[Senate Hearing 114-78]
[From the U.S. Government Publishing Office]
S. Hrg. 114-78
GETTING IT RIGHT ON DATA SECURITY
AND BREACH NOTIFICATION LEGISLATION
IN THE 114TH CONGRESS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON CONSUMER PROTECTION,
PRODUCT SAFETY, INSURANCE,
AND DATA SECURITY
OF THE
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
FEBRUARY 5, 2015
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
U.S. GOVERNMENT PUBLISHING OFFICE
96-892 PDF WASHINGTON : 2015
________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi BILL NELSON, Florida, Ranking
ROY BLUNT, Missouri MARIA CANTWELL, Washington
MARCO RUBIO, Florida CLAIRE McCASKILL, Missouri
KELLY AYOTTE, New Hampshire AMY KLOBUCHAR, Minnesota
TED CRUZ, Texas RICHARD BLUMENTHAL, Connecticut
DEB FISCHER, Nebraska BRIAN SCHATZ, Hawaii
JERRY MORAN, Kansas EDWARD MARKEY, Massachusetts
DAN SULLIVAN, Alaska CORY BOOKER, New Jersey
RON JOHNSON, Wisconsin TOM UDALL, New Mexico
DEAN HELLER, Nevada JOE MANCHIN, West Virginia
CORY GARDNER, Colorado GARY PETERS, Michigan
STEVE DAINES, Montana
David Schwietert, Republican Staff Director
Nick Rossi, Republican Deputy Staff Director
Rebecca Seidel, Republican General Counsel
Jason Van Beek, Republican Deputy General Counsel
Kim Lipsky, Democratic Staff Director
Chris Day, Democratic Deputy Staff Director
Clint Odom, Democratic General Counsel and Policy Director
------
SUBCOMMITTEE ON CONSUMER PROTECTION, PRODUCT SAFETY, INSURANCE, AND
DATA SECURITY \1\
JERRY MORAN, Kansas, Chairman RICHARD BLUMENTHAL, Connecticut,
ROY BLUNT, Missouri Ranking
TED CRUZ, Texas CLAIRE McCASKILL, Missouri
DEB FISCHER, Nebraska AMY KLOBUCHAR, Minnesota
DEAN HELLER, Nevada EDWARD MARKEY, Massachusetts
DAN SULLIVAN, Alaska CORY BOOKER, New Jersey
CORY GARDNER, Colorado TOM UDALL, New Mexico
STEVE DAINES, Montana
\1\ On March 3, 2015 the Committee finalized Member assignments for
its subcommittees. The list below reflects March 3, 2015 assignments.
When this hearing was held, on February 5, 2015, formal assignments had
not yet been made.
C O N T E N T S
----------
Page
Hearing held on February 5, 2015................................. 1
Statement of Senator Moran....................................... 1
Statement of Senator Blumenthal.................................. 3
Statement of Senator Fischer..................................... 50
Statement of Senator Schatz...................................... 52
Statement of Senator Blunt....................................... 54
Statement of Senator Thune....................................... 55
Statement of Senator Klobuchar................................... 57
Statement of Senator Daines...................................... 60
Witnesses
Cheri F. McGuire, Vice President, Global Government Affairs and
Cybersecurity Policy, Symantec Corporation..................... 5
Prepared statement........................................... 6
Mallory B. Duncan, General Counsel and Senior Vice President,
National Retail Federation..................................... 11
Prepared statement........................................... 12
Ravi Pendse, Ph.D., Vice President and Chief Information Officer,
Brown University, Cisco Fellow, Professor of Practice, Computer
Science and Engineering........................................ 30
Prepared statement........................................... 32
Doug Johnson, Senior Vice President and Senior Advisor for Risk
Management Policy, American Bankers Association................ 34
Prepared statement........................................... 36
Hon. Lisa Madigan, Attorney General, State of Illinois........... 38
Prepared statement........................................... 40
Yael Weinman, Vice President, Global Privacy Policy and General
Counsel, Information Technology Industry Council (ITI)......... 43
Prepared statement........................................... 45
Appendix
Stephen Orfei, General Manager, Payment Card Industry Security
Standards Council, prepared statement.......................... 65
Response to written questions submitted by Hon. Roy Blunt to:
Cheri F. McGuire............................................. 66
Mallory B. Duncan............................................ 67
Response to written questions submitted to Doug Johnson by:
Hon. Jerry Moran............................................. 68
Hon. Roy Blunt............................................... 70
Response to written questions submitted by Hon. Roy Blunt to:
Yael Weinman................................................. 71
GETTING IT RIGHT ON DATA SECURITY
AND BREACH NOTIFICATION LEGISLATION
IN THE 114TH CONGRESS
----------
THURSDAY, FEBRUARY 5, 2015
U.S. Senate,
Subcommittee on Consumer Protection, Product
Safety, Insurance, and Data Security,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Subcommittee met, pursuant to notice, at 10 a.m. in
room SR-253, Russell Senate Office Building, Hon. Jerry Moran,
presiding.
Present: Senators Moran [presiding], Thune, Blunt, Fischer,
Daines, Klobuchar, Blumenthal, and Schatz.
OPENING STATEMENT OF HON. JERRY MORAN,
U.S. SENATOR FROM KANSAS
Senator Moran. As I indicated, this is the first
subcommittee hearing I have chaired in 8 years in Congress, and
I was nervous, apparently nervous enough not to turn on the
microphone.
We look forward to being educated and getting a good
understanding. First, I want to thank my colleagues and their
level of interest in this important topic. I would also like to
thank, as I said, our witnesses for joining us today. Expertise
is important to us as Members of Congress, and unfortunately,
this is a very timely topic.
The purpose of this hearing is in many ways somewhat
narrow, it is to examine the merits of the Federal data
security standard and the need for preemptive and uniform
Federal data breach notification.
