith negotiations with all interested stakeholders. Negotiations remain ongoing, and our doors are always open.

    Mr. Burgess. With that, I would like to recognize the ranking member of the subcommittee, Ms. Schakowsky, 5 minutes for an opening statement.

OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS

    Ms. Schakowsky. Thank you, Mr. Chairman. I appreciate the hearing today on the draft legislation released last week, and--by Mr. Welch and Ms. Blackburn to require data breach security and reporting. I do appreciate my colleagues' efforts on this legislation, and I agree that there are some positive elements, FTC penalty authority and a data security provision among them.
    That said, however, this bill does need significant amendments to achieve the goal of both simplifying compliance for business, and enhancing protections for consumers. I don't believe that goal is out of reach. I don't think that it expands the time that it will take. Maybe by just a bit, but the draft proposal would--has these problems, in my view. It would prevent States from enforcing their own laws related to data security and breach notification. It prevents all private rights of action on data breach and notification. As currently drafted, it would override all common law, including tort and contract law, as they apply to data. Those provisions would leave consumers with fewer protections than they currently have.
    This proposal also weakens existing consumer protections under the Communications Act for customers of telecommunications, satellite, and cable companies. And while I believe the FTC can, and should, be empowered to play a stronger role in protecting consumers' data, I don't believe that should come at a cost of eliminating existing FCC protections. The bill would also only require consumers to be notified of a breach if it is determined that a breach has, or will, likely lead to financial harm. That would only occur after the companies regulated under this bill have concluded investigations of breaches to determine the risk of financial harm to each of their customers or users, a process that could take months.
    There are many types of harm that go beyond simply financial ones. For example, a data breach that revealed private communication might not have any measurable financial impact, but could cause embarrassment, or even danger. The types of personal information covered by this bill are far too limited. The bill doesn't cover over the counter drug purchases, or other health information not covered by HIPAA. By contrast, the data laws in Texas and Florida protect those types of information. The bill does not cover metadata, which can be used to acquire sensitive personal information. The bill also does not provide FTC rulemaking authority for defining personal information. This is a major weakness when we have seen the nature of personal information change significantly over time. For example, when the House passed the Data Act in 2009, it did not include geolocation information as part of personal information. Today I think we could all agree that geolocation information should be protected, and that is why we need legislation that allows the FTC to adapt as the nature of personal information continues to evolve. Of course we can't anticipate everything, but we could create some flexibility.
    In closing, this bill is very broad, in terms of preemption of State and other Federal laws, and narrow in terms of definitions of harm and personal information. I believe the bill should be narrow where it is now broad, and broad where it is now narrow. I look forward to hearing from our witnesses about their perspectives on this bill, and to moving forward with a strong bill that adequately protects consumers.
    [The prepared statement of Ms. Schakowsky follows:]

Prepared statement of Hon. Janice D. Schakowsky

    Thank you, Mr. Chairman, for holding today's important hearing on draft legislation released last week by Mrs. Blackburn and Mr. Welch to require data breach security and reporting.
    I appreciate my colleagues' effort on this legislation, and I believe it has some positive elements--FTC penalty authority and a data security provision among them.
    That being said, this bill needs significant amendment to achieve the goal of both simplifying compliance for businesses and enhancing protections for consumers.
    The draft proposal would prevent States from enforcing their own laws related to data security and breach notification. It prevents all private rights of action on data breach and notification. As currently drafted, it would override all common law--including tort and contract law--as they apply to data. Those provisions would leave consumers with fewer protections than they currently have.
    This proposal also weakens existing consumer protections under the Communications Act for customers of telecommunications, satellite, and cable companies. While I believe the FTC can and should be empowered to play a stronger role in protecting consumers' data, I don't believe that should come at a cost of eliminating existing FCC protections.
    The bill would also only require consumers to be notified of a breach if it is determined that a breach has or will likely lead to financial harm. That would only occur after the companies regulated under this bill have concluded investigations of breaches to determine the risks of financial harm to each of their customers or users--a process that could take months.
    There are many types of harm that go beyond simply financial ones. For example, a data breach that revealed private communications might not have any measurable financial impact, but could cause embarrassment or shame.
    The types of personal information covered by this bill are far too limited. The bill doesn't cover over-the-counter drug purchases or other health information not covered by HIPAA. By contrast, the data laws in Texas and Florida protect those types of information. The bill also does not cover metadata, which can be used to acquire sensitive personal information.
    The bill also does not provide FTC rulemaking authority for defining personal information. That is a major weakness when we've seen the nature of personal information change significantly over time. For example, when the House passed the DATA Act in 2009, it did not include geolocation information as part of personal information. Today, I think we could all agree that geolocation information should be protected. That is why we need legislation that allows the FTC to adapt as the nature of personal information continues to evolve.
    In closing, this bill is very broad in terms of preemption of State and other Federal laws and narrow in terms of definitions of harm and personal information. I believe the bill should be narrow where it is now broad, and broad where it is now narrow. I look forward to hearing from our witnesses about their perspectives on this bill and to moving forward with a strong bill that adequately protects consumers. With that, I yield the remainder of my time to Mr. Kennedy.

    Ms. Schakowsky. With that, I yield the remainder of my time to Mr. Kennedy.
    Mr. Kennedy. Thank you very much to my colleague, and thank you for--my colleagues on both sides of the aisle for their efforts in pulling this bill together. It is always nice to see a Bay Stater here to testify before the committee, so I just wanted to give a warm welcome to Sara Cable, Massachusetts Assistant Attorney General with the Consumer Protection Division. Ms. Cable investigates and prosecutes violations of the Massachusetts Consumer Protections Act and the Massachusetts data notification laws and data security regulations. I have no doubt that the work that Ms. Cable does in enforcing Massachusetts data breach laws has protected many across the Commonwealth, and I truly appreciate her being willing to be here today and take some time to share her thoughts and expertise with us about an incredibly important issue.
    And with that, Ms. Schakowsky, I will yield back. Thank you.
    Mr. Burgess. Chair thanks the gentlelady. Gentlelady yields back. The Chair now recognizes the chairman of the full committee, Mr. Upton, 5 minutes for an opening statement.

OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Upton. Well, thank you. We are at a critical point for consumer protection in the U.S. Our interconnected economy, with many great benefits, also poses new threats from thieves, new challenges to information security, that is for sure. And as the Internet weaves itself into the DNA of appliances, cars, clothing, the threats of exploitation multiply, but the most serious underlying criminal purpose remains the same, to steal and monetize personal information, and it has to be stopped.
    As data breaches have evolved, the one constant is that identity theft and payment card fraud are the crimes that pay the criminals. According to the Bureau of Justice Statistics, personal identity theft costs our economy nearly $25 billion in '12, making it the largest threat to personal property today. There is not a single member of this committee who doesn't represent someone who has suffered either identity theft or payment fraud.
    This bipartisan draft legislation that we consider today establishes a reasonable national security standard, with flexibility to adapt to changing security technology. The FTC and the State Attorneys General will be policing companies to hold them accountable for protecting consumers. The draft also focuses on the personal information that criminals have targeted, the cyber gold that attracts today's cybersafecrackers. I want to thank my colleagues Blackburn and Welch for bringing us a big step closer to a bipartisan solution. Other members of the committee, including Mr. Barton and Rush, have also rolled up their legislative sleeves over the years. And I want to thank Chairman Burgess for making this issue a very top priority on this subcommittee.
    I also commend the narrow approach. By targeting the most sought after personal information in the areas lacking current Federal protections, this bill avoids controversial issues that have derailed past efforts. Our goal is to create clear requirements to secure personal information from, and notify consumers in cases of unauthorized access. The goal is not to broadly regulate the use of data.
    [The prepared statement of Mr. Upton follows:]

Prepared statement of Hon. Fred Upton

    We are at a critical point for consumer protection in the United States. Our interconnected economy, with many great benefits, also poses new threats from thieves and new challenges to information security. As the Internet weaves itself into the DNA of appliances, cars, and clothing, the threats for exploitation multiply, but the most serious underlying criminal purpose remains the same: to steal and monetize personal information.
    As data breaches have evolved, the one constant is that identity theft and payment card fraud are the crimes that pay the criminals. According to the Bureau of Justice Statistics, personal identity theft cost our economy nearly 25 billion dollars in 2012, making it the biggest threat to personal property today. There is not a single member of this committee who doesn't represent someone who has suffered from either identity theft or payment fraud. I know in southwest Michigan it's a real concern.
    The bipartisan draft legislation we consider today establishes a reasonable national security standard with the flexibility to adapt to changing security technology. The FTC and the State AGs will be policing companies to hold them accountable for protecting consumers. The draft also focuses on the personal information that criminals have targeted--the cyber gold that attracts today's cybersafecrackers.
    I would like to thank Representatives Blackburn and Welch for bringing us a big step closer to a bipartisan solution. Other members of the committee, including Mr. Barton and Mr. Rush, have also rolled up their legislative sleeves over the years on this. And I thank Chairman Burgess for making this issue the top priority of the subcommittee.
    I also commend the narrow approach--by targeting the most sought-after personal information and the areas lacking current Federal protections, this bill avoids controversial issues that have derailed past efforts. Our goal is to create clear requirements to secure personal information from--and notify consumers in cases of--unauthorized access; the goal is not to broadly regulate the use of data.
    Some have argued that our legislation should be in addition to State laws. But the truth is, the State approach has not addressed the problem and does not adequately protect all consumers. We need a single, Federal set of rules. Companies and enforcers alike should focus on ensuring everyone is living up to that standard.

    Mr. Upton. I yield the balance of my time to Ms. Blackburn.
    Mrs. Blackburn. I thank the chairman for yielding, and I also want to recognize the previous chairman of this committee, Ms. Bono, with us today, who has worked so diligently on this issue through the years. I appreciate the guidance and the leadership there. I also want to commend Mr. Welch, who has been co-chairman of the Privacy Working Group, and the chairman for allowing the Privacy Working Group a full 2 years to dig into this issue, and to see where we could find agreement. And that is the basis of the draft legislation that we have before us today.
    The reason it is important that we do something now is because 2014 was dubbed the Year of the Breach. Think about the number of breaches that were out there. Our constituents have begun to see this firsthand. It has affected someone in nearly every family.
And what they are saying is the issue is getting \nout of control, and we need to take steps to put the guidance \nin place so that individuals will know they have the tools that \nare necessary to protect their data, and, as I say, their \nvirtual you, their presence online.\n    And I appreciate Mr. Welch and the work he and the Privacy \nWorking Group did to help us come to this point, and I yield \nthe balance of my time to the gentleman from Vermont.\n    Mr. Welch. Congress hasn't been doing its job. We need to \npass legislation that is going to deal with this incredible \nproblem. You know, since 2005 a billion consumer records have \nbeen hacked into. The current status right now, we have got \nStates trying to do something. Forty-seven different State laws \non notice, 12 State laws on data security, but we don't have \nany national standard, and we don't have any legislative \nauthority for the FTC, or really, for that matter, the FCC to \ndo much, so we have to act and let there be a cop on the beat \nto protect people.\n    What this bill does--and this is a discussion draft, and I \nappreciate the back and forth, but we are going to have to have \nMr. Pallone and Ms. Schakowsky very much involved as we go \nforward. What this does, it gives--it is a narrow bill. In my \nview, that is smart, because we have got to solve a problem. It \ngives the FTC explicit statutory authority, and that is being \nlitigated in the Wyndham Hotels case. They can impose robust \ncivil penalties. That is good. It does preempt States, but it \ndoesn't limit the States with respect to the States, but it \ndoesn't limit States on privacy issues, where they want to \ncontinue having legislative interaction.\n    This bill does not do some things that would be \ncontroversial that are debatable, but should not be part of \nthis, because it will weigh it down. It is not a privacy bill. \nThe States have continued authority in that space. It is not a \nbill about net neutrality. 
Big debate on this panel about the \nrecent order. I happen to support it. Many of my colleagues \ndon't. This bill is not about that. This bill is not about the \ncommon law right of action under tort law. Again, a debate \nhere, but not something that we want to weigh this bill down.\n    Mr. Chairman, I appreciate the focus, the narrow focus on \nthis. I appreciate Jan Schakowsky, the opportunity you gave me \nto work with the Privacy Group, and I implore all of my \ncolleagues here to keep this going. We had good input from all \nof the affected parties, the FTC, the FCC consumer groups. We \nhave got to get something done, and we have got an opportunity \nin this committee to do it. I hope we can all be part of that.\n    I yield back.\n    Mr. Burgess. Chair thanks the gentleman, gentleman yields \nback. The Chair recognizes the ranking member of the full \ncommittee, Mr. Pallone, 5 minutes for an opening statement.\n\nOPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE \n            IN CONGRESS FROM THE STATE OF NEW JERSEY\n\n    Mr. Pallone. Thank you, Chairman Burgess. Today we are \ndiscussing a draft data security and breach notification bill \nreleased recently by the majority. Data breaches are a plague \non consumers, businesses, and our economy as a whole. Reducing \nthe incidences of breaches, and the adverse effects from them, \nhas rightfully been at the top of our agenda since 2005, yet it \nalso has proven to be a complicated issue, without an easy \nlegislative solution. I appreciate the efforts being taken to \naddress the data breach problem, and I appreciate the \ndifficulty of writing legislation that effectively protects \nconsumers and lessens the burdens on the businesses that are \nvictims of criminal breaches.\n    And while the sincerity of the efforts are not questioned, \nI do question the merits of the bill before us today. The bill \nsimply does not strike the right balance. 
There are clearly \nbenefits to creating a unified system for breach notification, \nbut we must be careful that a Federal law ensures that \nprotections for consumers are not being weakened. Many of the \n51 State and territorial breach notification laws provide \ngreater protections for consumers whose personal information is \nat risk as a result of data breach. For example, at least seven \nStates and DC do not require a harm analysis before providing \nnotice to consumers. At least 17 State laws also include a \nprivate cause of action. At least nine States' laws cover \nhealth information.\n    In contrast, the draft under discussion today preempts \nstronger State and Federal laws, requires a financial harm \nanalysis, preempts State private rights of action, and does not \ncover health or location information. Data breach notification \nis only part of the solution. The other crucial piece of any \nlegislation should be baseline data security to help prevent \nbreaches before consumers' personal information is put at risk. \nThe draft before us eliminates State data security laws and \nreplaces them with an unclear standard that will surely be \nlitigated and left to judicial interpretation.\n    As I said at a hearing this past January, I want to be \nsupportive of sound data security and breach notification \nlegislation, but to get there we must ask the right question. \nThe question is not whether any one Federal agency would be \nbetter off. The question must always be whether legislation \nputs consumers in a better place than they are today. And, \nunfortunately, the draft before us today does not put consumers \nin a better place, in my opinion.\n    So before I close, I have to raise a process issue. We \nreceived the draft bill last Thursday evening. 
The 114th \nCongress seems to have halted a long tradition of sharing text \nwith all members of the subcommittee at least a full week prior \nto a legislative hearing, and this is not the first time this \nhas happened this year in the Energy and Commerce Committee, as \nwe saw with our Communications Subcommittee. I suspect it is \nnot going to be the last.\n    Also, I know this may sound, you know, a little picky, but \nI have to take issue with Chairman Burgess' opening remarks and \nrepeat my longstanding belief that having some Democratic \nsupport does not make a measure bipartisan. I think that \nChairman Upton used better language when he said maybe it is a \nstep closer to being bipartisan. And I appreciate what Mr. \nWelch said, which is that--he mentioned having the support of \nmyself and Ms. Schakowsky on a bill. I would like to see this \nbill improved before it moves further through the legislative \nprocess so that all members of the committee can support it, \nand it can be a truly bipartisan legislative product, which it \nis not at this time.\n    I have some time left. Did you want additional time? All \nright. Yvette, or--everybody is OK? All right. Thank you, Mr. \nChairman. I will yield back the balance of my time.\n    [The prepared statement of Mr. Pallone follows:]\n\n             Prepared statement of Hon. Frank Pallone, Jr.\n\n    Thank you Mr. Chairman. Today we are discussing a draft \ndata security and breach notification bill released recently by \nthe majority.\n    Data breaches are a plague on consumers, businesses, and \nour economy as a whole. Reducing the incidences of breaches and \nthe adverse effects from them has rightfully been at the top of \nour agenda since 2005. 
Yet, it also has proven to be a \ncomplicated issue without an easy legislative solution.\n    I appreciate the efforts being taken to address the data \nbreach problem, and I appreciate the difficulty of writing \nlegislation that effectively protects consumers and lessens the \nburdens on the businesses that are the victims of criminal \nbreaches.\n    While the sincerity of the efforts are not questioned, I do \nquestion the merits of the bill before us today. This bill \nsimply does not strike the right balance.\n    There are clearly benefits to creating a unified system for \nbreach notification. But we must be careful that a Federal law \nensures that protections for consumers are not weakened.\n    Many of the 51 State and territorial breach notification \nlaws provide greater protections for consumers whose personal \ninformation is at risk as a result of a data breach. For \nexample, at least seven States and the District of Columbia do \nnot require a harm analysis before providing notice to \nconsumers. At least 17 States' laws also include a private \ncause of action. At least nine States' laws cover health \ninformation.\n    In contrast, the draft under discussion today preempts \nstronger State and Federal laws, requires a financial harm \nanalysis, preempts State private rights of action, and does not \ncover health or location information.\n    Data breach notification is only part of the solution. The \nother crucial piece of any legislation should be baseline data \nsecurity to help prevent breaches before consumers' personal \ninformation is put at risk. The draft before us eliminates \nState data security laws and replaces them with an unclear \nstandard that will surely be litigated and left to judicial \ninterpretation.\n    As I said at a hearing this past January, I want to be \nsupportive of sound data security and breach notification \nlegislation. But to get there, we must ask the right question. 
\nThe question is not whether any one Federal agency would be \nbetter off. The question must always be whether legislation \nputs consumers in a better place than they are today. \nUnfortunately, the draft before us today does not put consumers \nin a better place.\n    Before I close, I must raise process issues. We received \nthe draft bill last Thursday evening. The 114th Congress seems \nto have halted a long tradition of sharing text with all \nmembers of the subcommittee at least a full week prior to a \nlegislative hearing. This is not the first time this has \nhappened this year in Energy and Commerce, and as we saw with \nour Communications Subcommittee, I suspect it won't be the \nlast. Also, I must take issue with Chairman Burgess' opening \nremarks and repeat my longstanding belief that having token \nDemocratic support does not make a measure bipartisan.\n    In closing, I hope we can work together to improve this \nbill before it moves further through the legislative process so \nthat all members of the committee can support it and it can be \na truly bipartisan legislative product.\n\n    Mr. Burgess. Gentleman yields back. His observation is \nnoted. I do want to welcome all of our witnesses, and thank you \nfor agreeing to testify before the subcommittee today. Today's \nhearing will consist of two panels. Each panel of witnesses \nwill have the opportunity to give an opening statement, \nfollowed by a round of questions from our members. Once we \nconclude with questions for the first panel, we will take a \nbrief break to set up for the second panel.\n    For our first panel today, we have the following witnesses: \nMs. Jessica Rich, Director of the Bureau of Consumer Protection \nat the Federal Trade Commission; and Mr. Clete Johnson, the \nChief Counsel for Cybersecurity, Public Safety, and Homeland \nSecurity at the Federal Communications Commission. Thank you \nfor your participation today. Ms. 