We all know we live in a digital world where consumers have
embraced online products and services. Kansans, my folks at
home, they know they can make purchases, determine their credit
score, conduct banking and examine health care plans all from a
mobile phone, computer, or a tablet. That is true of consumers
across the country and increasingly around the globe.
This digital economy creates new risks. In a world where
one bad actor can battle against a team of highly trained
experts, we face challenges to make certain that consumers are
protected and that businesses have the tools and incentives to
protect their customers from harm.
For more than a decade, Congress, the Commerce Committee in
particular, has been contemplating issues surrounding data
security and data breach notification.
In 2004, the Committee held its first congressional hearing
to examine the high profile breach of ChoicePoint, a data
aggregation firm. This breach forced the first of many
conversations here in Congress, and today, we continue that
dialogue.
Recent high profile data breaches as well as the headline
grabbing Sony cyberattack from late last year are the latest
examples that highlight the ongoing and serious cyber threats
that face Americans and businesses.
Just this morning, we woke up to news of what experts are
calling the largest health care breach to date. This time, the
cyber criminals were able to infiltrate the nation's second
largest health insurer to steal names, birth dates, medical
I.D.'s, Social Security numbers, street addresses, e-mail
addresses, and employment information, including income data.
These high profile breaches are the most severe of what
have become a common occurrence in our digital society. As of
2015, the Privacy Rights Clearinghouse has estimated more than
4,400 breaches involving more than 932 million records that
have been made public since 2005.
The Verizon 2014 data breach investigation report reviewed
more than 63,000 security incidents and found 1,367 confirmed
data breaches in 2013. On average, that is just shy of four
breaches every day.
While Congress has developed sector specific data security
requirements for both financial institutions and companies that
handle particular types of health information, Congress has
been unable to reach consensus on the development of national
data security and data breach notification standards.
As a result, states have taken on this task by developing
their own standards and as of today, businesses are subjected
to a patchwork of over 50 different state, district, and
territory laws that determine how businesses must notify
consumers in the event of a breach. In addition, 12 states have
enacted laws regarding data security practices.
The need for Federal action becomes clearer each day. Last
month President Obama voiced his support for national data
breach notification legislation with strong preemptive language
in part because he recognizes the benefits to American
consumers and businesses of a predictable uniform data breach
notice.
The President's support along with bipartisan and bicameral
congressional interest has renewed optimism among stakeholders
that Congress can develop a balanced and thoughtful approach
with legislation in the near term.
Today, we will focus our attention on some of the key
questions and topics of this debate, including what are the
benefits of a national data breach notification standard?
Should Congress implement a basic data security standard, to
whom should that standard apply, should the Federal standard
preempt state standards?
What should be the trigger for notification, specific
conditions that represent a potential harm to consumers, should
there be exemptions and safe harbors, if so, for who, in what
circumstances? Within what time-frame should a company be
required to notify consumers?
Should Congress enact new or stronger penalties for
enforcement authorities and remedies? What lessons can we learn
from states that have implemented their own data breach
notification standards?
I am confident that our panel with its expertise can share
valuable insight into those questions and others that the
Committee members may have, and help us find the right balance
to these issues.
I would like to recognize the Subcommittee's Ranking
Member, Senator Blumenthal, for him to deliver his opening
statement, and I would indicate to Senator Blumenthal here in
public as we have in private, that I look forward to working
very closely with you in a very thoughtful and bipartisan way
to see that our Subcommittee accomplishes good things for the
country.
STATEMENT OF HON. RICHARD BLUMENTHAL,
U.S. SENATOR FROM CONNECTICUT
Senator Blumenthal. Thank you. First of all, my thanks to
Senator Moran for his leadership, and in a very bipartisan way,
for reaching out to me and also convening this subcommittee on
a critically important topic. I really look forward to his
continued insight and very thoughtful leadership on consumer
protection issues. I am proud to serve as the Ranking Member of
this very important subcommittee.
I have served on this subcommittee for two years now. It is
critical to consumer issues that affect every day Americans. We
have delved into the General Motors' recall and the deadly
Takata airbags.
Today, the issue of data breach is no less central to
American lives, even if it seems somewhat less spectacular.
2014 was known as the year of the data breach. The importance
of this issue was brought home, as Senator Moran said, just
this morning when we read about the Anthem breach, which is
absolutely breathtaking in its scope and scale.
It is not only breathtaking but mind-bending in its extent
and potential impact, and it is potentially heartbreaking for
consumers who may be affected, not only birthdays, addresses,
e-mail and employment information, but also Social Security
numbers and income data were taken from Anthem, and
potentially, although the company has said there is no evidence
of it so far, critical health information.
This breach comes after J.P. Morgan indicated a loss of
personal information to hackers of about 83 million households.
Of course, in November, hackers, the United States
Government has said, had ties to the North Korean government,
orchestrated a disruptive attack on Sony. The Sony attack would
be comedy, but it is literally no laughing matter to other
businesses, including financial institutions on Wall Street,
health insurers and others whose vital data may be taken.
To quote the FBI Agent in New York, Leo Taddeo, who
supervises the Cyber and Special Operations Division, ``We are
losing ground in the battle with hackers.''
In December 2013, we first learned about Target's data
breach, which affected credit card information and personal
contact information for as many as 110 million consumers.
The point here is that these losses of data are not only
losses to these companies; they are potentially life changing
losses to consumers. Target, J.P. Morgan, and Anthem failed not
only the companies, but they failed their customers and
consumers when these data breaches occurred.
This fact of life is more than the cost of doing business
for these companies. It is an invasion of their privacy. It is
an invasion of consumer privacy, potentially theft of identity
and personal assets.
The billions of dollars that could have been saved by
consumers, creditors, banks, and others if companies and
universities who were collecting sensitive data spent money and
resources on better protecting that information is one of the
facts that brings us here today.
As Attorney General, I brought a number of enforcement
cases against companies that violated Connecticut's data breach
law. I worked with my colleagues, including Lisa Madigan, who
is here today, and I express special appreciation to her for
her great work in this area, and I worked with Kelly Ayotte,
who is now a colleague.
This issue is hardly a partisan one. In fact, it is
distinctly bipartisan, involving stronger protections for
sensitive consumer data, and we recognize the states as
laboratories of democracy and the great work they have done in
this area.
Let me just conclude by saying I think we have a lot of
work that needs to be done, a lot of good work that should be
done, but one guiding principle is: first do no harm. That is
do no harm to the state protections and state enforcers who
every day are seeking to protect their citizens from the
scourge and spreading problem of data theft, in order for
consumers to trust retailers, banks, and online sales, they
need to know their data is secure without abuse, whether they
are shopping online or at a bricks and mortar stores.
Consumers expect retailers collecting their sensitive
personal information will do everything in their power to
protect that data. That is a reasonable expectation. They have
a right to expect better than they are now receiving from
retailers, companies, insurers, banks, all of the institutions,
including universities and non-profits that increasingly have
the coin of the realm, which is data about consumers.
Thank you, Mr. Chairman.
Senator Moran. Thank you, Senator Blumenthal. We now will
turn to our witnesses. With us today is Ms. Cheri F. McGuire.
She is Vice President of Global Government Affairs and
Cybersecurity Policy for Symantec Corporation.
Mr. Mallory Duncan, Senior Vice President and General
Counsel of the National Retail Federation.
Dr. Ravi Pendse, who is the Chief Information Officer at
Brown University, but easier for me to say Wichita State
University, his previous employer.
Ms. Yael Weinman, Vice President for Global Privacy and
General Counsel, Information Technology Industry Council.
The Honorable Lisa Madigan, the Attorney General of the
State of Illinois, and finally, Mr. Doug Johnson, Senior Vice
President and Senior Advisor for Risk Management Policy, Office
of the Chief Economist of the American Bankers Association.
Ms. McGuire, let's begin with you.
STATEMENT OF CHERI F. McGUIRE, VICE PRESIDENT,
GLOBAL GOVERNMENT AFFAIRS AND CYBERSECURITY
POLICY, SYMANTEC CORPORATION
Ms. McGuire. Thank you so much, Chairman Moran, Ranking
Member Blumenthal, and members of the Subcommittee. Thank you
for the opportunity to testify today on this very important
issue.
As the largest security software company in the world,
Symantec's global intelligence network is made up of millions
of sensors that give us an unique view of the entire Internet
threat landscape.
As we all have seen, even as of this morning, the recent
headlines about cyber attacks have focused mostly on data
breaches across a spectrum of industries. These network
intrusions that result in stolen data have deep and profound
impacts for the individuals who must worry about and clean up
their identities, for the organizations whose systems have been
penetrated, and for the governments trying to establish the
right notification policies as well as deter and apprehend the
perpetrators.
The magnitude of threats of personally identifiable
information is unprecedented. Over just the past 2 years alone,
the number of identities exposed through network breaches is
approaching one billion. Those are just the ones we know about.
While many assume breaches are the result of sophisticated
malware or well-resourced state actor, the reality is much more
troubling. According to a recent report from the Online Trust
Alliance, 90 percent of last year's breaches could have been
prevented if organizations implemented basic cybersecurity best
practices.
While the focus on data breaches and the identities put at
risk is certainly warranted, we also must not lose sight of the
other types of cyber attacks that are equally concerning and
can have dangerous consequences.
There are a wide set of tools available to the cyber
attacker, and the incidents we see today range from basic
confidence schemes to massive denial of service attacks to
sophisticated and potentially destructive intrusions into
critical infrastructure systems.
The attackers, of course, run the gamut and include highly
organized criminal enterprises, disgruntled employees,
individual cyber criminals, so-called ``hacktivists,'' and
state-sponsored groups.
While the continuing onslaught of data breaches is well
documented, what seems to get less attention are the causes of
data breaches and what can be done to prevent them. Targeted
attacks are the single largest cause, most of which rely on
social engineering, or in simple terms, tricking people into
doing something they would not do if fully aware of the
consequences of their actions.
Last year, nearly 60 percent of data breaches occurred
through network intrusions by unauthorized users. Another major
cause is a lack of basic computer hygiene practices. While good
security will stop most of these attacks, which often seek to
exploit older known vulnerabilities, many organizations do not
have up-to-date security or patch systems, do not make full use
of the security tools available to them, or have security
unevenly applied throughout their enterprise.
What can we do? Cybersecurity is about managing risk,
assessing one's risk and developing a plan is essential. For
organizations, there are many guidelines including, as you
discussed yesterday, the NIST Cybersecurity Framework, the FCC
guidelines for small businesses, the Online Trust Alliance data
protection and breach readiness guide, and many others.
For the individual, we provide resources for managing
online security to our Norton customers, and the FTC and others
have many tips available on their websites. In fact, just this
week the SEC published best practices for individual investors
to secure their online accounts. In short, there is no shortage
of available resources.
Strong security should include intrusion protection,
reputation based security, behavioral based blocking, data
encryption backups, and data loss prevention tools. While the
criminals' tactics are constantly evolving, basic cyber hygiene
is still the simplest and most cost effective first step.
Turning to the policy landscape, Symantec supports, as you
said, Chairman Moran, a balanced and thoughtful national
standard for data breach notification built on three
principles.
First, the scope of any legislation should apply equally to
all entities that collect, maintain, or sell significant
numbers of records containing sensitive personal information.
This covers both the Government and private sector.
Second, implementing pre-breach security measures should be
central to any legislation. New legislation should not simply
require notifications of consumers in case of a breach, but
should seek to minimize the likelihood of a breach in the first
place.
Third, encryption or other proven security measures that
render data unreadable and unusable at rest or in transit
should be a key element to establish the risk based threshold
for notification. This limits the burden for both consumers and
for the breached organizations.
At Symantec, we are committed to improving online security
across the globe, and we will continue to work collaboratively
with our partners on ways to do so.
Thank you again for the opportunity to testify today, and I
will look forward to your questions later.