Rich, you are recognized for \n5 minutes for the purpose of an opening statement.\n\n STATEMENTS OF HON. JESSICA RICH, DIRECTOR, BUREAU OF CONSUMER \n  PROTECTION, FEDERAL TRADE COMMISSION; AND CLETE D. JOHNSON, \n    CHIEF COUNSEL FOR CYBERSECURITY, FEDERAL COMMUNICATIONS \n                           COMMISSION\n\n                   STATEMENT OF JESSICA RICH\n\n    Ms. Rich. Dr. Burgess, Ranking Member Schakowsky, and \nmembers of the subcommittee, I am Jessica Rich, Director of the \nBureau of Consumer Protection at the Federal Trade Commission. \nI appreciate the opportunity to present the Commission's \ntestimony on the subcommittee's data security legislation.\n    Reports of data breaches affecting millions of Americans \nfill the headlines. These breaches involved not just financial \ndata, but other types of sensitive data, such as medical \ninformation, account credentials, and even the contents of \nprivate emails. These events serve as a constant reminder that \nconsumers' data is at risk. Hackers and others seek to exploit \nvulnerabilities, obtain consumers' sensitive information, and \nmisuse it in ways that can cause serious harms to consumers and \nbusinesses. Indeed, identity theft continues to be the FTC's \nnumber one source of consumer complaints, and data shows that \nover 16 million consumers were victimized in 2012 alone.\n    Every year, new incidents are reported that re-ignite \nconcern about data security, as well as debate about the best \nway to provide it. Companies must implement strong data \nsecurity measures to minimize consumers' risk of fraud, \nidentity theft, and other substantial harm. Poor data security \npractices also creates risks for businesses. Data breaches can \nharm a company's financial interest and reputation, and also \nresult in the loss of consumer trust. 
We need strong \nlegislation now for consumers and the health of the commercial \nmarketplace.\n    As the Nation's consumer protection agency, the FTC is \ncommitted to protecting consumer privacy and promoting data \nsecurity in the private sector. The FTC would like to thank the \nsubcommittee for proposing enactment of Federal data security \nand breach notification law, which the Commission has long \nsupported on a bipartisan basis.\n    The Commission supports a number of elements in the \nproposed legislation which will give us additional tools to \ndeter unlawful conduct. First, the bill includes a provision \nrequiring companies to implement reasonable data security \nstandards in addition to breach notification, both of which are \nessential to protect consumers. Second, the legislation gives \nthe FTC jurisdiction to bring cases against non-profits and \ncommon carriers. Third, the bill provides for civil penalties, \nwhich are important to ensure adequate deterrents.\n    However, other aspects of the draft legislation don't \nprovide the strong protections needed to combat data breaches, \nidentity theft, and other substantial consumer harms. First, \nthe bill does not cover precise geolocation and health data, \neven though misuse of this and other information can cause real \nharm to consumers, and even though a lot of health information \nis not, in fact, covered by HIPAA. For example, we brought a \ncase last year against a medical transcription company whose \nlax security practice resulted in psychiatrists' notes about \nindividual patients being made available on the Internet, \navailable through simple Google searches. Given the definition \nof personal information in this bill, we would not be able to \nrely on the legislation to bring that case and seek civil \npenalties.\n    In addition to companies being careless with consumer \ninformation, hackers have incentives to obtain this data, even \nwhen it is not financial. 
For example, in some of our recent \ninvestigations, we have seen bad actors hack into company \nsystems to steal consumers' information so they can extract \npayments from the companies for its return. A number of State \nlaws currently protect consumers' health information, but those \nprotections would be preempted under the bill.\n    Second, the Commission believes that data security \nprotection should apply to devices that collect data, such as \nsome Internet-enable devices. Breaches involving these devices \nraise broader safety concerns, even if no data is stolen. For \nexample, if a pacemaker isn't properly secured, a breach could \nresult in serious harm to the person using it. Similarly, a \nmalicious criminal who hacks into a car's network could disable \nits brakes, and other safety features.\n    Third, the FTC continues to believe that data security and \nbreach legislation should include rulemaking authority under \nthe Administrative Procedures Act. Rulemaking would allow the \nCommission to ensure that, as technology changes, and the risks \nfrom the use of certain types of information evolve, the law \nkeeps pace, and consumers are adequately protected.\n    Finally, the FTC believes that any trigger for providing \nnotification should be sufficiently balanced so that consumers \ncan protect themselves when their data is at risk without \nexperiencing over-notification. Accordingly, we support an \napproach that requires notice, unless a company can establish \nthat there is no reasonable likelihood of economic, physical, \nor other substantial harm.\n    Thank you very much for this opportunity to provide the \nCommission's views. The FTC remains committed to promoting \nreasonable security for consumer data, and stands ready to work \nwith the subcommittee as it develops and considers legislation \nto protect consumers' sensitive information.\n    [The prepared statement of Ms. 
Rich follows:]\n    \n    \n    \n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    \n    \n    \n    \n   \n    Mr. Burgess. The Chair thanks the gentlelady. Mr. Johnson, \nyou are recognized for 5 minutes for the purpose of an opening \nstatement.\n\n                 STATEMENT OF CLETE D. JOHNSON\n\n    Mr. Johnson. Thank you very much. Dr. Burgess, Ranking \nMember Schakowsky, leaders of the full committee, distinguished \nmembers, thank you very much for having--for providing the \nopportunity to discuss the FCC's current programs and \nauthorities regarding consumer protections for communications \ndata, privacy, security, and breach notification. For decades \nCongress has recognized that information related to consumers' \nuse of communications services is especially sensitive for \nreasons that go beyond potential economic harm, such as \nfinancial fraud or identity theft. If Americans can't \ncommunicate privately, if we are not secure in the privacy of \ninformation about our communications, then we can't fully \nexercise the freedoms and rights of open democratic society. As \nwith medical and health care data, governed under HIPAA, and \nfinancial data, governed under Gramm-Leach-Bliley, and other \nstatutes, Congress has long treated communications-related \nconsumer information as a special category of consumer data \nthat calls for expert oversight, tailored protections, and \nspecific enforcement.\n    Given recent developments, the privacy and security of \nsensitive information held by communications networks is \nactually a much bigger issue now than ever before. For example, \npublic concerns about the availability of telephone call \nrecords, the widespread use of fixed and mobile broadband \ncommunications, privacy implications of crucial life-saving \nimprovements to next generation 911, and finally, recent \ncyberattacks, such as the one aimed at suppressing the release \nand viewing of a motion picture. 
As the expert agency that \nregulates communications networks, we continually seek to \nimprove these protections for the good of communications \nconsumers. I will now turn to the legal framework currently in \nplace to protect these communications consumers, and also the \nresponsibilities of communications providers to secure their \nnetworks in the first place. The draft bill would alter this \nlegal framework significantly, and would leave gaps, as \ncompared to existing consumer protections for communications \nconsumers.\n    First, Section 222 of the Act establishes a duty for \ntelecommunications carriers and interconnected VOIP providers \nto protect the confidentiality of consumers' proprietary \ninformation, including call records, location information, and \nother information related to the telephone service, such as the \nfeatures of the customer's service, or even the customer's \nfinancial status. FCC rules under Section 222 require carriers \nto notify law enforcement and consumers of breaches, and \ncarriers that fail to meet these requirements are subject to an \nenforcement action.\n    Second, Sections 631 and 338(i) apply to cable and \nsatellite TV providers, and they protect consumers' viewing \nhistory. That is the TV shows they watch, and the movies that \nthey order, as well as any other personally identifiable \ninformation available to the service provider. Here too the--\nthese protections are enforced by FCC enforcement activity. And \nI would note that many of these protections, including those \nprotections for several particular types of proprietary \ninformation, would no longer exist under the draft bill.\n    If enacted, Section 6(c) of the draft bill would declare \nsections of the Communications Act, as they pertain to data \nsecurity and breach notification, to ``have no force or \neffect'', except with regard to 911 calls. 
The Federal Trade \nCommission would be granted some, but not all, elements of the \nconsumer protection authority that the FCC presently exercises. \nFor example, if the draft bill were to become law, the FTC \nwould not have the authority to develop rules to protect the \nsecurity of consumers' data, or to update requirements as new \nsecurity threats emerge, and technology evolves.\n    Finally, while the draft bill attempts to maintain the \nprotections of the Communications Act for purposes other than \ndata security, the FCC's experience implementing privacy and \nsecurity requirements for communications consumer data shows \nthat there is no simple distinction between these two \ninterrelated concepts, privacy and security. Whether a company, \nnumber one, either by human or--human error or technical \nglitch, mistakenly fails to secure customer data, or, number \ntwo, if it deliberately divulges or uses information in ways \nthat violated consumer privacy regarding that data, that--the \ntransgression is at once a privacy violation and a security \nbreach. In many cases it is the very same thing, and they--\nthere--it is very difficult, practically or legally, to \nseparate the two.\n    I thank you again for the opportunity to provide a summary \nof the FCC's programs regarding data privacy and security, and, \nof course, look forward to answering any questions the \nsubcommittee may have. We at the FCC, of course, stand ready, \nand willing, and able to provide any input or assistance the \nsubcommittee may request as it completes this important work. \nThank you very much.\n    [The prepared statement of Mr. Johnson follows:]\n    \n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n  \n    \n    Mr. Burgess. Chair thanks both the witnesses for their \nforthright testimony. We will now go to the questioning portion \nof the hearing. 
I will recognize myself for 5 minutes for the \npurposes of questions.\n    Let me ask the same question to both of you. First, for the \nFederal Trade Commission, how many data security cases has the \nFederal Trade Commission brought to date? And, as a corollary, \ndo you have an idea as to how many investigative hours have \nbeen spent on data security cases?\n    Ms. Rich. We have brought 55 data security cases, that is \nsince the early 2000s, but we have actually brought hundreds \nof, combined, privacy and data security cases, held 35 \nworkshops, completed 50 reports. We have spent--I actually \nhaven't tabulated up man hours, but it is an enormous amount, \nbecause for every case we bring, there are actually quite a \nnumber of investigations that we look into, but we decide not \nto bring a Federal court action. So it is millions of hours.\n    Mr. Burgess. OK, but the total cases was 55, was your \nresponse?\n    Ms. Rich. In the data security area, but many of the \nprivacy cases have some data security element too, and there \nare hundreds of those.\n    Mr. Burgess. Very well. Mr. Johnson, let me just ask the \nsame question to you. How many data security cases has the \nFederal Communications Commission brought, and then, likewise, \nthe investigative hours that your commission has spent on the \ndata security cases?\n    Mr. Johnson. Thank you, Mr. Chairman. In the 18 years that \nSection 222 has been in place, and this is the section that \npertains primarily to telephone call records, there have been--\nI don't have the precise number, but I think it is in the realm \nof scores and scores of cases that pertain to what is called \ncustomer proprietary network information. This is call records, \nlocation information, time and duration of call, and a whole \nhost of other what is called CPNI protections. 
I don't have the
precise number, and I can certainly get you the precise number,
nor the total accumulated hours, but it is scores and scores.
    Mr. Burgess. To the extent--I think it would be helpful to
the subcommittee if you could make the actual numbers
available, and certainly----
    Mr. Johnson. Of course.
    Mr. Burgess [continuing]. I would allow you to do that for
the record. Let me just ask you a question. You brought up the
Consumer Proprietary Network Information. How many years after
the 1996 Act did it take to fully implement the rules for CPNI
at the Federal Communications Commission?
    Mr. Johnson. Well, I think that that--I don't know which
exact rule you are referring to, Mr. Chairman, but I think the
broad answer is that it has been underway for 18 years, and
there have been multiple improvements and shifts, including for
Congressional expectation, technological development, for
instance, voice over IP, location information that pertains to
911. And in 2013 there was a declaratory ruling that the
Commission declared that CPNI pertains to information that is
collected on mobile devices.
    So I guess the accurate answer is that it remains a work in
progress, and that is part of the value of having that
rulemaking authority, is in order to adapt to Congressional
expectations, changes of technology.
    Mr. Burgess. Maybe for the purposes of clarification for
the subcommittee, as we work through some of these issues,
could the Commission provide us a timeline, from 1996 to
present, where the rulemaking was involved, where it evolved?
Obviously the threat changed over that time as well. But I am--
I guess, you know, that is part of my concern, is that it--I
get the impression that it took some time from '96 to the point
where the rulemaking had evolved to a point where there were
actually consumer protections that were available. But I don't
know that, and you are----
    Mr. Johnson. Absolutely. I will take that--I think that is
a very important homework assignment for me, and I--run through
very briefly--the section was established in 1996.
    Mr. Burgess. Right.
    Mr. Johnson. In 1999 location information was added. In
2007 there was a major problem with what is called pre-texters.
And in my old world in--working on intelligence policy, this is
essentially a human intelligence collector, where pre-texters
would call the telephone company, ask----
    Mr. Burgess. Right. We had a hearing on it here in this
committee several years ago as well.
    Mr. Johnson. And so that was something, again, that was at
once a privacy and security issue, and in 2007 the Commission
issued rules specific to solving that problem. And, again,
there have been some other adjustments and improvements in
recent years. But we will get you the full story. It is
actually--it is--it is an important story about the development
of Section 222.
    Mr. Burgess. The Chair appreciates the gentleman's
willingness to provide the information. The Chair recognizes
Ms. Schakowsky. Five minutes for questions, please.
    Ms. Schakowsky. I just want to clarify that my concerns
between the agencies is really with regard to the impact on
consumers. I don't want anything I say to seem to reflect a
preference for one agency over another, but rather for the
protection of the consumers.
    So my--if this draft were enacted, regulatory and
enforcement authority over data security and breach
notification that is currently granted to the FCC would--under
certain sections of the Communications Act and its regulations
would have no force or effect. It is my understanding that the
data security and breach notification protections under the
Communications Act are broader than the protections afforded
under this draft. The Communications Act provides security
protections for information regarding telecommunications
subscribers' use of service, but this draft does not provide
security protections for all of that information. Instead, it
covers only ``the location of, number from which, and to which
a call is placed, and the time and duration of such call''.
    So, Mr. Johnson, what other information is currently
protected under Title II of the Communications Act that would
not be covered under this draft?
    Mr. Johnson. Ma'am, you are correct it--that there are
specific pieces of information, both under Section 222 and also
the cable/satellite provisions, that are not protected under
this draft. With regard to Section 222, information such as how
many calls a person has made, you know, sort of the peak
calling periods for that person, does this person make phone
calls in the morning, at night, lunchtime, specific features of
the service, like call waiting, caller ID, and then other
things that may be pertinent to call service, like the
financial status of the customer. Is the customer--does the
customer qualify for Medicaid, or SNAP, or other low income
support? Those would explicitly not be protected by the
definition in the draft bill.
    On the cable and satellite side, it is--essentially all of
it would not be protected. What television shows you watch on
cable and satellite, what pay-per-view you order, what you
order from the Home Shopping Network, none of this would be
protected under the draft bill, and it is----
    Ms. Schakowsky. So----
    Mr. Johnson [continuing]. Presently protected.
    Ms. Schakowsky. So viewing preferences, or viewing history,
none of that would be covered?
    Mr. Johnson. It is presently covered. It would not be
covered under the draft bill.
    Ms. Schakowsky. No, that is what I am talking about. This
bill also voids breach notification obligations required under
the Communications Act, Mr. Johnson, and its regulations, but
as I read it, the bill would not require breach notification
for a breach of call information. Under the Communications Act,
and associated regulations, a breach of customer information,
such as call data and viewing habits, requires notice to law
enforcement and affected customers. Is that right?
    Mr. Johnson. That is correct.
    Ms. Schakowsky. But as we established, much of the customer
information currently required to be secured under the
Communications Act does not have to be secured under this bill.
And if there is no requirement to protect the information, then
there is no requirement to provide notice in the event of a
breach, correct?
    Mr. Johnson. That is correct.
    Ms. Schakowsky. And even for the limited call information
that must be secured under this bill, a breached company would
not be required to provide notice because call information is
not financial in nature, do you agree?
    Mr. Johnson. That is my interpretation, yes, ma'am.
    Ms. Schakowsky. So I wondered, Ms. Rich, if you wanted to
comment on that. This is a concern that I have for consumers,
that I think if we allowed the FCC to continue in its
regulations, that we could then make sure we cover everything.
    Ms. Rich. We--for consumers--we are also looking at this
bill in terms of its effect on consumers, and that is why, in
our testimony, we have proposed that the bill apply to more
information, geo, health. Communications would also be
something that should be added to the bill. We also believe the
breach notification trigger should be a bit broader to
encompass different harms. So that, we agree, would be an
improvement to the bill.
    But I--as to jurisdiction, I should say that our position
is that we should have jurisdiction in this bill. The FTC
should have jurisdiction over carriers in this bill because we
have brought so many cases in this area. We bring so much
enforcement expertise to the table. We really have been working
on this issue since, really, the mid '90s. We also believe we
should be able to hold different companies that are collecting
some of the very same type of information to the same standards
on--in our enforcement. You know, Netflix, Google, and Verizon
really have a lot of the same information.
    And, further, the--we haven't taken a position on
reclassification, but one byproduct of reclassification is it
does remove our FTC jurisdiction from over providers of
broadband service, so we would actually be--we are actually
able to do less post-reclassification to help consumers than we
were able to do before. That being said, we believe--a majority
at the Commission believes we should share jurisdiction with
the FCC, and not displace the FCC.
    Ms. Schakowsky. Thank you. I yield back.
    Ms. Rich. We work very well together.
    Ms. Schakowsky. Thank you.
    Mr. Burgess. Gentlelady's time has expired. The Chair
recognizes the gentleman from Michigan, the chairman of the
full committee, Mr. Upton. Did he--Ms. Blackburn, then, you are
recognized to have 5 minutes for questions, please.
    Mrs. Blackburn. Thank you, Mr. Chairman, and I want to
thank our witnesses for being here.
    Mr. Johnson, to you first. Please get your facts and
figures all in order, as Chairman Burgess asked, and get that
back to us. It is helpful----
    Mr. Johnson. Yes.
    Mrs. Blackburn [continuing]. To us, and we were hopeful to
have that information today to be able to define the number of
data security cases that you all have brought forward, not just
terming it ``scores and scores.'' So let us tighten that up for
the record.
    Ms. Rich, to you, you talked about the 55 cases that you
all have brought forward, so I want you to walk me through what
is the criteria that you utilize when you decide to bring a
case forward? What is--what goes into that decision matrix?
    Ms. Rich. The core concept in our data security program,
whether--and we have several different laws we enforce, is
reasonableness, and not whether there has been a breach. And we
have emphasized a process-based approach that is tech neutral.
So for years our education and our cases have been emphasizing
that the key to data security is to follow certain key, you
know, basic common elements, put somebody in charge, make
somebody responsible for the program, do a risk assessment to
determine what are the risks in your business, not some
checklist that another business with a totally different
business model is using, develop a program to address the risks
you have just found, and focus in particular on things like the
key area----
    Mrs. Blackburn. Let me interrupt you there.
    Ms. Rich. Yes.
    Mrs. Blackburn. Would you consider, then, that you all have
an informal set of best practices that you refer back to? Would
that be a fair statement?
    Ms. Rich. Yes. It is not really informal, because it has
been widely publicized in the education materials we put out in
our complaints and orders, which all reiterate these same
elements.
    Mrs. Blackburn. OK. All right. Let me ask you this, then.
Do you think the draft legislation would limit the FTC's
Section 5 authority?
    Ms. Rich. Well, there is a savings clause, and we are happy
about that, but, you know, as we understand it, this is a
discussion draft, and so right now we have some concerns that
it might weaken the protections that are currently in place.
But with some of the suggestions we have made for strengthening
the bill, we believe it could be quite strong.
    Mrs. Blackburn. OK. So you would rather--OK, let me ask you
about this, then: What about consent orders? You all have to go
ahead and get that consent order to obtain civil penalties for
unfair or deceptive practices, so do you believe consent orders
are a strong incentive for industry for instituting data
security civil penalties?
    Ms. Rich. You are making an excellent point, which is that
the bill's inclusion of civil penalties is critical, and we are
very supportive of that. Right now, as you note, in order for
us to obtain civil penalties, which we believe are an important
incentive and deterrent from bad behavior, we have to obtain an
administrative order first, and then, if there is a violation,
obtain civil penalties. So yes, you are absolutely right, that
civil penalties are a key ingredient to the success of
legislation.
    Mrs. Blackburn. OK. With that, I am going to yield back my
time, Mr. Chairman, so we can move on with the rest of the
questions.
    Mr. Burgess. Appreciate--the gentlelady yields back. Chair
recognizes the gentleman from Massachusetts, Mr. Kennedy, 5
minutes for questions, please.
    Mr. Kennedy. Thank you, Mr. Chairman. And, again, thank you
to the witnesses for testifying. I appreciate the information
that you have already offered us today, and as we go through
this process.
    The FCC has enacted strong regulations to implement their
authorities under the Communications Act, and I know you have
touched on that a little bit already. These regulations require
telecommunications providers to implement a number of specific
privacy and security measures to protect consumer proprietary
information. I wanted to walk through, with both of you, a
little bit about some of those requirements so we can flesh
this out a little bit.
    So, Mr. Johnson, these regulations require that
telecommunications carriers take steps not only to secure
customer information, but also discover attempts to gain
unauthorized access to that information, isn't that right?
    Mr. Johnson. That is correct.
    Mr. Kennedy. So carriers also, then, must authenticate a
customer before providing customer information over the phone,
online, or in a store as well?
    Mr. Johnson. That is correct.
    Mr. Kennedy. Carriers are required to train their employees
in the use of that customer information, is that right?
    Mr. Johnson. That is correct.
    Mr. Kennedy. OK. Are there some other things that are
required under the FCC's regulations that you would like to
highlight as well?
    Mr. Johnson. In addition to those that you laid out,
Congressman, carriers are also required to discipline abuses
and to certify compliance with these rules. And, if I may, I
would add to that the distinction between enforcement and
rulemaking clarity. Of course enforcement is a crucial part of
compliance, and the FCC has an Enforcement Bureau that is very
active in this space, as is the FTC in the--we partner together
on--in many areas, and expect to in the future as well.
    The distinction between the present protections in 222 and
an enforcement only approach is that the FCC, or in this case,
the FTC, if this bill were to be enacted, the FCC presently has
the ability to get out and engage the public, the providers, to
work together through advisory committees, through rulemaking
processes, through a whole host of measures, to make clear what
the challenges are and what the solutions are before there is a
problem. So instead of post hoc enforcement only, there is a
solving the problem before it happens, or once it has been
spotted, in the case of pre-texting, Mr. Chairman, that you can
go after this problem, and seek to solve it, instead of just
post hoc----
    Mr. Kennedy. So proactive versus reactive, right?
    Mr. Johnson. That is right.
    Mr. Kennedy. So would those requirements be preempted under
the current legislation?
    Mr. Johnson. They would be eliminated.
    Mr. Kennedy. So, Ms. Rich--thank you, Mr. Johnson. Ms.
Rich, if, for example, a telecommunications provider disclosed
the number of calls that I made from a specific phone number to
a third party, would the FTC be able to bring an enforcement
action under this bill?
    Ms. Rich. We believe that should be added to the bill.
    Mr. Kennedy. OK. And would the FTC be able to require that
telecommunications providers not disclose that information
unless they obtain customer consent, or should that be added as
well?
    Ms. Rich. Well, that would be a privacy provision, so I am
not sure it would be addressed by this bill. But--and I don't
think that would be preempted by this bill, the privacy
provisions of the CPNI rules. But, in any event, we do think
communications should be added to the bill as an element--a
data--a piece of data that should be covered.
    Mr. Kennedy. OK. I appreciate the feedback. Thank you very
much, and I yield back.
    Mr. Burgess. Gentleman yields back. The Chair now will
recognize the vice chair of the subcommittee, Mr. Lance. 5
minutes for questions, please.
    Mr. Lance. Thank you, Mr. Chairman. Good morning to you
both.
    To Ms. Rich, the FTC has been a strong advocate for
protection of Social Security Numbers, and has often indicated
that Social Security Numbers are closely tied to identity
theft. I don't think there is any doubt about that. How many
State data security and breach notification bills include
Social Security Numbers alone as personal information?
    Ms. Rich. We have that information, but I don't have it at
my fingertips, but we would be happy to provide it to the
committee.
    Mr. Lance. Thank you very much. Mr. Johnson, did you have
an opinion on that?
    Mr. Johnson. I don't know the answer to that----
    Mr. Lance. Certainly. Thank you. To Ms. Rich, do you
support the inclusion of standalone Social Security Numbers as
personal information in the draft legislation?
    Ms. Rich. Yes. We were very happy to see that in the bill.
    Mr. Lance. Thank you. And are these data elements not
listed in the draft legislation that the FTC has seen tied to
identity theft and payment fraud? Are there any data elements
not listed in the draft legislation that you would like to see
in it?
    Ms. Rich. Yes. In addition to Social Security Number,
driver's license and passport number, and other Government-
issued numbers can also be used to perpetrate identity theft,
so we would like to see that information protected standalone,
and now it needs to be coupled with other information.
    We have also believed that health insurance numbers can
lead to medical identity theft, where people place charges in
hospitals billed to other people, and it can really accumulate,
and they can do that with simply health insurance numbers. And
I believe those are the main elements, besides health and
geolocation, which we are not talking about identity theft, we
are talking about other information that should be protected.
But those are the main additional elements.
    Mr. Lance. So, to reiterate, other than Social Security,
driver's license, and then health identification numbers?
    Ms. Rich. Yes.
    Mr. Lance. Thank you. Mr. Chairman, I yield back the
balance of my time.
    Mr. Burgess. Chair thanks the gentleman, the gentleman
yields back. The Chair recognizes the gentleman from Vermont,
Mr. Welch. Five minutes for questions, please.
    Mr. Welch. Thank you very much. And I thank the witnesses
for your very helpful testimony. Just by way of introduction, I
think we have got some areas of real agreement here. Number
one, bipartisan agreement that this is a brutal problem. Number
two, it is the Wild West. There is no clarity about who is in
charge, or what the enforcement is. Number three, there is a
desire to get things done that are going to add protection,
rather than take it away.
    There is some disagreement on policy matters. Like, for
instance, you, Ms. Rich, indicated you want, as you call it, a
stronger trigger notice, and where that balance is--you used
that word, balance, that is a debatable proposition. You know,
I happen to think that the notice provisions under Gramm-Leach-
Bliley--I don't know if you have refinanced your mortgage at
all, but you get so much information it is useless, so I want
to balance where consumers are protected and notified but not
terrified, and that is a discussion in a debate.
    But there are other areas where--for instance, with Ms.
Schakowsky, she raised what I thought were some really valid
concerns, and this is with respect to the transition of
authority. Because my view of the language is that the CPNI
that would go to the FTC, you would have that enforcement
authority. And the bottom line for me is the concern, which I
think is what Ms. Schakowsky was expressing, do we protect the
consumers, as opposed to who is in charge.
    And I actually do share that, but the privacy provisions
that you were talking about, Mr. Johnson, my understanding, and
I think, Ms. Rich, you testified to this, the privacy
provisions that FCC has would be retained, and not preempted,
correct? That is your view, Ms. Rich?
    Ms. Rich. I would defer to my colleague on that.
    Mr. Welch. No, I want to ask you, because if we have,
essentially, a situation where we think we are in agreement,
but we have language that we are uncertain meets the agreement
that we think we have, then that is a different--the nature of
that is a different challenge. It is like trying to get the
language right. And I appreciate Ms. Blackburn and Mr. Burgess
for focusing on, you know, trying to define what the problem
is, rather than create additional problems. But my
understanding of your testimony was that you believe that
privacy was not preempted, correct?
    Ms. Rich. If I have the current version of the legislation,
I thought I saw in there that the privacy provisions of the
CPNI rules, and other portions of the Communications Act, were
retained.
    Mr. Welch. Right. And, Mr. Johnson, is that your view as
well?
    Mr. Johnson. Yes, sir. I do think that that is--the
language attempts to divide privacy from security.
    Mr. Welch. All right. So let us say we got the language
right to your satisfaction, and the FTC took over authority for
CPNI, and you retained--the FCC retained the current
jurisdiction it has for privacy. From an agency standpoint,
that might not be your preference, but from a consumer
standpoint, you would still be holding folks harmless with a
new enforcer on some of the elements, is that right?
    Mr. Johnson. Sir, I would actually say that it is not
possible to divide privacy from security, because in most cases
the security of information is the privacy of the information,
and vice versa. So, for instance, if you have an insider
threat, if there is a bad actor in your company, or a mistaken
actor in your company, and that person has authorized access to
the information, but then mishandles it, or commits some sort
of----
    Mr. Welch. OK, I am--I appreciate that, and I am going to
ask you to help us here, because the spirit that our chairman
has provided here I think is really good. The big problem for
everyday people in Vermont is their financial information. A
lot of these other things that you have mentioned, they are
important, and we have got a lot of work in this Congress to
deal with privacy questions----
    Mr. Johnson. Um-hum.
    Mr. Welch [continuing]. But 90 percent of the problem for
100 percent of the people is loss of their identity and their
financial information. And, you know, the bad guys out there,
that is what they want.
    Mr. Johnson. Um-hum.
    Mr. Welch. If they want my Social Security Number, it is
not for any reason other than to get to my bank account.
    Mr. Johnson. Right.
    Mr. Welch. So I think the focus here of a narrow approach
that Mr. Burgess has adopted, I think, makes some sense. Now,
if there--we don't want to lose rights that people have, but we
may need the help of the FTC and the FCC to write that language
so that we accomplish this goal that we are accepting is
narrow, but without compromising other rights.
    Mr. Johnson. I----
    Mr. Welch. So----
    Mr. Johnson. And I--if I may, sir, I, of course, commend
you, and all of you, for trying to tackle this issue. When I
was a Senate staffer on the other side, I tried it as well, and
we didn't quite get there. The two things with regard to
consumer protections that I would like to mention are, number
one, with regard to communications consumer protections, it is
a different type of information.
    And I think you will hear in this next panel some very
expert, knowledgeable witnesses say that data is data, a server
is a server, and I would just respectfully disagree that, with
regard to call data, with regard to data that flows over
networks, cable/satellite, it is specific to the network
engineering, and how these networks actually----
    Mr. Welch. All right. My time is running out, but here is
the one request I am going to make of you. You have identified
a problem. We need you to identify a solution, because this is
not a policy difference that you are describing now. This is a
practical challenge that you are describing. Let us get your
help in solving that.
    Mr. Johnson. Absolutely.
    Mr. Welch. I yield back.
    Mr. Burgess. Chair thanks the gentleman. Gentleman's time
has expired. The Chair recognizes the gentleman from Texas, Mr.
Olson. Five minutes for questions, please.
    Mr. Olson. I thank the Chair. Welcome, Mrs. Rich, and Mr.
Johnson. Sadly, data breaches have become common news. Just
this morning we learned about Premera Health Care. 12 million
of their customers lost their data, had it exposed to hackers.
They were attacked in May, discovered the attack in January,
and found out recently what had happened. We can do better, but
we need to take a balanced approach to data breach
notifications. We have to protect consumers, but we can't be a
burden to companies and hinder the legal uses of data.
    This draft doesn't fix all the problems, but it is a small
but important step in the right direction. I have a few
questions for you this morning. The first ones are for you, Ms.
Rich. How many people work in your division in the FTC?
    Ms. Rich. We have a privacy division of about 45 people,
but we have a number of regional offices, and a number of other
offices that work on various privacy issues, like Do Not Call,
or privacy issues related to financial information, so we have
quite a number of people working on privacy. We, of course,
could always use more, but--yes.
    Mr. Olson. How many folks on data security? All 45, or more
than 45? And how many people focus on data security within the
FTC, or your division?
    Ms. Rich. I don't have at my fingertips exactly, but almost
everyone in the division works on both privacy and data
security. And then, as I said, there are people in other parts
of the agency who also work on these issues. So--I can get you
more information, if you would----
    Mr. Olson. Thank you.
    Ms. Rich [continuing]. Like, but--yes.
    Mr. Olson. Do they determine what a reasonable data
security practice is? Do they do that, as a matter of policy?
    Ms. Rich. We have standards that we have put out, both in
our original Gramm-Leach-Bliley safeguards rule, in all of our
complaints and orders. As I said, we lay out a process that is
reasonable security. We consider, you know, various factors,
like the sensitivity and volume of data, et cetera, and the
staff attorneys who work on this follow the standards that we
follow throughout the agency, and that we have announced to the
public in particular cases.
    Mr. Olson. Do they make sure companies use good practices?
If so, how do they do that, ma'am?
    Ms. Rich. We--in investigations, we evaluate whether
reasonable security was followed, and whether these types of
processes I talked about was--were followed.
    Mr. Olson. And I am sure you have to have people with very
special skills. How hard is it to find those people? Is that a
problem for you, ma'am, need more people with the skills to go
after these hackers?
    Ms. Rich. We have very well trained attorneys and
investigators. We also have a lab unit that helps with--if
there is any forensics involved. And we have experts and
technologists, both on staff, and that we consult with.
    Mr. Olson. Thank you, Ms. Rich. Mr. Johnson, for you, my
friend, how many folks in your department work on data
security? Not cybersecurity, but data security, within the FCC?
    Mr. Johnson. Congressman, I can get you a specific answer.
It is not divided quite as neatly for us as it is at the FTC,
in the Consumer----
    Mr. Olson. Ballpark, 10, 20, 30?
    Mr. Johnson. I would say dozens of people work on various
aspects of this in the Public Safety Bureau, that is the bureau
that I am in, in the Enforcement Bureau, also the Wireless
Bureau, the Wire Line Bureau, the Media Bureau. It is an issue
that covers--in the Consumer Protection Bureau, essentially
every bureau of the FCC has a role in this in some form or
fashion.
    Mr. Olson. And how about finding really qualified people?
Hard time finding the people and skills you need at the FCC to
do your job with these data breaches?
    Mr. Johnson. I would say that the FCC is--has the most
qualified network engineers and communications lawyers, and,
importantly, communications economists that I have run across.
It is an expert agency in the communications field.
    Mr. Olson. So it sounds like you balanced enforcement with
the market, communications, economics, and so you are actually
a partner in this endeavor, so thank you for that. I am out of
my time. Yield back.
    Mr. Burgess. The Chair thanks the gentleman. The Chair now
recognizes the gentleman from Illinois, former chairman of the
subcommittee, Mr. Rush. Five minutes for questions, please.
    Mr. Rush. Thank you, Mr. Chairman. I really am enjoying the
input, and the conversation both ways, in regards to this
particular matter. I view the issue before us as an issue that
is really--that we have to maintain the understanding that data
security and privacy are really like two sides of the same
coin, and we can't bifurcate these two issues.
    I think we have to proceed with, really, the understanding
that, in order to be forced to really serve the American
people, and begin to deal with this issues--these issues that
they are confronted with, both in terms of privacy and also
data security, that we can't waste our time in trying to
separate these two issues. And I don't think the outcome would
be an outcome that we want to achieve, and that would really
help us out in the problem that all of us are vitally concerned
about.
    I want to ask Ms. Rich, recently the FCC announced that
broadband providers would be regulated as common carriers.
Under these particular rules, if a broadband provider were to
be the subject of a data breach, which agency would have
primary responsibility for ensuring that any Federal standard
is enforced? And, Mr. Johnson and Ms. Rich, I want you to
answer those question--this question, beginning with you, Ms.
Rich.
    Ms. Rich. Prior--we have not taken a position on
reclassification generally, but, as I mentioned, a byproduct of
it is we--it limits our ability to protect consumers when the
companies that perpetrate the violations are broadband
providers. So if a broadband provider had a breach, and it
was--pertained to their provision of broadband service, and not
some ancillary service, we would no longer be able to protect
service in that area. We would like, of course, to have
somebody, maybe somebody here, restore that jurisdiction to us.
We don't, however, object to the reclassification.
    Mr. Rush. Mr. Johnson, what are your----
    Mr. Johnson. Congressman----
    Mr. Rush [continuing]. Comments?
    Mr. Johnson. We are--my focus in work, and also at this
hearing, is the--is--are the provisions that pertain to data
security of communications data. I am certainly aware of the
effect that Title II reclassification has, particularly on
Sections 201, 202, and 222. And, if it is OK with you, I will
leave it at that, because I have never practiced law with
regard to the Federal Trade Commission Act, and I will defer to
the Federal Trade Commission, and----
    Mr. Rush. OK. Well, thank you so much. Ms. Rich, can you
clarify one piece of your testimony, if you will? You are
advocating to lift the common carrier exemption, but not to
take away regulatory or enforcement authority from the FCC, am
I correct? That is--how would that be done? What do you
suggest?
    Ms. Rich. Well, we share jurisdiction with a lot of
different agencies in a lot of different areas, and, you know,
we have--for example, with the CFPB, we have an MOU with them.
We have, for years, shared jurisdiction with the FCC as to do
not call. We did share jurisdiction over broadband providers,
prior to re-classification, and we can successfully
coordinate, and make sure there is no duplication.
    So what we are saying is we think, as the agency that is
most experienced in the data security area and can be very
effective in protecting consumers, that we should be--we should
have jurisdiction over carriers, but that we--that the FCC--the
majority of our commission believes that that doesn't mean the
FCC shouldn't--should be displaced in its jurisdiction.
    Mr. Rush. OK. Is there--in terms of the--your practice that
you have regarding these memorandum of understandings, does
that create a burdensome issue for the consumer? Is there--does
that complicate their lives, or----
    Ms. Rich. No, not for the consumer at all. In fact, the
consumer potentially has two cops on the beat. But what the
MOUs and the coordination is usually for is to make sure that
there is no duplication and burdens created for businesses. For
example, the two agencies, without communicating with each
other, both investigating the same company at the same time.
    Mr. Rush. Mr. Johnson, you want to comment on----
    Mr. Johnson. I think she stated it very well, sir.
    Mr. Rush. Mr. Chairman, thank you, and I yield back.
    Mr. Burgess. Chair thanks the gentleman, the gentleman
yields back. The Chair recognizes the gentleman from Kansas,
Mr. Pompeo. Five minutes for questions, please.
    Mr. Pompeo. Thank you, Mr. Chairman, and thank you both for
being here today. I suppose I am not surprised, but I am
troubled by how little conversation there has been this morning
about cost to consumers. When you talk about protecting
consumers, there is very little discussion about what this will
mean, right? If a business is paying money, it gets passed
along, and there is just remarkably little discussion about
what it really means to someone who can least afford whatever
services that we are dealing with. I think that is very
important.
    I would hope that the two of you would appreciate that too,
but instead what I get is two Government agencies, each of
which wants increased authority, increased power, more control,
the capacity to define rights, sort of the historic
governmental actions. I would hope, when you think about the
consumers that you are tasked to oversee that you would at
least consider their economic well-being as well.
    Ms. Rich, in that vein, you have asked for a--you said that
the definition contained--really, the notice provision, you
weren't happy with it. You suggested alternative language. You
said you would support an approach that ``requires notice,
unless a company can establish there is no reasonable
likelihood of economic, physical, or other substantial harm''.
So you have flipped the burden of proof now to the consumer,
right? Right, to the business which they have contracted with
to demonstrate that there is no harm. What do you think the
cost of a change like that would be?
    Ms. Rich. I think the burden is already flipped in the
draft. All we are proposing is that the--instead of it being
limited to financial harm, that it be--include economic,
physical, or other substantial harm.
    Mr. Pompeo. Fair enough. I want to go on to Mr. Johnson.
Mr. Johnson, you--I think in response to a question you said
that there were--you didn't know the exact date, or you were
going to bring us that, but you said there were scores of
cases? Is that right?
    Mr. Johnson. Yes, sir, of----
    Mr. Pompeo. That you brought? And you identified two in
your written testimony, if I got it right. Is----
    Mr. Johnson. I think the--if I remember correctly, the two
that are in the footnote in the written testimony----
    Mr. Pompeo. Right.