[The prepared statement of Ms. McGuire follows:]
Prepared Statement of Cheri F. McGuire, Vice President, Global
Government Affairs and Cybersecurity Policy, Symantec Corporation
Chairman Moran, Ranking Member Blumenthal, distinguished members of
the Committee, thank you for the opportunity to testify today on behalf
of Symantec Corporation.
My name is Cheri McGuire and I am the Vice President for Global
Government Affairs and Cybersecurity Policy at Symantec. I am
responsible for Symantec's global public policy agenda and government
engagement strategy, which includes cybersecurity, data integrity,
critical infrastructure protection (CIP), and privacy. I lead a team of
professionals spanning the U.S., Canada, Europe, and Asia, and
represent the company in key policy organizations. In this capacity, I
work extensively with industry and government organizations, and
currently serve on the World Economic Forum Global Agenda Council on
Cybersecurity, as well as on the boards of the Information Technology
Industry Council, the U.S. Information Technology Office (USITO) in
China, and the National Cyber Security Alliance. From 2010 to 2012, I
was Chair of the Information Technology Sector Coordinating Council--
one of 16 critical sectors identified by the President and the U.S.
Department of Homeland Security (DHS) to partner with the government on
CIP and cybersecurity. I am also a past board member of the IT
Information Sharing and Analysis Center (IT-ISAC). Previously, I served
in various positions at DHS, including as head of the National Cyber
Security Division and U.S. Computer Emergency Readiness Team (US-CERT).
Symantec protects much of the world's information, and is a global
leader in security, backup and availability solutions. We are the
largest security software company in the world, with over 32 years of
experience developing Internet security technology and helping
consumers, businesses and governments secure and manage their
information and identities. Our products and services protect people's
information and their privacy across platforms--from the smallest
mobile device, to the enterprise data center, to cloud-based systems.
We have established some of the most comprehensive sources of Internet
threat data in the world through our Global Intelligence Network, which
is comprised of millions of attack sensors recording thousands of
events per second, and we maintain 10 Security Response Centers around
the globe. In addition, we process billions of e-mail messages and web
requests across our 14 global data centers. All of these resources
allow us to capture worldwide security data that give our analysts a
unique view of the entire Internet threat landscape.
The hearing today not only is timely--given the recent high profile
data breaches--but also is a critically important discussion that will
help focus attention on what businesses can do to protect themselves
from similar attacks and how Congress can craft effective data breach
legislation. Symantec welcomes the opportunity to provide comments to
the Committee as it looks at how to prevent and respond to data
breaches.
In my testimony today, I will discuss:
The current cyber threat landscape;
How breaches are happening, including the methods criminals
are using to steal data;
Security measures to protect data and prevent breaches; and
Key elements for data breach legislation.
The Current Cyber Threat Landscape
Most of the recent headlines about cyber attacks have focused on
data breaches across the spectrum of industries, which have become an
all too common occurrence. Breaches impact individuals whose identities
have been stolen, the organizations with systems that have been
penetrated, and governments that are seeking ways to set data breach
policies and to apprehend the perpetrators. Organizations that suffered
significant breaches over the past few years include the State of South
Carolina, Target, Neiman Marcus, Michael's, Home Depot, and Sony, just
to name a few.
The theft of personally identifiable information (PII) over this
time-frame is simply unprecedented--over just the past two years alone,
the number of identities exposed through breaches will likely approach
one billion. And this is just from known breaches as many go unreported
or undetected. Recent data breaches have touched all parts of society
and across the globe, from governments and businesses to celebrities
and individual's households. While many assume that breaches are the
result of sophisticated malware or a well-resourced state actor, the
reality is much more troubling. According to a recent report from the
Online Trust Alliance, 90 percent of last year's breaches could have
been prevented if organizations implemented basic cybersecurity best
practices.\1\
---------------------------------------------------------------------------
\1\ https://www.otalliance.org/news-events/press-releases/ota-
determines-over-90-data-breaches-2014-could-have-been-prevented
---------------------------------------------------------------------------
In addition, the statistics from our 2014 Internet Security Threat
Report are clear that the cyber threats we are facing on a day to day
basis are growing. More than 550 million identities were exposed in
2013, which was an increase of 62 percent over the prior year, and the
top eight breaches exposed more than 10 million identities each. These
breaches often exposed real names, birth dates and/or government ID
numbers (e.g., social security numbers). Some records also exposed
other highly sensitive data, such as medical records or financial
information.
While the focus on data breaches and the identities put at risk is
certainly warranted, we also must not lose sight of the other types of
cyber attacks that are equally concerning and can have dangerous
consequences. There are a wide set of tools available to the cyber
attacker, and the incidents we see today range from basic confidence
schemes to massive denial of service attacks to sophisticated (and
potentially destructive) intrusions into critical infrastructure
systems. The economic impact can be immediate with the theft of money,
or more long term and structural, such as through the theft of
intellectual property. It can ruin a company or individual's reputation
or finances, and it can impact citizens' trust in the Internet and
their government.
The attackers run the gamut and include highly organized criminal
enterprises, disgruntled employees, individual cybercriminals, so-
called ``hacktivists,'' and state-sponsored groups. The motivations
vary--the criminals generally are looking for some type of financial
gain, the hacktivists are seeking to promote or advance some cause, and
the state actors can be engaged in espionage (traditional spycraft or
economic) or infiltrating critical infrastructure systems. These lines,
however, are not set in stone, as criminals and even state actors might
pose as hacktivists, and criminals often offer their skills to the
highest bidder. Attribution has always been difficult in cyberspace,
and is further complicated by the ability of cyber actors to mask their
motives and objectives through misdirection and obfuscation.
How Data Breaches are Occurring
While the continuing onslaught of data breaches is well documented,
what is less understood is why data breaches happen and what can be
done to prevent them. Targeted attacks remain a major cause. Some are
direct attacks on a company's servers, where attackers search for
unpatched vulnerabilities on websites or undefended connections to the
Internet. But most rely on social engineering--in the simplest of
terms, tricking people into doing something they would not do if fully
aware of the consequences of their actions. E-mail is still a major
attack vector and can take the form of broad mailings (``phishing'') or
highly targeted messages (``spear phishing''). More and more we see the
latter variety, with publicly available information used to craft an e-
mail designed to dupe a specific victim or group of victims. The goal
of both varieties is to get victims to open an infected file or go to a
malicious or compromised website.
Another major cause of breaches is a lack of basic computer hygiene
practices. While good security will stop most of these attacks--which
often seek to exploit older, known vulnerabilities--many organizations
do not have up-to-date security or patched systems, do not make full
use of the security tools available to them, or have security unevenly
applied throughout their enterprise. Even today--despite the recent
focus on the loss of personal information--a large segment of the
workforce handles sensitive information on unprotected mobile devices,
servers, desktops, and laptops.
E-mail, web mail, and removable storage devices are another source
of breaches. Most of us, at one time or another, have e-mailed
something to our personal e-mail address from our office so that we can
work on it later. If our e-mail accounts or home computers are
compromised, or if we misplace the thumb drive we use to transport
files, any sensitive, unencrypted data is now lost and our organization
suffers a data breach. And of course, breaches can occur through
outright theft, often by a fired or disgruntled employee.
Cybercriminals are also targeting the places where we ``live and
play'' online in order to get at sensitive personal data. Social media
is an increasingly sinister tool for cybercriminals. It is particularly
effective in direct attacks, as people tend to trust things that appear
to come from a friend's social media feed. But social media is also
widely used to conduct reconnaissance for spear phishing or other
targeted attacks. It can provide just the kind of personal details that
a skilled attacker can use to get a victim to let his or her guard
down. The old cliche is true when it comes to cyber attacks: we have to
be right 100 percent of the time in protecting ourselves, while the
attacker only has to get it right once.
Security Measures to Protect Data and Prevent Breaches
Cybersecurity is about managing risk, whether at the individual or
the organizational level. Assessing one's risk and developing a plan is
essential. For the individual, the Federal Trade Commission's website
is an excellent starting point for doing so.\2\ The website provides
educational resources for how to better protect your identity and
privacy online as well as helpful tools to help you report and recover
if your personal information is ever stolen.
---------------------------------------------------------------------------
\2\ http://www.consumer.ftc.gov/topics/privacy-identity
---------------------------------------------------------------------------
For organizations of any size, the NIST Cyber Security Framework
\3\, developed by industry and government in 2014 and in which Symantec
was an active contributor, provides a solid structure for risk
management. It lays out five core cybersecurity functions (Identify,
Protect, Detect, Respond and Recover) that all organizations can use to
plan for managing cyber events and protecting against data breaches, as
well as useful references to international standards. As detailed
below, good security starts with the basics and includes measures
specific to one's needs.
---------------------------------------------------------------------------
\3\ http://www.nist.gov/cyberframework/
---------------------------------------------------------------------------
Basic Security Steps
When it comes to security, it starts with the basics. Though
criminals' tactics are continually evolving, good cyber hygiene is
still the simplest and most cost-effective first step. Strong passwords
remain the foundation of good security--on home and work devices, e-
mail, social media accounts, or whatever you use to communicate (or
really anything you log into). And these passwords must be different,
because using a single password means that a breach of one account
exposes all of your accounts. Using a second authentication factor
(whether through a text message, a smart card, biometrics, or a token
with a changing numeric password) significantly increases the security
of a login.
Patch management is also vital. Individuals and organizations
should not delay installing patches, or software updates, because the
same patch that closes a vulnerability can be a roadmap for a criminal
to exploit and compromise any unpatched devices. The reality is that a
large percentage of computers around the world, including some in large
organizations, do not get patched regularly, and cybercriminals count
on this. While so-called ``zero day exploits''--previously unknown
critical vulnerabilities--get the most press, it is older, unpatched
vulnerabilities that cause most systems to get compromised.
Modern Security Software
Poor or insufficiently deployed security can also lead to a breach,
and a modern security suite that is being fully utilized is also
essential. While most people still commonly refer to security software
as ``anti-virus'' or AV, advanced security protection is much more than
that. In the past, the same piece of malware would be delivered to
thousands or even millions of computers. Today, cybercriminals can take
the same malware and create unlimited unique variants that can slip
past basic AV software. If all your security software does is check for
signatures (or digital fingerprints) of known malware, you are by
definition not protected against even moderately sophisticated attacks.
Put differently, a check-the-box security program that only includes
installation of basic AV software may give you piece of mind--but that
is about all it will give you.
Modern security software does much more than look for known
malware: it monitors your system, watching for unusual Internet
traffic, activity, or system processes that could be indicative of
malicious activity. At Symantec we also use what we call Insight and
SONAR, which are reputation-based and behavior-based heuristic security
technologies. Insight is a reputation-based technology that uses our
Global Intelligence Network to put files in context, using their age,
frequency, location and other characteristics to expose emerging
threats that might otherwise be missed. If a computer is trying to
execute a file that we have never seen anywhere in the world and that
comes from an unknown source, there is a high probability that it is
malicious--and Insight will either warn the user or block it. SONAR is
behavior-based protection that uses proactive local monitoring to
identify and block suspicious processes on computers.
Tailoring Security to the Device
Security should also be specific to the device being protected. For
example, modern Point of Sale (PoS) systems, which were linked to a
number of major data breaches, are at their core just computers running
mainstream operating systems. Because a user on such a device typically
does not browse the web, send e-mails, or open shared drives, the
functionally of the machine and the files that actually need to be on
it are limited. This allows businesses to reduce the attack surface by
locking down the system and using application control tools, as well as
controlling which devices and applications are allowed to access the
network. Doing so can render many strains of malware useless because
they would not be allowed to run on the devices.