    Mr. Johnson [continuing]. Were just two examples from last
year that were concluded. I--we are--I would draw a distinction
between cases that are investigated, cases that are pursued,
cases that are settled, and not necessarily cases that all end
in a----
    Mr. Pompeo. Are these the only ones that have--that are of
record? You said there are ``scores and scores.'' There are two
identified. Are there others that you could have put in this----
    Mr. Johnson. Absolutely. Yes, sir, and I committed
earlier----
    Mr. Pompeo. And would any of those have actually been data
breaches? Because neither of these, as described in your
testimony, are actually what we are dealing with here today.
    Mr. Johnson. Well, I think the----
    Mr. Pompeo. One is a Do Not Call case, according to your
testimony, and one was a violation of----
    Mr. Johnson. Yes, sir, your question underscores the
distinction that we think is important with regard to
communications data. It is not just breach of Social Security
Numbers or credit card numbers. It is information about what
people do on the telephone, what do they do with cable and
satellite TV, and it is a much broader set of data that is
specific to the networks that hold, and manage, and deliver
that data.
    So it is harder for us to hone in on, this was a data
breach of Social Security Numbers, than it is to talk about how
we prospectively and proactively protect the consumer in a way
that is actually, I think, to your original point, is cost
effective, because it allows us to engage ahead of time with
the providers. And I can give a number of examples about how we
do that in a way that aligns it with business interests to
protect the consumer, while also letting the companies sort
of----
    Mr. Pompeo. Yes.
    Mr. Johnson [continuing]. Lead the solutions, yes.
    Mr. Pompeo. I am not sure I agree with you. I went back and
read the Notice of Apparent Liability that you have issued, and
the language you used implies that if you have a breach, then
your security is, per se, unreasonable, and your privacy policy
is deceptive. Is that the FCC's position?
    Mr. Johnson. I don't know the exact line that you are going
at there, but do you know which action you are referring to,
sir?
    Mr. Pompeo. I do, but I want to go more generically. I want
to kick it out from the particular case. Is it the case that it
is the FCC's view that it is, per se, unreasonable, and your
privacy policy is deceptive, if there was a breach?
    Mr. Johnson. No, sir, I don't think that is the case. In
fact, in our rules, on the 222 side, it requires reasonable
measures to discover and protect against unauthorized access.
    Mr. Pompeo. Great. Thank you. Mr. Chairman, my time is up.
I yield back.
    Mr. Johnson. If I might, sir, the one additional note is
that on the cable/satellite side, and this is another
distinction with the bill, the standard is not just reasonable.
It is as necessary to protect, so it is a much higher standard
in the cable/satellite viewing preferences case.
    Mr. Pompeo. Thank you.
    Mr. Johnson. But I wouldn't say it is a per se violation.
    Mr. Burgess. Chair thanks the gentleman. Gentleman's time
has expired. The Chair recognizes Mr. Cardenas. Five minutes
for questions, please.
    Mr. Cardenas. Thank you very much, Mr. Chairman. I want to
thank the witnesses for all of your service. It is an issue
that is becoming more and more important.
But one thing that I \nwould like to underscore is that I look at this as similar to \nwhat we all, as Americans, thankfully, take for granted, that \nin any community we have Government police. And let me tell \nyou, when communities hire private policing, or what have you, \ntalk about things getting out of control, and talk about \nlowering the standard of the kind of security that community \nhas.\n    There is certainly a drastic difference between hiring a \nsecurity guard versus calling 911 and having the true police \nforce show up. So I want to thank both of you, and both of your \ndepartments, for what you do for us to keep us safe. And \ncertainly to keep the cost effectiveness of your purpose I \nbelieve is about American consumers, and making sure that we \nfortify you with the resources you need so you can have the \nintelligent individuals, and the hardworking individuals to go \nahead and make sure that breaches don't happen as often as \npossible, we can be preventative.\n    Because let me tell you, what we pay in taxes is nothing \ncompared to the person who gets their information breached. \nThey lose their house, their entire credit report goes to the \nwastebasket, and they lose everything. And then in many, many \ncases it is years and years and years before that individual, \nor that family, can actually get back to being right, and their \nentire reputation is, again, goes to the wastebasket. As far as \non paper, people think of them, because their bank account was \ncleaned out, they couldn't pay their mortgage, they lose their \nhome, they can't run their business, or what have you, because \nthey no credit, they can't get access to capital, et cetera. So \nlet me tell you, when you--when we allow you to do your job \nwell, I think that less and less of that does happen to our \nAmerican public.\n    So, with that, I only have time for perhaps one question. 
I \nwant to refer back to the--FTC recently released a staff report \non Internet of things. The Internet of things refers to the \nability of devices to connect to the Internet, and send and \nreceive data. As the report acknowledges, many of these devices \nare vulnerable to being hacked. About 60 percent of web enabled \ndevices have weak security, and that is what has been reported.\n    In September of 2013, the FTC took its first action against \nan Internet of things company when it brought a complaint \nagainst TRENDnet, a company that manufactures web-enabled \ncameras, for misrepresenting the security of its cameras. In \nthat case, it was not personal information in electronic form \nthat was accessed, but rather live feeds from the cameras, \nincluding the monitoring of babies.\n    So, Ms. Rich, do you agree that reasonable security \nmeasures include implementing procedures and practices that \nlimit the ability of hackers to remotely access control \nInternet connected devices?\n    Ms. Rich. Yes. You have touched on two things that are very \nimportant to us about this bill. First, device security. That \nis--it is because of our work on the Internet of things that we \nrealized that it is very important to security devices so they \ncan't--even regardless of the personal information involved, \nthey can't be taken over and used in ways--for example, medical \ndevices that--or automobiles, which I discussed in my--at the \nbeginning to hurt consumers.\n    And also, TRENDnet--our case against TRENDnet was an \nexample where it wasn't financial data that was exposed, it was \npictures of very private things happening in homes, and that \nkind of sensitive information does need to be protected.\n    Mr. Cardenas. OK. Thank you. Ms. Rich, what type of access \ncontrol measures would limit the ability of hackers to remotely \naccessing controlled devices, and how could companies implement \nthose measures to make consumers safer?\n    Ms. Rich. 
We believe the legislation should actually just \ninclude a reference to protecting device security in order to \nmake sure the--that is--that devices are protected from that \nkind of interception.\n    Mr. Cardenas. And also, generally, are the people who have \nbeen attempting to hack, and it is my understanding that it is \nin the millions and millions of attempts per year on American \ncompanies, and on our Government, et cetera, are those hackers \nlimited in their budgets? Do they seem to have a limited budget \nper year, and they stop doing what they do, and they wait until \nnext year's budget?\n    Ms. Rich. There are very sophisticated hackers out there \nwho are very motivated, and many of them aren't even in this \ncountry. And many of them do these--they are so good at what \nthey do, they don't actually require a huge budget.\n    Mr. Cardenas. OK. I don't know if we could ever even the \nplaying field, but I would love to see that we fortify you with \nthe resources you need to protect us. Thank you very much, Mr. \nChairman.\n    Ms. Rich. Can I just add something? I want to make sure--I \nfeel like I have been too modest in the way I described our 55 \ncases, because those were completed cases that ended in an \norder. And if we did include investigations, and all of the--\nand closing letters, and all of the activity we engage in that \ndoesn't lead to a signed order, there are hundreds of data \nsecurity cases.\n    Mr. Burgess. The Chair thanks the gentlelady for the \nclarification. The Chair now recognizes Ms. Brooke from \nIndiana. Five minutes for questions, please.\n    Mrs. Brooks. And I want to thank all of the witnesses for \nvaluable time educating the public, educating all of us on the \nproposed changes to further safeguard sensitive consumer \ninformation by providing the timely to these individuals. Also \nwant to commend the chairman on all the work that has been \ndone. 
As a new member to Energy and Commerce, I know there has \nbeen a lot of work done over the years, and, obviously, the \ngrowing nature of cyberinfrastructure in all of our lives, it \nmakes this so very important.\n    I have to tell you, we did--before the hearing today, in \n2014 alone, the Indiana Attorney General's Office received more \nthan 370 data breach notifications, and more than 1,300 \nidentity theft complaints in Indiana. Actually--that was, \nactually, I thought, kind of low, considering many of us have \njust received notification from our insurance company about the \nbreach in Indiana of potentially up to 80 million customers.\n    But I want to ask, from your perspective, Ms. Rich, at the \nFTC, how does a national security standard in the draft bill--\nwouldn't a national security standard help consumers, in \ntheory? And--because I am not hearing that you are interested \nin a national security standard, but that, in fact, we should \ncontinue to allow 47 to 50 different State standards to be in \nplace. Talk to me about a national security standard, and what, \nyou know, what your thoughts are on that. Because I am not \nhearing that you are in favor of that.\n    Ms. Rich. We absolutely agree that a national security \nstandard would be helpful. It would make very clear what the \nexpectations are. It would fill the gaps, not--only 12 States \nhave data security laws, even though 47 have data breach laws, \nif I am up to speed on all the laws that have passed. But we--\n--\n    Mrs. Brooks. Could you----\n    Ms. Rich. We absolutely----\n    Mrs. Brooks [continuing]. Explain to us the distinction \nbetween data security laws versus data breach laws?\n    Ms. Rich. I just want to qualify what I was saying, and \nthen I definitely----\n    Mrs. Brooks. OK.\n    Ms. Rich [continuing]. Will. 
But we are concerned about a \nnational standard if it would water down protections that are \ncurrently in place today, which is why we are suggesting some \nmodification to this discussion draft to strengthen it, so that \nit wouldn't weaken the protections in place today. Because if \nit preempts the State laws, and the main thing there is health. \nTo preempt State laws that provide data security for health \ninformation, and that is already provided now, then there \nwon't--there would be fewer protections for health information. \nSo that is our concern. But yes, in theory, we absolutely do \nsupport a national standard.\n    In terms of the difference between data security and data \nbreach, data security is protecting the data so there isn't a \nbreach. And, in fact, the FTC's focus has been chiefly on that, \nnot as much breach notification, in part, because we don't have \nbreach notification authority, except in a narrow area. So data \nsecurity is very, very important, and that is why, right at the \noutset, I thanked the subcommittee for including data security, \nand not just data breach notification, which is, you know, \nafter the breach happens you tell consumers, but the horse is \nalready out of the barn.\n    Mrs. Brooks. Can you explain--in your prepared testimony \nyou talked about it is critical that companies implement \nreasonable security measures in order to prevent data breaches. \nCan you elaborate? I was just Googling to try to find out what, \nunder FTC, reasonable security measures mean. And I know that \nis a broad question, but yet--can you please, you know, share \nwith us what reasonable security measures mean to the FTC? \nBecause that is actually how you determine which cases to take \nor not take. Is that not really the crux of the issue?\n    Ms. Rich. Yes. So we--in reasonableness, we are referring \nto a bunch of factors which we have laid out again and again. 
\nThe sensitivity and volume of information involved, you might \nwant to have stronger security if you are talking about, you \nknow, Social Security Numbers, than simply what, you know, size \ndress a person wears. The size and complexity of the data \noperations, a small company won't need to put as many \nprotections in place if they have smaller data operations. And \nthe cost of available tools to secure data and protect against \nknown vulnerabilities. If there are not available tools out \nthere that a company can learn about and use, it would not be--\neven if it could cause harm to consumers, it would not be \nreasonable to expect them to have known that.\n    Now, those are factors to look at, but we also really \nemphasize a process-based approach. Because if you undertake a \nresponsible process, you should be able to get to the outcome \nof reasonable security. And also, process-based approach is \ntech neutral, so put somebody in charge. I was talking about \nthis a bit earlier. Make somebody responsible. Somebody should \nbe lying awake at night, worrying about this. You know, do a \nrisk assessment. Put procedures in place to address those \nrisks, focusing on such areas as training. Oversee your service \nprovider. Periodically do evaluations and updates of your \nprogram. If you do those procedural things, and read all the \ninformation out there that provide guidance on what is \nreasonable security, you should be able to get to the \nreasonable security outcome.\n    Mrs. Brooks. Thank you very much, and I look forward to \nalso learning, in the future, Mr. Chairman, how the FTC--we are \nall focused on preventing the breach, enforcing if there has \nnot been adequate security. I would love to know more about \nwhat we are doing to go after the hackers, and whether we never \nhear that we ever catch the hackers. Thank you, and I yield----\n    Mr. Burgess. Chair thanks the gentlelady for that \nobservation. 
Chair recognizes the ranking member of the full \ncommittee, Mr. Pallone. Five minutes for questions, please.\n    Mr. Pallone. Thank you, Mr. Chairman. I wanted to ask Mr. \nJohnson these questions. I have a lot, so I am going to try to \ngo through it quickly, if you could answer quickly. If this \nbill were to pass, Sections 201, 202, and 222 of the \nCommunications Act, and all associated regulations, which \ninclude broad consumer privacy and data security protections, \nwould no longer be in effect with respect to security of data \nin electronic form and breach notification.\n    So, Mr. Johnson, can you walk us through some examples of \nthe types of consumer information that could have been required \nto be protected by Internet service providers under those \nsections? You know, first start, you know, could Internet \nbrowsing history have been protected?\n    Mr. Johnson. Well, I think that section, Section 222, has, \nfor 18 years, been focused mostly on telephone communications. \nAs of last month, the Commission's reclassification of \nbroadband Internet access service expanded 222 to broadband \nproviders, and there are presently no specific rules in place \nthat pertain to the broadband service providers.\n    But I think that underscores the value of having public \nnotice and comment rulemaking procedures to determine what \nexactly--what precisely that requires in----\n    Mr. Pallone. So would you say that Internet browsing \nhistory could have been protected? Yes or no.\n    Mr. Johnson. It could be, potentially.\n    Mr. Pallone. All right. How about the unique identifiers \nfor wireless devices?\n    Mr. Johnson. By unique identifiers, could you tell me a \nlittle bit more?\n    Mr. Pallone. Well, just tell me what you think would be \nprotected, or could be protected----\n    Mr. Johnson. Well, what would----\n    Mr. Pallone [continuing]. If it isn't at this point.\n    Mr. Johnson. 
The bill does transfer some of the protections \nfor CPNI for call records data to the FTC, but what it doesn't \ntransfer is a number of other things that pertain to the call \nservice. And this is just on 222. For instance, how many calls \na person makes in a day, what time they call, specific features \nof their call service, call waiting, caller ID. And, \nimportantly, things that are not related to the telephone \ncalls, but could be related to the service that they have, \ntheir financial status, whether they are low income. And that \nis just on 222. The bill also would remove all of the existing \nprotections for cable and satellite and television viewing \nhistory, and related information.\n    Mr. Pallone. So let me just ask a couple more. I know there \nare only 2 minutes. If the bill were enacted, the FCC would not \nbe able to require Internet service providers to protect \nsensitive customer information?\n    Mr. Johnson. I think that is true. I think that is----\n    Mr. Pallone. And the FCC would not be able to bring \nenforcement actions against Internet service providers that did \nnot protect that information?\n    Mr. Johnson. I think that is correct.\n    Mr. Pallone. And as you read this bill--and this is really \nthe most important thing. As you read this bill, with regard to \nInternet service providers, would there be any protections for \nthese types of customer info, beyond what is listed as personal \ninformation, in the definition section?\n    Mr. Johnson. I think there would not be beyond that \ndefinition, which is specific to financial harm and fraud----\n    Mr. Pallone. All right.\n    Mr. Johnson [continuing]. And identity theft.\n    Mr. Pallone. All right. Thanks so much.\n    Mr. Burgess. Chair thanks the gentleman. Gentleman yields \nback his time. The Chair recognizes the gentleman from \nMississippi, Mr. Harper. Five minutes for questions, please.\n    Mr. Harper. Thank you, Mr. 
Chairman, and thank you both for \nbeing here. Ms. Rich, I just have a question. The legislative \ndraft calls for uniform data breach and information security \nrequirements housed at the FTC, including leveling the playing \nfield by bringing telecommunication, cable, and satellite \nproviders under the FTC regime. In your opinion, is the FTC the \nappropriate agency to oversee data security for the Internet, \nhow shall we say, ecosystem?\n    Ms. Rich. We have been the lead agency on data security for \nnow over 15 years, and we believe we should continue to provide \nthat leadership, which is why we appreciated nonprofits being \nin the bill, and we appreciated carriers in the bill. The bill \neven, though, recognizes that others have a role to play. It \nallows the States to enforce, even if--as it preempts, it \nallows the States to enforce, and we would welcome that \npartnership with the States.\n    And as I mentioned before, we are--want to have common \ncarrier authority so we can protect consumers, but we would \nbe--we don't believe we should displace the FCC, or the \nmajority of the Commission don't believe we should displace the \nFCC, so we would like to partner with them too in protecting \nconsumers in the carrier area.\n    Mr. Harper. Thank you, Ms. Rich, and I yield back the \nbalance of my time.\n    Mr. Burgess. Chair thanks the gentleman. Gentleman yields \nback. The Chair recognizes the gentleman from North Carolina, \nMr. Butterfield. Five minutes for questions, please.\n    Mr. Butterfield. Thank you very much, Mr. Chairman. Thank \nyou for holding today's hearing. Thank you to the witnesses for \ntheir testimony. This is absolutely an important issue, Mr. \nChairman, that many members of this subcommittee are familiar \nwith. You know, we have worked over the past few Congresses \nprecisely on these concerns. As members of the subcommittee \nknow, data breaches are occurring in alarming numbers all \nacross the country. 
Just in North Carolina, our Attorney \nGeneral estimates that about 6.2 million North Carolinians have \nbeen affected by data breaches since 2005, that is over the \nlast 10 years, so I am glad we are addressing this issue today.\n    Our good friend and former chairman of the subcommittee, \nMr. Rush, introduced a bipartisan bill entitled ``The Data \nAccountability and Trust Act'', and during my time as ranking \nmember of this subcommittee, I worked very closely with then \nChairwoman Bono, who I think I see here today, on the Secure \nand Fortify Electronic Data Act. There is plenty of precedent \nfor finding bipartisan solutions on this subject.\n    There are some issues with the discussion draft before us \ntoday, and I encourage the majority to work with us so we can \nfinally produce meaningful legislation that will give consumers \nthe protections that they deserve, and businesses they--that--\nand businesses. They certainly need to grow and thrive.\n    Let me just address one or two questions to the witnesses. \nI may not take up the full 5 minutes, but I want to discuss the \nAPA rulemaking authority for just a moment. One important thing \nabout that authority is that it allows an agency, such as \nyours, any agency with that authority, to implement a law over \ntime. It is particularly important for laws concerning issues \nin which technical advances are common, and fairly quick, to be \nflexible and agile. As lawmakers, one thing we hate is having \nto revisit a law we recently passed because it is already out \nof date.\n    When Congress passed the Children's Online Privacy Law, it \nallowed the FTC to amend the definition of personal information \nthrough regular APA rulemaking procedures. Mr. Johnson, can you \nexplain how the FCC has been able to ensure that Section 222 of \nthe Act has stayed relevant at all times? 
How has Section 222 \nbeen updated to deal with problems over time, such as, most \nrecently, when carriers were pre-installing software onto \ndevices that had security flaws?\n    Mr. Johnson. Yes, sir, and I have already committed to \nproviding a detailed timeline of FCC's history with 222, but I \nthink that is a--your question is--gets right to the heart of \nthe value of having the flexibility and the agility to adapt a \nstatute to the changing technological landscape, and also the \nchanging public expectations and Congressional expectations.\n    So since the--since Section 222 was enacted in 1996, \nentitled ``Privacy of Consumer Information'', there have been a \nnumber of shifts. Obviously technologically, but also with \nregard to Congressional expectation. The first was in 1999, \nwhen, as part of the Wireless Communications Public Safety Act, \nthe Commission added location information into the protected \ninformation under Section 222, and that is because 911 location \naccuracy is crucial.\n    There was just a--tragically, a woman in Georgia who made a \n911 call on the border of a county line, and neither of the two \ncall centers knew where she was, and it cost her her life, and \nthis is something that we are trying to improve. And now, under \na new rule that the Commission voted on earlier this year, \nhopefully soon the location accuracy will include being able to \npinpoint where a person is, which room in a multi-story \nbuilding they are in if they need help. But there are obviously \nincredibly specific privacy concerns that come with that type \nof location information.\n    Mr. Butterfield. Absolutely.\n    Mr. Johnson. So that is the type of thing that was added in \n1999, and it has been improved over time, and--including the \none that you mentioned, with regard to information collected on \nmobile devices in 2013.\n    Mr. Johnson. Right. All right. Let me go to Ms. Rich. Ms. 
\nRich, your testimony called for FTC to be granted APA \nrulemaking authority to carry out the draft bill. Can you give \nus an example, beyond COPA, where such limited authority has \nallowed the FTC to deal with problems over time? And, finally, \nare there any instances where not having APA rulemaking \nauthority inhibited the Commission's ability to effectively \ndeal with problems?\n    Ms. Rich. The chief reason we want rulemaking authority in \nthis area is, as you note, to allow us to adapt the consumer \nprotections to make sure consumers are effectively protected, \neven as technology changes. So the Ranking Member mentioned \ngeolocation as one type of information that we wouldn't have \nthought to protect not too many years ago, but another example \nis, we now know that the information that is collected through \nfacial recognition is very sensitive, and we wouldn't have \nthought of that. It was only recently that it was recognized \nthat Social Security Number alone could be used to perpetrate \nidentity theft, particularly in the case of children, who don't \nhave rich credit histories, and so it is very easy to take the \nSocial Security Number, and pass it off as somebody else's.\n    So those are some examples of information we wouldn't have \neven known to protect a few years ago. And yes, we have a \nnumber of instances where we have used our rulemaking to not \njust adapt to change, but to respond when there were needless \nburdens on businesses in a law. We did that in CAN-SPAM. We \nused our rulemaking there. So there are a lot of examples.\n    Mr. Butterfield. Thank you very much, and thank you, Mr. \nChairman, for not calling time prematurely on the witness. \nThank you.\n    Mr. Burgess. Chair thanks the gentleman. Chair recognizes \nthe gentleman from Oklahoma, Mr. Mullin. Five minutes for \nquestions, please.\n    Mr. Mullin. Thank you, Mr. Chairman. Mr. 
Johnson, I would \nlike to spend most of my time, if not all my time, visiting \nwith you. Do you believe that a breach of information involving \na number of someone's calls could maybe lead to theft or \nfinancial fraud? You mentioned about the cell phones a while \nago. Do you see this could maybe cause a bigger problem down \nthe road?\n    Mr. Johnson. As--let me make sure I understand your \nquestion. Could a breach of call data----\n    Mr. Mullin. Of information. A breach of information \ninvolving the number of someone's call. Could this lead to a \nbigger problem?\n    Mr. Johnson. Let me not engage in hypotheticals, but I \nguess you could come up with some scenarios in which a breach \nof nonfinancial telecom information----\n    Mr. Mullin. I mean, when you open that box, it leads down a \nroad that is unknown. Like you said, you are being hypothetical \non it.\n    Mr. Johnson. Um-hum.\n    Mr. Mullin. And I think there is a lot of work that needs \nto be done. Now, obviously we want to protect the consumer. It \nis tragic what you brought up a while ago. I think most of us \nhere read about that. We want to be able to protect people. I \nmean, I live way out in the middle of nowhere. My driveway is \nliterally a mile long. The only way I get cell phone coverage \nis----\n    Mr. Johnson. Best way to----\n    Mr. Mullin [continuing]. With the antenna that goes up my \nchimney, and I would want someone to be able to respond. There \nis no 911 address----\n    Mr. Johnson. Right.\n    Mr. Mullin [continuing]. Where I live.\n    Mr. Johnson. Right.\n    Mr. Mullin. And I get that. But at the same time, I don't \nwant to open it up to exposing us to even a bigger risk. All of \nus live in fear of fraud. The first time I had experience with \nthat, someone went to school on my Social Security Number in \nCalifornia. At that time, I hadn't even been to California, and \nI got a phone call wanting to know what has happened. 
So it is \nsomething that we need to worry about.\n    Going on--you pointed out in your testimony, under the \nproposed bill, the FCC could lose rulemaking authority over \ndata security. Has there been a--has the FCC effective--have \nbeen effective in using the authority to protect consumers in \nthe 21st century?\n    Mr. Johnson. I would say, sir, that this will always be, as \na cybersecurity--focus of my work is cybersecurity, and has \nbeen for years--this will always be a work in progress.\n    Mr. Mullin. Right.\n    Mr. Johnson. We are not going to solve this problem. But I \nwould say that I have--since I have been at the FCC, I have \nbeen very impressed with the clarity of the expectations that \nhave developed, particularly on Section 222 of----\n    Mr. Mullin. Well, do you know how many regulatory documents \nthe FCC has published since '96?\n    Mr. Johnson. I don't know. You mean new rules?\n    Mr. Mullin. Yes, new rules. Yes.\n    Mr. Johnson. We are committed to providing a full list of \nnot just rules, but activities.\n    Mr. Mullin. Well, according to the Federal Registry, the \nFCC has published nearly 14,000 rules since '96.\n    Mr. Johnson. Pertaining to----\n    Mr. Mullin. No.\n    Mr. Johnson. Overall?\n    Mr. Mullin. Overall. Do you know how many of those pertain \nto our 21st century security issues that we are having?\n    Mr. Johnson. I would have a ballpark, but it sounds like \nyou----\n    Mr. Mullin. Give me a ballpark.\n    Mr. Johnson [continuing]. An answer.\n    Mr. Mullin. I don't, because--seriously, we did a lot of \nresearch trying to find it, and I really could not find it. In \nfact, my follow-up was, could you provide the information----\n    Mr. Johnson. There have been a few rulemakings and \ndeclaratory rulings on--specifically pertaining to 222, and we \nwill get you those exactly.\n    Mr. Mullin. Are they being implemented right now?\n    Mr. Johnson. Yes, sir.\n    Mr. Mullin. 
Do you know how long it is going to take?\n    Mr. Johnson. Well, it is--I--it has been, and will always \nbe, an ongoing process, but they are being implemented, and----\n    Mr. Mullin. So it takes years to implement this?\n    Mr. Johnson. Well, I don't know if I would--I think the \npremise of your question may be that it finishes at some point, \nand the----\n    Mr. Mullin. Technology doesn't finish----\n    Mr. Johnson. Right.\n    Mr. Mullin [continuing]. And it seems like we are being \nvery reactive, and we are not being proactive. We are \nresponding to issues that happened years ago, and what we are \ntrying to do is be in front of it.\n    Mr. Johnson. I understand.\n    Mr. Mullin. And if we continue to be reactive, how are we \never going to get ahead of the game?\n    Mr. Johnson. Actually, I think you are absolutely right \nabout the need to be proactive, and that is the value of having \nrulemaking authority.\n    Mr. Mullin. And I agree with that, but the problem that I \nhave is, just recently, the FCC went all the way back to 1930. \nSo how is that being proactive? I mean, we are wanting--you are \nwanting to keep the authority and have more authority. We are \nwanting to move forward. We are wanting to start being \nproactive, not reactive. You are making the argument that you \nwant to keep it, but the recent actions of going all the way \nback to 1930 to a rule, how in the world, with today's \ntechnology, is that being proactive?\n    Mr. Johnson. You are referring to the open Internet----\n    Mr. Mullin. Yes.\n    Mr. Johnson [continuing]. Order?\n    Mr. Mullin. Of course I am.\n    Mr. Johnson. I will stay disciplined and remain in my lane \non that. My focus is ensuring that the laws and policies are in \nplace to ensure that telephone calls go through, that 911 calls \nhave----\n    Mr. Mullin. So let us finish on this, then. 
Do you really \nbelieve the FCC can continue to be proactive, or do you feel \nlike you guys are being reactive?\n    Mr. Johnson. I think, actually, we are not only trying to \nbe, but we are being proactive, and I can give you two \nexamples. One is----\n    Mr. Mullin. No, my time is out, but I am just going to tell \nyou, from my opinion, it looks like we are being extremely \nreactive. Mr. Chairman, thank you. Mr. Johnson, thank you for \nyour time. I yield back.\n    Mr. Burgess. Chair thanks the gentleman. Gentleman yields \nback. Chair recognizes the gentleman from Illinois. Five \nminutes for questions, please, Mr. Kinzinger.\n    Mr. Kinzinger. Well, thank you, Mr. Chairman, and thank the \nwitnesses for being here and spending a little time with us \ntoday, and thank the chairman for calling this hearing. I \nprobably won't take all 5 minutes. I basically just have one \nquestion. I want to explore the issue of emails, and in this \ndraft bill, email, data breach, et cetera. I know in Florida, \ntheir data breach and security notification law actually allows \nfor email addresses, passwords, and--because in many cases many \npeople have the same email and passwords into different sites, \nas well as, you know, they use it for login into something \nbigger.\n    Ms. Rich, in your testimony you note that within the draft \nlegislation the definition of personal information does not \nprotect some of the information which is currently protected \nunder State law, I would guess that would be part of it with \nthe email. Could you please expand on which elements that exist \nin the State law that would be most important for us to \nconsider within a Federal statute, and would you include email \nand passwords in that?\n    Ms. Rich. I believe passwords are already in there in \nvarious capacities, but yes, the most important elements would \nbe health, geolocation, and email--and communications. And \ndevice security. 
And as I mentioned earlier, we have seen \nevidence that passport, driver's license, and other Government-\nissued numbers could be used, like Social Security Number, to \nperpetrate identity theft. So that is my list.\n    Mr. Kinzinger. So let us talk a little more about email \naddress and password. Could an email address and password \ncombination, could that lead to economic harm, and how could \nyou see that happen? Is it more than just somebody has access \nto your email? Could that lead to bigger economic harm if that \nis stolen?\n    Ms. Rich. I can't spin out all the hypotheticals, but email \naddress and password could get you into somebody's account, \nallow you to read their emails, allow you to communicate with \nperhaps accounts they have already set up with some sort of \nautomated, you know, I know when I interact with accounts, I \nhave often set it up, I know this is not a great practice--\nsecurity practice, so that I can pretty quickly get on, it \nremembers me. So I think there are probably a lot of scenarios \nwe can spin out with email and password.\n    Mr. Kinzinger. OK. And do you have any ideas as to, like, \nhow do we reach that right balance of, you know, finding out \nwhat can be breached, and there is a problem, and also \nunderstand that we don't want to create legislation that is \nentirely too burdensome to people?\n    Ms. Rich. I think that the current draft already covers a \nnice broad class of information, and we are very complementary \nof the current draft. These were just a few additional items \nthat we believe could cause consumer harm if they are \nintercepted by somebody else. And it is not an endless list. \nThese are a few things we believe should be added.\n    Mr. Kinzinger. OK, great. And I will yield back a minute \nand 40 seconds, Mr. Chairman.\n    Mr. Burgess. Thank you. Chair thanks the gentleman, \ngentleman yields back. 
Seeing there are no further members \nwishing to ask questions, I do want to thank both of you for \nyour forbearance today. It has been very informative. Thank you \nfor participating in today's hearing. This will conclude our \nfirst panel, and we will take a no-more-than-2-minute recess to \nallow the staff to set up for the second panel. Thank you, and \nthis panel is dismissed.\n    [Recess.]\n    Mr. Burgess. Mr. Leibowitz, we will begin with you. Five \nminutes for your opening statement, please.\n\nSTATEMENTS OF JON LEIBOWITZ, CO-CHAIRMAN, 21ST CENTURY PRIVACY \nCOALITION; SARA CABLE, ASSISTANT ATTORNEY GENERAL, COMMONWEALTH \nOF MASSACHUSETTS; MALLORY B. DUNCAN, SENIOR VICE PRESIDENT AND \nGENERAL COUNSEL, NATIONAL RETAIL FEDERATION; LAURA MOY, SENIOR \n  POLICY COUNSEL, OPEN TECHNOLOGY INSTITUTE, NEW AMERICA; AND \n  YAEL WEINMAN, VICE PRESIDENT FOR GLOBAL PRIVACY POLICY AND \n    GENERAL COUNSEL, INFORMATION TECHNOLOGY INDUSTRY COUNCIL\n\n                   STATEMENT OF JON LEIBOWITZ\n\n    Mr. Leibowitz. Thank you so much, Mr. Chairman. Chairman \nBurgess, Ranking Member Schakowsky, members of the panel, I \nwant to thank you for inviting me to testify at this important \nhearing. Chairman Burgess, you and I worked together in the \npast on FTC related health care issues, and you bring a wealth \nof experience to your new role. And Ranking Member Schakowsky, \nyou have been a leader on consumer protection issues, going \nback to your work at Illinois Public Action. Just as \nimportantly, listening to this--to the panel and the questions, \nI can just tell that both of you are committed to finding \npractical solutions to real problems, which is why you will \ncertainly develop many bipartisan initiatives going forward.\n    Along with Mary Bono, your former chairman--who is sitting \nover there, your former chairman--I serve as co-chair of the \n21st Century Privacy Coalition. 
Our group is composed of the \nNation's leading communications companies, which have a strong \ninterest in modernizing data security laws to bolster \nconsumers' trust in online services, and confidence in the \nprivacy and data security of personal information. We are very \nsupportive of the discussion draft legislation and what it \nseeks to accomplish.\n    Data security is an issue that I have cared deeply about \nfor many years, going back to my time as a commissioner on the \nFTC. In fact, on behalf of the FTC, I testified before this \nsubcommittee on this issue back in 2006. In testimony then, and \nit was testimony for a unanimous Federal Trade Commission, we \nurged Congress to ``enact strong data security legislation that \nrequires all businesses to safeguard sensitive personal \ninformation, and gives notice to consumers if there is a \nbreach.'' And since then, as you know, the need for legislation \nhas only grown dramatically.\n    You know all the statistics. Members have mentioned them. \nIn 2014 we saw a number of data breaches. Just this morning in \nthe Washington Post I read about a hack that may have exposed \n11 million people, Primera customers, and their sensitive \npersonal information. And when these breaches happen, they \ntypically expose sensitive information. That is what all of the \nmembers had said in the first panel, how important that \ninformation is to consumers.\n    Data breaches resulting in the exposure of personal \ninformation can result in substantial harm to consumers. \nCompanies that fail to take responsible measures to protect \nthis information need to be held accountable. And that is why \nour coalition commends Representatives Blackburn and Welch, for \nreleasing the Data Security and Breach Notification Act draft. \nThe discussion draft contains elements we believe are essential \nfor effective data breach and data security legislation. 
Let me \nhighlight just a few of them now.\n    First, the draft includes both breach notification \nstandards and substantive data security requirements. While \nnotifying consumers that a breach has occurred is important, it \nis ultimately of little value if companies are not required to \nput into place reasonable data security systems to protect \nconsumers' sensitive information. In the first instance, these \nsecurity requirements have to be strong, they should be clear, \nand they should be flexible to give consumers confidence, while \ngiving companies a fair opportunity to comply with the law.\n    And some of this--I was listening to the back and forth \nwith Mr. Pallone and the two witnesses earlier. It seems to me \nthat some of the information they were talking about that might \nnot be covered by the FCC could be covered, and would be \ncovered--currently would be covered by the FTC in its UDAP \nstatute, its Unfair and Deceptive Act or Practice statutes. We \ncan talk about that more in the Q and A.\n    Second, the bill would replace the ever-changing patchwork \nof 47 different breach laws with a single Federal standard. A \nsingle Federal law reflects the reality that data is in cabin \nwithin individual States, but inherently moves in interstate \ncommerce. Consumers in every part of the country are entitled \nto the same robust protections, and companies are entitled to a \nlogical and coherent compliance regime, and only a bill with \nState law preemption can accomplish that.\n    Third, the draft smartly puts enforcement authority in the \nhands of America's top privacy cop, the Federal Trade \nCommission, while also empowering each State's Attorney General \nto enforce the Federal standard. The Federal Trade Commission, \nunder both Democratic and Republican leadership, has, for many \nyears, been our country's foremost protector of data security. 
\nThe FTC has brought, and you heard this before from Jessica \nRich, brought more than 50 data security enforcement actions in \nthe last 10 years. And the draft would give the FTC more \npowerful tools, including fining authority, which it doesn't \nhave now, to protect consumers and punish companies for \ninadequate protections. And moreover, by empowering State AGs \nto enforce the new Federal standard, the bill will ensure there \nare no gaps in enforcement. I think this bill is better for \nconsumers than current law.\n    Mr. Chairman, given the President's strong endorsement for \ndata breach legislation, as well as the growing support of the \nFTC, we believe you are poised to enact a law that provides \nstrong protections for consumers, and holds companies to a \nsingle robust standard. In short, this measure would provide a \npractical solution to a real problem facing all Americans, and \nI commend members of this subcommittee for working on a \nbipartisan legislation.\n    With your permission, I ask that my full statement be put \ninto the record. Thank you.\n    [The prepared statement of Mr. Leibowitz follows:]\n    \n    \n [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   \n    \n    \n    \n    Mr. Burgess. Without objection, so ordered.\n    Ms. Cable, welcome to the subcommittee. You are recognized. \n5 minutes for your opening statement, please.\n\n                    STATEMENT OF SARA CABLE\n\n    Ms. Cable. Thank you. Good morning, Chairman Burgess, \nRanking Member Schakowsky, distinguished members of the \nsubcommittee. Thank you for inviting me here today to testify. 
\nMy name is Sara Cable, and I am an Assistant Attorney General \nwith the Office of the Massachusetts Attorney General, Maura \nHealey, and I am here today on behalf of my office to present \nsome of our concerns with the bill.\n    My comments today are informed by my office's experience \nenforcing Massachusetts data security and breach laws, which \nare regarded as among the strongest in the country. My office \nworks hard to use those laws to protect our residents, and we \nbelieve that our consumers are better protected as a result. We \nare encouraged that the subcommittee recognizes a critical \nnecessity of data security and breach protections. We share \nthis goal. This is our most sensitive information. Yours, mine, \nour children, our parents, our co-workers, our friends. We are \nall impacted, and we all deserve robust protections.\n    We understand Federal standardization is the thrust of this \nbill. We do, however, have serious concerns that the standards \nset by this bill are too low, preempt too much, and hamstring \nthe ability of my office, and that of the other Attorney \nGeneral offices across the country, to continue our important \nwork of protecting our consumers. It is our concern that this \nbill would--as drafted would set aside the robust consumer \nprotections that already exist in Massachusetts and many other \nStates, and replace them with weaker protections at a time when \nstrong protections are imperative.\n    My first point focuses on the bill's proposed data security \nstandard. We agree strong data security standards are \nessential. This is how breaches are prevented. This is how the \nwhole business of providing notice of breaches can be \nprevented. The bill would require ``reasonable security \nmeasures and practices.'' Our concern, however, is that it does \nnot specify of delineate precisely what practices or measures \nare required. 