In addition, payment card system infrastructure is highly complex
and threats can be introduced at any number of points within the
system. Last year we released a report, Attacks on Point of Sale
Systems, that provides an overview of the methods that attackers may
use to gain entry into a system.\4\ It also describes the steps that
retailers and other organizations can use to protect PoS systems and
mitigate the risk of an attack.
---------------------------------------------------------------------------
\4\ Special Report on Attacks on Point of Sale Systems, Symantec
Security Response (February 2014). http://www.symantec.com/content/en/
us/enterprise/media/security_response/whitepap
ers/attacks_on_point_of_sale_systems.pdf
---------------------------------------------------------------------------
Encrypting and Monitoring Data
Encryption also is key to protecting your most valuable data. Even
the best security will not stop a determined attacker, and encrypting
your sensitive data provides defense in breadth, or across many
platforms. Good encryption ensures that any data stolen will be useless
to virtually all cybercriminals. The bottom line in computer security
is no different from physical security--nothing is perfect. We can make
it hard, indeed very hard, for an attacker, but if resourced and
persistent criminals want to compromise a particular company or site,
with time they are probably going to find a way to do it. Good security
means not just doing the utmost to keep them out, but also to recognize
that you must take steps to limit any damage they can do should they
get in.
Data loss Prevention (DLP) tools are also important in keeping your
most valuable data safe and securely on your system. The latest DLP
technology allows the user to monitor, protect and manage confidential
data wherever it is stored and used--across endpoints, mobile devices,
networks, and storage systems. It can help stop the theft of sensitive
data by alerting the system manager before the data is exfiltrated, or
moved outside the system.
Key Elements for Data Breach Legislation
In the U.S. today, there are at least 48 state-specific data breach
notification laws. This creates an enormous compliance burden,
particularly for smaller companies, and does little to actually protect
consumers. Symantec supports a national standard for data breach
notification, built on three principles:
1. Data security legislation should apply equally to all. The scope
of any legislation should include all entities that collect,
maintain, or sell significant numbers of records containing
sensitive personal information. Requirements should apply to
government and the private sector equally, and should include
educational institutions and charitable organizations as well.
By the same token, any new legislation should consider existing
Federal regulations that govern data breach for some sectors
and not create duplicative, additional, or conflicting rules.
2. Implementing pre-breach security measures should be a part of any
legislation. Breaches are much less costly for companies that
are proactive in applying security. New legislation should not
simply require notification of consumers in the event of a data
breach, but should seek to minimize the likelihood of a breach
by pushing organizations to take reasonable security measures
to ensure the confidentiality and integrity of sensitive
personal information. Numerous standards, best practices, and
guidelines already exist to help organizations establish a
cybersecurity program or improve an existing one.
3. The use of encryption or other security measures that render data
unreadable and unusable should be a key element in establishing
the threshold for the need for notification. Any notification
scheme should minimize ``false positives''--notices to
individuals who are later shown not to have been impacted by a
breach because their data was rendered unusable before it was
stolen. A clear reference to the ``usability'' of information
should be considered when determining whether notification is
required in case of a breach. Promoting the use of encryption
as a best practice would significantly reduce the number of
``false positives,'' thus reducing the burden on consumers,
businesses, and governments.
Conclusion
Data breaches are continuing at an unprecedented pace, putting
consumers at risk and damaging the public's trust in the Internet.
While we cannot prevent every cyber attack or every data breach,
applying cybersecurity best practices and using risk management
principles to protect data appropriately can significantly reduce the
attack surface and the impacts we see today. Moreover, legislation
cannot stop breaches from happening, but smart data breach legislation
can help businesses and governments respond effectively and
efficiently, and empower consumers with accurate and timely
information. At Symantec, we are committed to improving online security
and we look forward to continuing to work with government and industry
on ways to do so. Thank you again for the opportunity to testify, and I
will be happy to answer any questions you may have.
Senator Moran. Exactly 5 minutes. Thank you very much. Mr.
Duncan?
STATEMENT OF MALLORY B. DUNCAN,
GENERAL COUNSEL AND SENIOR VICE PRESIDENT,
NATIONAL RETAIL FEDERATION
Mr. Duncan. Chairman Moran, Ranking Member Blumenthal,
members of the Subcommittee, thank you for this opportunity.
Data breaches need to be correctly and forcibly addressed.
They fundamentally affect our economy's push toward greater
efficiency and cost effectiveness.
By way of context, there is a long history of interception
of private communications by individuals and by governments:
from steaming open letters to tapping into telephone
conversations. Today, we have super computers and the Internet.
Together, they are creating a public network with virtually no
boundaries, far more versatile and efficient than all the
technology that has gone before.
Governments entrust them with critical infrastructure,
businesses with their most valuable intellectual property, and
millions of people type their deepest secrets into Google, all
the while knowing the system is vulnerable to intrusion, both
by governments and by sophisticated bad actors.
This interconnected technology is in many ways still in its
infancy, having really commercially begun just a quarter
century ago. We are still discovering its capabilities, its
limitations and risks.
Today, we are here to address one of the most significant
risks to emerge--data breach. It is Congress' challenge to
incentivize companies to manage this risk in ways that preserve
the innovation and benefits this technology clearly offers.
How can Congress do that? There are three essential
elements--uniform notice, express preemption, and strong
consensus of the laws notice. Let's recognize that data
breaches affect everyone.
As the Chairman referenced, in the 2014 Verizon report,
retailers suffered their share of breaches, 11 percent.
Government agencies incurred a slightly higher percentage.
Hotels and restaurants combined constituted 10 percent of
breaches, while financial institutions represent 34 percent.
It is not because those with the most breaches have the
weakest security. It is because bad actors are always looking
for the biggest bang for the buck, and no single set of data
security standards is fully protective of any industry.
In a complex economy, each type of business is vulnerable
to data breaches in a different way, be it theft of account
numbers or Cloud data or intellectual property. Congress needs
to provide incentives for companies to increase their security,
and nothing motivates like sunlight. Requiring that every
company have the same public notice obligations will provide
this needed light.