It may be true reasonableness is a useful \nstandard in general, but it--standing alone, it is not \nparticularly useful when trying to understand what actual \npractices and measures are required.\n    We think that the only way reasonable can be determined \nunder the bill as drafted will be through piecemeal protracted \nlitigation, and the standard will differ from case to case and \ncompany to company. It will cause needless confusion, expense, \nand risk for companies, who are forced to guess what measures \nand practices will ultimately be considered by--considered \nreasonable.\n    We think Massachusetts has the better approach. It has in \nplace data security regulations that are tech neutral, process-\noriented, and, importantly, describe the basic minimum \ncomponents of a reasonable data security program. Some of those \ncomponents are--you have heard them from the FTC earlier today, \nconducting a risk assessment, developing, implementing, and \nmaintaining a written information security program, \nestablishing computer security controls, and many others. The \nMassachusetts regulations are consistent with those currently \nin place under Gramm-Leach-Bliley and HIPAA. We believe that \nthey provide stronger protections to our consumers. Our view is \nthat the bill as drafted would erase these strong protections, \nand, we believe, would ultimately be harmful to consumers.\n    My second point concerns the scope of the bill's \npreemption. Put simply, we think it is too broad. It would \nrestrict my office's ability to enforce our own consumer \nprotection laws. It would prevent innovative States from \nlegislating in this field in response to purely local concerns, \nfor example, a breach involving a Massachusetts company and \nMassachusetts residents only. 
Under my interpretation, I think \nthe bill might even go further, and it might possibly restrict \nStates from enforcing, for example, criminal laws relating to \nthe unauthorized access of electronic communications. It might \npossibly also preempt a State's ability to enforce the security \nobligations under HIPAA, an enforcement power given to the \nStates under the High Tech Act. These laws, and others, relate \nto the issue of unauthorized access to data in electronic form, \nand under the current language of the bill, we believe our \nState's ability to enforce those laws would be preempted.\n    Finally, the bill hamstrings my office's ability to protect \nMassachusetts consumers. Currently, under Mass law, we get \nnotice of any breach involving one or more Massachusetts \nresidents. From January 2008 through July 31, 2014 \nMassachusetts has received notice of over 8,600 breaches, \nimpacting over five million Massachusetts consumers. That is in \nMassachusetts alone. Under this bill, we would receive none of \nthose notices. We believe this is a critical omission in the \nbill. It restricts our ability to enforce the requirements of \nthe bill, and we believe ultimately it will make our job of \nprotecting our consumers a lot more difficult.\n    And with that, I thank the subcommittee for their efforts \nand for inviting me today. Thank you very much.\n    [The prepared statement of Ms. Cable follows:]\n    \n    \n [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   \n    \n    \n    \n    \n    \n    Mr. Burgess. The Chair thanks the gentlelady.\n    Mr. Duncan, welcome to the subcommittee. You are recognized \n5 minutes for the purpose of an opening statement.\n\n                 STATEMENT OF MALLORY B. DUNCAN\n\n    Mr. Duncan. Thank you, Dr. Burgess, Ranking Member \nSchakowsky, members of the committee for inviting us here \ntoday, and particularly Congressmen Blackburn and Welch for \ntheir efforts to produce this draft legislation. 
Thank you too \nfor the courtesy and consideration you and your staffs have \nshown to us and our members over the past many months. The \nresult of those discussions, and undoubtedly many more, is a \nworking draft that is significantly better than introducing--\nlegislation introduced in prior Congresses. We look forward to \ncontinue working with you to help turn the draft into a \nlegislative product that will provide increased security and \nprotection for consumers, ameliorate burdens on business, and \nestablish meaningful and reasonable standards for all.\n    I would like to set out three or four principles that have \nguided our work. Number one, breaches affect everyone. Every \nentity that has a significant breach of sensitive data should \nhave an obligation to make that fact publicly known. Public \nnotice serves two goals. First, it provides consumers with \ninformation they might be able to use to better protect \nthemselves from identity theft. Second, the fear of public \nnotice strongly incentivizes companies to improve their \nsecurity. Both goals are important. Enacting legislation that \nexempts some entities from public notice, or that perpetuates \nnotice holes that would allow companies to hide breaches \nundermines both.\n    Two, if one is a mid-sized regional company, or an e-\ncommerce startup struggling with the consequences of a breach, \nthe existing morass of inconsistent laws are little more than \ntraps for the unwary. We need Federal preemption that works.\n    Three, if we are going to preempt the State laws, we owe it \nto the States, and to their citizens, not to adopt a weak law. 
\nWe should seek legislation that reflects a strong consensus of \nthe State laws and carefully strengthen them where doing so \nsupports the other two principles.\n    And four, if we are to specifically adopt data security \nstandards, they should not be defined technical standards, and \nthey must be comprehensible and actionable from the perspective \nof the companies against whom they will apply.\n    With those principles in mind, I would like to address a \nfew areas of the draft. One, there is not good reason why a \nbreach law should apply a high standard for reporting against \nsome companies, such as retailers, restaurants, dry cleaners, \nand other small businesses, while requiring little or no notice \nfrom some of the biggest firms in America holding the same \nsensitive data, be they cloud services like Apple, or payment \nprocessors like Hartline when they suffer a breach. Not only \ndoes the draft excuse them from general public notice, \nundermining security incentives, the draft allows big \nbusinesses to shift liability for their breaches onto smaller \nbusiness. This is worse than what exists under the State laws. \nIt must be fixed.\n    Two, preemption. In general, the preemption language in the \ndraft is much better than in previous Congresses' bills. If the \nnotice holes are filled, it could replace the conflicting \nwelter of State requirements with a single strong law. The one \narea for concern is the clause that specifically excludes some \nlaws from preemption. Federal jurisprudence suggests that when \nthat is done, the entire preemption clause could be placed in \njeopardy.\n    Three, there are portions of the draft that are \ninconsistent with the considered strong consensus of State \nlaws. For example, we know of no State law that expressly \nexempts communication service providers, and that would allow \nthem, even when they know they have a serious breach, to get \naway with providing no notice to anyone at all. 
That is a \nnotice hold you could drive a truck through.\n    Finally, as to data security, when the FTC applies \ngeneralized standards to businesses, such as unfairness or \ndeception, as--or, as should be proposed here, reasonable \nsecurity standards, they are enforced under Section 5 of the \nFTC Act, which calls for a cease and desist order before \npenalties can be imposed. The law allows businesses to \nunderstand what is intended by the vague standards before they \nare made subject to massive penalties.\n    While going directly to damages might be appropriate for an \nobjective on/off requirement, like giving notice within 30 \ndays, it does not make sense when the legal requirement is \nsimply to do something reasonable, or not to be unfair. That is \nthe way the Commission has worked very effectively for over 100 \nyears. Congress should not leave companies subject to fines for \npractices they could not know in advance, or unreasonable in \nthe eyes of the FTC. That must be remedied.\n    Thank you for the opportunity to speak today. We look \nforward to working with you to craft a strong, effective, and \nfair law.\n    [The prepared statement of Mr. Duncan follows:]\n    \n    \n  [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  \n    \n   \n    \n    Mr. Burgess. The Chair thanks the gentleman.\n    The Chair now recognizes Ms. Moy. Five minutes for your \nopening statement, please.\n\n                     STATEMENT OF LAURA MOY\n\n    Ms. Moy. Thank you. Good morning, Dr. Burgess, Ranking \nMember Schakowsky, distinguished members of the subcommittee. \nThank you for your shared commitment to addressing data \nsecurity and data breaches, and for the opportunity to testify \non this important issue.\n    Consumers today share tremendous amounts of information \nabout themselves. Consumers benefit from sharing information, \nbut they can also be harmed if that information is compromised. 
\nFor that reason, 47 States, and the District of Columbia, all \ncurrently have data breach laws on the books, and several \nStates have specific data security laws. Many States also use \ngeneral consumer protection provisions to enforce privacy and \nsecurity.\n    To preserve strong State standards, and the ability to \nprotect protections to the needs of their own residents, a \nFederal law should set a floor for disparate State laws, and \nnot a ceiling. But, in the even that Congress seriously \nconsiders broad preemption, the new Federal standard should \nstrengthen, or at least preserve, import protections that \nconsumers currently enjoy. This bill, however, would weaken \nconsumer protections in a number of key ways. These concerns \nmust be addressed, and if they are not addressed, it would be \nbetter for privacy to pass no bill than to pass this bill as \ncurrently drafted. I will highlight five particular concerns.\n    First, the bill's definition of personal information is too \nnarrow. The bill threatens to weaken existing protections by \neliminating State laws covering information that falls outside \nof its narrow terms. For example, health information, as others \nhave mentioned, falls outside this bill's definition of \npersonal information. As a result, passing this bill would mean \neliminating breach notification coverage of that information in \nFlorida, Texas, and seven other States.\n    Second, this bill would condition breach notification on a \nnarrow financial harm trigger. 
Data breaches may lead to a \nnumber of serious harms beyond merely those that are financial \nin nature, one reason why seven States and the District of \nColumbia have no harm trigger at all, and why triggers in \nanother 26 States are not specifically financial in nature.\n    Third, the bill's general reasonableness security standard \nwould replace the more specific security standard set forth in \nmany State laws, and the FCC's rules implementing the \nCommunications Act. Some States have specific data security \nstandards in place, and the FCC's CPNI rules require carriers \nto train personnel on CPNI, have an express disciplinary \nprocess in place for abuses, and certify on an annual basis \nthat they are in compliance with the rules. This bill threatens \nto eliminate these carefully designed security requirements, \nreplacing them with a general reasonableness standard.\n    Fourth, this bill would supersede important provisions of \nthe Communications Act that protect telecommunications, cable, \nand satellite customers. Consumers rely on the Communications \nAct, and the FCC's implementation of it, to protect the very \nsensitive information that they cannot avoid sharing with the \ngatekeepers of communications networks. But this bill threatens \nto replace those protections with weaker standards. In \naddition, this bill would eliminate protections for the viewing \nhistories of cable and satellite subscribers that fall outside \nthe bill's definition of personal information. The proposed \nreduction of FCC authority could not come at a worse time for \nconsumers, right as the FCC is poised to apply its Title 2 \nauthority over data security and breach notification to \nbroadband.\n    The bill strives to eliminate FCC authority only insofar as \nit relates to information security or breach notification, \nwhile preserving the FCC's authority to set privacy controls. 
\nBut privacy rules that give consumers the right to control \ntheir information are of greatly diminished value when there \nare no security standards to protect against unauthorized \naccess.\n    Fifth, the bill could eliminate a wide range of existing \nconsumer protections that may be used to enforce both privacy \nand data security. The bill is designed to preempt State law \nand supersede the Communications Act only with respect to \ninformation security and breach notification, but in practice \nit would be exceedingly difficult to draw the line between \ninformation security and breach notification on the one hand, \nand privacy and general consumer protection on the other.\n    We are not unequivocally opposed to the idea of Federal \ndata security and breach notification legislation, but any such \nlegislation must strike a careful balance between preempting \nexisting laws and providing consumers with new protections. The \ndraft Data Security and Breach Notification Act of 2015 falls \nshort of that balance, but we at the Open Technology Institute \ndo appreciate your commitment to addressing these issues, and \nwe hope to work with you to strengthen the bill and strike a \nbetter balance as it moves forward.\n    Thank you, and I look forward to your questions.\n    [The prepared statement of Ms. Moy follows:]\n    \n  [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  \n    \n    Mr. Burgess. Thank you for your testimony.\n    Ms. Weinman, welcome to the subcommittee. You are now \nrecognized for 5 minutes for the purpose of an opening \nstatement.\n\n                   STATEMENT OF YAEL WEINMAN\n\n    Ms. Weinman. Thank you. Chairman Burgess, Ranking Member \nSchakowsky, and members of the subcommittee, thank you for the \nopportunity to testify today. My name is Yael Weinman, and I am \nthe Vice President for Global Privacy Policy and the General \nCounsel at the Information Technology Industry Council, known \nas ITI. 
Prior to joining ITI in 2013, I spent more than 10 \nyears as an attorney at the Federal Trade Commission, most \nrecently as an attorney advisor to Commissioner Julie Brill.\n    The 60 technology companies that ITI represents are leaders \nand innovators in the information and communications technology \nsector. These are companies that are committed to the security \nof their customers' information. The reality remains, however, \nthat while organizations race to keep up with hackers, these \ncriminals attempt to stay one step ahead. And when a network is \ncompromised, and personal information has been breached, \nindividuals may be at risk of identity theft or financial \nfraud.\n    Consumers can take steps to protect themselves from \nidentity theft or other financial fraud following a data \nbreach. Federal breach notification legislation would put \nconsumers in the best possible position to do so. In the \nwritten testimony I provided to you in advance of this hearing, \nI included the set of nine principles that ITI recommends be \nincluded in Federal breach notification legislation. The draft \nlegislation that is the subject of this hearing reflects a \nnumber of these important principles. I highlight three.\n    First, the legislation preempts the existing patchwork in \nthe United States of 51 different regimes. That is 47 States \nand four territories. Such preemption is critical in order to \nstreamline notices and avoid consumer confusion. Second, the \nlegislation's timeline for notification recognizes that \nnotification can only take place once an organization \ndetermines the scope of the data breach, and has remedied \nvulnerabilities. The timeline included in the draft legislation \nalso permits the necessary flexibility to enable companies to \ndelay notification at the request of law enforcement. 
Third, \nthe legislation does not require notification if data is \nunusable, recognizing that power security tools have been \ndeveloped that avoid risks if data has been compromised.\n    ITI appreciates how these three important elements are \nincorporated into the draft legislation. Greater clarity and \ndiscussion is needed, however, in a number of areas, and I \nhighlight three today.\n    First, the description of the level of risk, and the \npotential ensuing harm that would trigger the notification, \nappears to be broad. The threshold of reasonable risk, combined \nwith the phrase economic loss or economic harm could lead to \nover-notification. It is unclear how economic loss or economic \nharm is being distinguished from the phrase financial fraud \nthat also appears in the text. Year after year, identity theft \ntops the list of consumer complaints reported to the FTC, and \nidentity theft or financial fraud are the appropriate triggers \nfor providing consumer notice. And, upon notification, \nconsumers can then take the necessary steps to protect \nthemselves.\n    Second, with regard to the timing of notification, as \ncurrently written, the timeline for a covered entity to notify \nconsumers if a third party suffered a data breach is unclear. \nThe third party needs to remedy vulnerabilities and restore its \nsystems before the covered entity provides notice. The draft \nshould be clarified that the third party will be given the \nopportunity to restore its system prior to the point in time \nthat the covered entity is required to provide notice to \nconsumers.\n    Third, the maximum penalty amounts set in the draft \nlegislation are high, $2.5 million maximum for each violation \nof the data security section, and a $2.5 million maximum for \nnotice related violations arising from a single incident. 
These \namounts appear punitive, and do not seem to reflect that an \norganization that suffered a data breach, in most cases, is the \nvictim itself of criminal hackers.\n    As ITI and its member companies continue to study the \ndraft, and as we gather feedback, we look forward to sharing \nthat with members of the committee. Thank you, and I am happy \nto answer any questions.\n    [The prepared statement of Ms. Weinman follows:]\n    \n   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n    \n    \n  \n    \n    Mr. Burgess. The Chair thanks the gentlelady, thanks all \nthe witnesses for your forthright testimony today. We will move \ninto the question and answer portion of this panel. Recognize \nmyself for 5 minutes for questions.\n    And, Mr. Leibowitz, if I could, let me start with you. You \nare familiar with the draft legislation before us. Do you think \nconsumers would be more or less protected with respect to \ninformation held by telecom providers under this draft?\n    Mr. Leibowitz. I think--look, my view is that consumers--if \nthis bill were to pass tomorrow, be signed into law, consumers \nwould be in a better position, and let me just tell you why I \nthink that.\n    First of all, the, you know, the FTC, as the witnesses--\nboth witnesses acknowledged in the previous panel, has been a \nleader, America's top consumer protection cop, including in the \ndata security area, with more than 50 cases, and hundreds of \ninvestigations. There is an emerging consensus, and I think \nthis is critically important, that the most appropriate way to \nprotect personal information, and this is at the core of your \nbill, is with strong, but flexible, data security standards. It \nis not with prescriptive rules.\n    And there is also an ever-changing patchwork of State \nlegislation. Now, I have seen legislation, when I was at the \nFTC, that sometimes took State AGs entirely out of the business \nof enforcing the law. 
You do not do that, and I think that is
critically important, because you want State AGs to be a top
cop here. And nobody wants to see any gaps in the legislation.
I do not read this legislation as having any gaps, but we
certainly want to work with you, to do some tweaking, if that
is necessary.
    Mr. Burgess. And I thank you for that response. So just in
general, with your experience as Chairman of the Federal Trade
Commission, you would interpret this draft legislation as
strengthening consumer protections across the board?
    Mr. Leibowitz. I do. And let me just come back to one
question, because it came back in the--came up in the first
panel, about the issue dual jurisdiction. And I understand that
sometimes the FTC and the FCC work together, and sometimes they
can work together very collaboratively.
    But just as I believe that the FTC should be the sole
Federal enforcer of data security, because I think it does a
really good job, and it has expertise, and it is concentrated
on that for decades, really going back to the Fair Credit
Reporting Act passed in the 1970s, you know, I also wouldn't
want to see, for example, the FCC go into the business of
spectrum auctions, right? That is something that the FCC does
really well. It is a terrific agency at that, and, you know, I
think you should just let each agency play to its strengths and
to its expertise. Shouldn't be any gaps in the legislation, I
don't believe there are, but that is the way, I think, to sort
of improve the protections that companies have to have, and
ultimately improve the lives of consumers.
    Mr. Burgess. Thank you, sir. Ms. Weinman, let me just ask
you, you are a former FTC attorney advisor. Tell me what you
see is the difference between privacy and security.
    Ms. Weinman. Thank you for the question. Privacy relates to
how an organization uses data, with whom it chooses to disclose
that data.
Security relates to the underlying security of that
information, and the access to which would be unauthorized.
That, to me, is the key word in distinguishing between privacy
and data security.
    Mr. Burgess. And is that difference important for the
subcommittee to consider in its drafting of the bill?
    Ms. Weinman. Absolutely. I think that, in some ways,
privacy and data security are often conflated. But I think,
with respect to this bill, you do a good job of separating out
the two, and focusing on data security. So I think it is
something to keep in mind, because there is often conflation,
but I think it is important to keep those two concepts
distinguished, and I think this bill does a good job of that.
    Mr. Burgess. Mr. Leibowitz, let me come back to you just on
that issue of privacy and data security requirements. Do you
feel the bill is doing an adequate job in that regard?
    Mr. Leibowitz. I do, Mr. Chairman, and, you know, you can
look at them as sort of Venn diagrams with a slight overlap.
You can look at them as--along the lines of a continuum. But I
think you can separate them. I think you do a very good cut in
your discussion draft. And you concentrate on what Mr. Welch
said, and Mr. Cardenas, and others had said, is the most--and
Ms. Brooks said is the most important information here is the
personally identifiable information. It is what the hackers
really care about, right? And that is what you need to have the
highest level of protection for, data security, and you need to
give notification to consumers.
    Mr. Burgess. Very good. My time has expired. I will yield
back. I just want to--time for questions is limited, and I do
have some questions that I am going to submit, and ask for a
written response, Ms. Cable, in particular for you, and some of
the issues that happened around the High Tech Act of
Massachusetts, but I will do that in writing.
    And I will recognize Ms.
Schakowsky. Five minutes for
questions, please.
    Ms. Schakowsky. Before--because he has a bill on the floor,
I am going to yield right now out of order, Mr. Kennedy, for
questions.
    Mr. Kennedy. I want to thank the Ranking Member for the
generosity, and, Mr. Chairman, thank you for calling the
hearing. To all of our witnesses today, thank you for spending
the time, thank you for your testimony. I had the pleasure of
introducing Ms. Cable this morning from Massachusetts, so thank
you for being here, ma'am. And I wanted to get your thoughts, as an
enforcement lawyer from Massachusetts--we have heard a number
of criticisms of the draft bill today, but I would much rather
focus on how we can make this bill stronger, or the data
security and breach notification aspects a bit better.
    So, in your opinion, ma'am, what are some of the most
critical data security standards in Massachusetts law that you
believe are not represented within the framework of the
proposed bill?
    Ms. Cable. Sure, of course, and I will echo what was
previously said by the FTC, and I alluded to in my testimony.
You know, this is a framework that includes, at the first step,
an evaluation and assessment. What personal information does
the company have, where is it, how do they use it? What are the
reasonably foreseeable risks to that information, both internal
and external? It is the process of taking stock and evaluating
what the risks are that is not reflected in this current draft
of the bill that I believe is critically necessary. And you can
see that reflected in Gramm-Leach-Bliley standards, and I
believe the HIPAA security rule as well.
    Stemming from that process are, then, the safeguards that
need to be put in place. Again, Massachusetts law leaves open,
and gives companies some flexibility, what are the specific
safeguards.
They include things like restricting employee
access to information on an--on a business need basis only. It
includes simple things you might not even think about, changing
passwords when someone leaves the company, for example.
    There is--computer security systems need to be paid careful
attention to because of the volume of data they can store, and
the many points of access to that data. So perimeter security,
such as firewalls, anti-virus protection, software patches. The
Massachusetts data security regulations are technology neutral.
They leave open, and they contemplate changes in technology and
improvement in procedures, but they establish a minimum concept
of protecting your computer's security network. There are many
more, but, you know, I think it is a process-oriented--it
requires a company to take an introspective look at itself and
its information, and it is an iterative, evolving process, and
I think that is what is important about it.
    Mr. Kennedy. So, given that, Ms. Cable, do you think that
should be--or that framework should be a national benchmark, or
what additional requirements do you think you could suggest to
further enhance the protection of consumers' data?
    Ms. Cable. Well, I think it was suggested in the first
panel, and it is the concept of FTC rulemaking authority. And I
think that is something----
    Mr. Kennedy. Um-hum.
    Ms. Cable [continuing]. That our office would support a
closer look at.
    Mr. Kennedy. And maybe that is the answer to this next
question, but how can we ensure that the data security standard
is responsive to rapidly evolving technologies and increasingly
sophisticated cyberattacks?
    Ms. Cable. I think, you know, giving the FTC the authority
and flexibility to, you know, enact regulations that are
sufficiently flexible and responsive is one way to do it.
And,
you know, I haven't heard anyone espouse the opposite of this
proposition, which is these need to be neutral, they need to be
flexible. There is a way to do that. There are established
frameworks in Federal law that do that.
    Mr. Kennedy. So if I--just got about a minute left, and a
discussion that has come up over this legislation a couple of
times now is over preemption. And so, in your mind, and as a
practitioner, can you give us some suggestions on--does it have
to be all or nothing, or are there some ways we can preempt
some things, like the content of the notice, for example, but
not others, to allow for that flexibility?
    Ms. Cable. Absolutely, yes. Thank you for the question. I
think preemption absolutely does not need to be an all or
nothing approach. We have heard the patchwork 47 or 51
different data notice regimes, approximately 12 data security
standards. What I hear more, regarding a compliance burden, is
with responding to a breach, versus how do you prevent a breach
in the first instance.
    I think there is some work that might be done in limiting
the scope of the preemption to address the specific burdens
that are being articulated, and enable a rapid response to a
breach. But I think the States are innovative in the field of
data security, I think they are nimble. You know, our view is
the preemption is just simply too broad.
    Mr. Kennedy. I have only got about 10 seconds left. I might
submit in writing a question about the--any concerns over the
enforcement mechanisms, or the limits on the civil penalties
for your consideration.
    Ms. Cable. Of course.
    Mr. Kennedy. Thank you for coming here.
    Ms. Cable. Happy to answer.
    Mr. Leibowitz. And if I could just add point to respond to
your question? I mean, these are----
    Mr. Kennedy. Yes.
    Mr. Leibowitz. It is on my time, or----
    Mr. Kennedy. It is not.
    Mr. Leibowitz [continuing].
On your time?
    Mr. Kennedy. It is up to the chairman.
    Mr. Leibowitz. If the chairman----
    Mr. Burgess. Gentleman may respond.
    Mr. Leibowitz [continuing]. Unanimous consent? Thank you.
Again, you raise very good questions about how to think through
the next iteration----
    Mr. Kennedy. Um-hum.
    Mr. Leibowitz [continuing]. And, obviously, we want to work
with you to----
    Mr. Kennedy. Um-hum.
    Mr. Leibowitz [continuing]. Do that.
    Mr. Kennedy. OK. Thank you. I appreciate it.
    Mr. Burgess. Chair thanks the gentleman, gentleman yields
back. Chair recognize the gentlelady from Tennessee, Ms.
Blackburn. Five minutes for questions, please.
    Mrs. Blackburn. Thank you all, and I appreciate the
conversation, and--that you would be here and weigh in on the
discussion draft. Mr. Leibowitz, I have to say, it looks normal
and natural to see you at that witness table, and we are happy
to have you back.
    Ms. Weinman, I want to come to you first. We haven't talked
a lot about the third party notice obligations, so I would like
to have you walk through what you see as the strengths and
weaknesses of the third party notice obligations.
    Ms. Weinman. Thank you for the question. I will begin by
setting the stage with some defined terms. So the covered
entity is generally the entity that has the relationship with
the customer, or the consumer, use whichever word you are more
comfortable with. And then the third party, or another term
used in here would be a service provider, is the one that might
perform services on behalf of that covered entity, but would
also have personal information in their possession as a result
of their B to B relationship with the covered entity, business
to business.
    So the gap that I pointed out in my oral statement is that
it is unclear when the covered entity would be required to
provide notice to its customers when the third party suffered a
breach.
It is very clear when the covered entity would have to
provide notice when it itself had been breached, but when the
third party had been breached, it is unclear whether the
timeline begins when that third party has had the opportunity
to determine the scope of its breach, and had taken steps to
remedying vulnerabilities, and restored its systems.
    Mrs. Blackburn. OK. Let me ask you something else. You
mentioned the amount of compliance time, with businesses having
to comply with all the different State laws. So is there any
way that you can quantify what this would save to businesses by
having preemption in place, and having a national standard?
Have you thought through it in that regard, as--the cost
savings to business?
    Ms. Weinman. I don't have a quantifiable number, in terms
of compliance costs. That is not something that I have put
together. I can point out, though, in terms of--the compliance
costs would be considerable, considering the legal time. The
redirection of resources that could be devoted to other
critical areas once a data breach occurs is also a question of
opportunity cost. If you are spending a lot of time figuring
out your notice regime with 51 different frameworks, that is
taking time and money away from other areas that you can be
focusing on----
    Mrs. Blackburn. OK.
    Ms. Weinman [continuing]. Following a data breach.
    Mrs. Blackburn. Mr. Duncan, I saw you shaking your head.
Let me come to you on that, because you mentioned in your
testimony that you all have for years called on Congress to do
something on breach notification. You also talk about modeling
a Federal bill on strong consensus of existing State laws, and,
in the context of third party notification, all of the existing
State laws require notice from a third party to a covered entity
after a breach.
    So I want you to talk to me about two things.
I want you to
reconcile your support for a national standard based on the
State laws with your issues regarding the structure of the
State laws for the third party. And then also I want you to
talk a little bit about cost, and the preemption, and what it
would do to--what it would save consumers and businesses in the
process.
    Mr. Duncan. Thank you, Congressman Blackburn. There are
three very good questions. In terms of the States, virtually
all of the States do have an arrangement by which third parties
would report directly to the entity for whom they were
providing, say, a service, and that would be the general rule.
What has become increasingly clear to a number of State
Attorneys General is that trying to provide notice like that in
every situation actually will not provide effective notice.
    There is an example, for example, in our testimony that
talks about the Hartline breach, which was a huge breach. 80
million data points, I believe, realized. And in that case,
Hartline did the right thing. It didn't follow the State laws.
In fact, it went beyond them, and provided the notice itself
directly. Had they done otherwise, because Hartline was a
payment processor for hundreds of retailers, it would have
had--told each of them, and each of them would have had to tell
all their customers about Hartline's breach, so consumers would
have received hundreds of notices for what was actually one
breach.
    So there is becoming a realization among the State AGs that
we are--really should be focusing on effective notice, rather
than this strictured--structured notice that is contained in
some of the State laws. So it is an evolution of that. This
presents a double problem when we go to the subset that Ms.
Weinman just talked about, which was service providers, because
in this case, under the draft language, in some circumstances,
they would provide no notice at all, and that certainly--it
shouldn't be a situation that someone who knows they have a
notice--knows they have a breach can find themselves in a
situation in which they say nothing to anyone, not even to law
enforcement.
    And finally, as to cost, this is a very significant
consideration. You must consider that this law is going to
apply not just to the largest companies in America. It is going
to apply to the first person who has 15 dry cleaner front--
shops. How much will he or she have to stay up at night,
wondering about whether or not they have met an amorphous data
security standard to--going forward? And that imposes
tremendous costs on the operation of our businesses.
    Mrs. Blackburn. Mr. Chairman, my time has expired, and I
will yield back, but I would ask Mr. Leibowitz, I can see that
he was trying to respond to that, just to submit in writing his
response, or someone later can call on him for his response to
that question.
    Mr. Burgess. Chair thanks the gentlelady. Gentlelady yields
back. Recognize Ms. Schakowsky. Five minutes for questions,
please.
    Ms. Schakowsky. Thank you, Mr. Chairman. So I haven't heard
anyone, except for Mr. Leibowitz, say that if the bill were to
pass as is that consumers would be better protected. I didn't
hear the first panel or the second panel--it seemed to me that
lots of people--everyone had suggestions of how the bill could
be made better. If I am wrong, would you tell me that? OK. So
I--and Mr. Leibowitz also said he is happy to work with us, so
I think we have some work to do.
    I wanted to ask a question about personal information that
has come up several times. And--so when--let me ask Ms. Cable.
In terms of personal information, what does your law include?
And I want to ask Ms.
Moy kind of a more global--other States
as well. Go ahead, Ms. Cable.
    Ms. Cable. Thank you for the question. For Massachusetts,
the definition of personal information is actually narrower
than what is being considered in this bill. It includes name--
first name and last name, or first initial and last name, plus
one of the following components, Social Security Number,
driver's license number, or other Government-issued ID number,
and that is State Government-issued ID number, or a financial
account number with or without the security code required to
access the account.
    Ms. Schakowsky. So many of us, I think, think that the
requirement in the bill is too narrow, that it is just
financial harm. And I would like to get Ms. Moy, if you could
answer, what kind of information do you think is missing now
that we are taking this important step of looking toward
protecting consumers. What do you think ought to be there?
    Ms. Moy. Thank you. Thanks so much for this important
question. So, as I mentioned in my testimony, there are a
number of pieces of information that are covered by other laws.
In particular, health information is covered by a lot of
States. But I think, you know, we could go back and forth about
particular pieces of information that should or should not be
included in the definition of personal information here, but
the big picture here is really--the bottom line is that there
are broad categories of personal information that are currently
covered under a number of State laws, and under the----
    Ms. Schakowsky. Well, let me ask you this, then, because I
think it would be--help to outline for us. You noted that this
bill does not protect the serious harms that a breach of
information could cause, so I am wondering if you could draw a
picture for us of what some of those serious harms could be.
    Ms. Moy. Sure.
So, for example, you could imagine that if
your email address and password were compromised. So that might
not be an account identifier and a password that is necessarily
financial in nature, and would fall within the scope of this
bill, but if my personal emails were compromised, I would
certainly experience some harm. I am sure I would experience
not only emotional harm, but perhaps harm to relationships,
perhaps harm to reputation. And, you know, and I think that a
common sense question here is just, if my email address and
account password were compromised, would I want to be notified?
And--absolutely. I think that is just some common sense there.
    Ms. Schakowsky. Let me ask you this. Let us say a woman is
a victim of domestic violence----
    Ms. Moy. Um-hum.
    Ms. Schakowsky [continuing]. But geolocation is not
protected. Could she be at risk in some way?
    Ms. Moy. Right, thank you. So I think one of the things
that I did highlight in my written testimony is that because
both of--the definition of personal information, and the harm
trigger that is premised on financial harm, there are
categories of information, like geolocation information, or
like information about call records, that, if compromised,
could result in physical harm. So a domestic violence victim,
for example, might be concerned not only about her geolocation
information, but perhaps about her call records. If she called
a hotline for victim assistance, or if she called a lawyer,
those are pieces of information that she absolutely would not
want to be compromised.
    Ms. Schakowsky. In terms of the role of the FTC having some
flexibility in defining what personal information would be,
what position have you taken?
    Ms. Moy. Right. So I think it is--I think that it is
critical that we provide for flexibility in the definition of
personal information in one way or another.
Whether it is
through agency rulemaking, or through State law, it is really
important that we be able to adapt a standard to changing
technology, and changing threats.
    So I mentioned in my testimony the growing trend of States
including medical information in their definition of personal
information. In fact, two States just this year have passed
bills that will include that information in their breach
notification later this year, and that is not an arbitrary
change. The reason that that is changing is because there is a
growing threat of medical identity theft, and it is really
important to build in flexibility to account for those changes.
    Mr. Leibowitz. And if I could just follow up on Ms. Moy's
points very quickly, in support, I think, of most of them. You
know, I think geolocation--and your point. I think geolocation
is critically important. When we were at the FTC, we expanded
geolocation under COPPA to be a condition present. It is
something you may want to take a look at.
    It is also important to note that the Massachusetts law,
which is one of the most progressive laws of the State, has a
narrower definition of data security. This is a well-
intentioned piece of legislation, and reasonably we can
disagree about where to draw the line, but it is broader than
38 States, that don't have it.
    And then the other two very quick points I want to make, on
the ISP point that you mentioned before, Mr. Duncan, you know,
if a service--aware of a data security breach, they must notify
the company of the breach, and they have an obligation to
reasonably identify any company, to try to reasonably identify.
    And then, finally, on rulemaking, obviously, I came from
the FTC, I came and testified in support of this legislation,
or signed testimony.
I would just say, and maybe this is
overall for the legislation, this is my belief in it, it always
was when I was there, is you just don't want to let the perfect
be the enemy of the good here. You want to make sure you move
forward for consumers. Reasonable people can disagree about
exactly where that is, but getting some things sometimes is
better than, you know, not getting everything.
    Mr. Burgess. The Chair thanks the gentleman for his
observations. Gentlelady's time has expired. Chair recognizes
the gentlelady from Indiana, Ms. Brooks. Five minutes for
questions, please.
    Mrs. Brooks. Thank you, Mr. Chairman, and I want to build
on what the gentleman from Massachusetts was saying, is that we
have to get this right, and--perfect is the enemy of good here.
And I have heard--I am not familiar with Massachusetts statute,
and, obviously, with there being so many statutes, the problem
is that we in Congress, while we have been talking about it for
years and years and years, and I applaud all the work that has
been done in Congress in the past, we have got to move
something forward here, because terrorist organizations,
nation-state organizations, they are going to always continue
to come up with more ways and new ways to hack and get this
information.
    And it is becoming, I think, one of our constituents'
greatest security concerns, truly, and we have got to get this
right. And I don't believe that having 51 different standards
is good. We have got to get, you know, we have got to move on
this and improve.
And I think--my previous question to the
director of the FTC, the reasonable security practice, and if
we were to adopt, for instance, Massachusetts, how you have set
out, and what I would love to see is the State Attorneys
General work with the committee and the members who have put
forth this legislation, and let us get this right.
    And so, for instance, if the reasonable security practices
that you delineate in Massachusetts, those are flexible, but
yet they set out the process, would that satisfy you on the
reasonable security piece, Ms. Cable?
    Ms. Cable. Yes, thank you for the question, and I agree and
appreciate this is a critical issue, and there needs to be
action, and I really applaud the subcommittee for taking up
this issue, because it is complicated and it is difficult.
    I think, you know, I happen to very much like the
Massachusetts data security regulations, but, of course, I have
to say that.
    Mrs. Brooks. Sure.
    Ms. Cable. I think they are, however, a good framework, a
recognized framework, and something that commercial entities
are used to seeing. And I think the issue with preemption, what
makes it concerning to us, is the standard of data security
that is being set. We don't think it is sufficiently defined,
and therefore we think, as a result, it may not be sufficiently
robust. And so, at least from Massachusetts perspective, this
is not better off for our consumers if reasonable security
measures and practices result in a downward harmonization
across the Nation of a lower standard of security.
    And I might add, lower security, logically, I think, will
result in an increased incidence of breaches, an increase in
notice obligation, and an increase of all of the problems we
are discussing today. I really think the data security standard
is a critical element.
I think the reasonableness standard is
maybe a good lodestar guidepost, but this--the measures and
practices need to be more defined.
    Mrs. Brooks. Mr. Leibowitz, would you like to comment on
those remarks?
    Mr. Leibowitz. Well, I mean, at 50,000 feet I agree that
you don't want to ratchet down, you want to ratchet up the
level of data security. I think the fact that 38 States don't
have any data security obligations at all is very telling. And,
again, as Ms. Cable acknowledged, you know, one of the most
progressive pieces of legislation that States have written is
the Massachusetts law. On the data security side, it has a
narrower definition.
    So I think, again, and going back to Mr. Welch's point and
Mr. Cardenas' point, it is like what do people care about
when--what hackers care about, they care about the personal
identification and the financial information. And what do
consumers care about, and at the FTC--and the FTC continues to
do great work here, you know, they care about their Social
Security Number. They care about their financial information
being taken. They care about, you know, economic harm more than
anything else. And that is what drives this problem more than
anything else. It is not ideological groups. It is, you know,
people engaged in fraud and criminal activities that the FTC
and the State AGs have been prosecuting, will continue to be
able to do in the bill.
    Mrs. Brooks. Thank you. And one completely different issue,
Ms. Weinman, you talked about the providers must restore their
system, that entities should restore their system before
notification. Can you explain why that would be necessary when
it does seem that speed in getting out notifications--although
we know that often those who are breaching and hacking can sit
on this information for years, they don't often use it
immediately.
But why do you propose that an entity needs to
have the time to restore its system, as you have said, before
notification?
    Ms. Weinman. As currently drafted, the bill does allow that
restoration of system for a covered entity, and I think it is
critical that that be the case because if an entity provides
notification, it is essentially making public that its system
has been compromised, and it could render itself further
vulnerable to additional attacks by those same hackers, or
other hackers. So I thank, and applaud, the subcommittee for
recognizing that point in time when notification should begin
should be at a time when the system has been restored.
    Mrs. Brooks. Thank you. I yield back.
    Mr. Burgess. The Chair thanks the gentlelady, and Chair
recognizes the gentleman from Vermont, Mr. Welch for 5 minutes
for questions.
    Mr. Welch. Thank you very much, sir. I want to take up a
bit from where my colleague, Ms. Brooks, was with the Attorney
General's Office from Massachusetts. First of all, thank you
for your testimony. Second, thanks for the good work that
Massachusetts does. Third, we are pretty proud of our Attorney
General and consumer protection in Vermont. They have a
standard and an--they have a solid standard, and an aggressive
consumer protection division, like you do, and they have made
some of the same arguments to me about this bill that you just
made, so message received.
    But I just wanted to go through a few things.
Number one,
the bill does use this term reasonableness, and I think there
has been a debate, even--not--on all sides, including among
consumer activists, whether something that is flexible has the
potential to meet the challenges as they emerge, as opposed
to--what I heard in your testimony is a more detailed set of
guidelines that is--according to your testimony is working for
you.
    But I guess I am just looking for some acknowledgment that
there is a legitimate argument to approach it in a prescriptive
way, or in a general way that gives a little more flexibility
to the enforcer, in this case Massachusetts. Would you agree
with that?
    Ms. Cable. Yes, thank you for your question, and I would
reiterate I work closely with colleagues from the Vermont
Attorney General's Office. It is a fantastic office, and I
enjoy working with them. I think the issue of data security
standards, and whether they are flexible----
    Mr. Welch. Right.