Uniform notice has two benefits. It can help individuals
take steps to protect themselves, but equally important, the
consequences of requiring all companies to publicly expose
their data breaches is a powerful incentive for them to improve
security.
NRF members are some of the best known retail companies in
America. Recent very public breaches and discussions on how to
avoid them have engaged our members' most senior executives. As
a result, our members are investing in unique and tailored
solutions in an effort to address this ever morphing problem.
Our nation's economy is bigger than retail. Congress needs
to encourage disclosure and the incentive for security it
brings across the board from all entities that handle sensitive
information.
Preemption. There are more than 50 jurisdictions with
breach notice laws. Many have common elements but they are not
the same. Some cover different datasets, require particular
state officials to be notified, and so forth.
Mid-sized companies struggling with the consequences of a
breach face a morass of conflicting laws that have become
little more than traps for the unwary. In the midst of a breach
when a company should be focusing on securing its network and
identifying affected customers, they instead divert their
limited resources to paying law firms to clear them from
regulatory ``gotchas.''
We need an uniform preemptive Federal law. It would
simplify the process for businesses and provide consistent
notices for consumers nationwide, but it must be real
preemption, otherwise the Federal law just becomes the
52nd set of requirements that companies have to
follow, and you will have accomplished worse than nothing.
Finally, it would not be appropriate to preempt the states
only to adopt the weakest law. Rather, for a Federal standard,
you should be looking well above the median, not the most
excessive, perhaps, but language that reflects the strong
consensus of the state laws.
We at NRF urge you to go further, establish the same notice
obligations for all entities handling sensitive data. Congress
should not permit notice holes, situations where some entities
are exempt from reporting their known breaches. If we want
meaningful incentives to increase security, everyone needs to
have skin in the game.
In closing, NRF believes that those three elements, uniform
notice, express preemption, and a strong consensus law enforced
by Federal authorities and the state AGs, are essential steps
to properly and forcibly address the data breach conundrum that
is plaguing businesses and consumers.
Thank you.
[The prepared statement of Mr. Duncan follows:]
Prepared Statement of Mallory B. Duncan, General Counsel and Senior
Vice President, National Retail Federation
Chairman Moran, Ranking Member Blumenthal, and members of the
Subcommittee, on behalf of the National Retail Federation (NRF), I want
to thank you for giving us the opportunity to testify at this hearing
and provide you with our views on data breach notification legislation
and protecting American's sensitive information. NRF is the world's
largest retail trade association, representing discount and department
stores, home goods and specialty stores, Main Street merchants,
grocers, wholesalers, chain restaurants and Internet retailers from the
United States and more than 45 countries. Retail is the Nation's
largest private sector employer, supporting one in four U.S. jobs--42
million working Americans. Contributing $2.6 trillion to annual GDP,
retail is a daily barometer for the Nation's economy.
Collectively, retailers spend billions of dollars safeguarding
sensitive customer information and fighting fraud. Data security is
something that our members strive to improve every day. Virtually all
of the data breaches we've seen in the United States during the past
year--from attacks on the networked systems of retailers, entertainment
and technology companies that have been prominent in the news, to a
reported series of attacks on our largest banks that have received less
attention--have been perpetrated by criminals that are breaking the
law. All of these companies are victims of these crimes and we should
keep that in mind as we explore this topic and public policy
initiatives relating to it.
This issue is one that we urge the Committee to examine in a
holistic fashion: we need to reduce fraud or other economic harm that
may result from a data breach. That is, we should not be satisfied with
simply determining what to do after a data breach occurs--that is, who
to notify and how to assign liability. Instead, it's important to look
at why such breaches occur, and what the perpetrators get out of them,
so that we can find ways to reduce and prevent not only the breaches
themselves, but the follow-on harm that is often the goal of these
events. If breaches become less profitable to criminals, then they will
dedicate fewer resources to committing them, and our goals will become
more achievable.
With that in mind, these comments are designed to provide some
background on data breaches and on fraud, explain how these events
impact all business's networked systems, discuss some of the
technological advancements retailers have promoted that could improve
the security of our networks, offer additional ways to achieve greater
payment security, and suggest the elements of data breach notification
legislation that may provide the best approach to developing a uniform,
nationwide notification standard, based on the strong consensus of
state laws, that applies to all businesses that handle sensitive
personal information of consumers.
Data Breaches in the United States
Unfortunately, data breaches are a fact of life in the United
States, and virtually every part of the U.S. economy and government is
being attacked in some way. In its 2014 Data Breach Investigations
Report, Verizon determined there were 63,347 data security incidents
reported by industry, educational institutions, and governmental
entities in 2013, and that 1,367 of those had confirmed data losses. Of
those, the financial industry suffered 34 percent, public institutions
(including governmental entities) had 12.8 percent, the retail industry
had 10.8 percent, and hotels and restaurants combined had 10 percent.
Figure 1 below illustrates where breaches occur.
Where Breaches Occur (Figure 1)
Source: 2014 Data Breach Investigations Report, Verizon \1\
---------------------------------------------------------------------------
\1\ 2014 Data Breach Investigations Report by Verizon, available
at: http://www.verizon
enterprise.com/DBIR/2014/
It may be surprising to some, given recent media coverage, that
three times more data breaches occur at financial institutions than at
retailers. And, it should be noted, even these figures obscure the fact
that there are far more merchants that are potential targets of
criminals in this area, as there are one thousand times more merchants
accepting card payments in the United States than there are financial
institutions issuing cards and processing those payments. It is not
surprising that the thieves focus far more often on banks, which have
our most sensitive financial information--including not just card
account numbers but bank account numbers, social security numbers and
other identifying data that can be used to steal identities beyond
completing some fraudulent transactions.