    Ms. Cable [continuing]. Flexible or prescriptive, I think
you can have standards that articulate components of what a
data security system framework should look like, but an awful
lot of flexibility with how you meet those standards, and I----
    Mr. Welch. Well, right, and that is where it is genuinely
difficult. Because, you know, if Ms. Brooks was able to get all
the Attorney Generals to come up with what was the best
approach, that might be persuasive to all of us, because there
are Republican and Democratic Attorney Generals out there.
    A second thing that I wanted to talk about is this question
of an obligation on the part of the companies. There is an
enormous incentive for thieves, criminals, to try to hack our
information. They get our money. There is an enormous
incentive--I am looking for all you--your reaction on this--for
companies to have their computer systems be as safe as
possible, because they are victims too in this case.
I mean, \nlook what happened at Target. People lose their jobs. It is \nbrutal on the bottom line for these companies. So I see that as \na practical reality that we can take advantage of. I mean, is \nthat consistent with you, as an enforcer?\n    Ms. Cable. I would absolutely agree, and I would note, you \nknow, much of my effort is not spent trying to find gotcha \nmoments and----\n    Mr. Welch. Right.\n    Ms. Cable [continuing]. Enforcing. We have received notice \nof over 8,600----\n    Mr. Welch. Yes.\n    Ms. Cable [continuing]. Breaches, and I think, we ran the \nnumbers, we have had 13 actions.\n    Mr. Welch. But you would be in agreement----\n    Ms. Cable. I would, and I would----\n    Mr. Welch. Yes.\n    Ms. Cable. Most of my time is spent----\n    Mr. Welch. I don't have much time, so let me get a----\n    Ms. Cable. Of course. I apologize.\n    Mr. Welch [continuing]. Few more. You have been very \nhelpful. The other thing Mr. Duncan was talking about, \neffective notice, and this goes back, again, to kind of \npracticality. If I get these bank notices when I do this \nmortgage refinancing, it literally gives me a headache, and I \nget less information. All I need to know are three things, what \nis my rate--what is my interest rate, when is the payment due, \nand what is the penalty if I don't meet the time? That is all I \nneed to know. And--so this effective notice issue, I think, is \nsomething that, on a practical level, all of us want to take \ninto account.\n    So let me go, Ms. Moy, to you. I want to, first of all, \nthank you and your organization for the great work you have \ndone, and also for being available to try to answer my \nquestions.\n    Ms. Moy. Thank you.\n    Mr. Welch. You had mentioned something that every single \none of us would be really concerned about, if there was any way \nthat we were passing legislation that was going to make a woman \nof domestic violence more vulnerable. All of us would be \nagainst that, OK? 
So I don't see in this legislation how that \nis happening, but if, in your view, it is, I would really \nwelcome a chapter and verse specification as to what we would \nhave to do to make sure that didn't happen. And I think we \nwould all want to be on board on that. So could you help us \nwith that----\n    Ms. Moy. Thank you, I appreciate that question, and I have \nappreciated working with your office as well. So I think, you \nknow, this question mostly gets to what standard is set for the \nharm trigger, right? I mean, because there are certain types of \ninformation, or certain situations where information may be \ncompromised or accessed in an unauthorized manner, and you \ncould look at that situation and say, this information really \ncouldn't be used for financial harm, or we think it is unlikely \nthat that is the--that was the motivation of the person who \naccessed that information.\n    Mr. Welch. OK. My time is running up, so I----\n    Ms. Moy. Yes.\n    Mr. Welch [continuing]. Apologize for interrupting, but \nif----\n    Ms. Moy. Um-hum.\n    Mr. Welch [continuing]. You sent us a memo on that, and----\n    Ms. Moy. Absolutely.\n    Mr. Welch [continuing]. Attorney Cable, if you sent us some \nspecifics, that would be helpful to the committee, because I \nknow Ms. Schakowsky was very interested in a lot of the points \nyou made, as well as all of us, I think.\n    Ms. Moy. Absolutely.\n    Mr. Welch. Thank you.\n    Ms. Moy. Thank you.\n    Mr. Welch. I yield back.\n    Mr. Burgess. Chair thanks the gentleman. Chair recognizes \nthe vice chair of the subcommittee, Mr. Lance. Five minutes for \nquestions, please.\n    Mr. Lance. Thank you very much, Mr. Chairman.\n    Mr. Leibowitz, in your opinion, what benefit have class \nactions brought to consumers after a data breach?\n    Mr. Leibowitz. Well, let me start by saying, I think class \nactions have an enormous value in a lot of areas. Civil rights \nareas, others as well. 
In this area, I don't think that class \nactions have much benefit, except for the lawyers who bring \nthem. And what they also do is they incentivize, or they create \nincentives, I think, for companies to emphasize legal \nprotections, rather than actual reasonable data security.\n    And I will just make sort of one other point, which goes \nback to the FTC, which is, if the FTC brings a case, and it \ngets compensation for consumers, all that compensation goes \nback to the consumers. They--$200 million to 400,000 people who \nwere victims of mortgage service fraud by Countrywide, and that \nis one other benefit. But I also believe that, you know, class \nactions can be vitally important, as I am sure you do, in some \nareas.\n    Mr. Lance. In other words, your point is that when the FTC \ndoes it, the--FTC personnel are in the public sector, and the \nfull benefit goes to those----\n    Mr. Leibowitz. The entire----\n    Mr. Lance [continuing]. Who have been harmed?\n    Mr. Leibowitz. Yes.\n    Mr. Lance. It is an indication why we should be supportive \nof our Federal workforce----\n    Mr. Leibowitz. And----\n    Mr. Lance [continuing]. And for colleagues who serve in \nFederal service. Would others like to comment on that? Attorney \nGeneral Cable?\n    Ms. Cable. If I may?\n    Mr. Lance. Certainly.\n    Ms. Cable. Thank you, Congressman.\n    Mr. Lance. Certainly.\n    Ms. Cable. I would just note--consumer restitution is a \ncritical tool that we have in our toolbox under our Consumer \nProtection Act. We use it--we like to use it. If we can get the \nmoney, we distribute it. I noted under this version of this \nbill, it does not expressly allow us to seek consumer \nrestitution, and it also denies the consumer a private right of \naction. We think that is a bit of an oversight in the event a \nconsumer is actively harmed here. State AGs under this bill \nwould not be able to seek consumer restitution, under one \ninterpretation.\n    Mr. Lance. 
Thank you, Attorney General. Mr. Leibowitz, do \nyou wish to comment further or not? No? Thank you.\n    Mr. Leibowitz. No, sir.\n    Mr. Lance. Ms. Weinman, do you have a concern about State \ncommon law claims adding additional security or notification \nrequirements for companies if a Federal law is enacted?\n    Ms. Weinman. I think that this bill strikes a useful \nbalance in pre-empting the current State data security \nrequirements and the breach notification, so I think this bill \nstrikes a good balance in that area.\n    Mr. Lance. And you believe that because the country would \nmove forward uniformly, and this would be something that would \nbe on the books for the entire Nation?\n    Ms. Weinman. Yes, and it would streamline the notification \nprocess across the board, across the 51 regimes for which I \nhave, you know, a 19 page chart. So I think that would \ndefinitely be useful.\n    Mr. Lance. Yes. Thank you. Mr. Chairman, I yield back the \nbalance of my time.\n    Mr. Burgess. Chair thanks the gentleman. Chair recognizes \nthe gentleman from New Jersey, Mr. Pallone. Five minutes for \nquestions, please.\n    Mr. Pallone. Thank you, and I have been to, like, three \ndifferent meetings since I was last here, so hopefully I will \nbe understandable here. Under current law the FTC does not have \nenforcement authority over common carriers, including \ntelecommunications, cable, and satellite services, and the \ndiscussion draft lifts the common carrier exception to allow \nthe FTC to bring enforcement actions for violations of the \nprovisions of this bill.\n    And I wanted to ask each member of the panel, and I am just \nlooking for a yes or no because I have a whole series of things \nhere, if you could just say yes or no, assuming the draft did \nnot include preemption of the Communications Act in Section 6C, \ndo you support lifting the common carrier exceptions in the \ncontext of data security and breach notifications, yes or no? 
\nWe will start to the left.\n    Mr. Leibowitz. Yes.\n    Mr. Pallone. Ms. Cable?\n    Ms. Cable. I apologize, I think I am out of my expertise, \nso----\n    Mr. Pallone. You have no response?\n    Ms. Cable. I have no response.\n    Mr. Pallone. All right. Mr. Duncan?\n    Mr. Duncan. We don't have a preference as to which agency \ncovers it.\n    Mr. Pallone. That is----\n    Mr. Duncan. The only requirement is that everyone be \ncovered.\n    Mr. Pallone. OK. Ms. Moy, yes, no?\n    Ms. Moy. If it did not eliminate provisions of the \nCommunications Act, yes.\n    Mr. Pallone. OK. And our last----\n    Ms. Weinman. I will give a similar response to Mr. Duncan, \nthat it is not an issue that would implicate ITI members, \nso----\n    Mr. Pallone. All right.\n    Ms. Weinman [continuing]. I am not expressing a preference \none way or the other.\n    Mr. Pallone. All right. Now I just want to ask my next two \nquestions of Ms. Moy, because I may not have a lot of time. \nLifting the common--I have two. First, lifting the common \ncarrier exception without nullifying the data security and \nbreach notification provisions of the Communications Act would \nmean that there are two cops on the beat, so to speak, so what \nare the benefits to joint jurisdiction among the FCC and the \nFTC? To Ms. Moy only.\n    Ms. Moy. Thank you, thank you so much. So I think one of \nthe major benefits is that the two agencies have different \nstrengths, and they could work together to use their strengths \nto complement each other and ensure the best protection for \nconsumers. For example, the FCC is primarily a rulemaking \nagency that uses its authority to set standards prospectively, \nand the FTC is primarily an enforcement authority. 
It would be \nreally nice if they could work together to establish the \nstandards in the first place, and then enforce them in the \nsecond place.\n    I think also the FCC has a lot of very important expertise \nin this area, working with telecommunications networks, and \nother communications networks, and just--and the focus on \nprivacy is a little bit different. The focus on privacy at the \nFCC is more about the reliability of the networks, and the fact \nthat consumers have no choice but to share information with \nthese very important networks in their lives, whereas the focus \nof the FTC on privacy is a little bit more about what is fair \nwith respect to consumers. And, again, it would just be really \nnice if those agencies could work together in that area to use \ntheir expertise, or their respective expertise, in a \ncomplementary manner.\n    Mr. Pallone. And then I have a second one to you only, and \nif I have time, we are going to go to the others. Do you think \nthere are any drawbacks to having FTC and FCC enforcement? Are \nyou concerned about consumers being confused by having two \nenforcing agencies?\n    Ms. Moy. I am not concerned about that. I think that where \nwe have seen agencies work together in the past, I don't think \nthat there really is confusion for consumers. For example--I am \nsorry, I am blanking, but the FTC and the FCC have worked \ntogether on the, for example, Do Not Call, of \ntelecommunications customers. And I really don't think that \nthere is any risk of confusion for consumers of having those \nagencies work together.\n    Mr. Pallone. All right, one more question. I will start \nwith you, and then--we have time, we will go to the others. Do \nyou have any suggestions for how legislation can ensure that \ncompanies are not burdened by duplicative enforcement?\n    Ms. Moy. I am sorry, that companies are not burdened by----\n    Mr. Pallone. By duplicative enforcement. 
Any suggestions \nfor how legislation could ensure that companies are not \nburdened by duplicative enforcement?\n    Ms. Moy. Well, the premise of the question is that \nduplicative enforcement is necessarily more burdensome for \ncompanies, and I don't think that that is necessarily the case. \nYou know, as I said, the FCC and the FTC can work together to \nformulate standards and enforce them in a uniform way. And I \nthink that they would have an incentive to do that, so as to \nmaximize the efficiency of their resources toward that goal. \nAnd I think that that incentive would sync up quite nicely with \nthe incentive of having the two agencies work in step with each \nother, so as not to seem like two totally separate regimes.\n    Mr. Pallone. All right, thanks. I think I have run out of \ntime, Mr. Chair.\n    Mr. Duncan. If I----\n    Mr. Pallone. Thank you.\n    Mr. Duncan. If I might just mention, on that point, under \nthe structure of the bill, both the FTC and the State AGs would \nhave enforcement authority, and that is an option that works, \nat least in that context. From our perspective, as long as \neveryone has the same obligations, and duties, and \nresponsibilities, then it is less of an issue.\n    Mr. Leibowitz. Yes. And the only thing I would add is that \nthere is sort of an evolving consensus that what you really want, \nMr. Pallone, is a flexible enforcement standard that is strong \nwith enforcement. And you also want to treat the same \ninformation the same way, not under different regimes. So, you \nknow, Google can collect information, Verizon can collect \ninformation, Comcast can collect information. A variety of \nother companies can.\n    And, for the most part, I think where this bill wants to go \nis in a data breach context. And in the data security context, \nmore importantly, treat them equally.\n    Mr. Burgess. Chair thanks the gentleman. Gentleman's time \nhas expired. Chair recognizes Mr. McNerney. 
Five minutes for \nyour questions, please.\n    Mr. McNerney. Well, I want to thank the chairman and the \nranking member for allowing me to participate in this hearing, \neven though I am not a member of the subcommittee. I appreciate \nthat. And I want to say I appreciate the efforts of my \ncolleagues, Mr. Welch, Mr. Burgess, and Mrs. Blackburn for \ncrafting this bill. It is clearly needed. And it may not be \nperfect yet, but it can be improved, and it is much better to \nstart from the draft than to start over--than to over to start \nover. So I have a couple of questions here.\n    Ms. Weinman, you mentioned that the civil penalties for \nbreach of notification are excessive for a company that is a \nvictim of a criminal act. Do you think it would be OK to lower \nthe penalties, or to have some flexibility? And if you think \nflexibility is the way to go, how can you do that in this kind \nof a bill?\n    Ms. Weinman. I think lowering would be a good step, and I \nthink there is flexibility built into the assessment of civil \npenalties within the bill, but I think lowering the maximum \npenalties would make sense in the context of the fact that \ncompanies themselves are the victims of criminal hackers. So \nthere is some discretion with regard to civil penalties within \nthe bill; however, I do think the maximum amounts set out in \nthere should be lower. And I note that the current figures in \nthere are, in fact, five times higher than what we have \npreviously seen in other proposals, so I just make a note of \nthat.\n    Mr. McNerney. Well, I mean, you could consider some \nbreaches to be gross negligence, and deserving of significant \npenalties, so----\n    Ms. Weinman. Well, that flexibility is built into the \nlanguage, but I do think that the ceiling could be lower in the \ndraft.\n    Mr. McNerney. Thank you. Ms. Moy, you know, preemption is a \nvery tricky issue. We want States to have flexibility, but you \nmention that there ought to be a floor. 
But how could you \ncreate legislation that had a floor, but allowed States like \nMassachusetts flexibility to go, you know, more stringent, if \nthey wanted?\n    Ms. Moy. Thank you for the question, and thank you. I do \nrecognize that it is very difficult to craft the appropriate \nstandard here, and thank you for taking up this difficult \nissue. I, you know, I think that you could set a standard that \nsays, this is the minimum standard, and that State laws will \nnot be preempted to the extent that they create additional \nstandards above that, or beyond that.\n    But, you know, but also, as I have said in the written \ntestimony, and as I mentioned earlier, we are not necessarily \nopposed to the idea of preemptive legislation, but I do think \nthat it is important, if we are going to do that, to ensure \nthat the new Federal standard, the new uniform Federal \nstandard, is better for consumers than the current draft. I \njust--I think it is really important to strike the proper \nbalance between preemption and protections for consumers, and \nthis just doesn't quite get us there.\n    Mr. McNerney. Now, you mentioned that you felt that the \ndraft would lower consumer protections over a wide range of \nconsumer protections. Could the bill be strengthened to include \nthose current protections?\n    Ms. Moy. I believe that it could be, and I think--I would \nbe very happy to work with the subcommittee to figure out ways \nthat we could get there.\n    Mr. Duncan. Congressman----\n    Mr. McNerney. Thank you.\n    Mr. Duncan [continuing]. One of the reasons that we are \nhere today is because there are already 51 conflicting laws out \nthere. If Congress doesn't simplify the system to some extent, \nthen we will simply have 52 laws out there, and that is not \nmoving us forward.\n    Mr. McNerney. Thank you. Well, Mr. Duncan, you mentioned \nthat--the importance of enacting laws that holds accountable \nall entities that handle personal information. 
Can you discuss \nhow you would improve the draft legislation to modify the \ncovered entities?\n    Mr. Duncan. Certainly. We would expect that a good law \nwould require that every covered entity have the same \nobligation, that third parties--for example, the way the bill \nis written now, some entities do not even have a duty to \ndetermine--to examine and determine whether or not they can \nfind information out about a breach. There has got to be the \nsame level requirement all the way across the board.\n    Congresswoman Schakowsky asked earlier whether or not we \ncould support this legislation. I would say this draft is a \nmajor improvement over what we have seen before, but if we \ncould have equal applicability across all entities, and fix \nsome of the issues with the FTC, we could support this.\n    Mr. McNerney. Thank you--a lot of good information has come \nout that might help improve the bill, so, Mr. Chairman, I yield \nback. Thank you again.\n    Mr. Burgess. Chair thanks the gentleman. Gentleman does \nyield back. The Chair recognizes Mr. Pallone of New Jersey for \na unanimous consent request.\n    Mr. Pallone. Thank you, Mr. Chairman. I ask unanimous \nconsent to submit for the record a letter from 12 consumer \ngroups to yourself and Ms. Schakowsky.\n    Mr. Burgess. Without objection, so ordered.\n    [The information appears at the conclusion of the hearing.]\n    Mr. Pallone. I guess we have another one, too, Mr. \nChairman, from the Consumers Union, in addition to the one from \neveryone else.\n    Mr. Burgess. The Chair thanks the gentleman. Without \nobjection, so ordered.\n    [The information appears at the conclusion of the hearing.]\n    Mr. Burgess. Seeing that there are no further members \nseeking to ask questions, I do want to thank all of our \nwitnesses. 
I know this has been a long hearing, but I thank you \nfor participation today.\n    Before we conclude, I would like to include the following \ndocuments to be submitted for the record by unanimous consent: \na letter on behalf of the Credit Union National Association; a \nletter on behalf of the Marketing Research Association; a \nletter on behalf of the National Association of Federal Credit \nUnions; a letter on behalf of the Online Trust Alliance; a \nletter on behalf of the Consumers Union; statement on behalf of \nthe National Association of Convenience Stores; a letter on \nbehalf of the American Bankers Association, The Clearing House, \nConsumer Bankers Association, Credit Union National \nAssociation, Financial Services Roundtable, Independent \nCommunity Bankers of America, and the National Association of \nFederal Credit Unions; and the response of the Secret Service \nto questions submitted for the record at our previous \nsubcommittee data breach hearing on January 27, 2015.\n    [The information appears at the conclusion of the hearing.]\n    Mr. Burgess. Pursuant to committee rules, I remind members \nthey have 10 business days to submit additional questions for \nthe record, and I ask witnesses to submit their response within \n10 business days upon receipt of the questions. I thank \neveryone for their participation this morning. This \nsubcommittee hearing is adjourned.\n    [Whereupon, at 1:16 p.m., the subcommittee was adjourned.]\n    [Material submitted for inclusion in the record follows:]\n    \n    \n    \n    \n  [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  \n    \n    \n    [Mr. Leibowitz did not answer submitted questions for the \nrecord by the time of printing.]\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n    [Mr. Duncan did not answer submitted questions for the \nrecord by the time of printing.]\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n    [Ms. 
Moy's answers to submitted questions for the record \nhave been retained in committee files and also are available at \n http://docs.house.gov/meetings/IF/IF17/20150318/103175/HHRG-\n114-IF17-Wstate-MoyL-20150318.pdf.]\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n                                 [all]\n</pre></body></html>\n"