These figures are sobering. There are far too many breaches. And,
breaches are often difficult to detect and carried out in many cases by
criminals with real resources behind them. Financially focused crime
seems to most often come from organized groups in Eastern Europe rather
than state-affiliated actors in China, but the resources are there in
both cases. The acute pressure on consumer-serving companies, including
those in e-commerce, as well as on our financial system, is due to the
overriding criminal goal of financial fraud. We need to recognize that
this is a continuous battle against determined fraudsters and be guided
by that reality.
Breaches Affect Everyone; Federal Legislation Should Be Similarly
Comprehensive
The Year of the Breach, as 2014 has been nicknamed, was replete
with news stories about data security incidents that raised concerns
for all American consumers and for the businesses with which they
frequently interact. Criminals focused on U.S. businesses, including
merchants, banks, telecom providers, cloud services providers,
technology companies, and others. These criminals devoted substantial
resources and expertise to breaching the most advanced data protection
systems. Vigilance against these threats is necessary, but we need to
focus on the underlying causes of breaches as much as we do on the
effects of them.
If there is anything that the recently reported data breaches have
taught us, it is that any security gaps left unaddressed will quickly
be exploited by criminals. For example, the failure of the payment
cards themselves to be secured by anything more sophisticated than an
easily-forged signature makes the card numbers particularly attractive
to criminals and the cards themselves vulnerable to fraudulent misuse.
Likewise, cloud services companies that do not remove data when a
customer requests its deletion, leave sensitive information available
in cloud storage for thieves to later break in and steal, all while the
customer suspects it has long been deleted. Better security at the
source of the problem is needed. The protection of Americans' sensitive
information is not an issue on which unreasonably limiting
comprehensiveness makes any sense.
In fact, the safety of Americans' data is only as secure as the
weakest link in the chain of entities that share that data for a
multitude of purposes. For instance, when information moves across
communications lines--for transmission or processing--or is stored in a
``cloud,'' it would be senseless for legislation to exempt these
service providers, if breached, from comparable data security and
notification obligations to those that the law would place upon any
other entity that suffers a breach. Likewise, data breach legislation
should not subject businesses handling the same sensitive customer data
to different sets of rules with different penalty regimes, as such a
regulatory scheme could lead to inconsistent public notice and
enforcement.
Given the breadth of these invasions, if Americans are to be
adequately protected and informed, Federal legislation to address these
threats must cover all of the types of entities that handle sensitive
personal information. Exemptions for particular industry sectors not
only ignore the scope of the problem, but create risks criminals can
exploit. Equally important, a single Federal law applying to all
breached entities would ensure clear, concise and consistent notices to
all affected consumers regardless of where they live or where the
breach occurs.
Third-Party Exemptions
Figure 2, below, illustrates what some legislative proposals,
introduced in the last Congress, would require in terms of notice by
third parties. This graphic illustrates a typical payment card
transaction in which this Committee has jurisdiction over all of the
entities except for the bank. In a typical card transaction, a payment
card is swiped at a card-accepting business, such as a retail shop, and
the information is transmitted via communications carriers to a data
processor, which in turn processes the data and transmits it over
communications lines to the branded card network, such as Visa or
MasterCard, which in turn processes it and transmits it over
communications lines to the card-issuing bank. (Typically there also is
an acquirer bank adjacent to the processor in the system, which figure
2 omits.) Some legislative proposals would only require the retail
shop, in this example, to provide notice of a breach of security. The
data processor, data transmitter or card company suffering a breach
would qualify as a third-party whose only obligation, if breached, is
to notify the retail shop of their breach--not affected consumers or
the public--so that the retailer provides notice on their behalf. And
the bank suffering a breach would be exempt from notifying consumers or
the public under most Federal legislative proposals to date. Not only
does this notice regime present an inaccurate picture to consumers, but
it is fraught with possible over-notification because payment
processors and card companies are in a one-to-many relationship with
retailers. If the retailers must bear the burden for every other entity
in the networked system that suffers a breach, then 100 percent of the
notices would come from entities that suffer only 11 percent of the
breaches. This is neither fair nor enlightened public policy.
Notice Obligations Should Apply to All Breached Entities (Figure 2)
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
A recent example illustrates this point about the risk of over-
notifying and confusing American consumers if this proposed third-party
notice rule illustrated in Figure 2 is adopted. The largest payment
card breach in history occurred at a payment processor, Heartland
Payment Systems, which was breached in 2008 resulting in the compromise
of over 130 million payment cards. If Heartland had only followed the
proposed third-party notice rule in Federal legislation, rather than
notifying the public of its breach (as it did), it would have only been
obligated to separately notify each of the merchants that it processed
payments for, letting them know the affected card numbers that were
breached. Those merchants (who were not breached) would, in turn, have
to request (and possibly pay for) the contact information for each
cardholder through some arrangement with each affected card company or
card-issuing bank, and then make notice to those affected customers
and/or make ``substitute'' notice (where individualized notice cannot
be made) by announcing the breach to the general public. If affected
consumers shopped at a number of retailers that all used the same
payment processor that suffered the breach (Heartland, in this
hypothetical), the consumers could potentially receive slightly
different notices from each store--all providing what they knew about
the breach of the same payment processor--when none of those branded
retail stores actually suffered the breach itself. This proposal
creates an untenable public policy solution that neither serves
consumers nor businesses that have secured their own networks.
Just as merchants, such as Target, who have publicly acknowledged a
breach have taken tremendous steps to heighten their security,
Heartland continued to harden its systems (after notifying of its own
breach) and now is recognized as one of the most secure platforms in
the industry. The threat of public notice has had a multiplier effect
on other commercial businesses.
Indeed, Congress could go further: it could establish the same data
breach notice obligations for all entities handling sensitive data that
suffer a breach of security. Congress should not permit ``notice
holes''--the situation where certain entities are exempt from reporting
known breaches of their own systems. If we want meaningful incentives
to increase security, everyone needs to have skin in the game.
Financial Institution Exemptions
Many legislative proposals last Congress, however, had ``notice
holes,'' where consumers would not receive disclosures of breaches by
certain entities. Perhaps the notice hole that has been left unplugged
in most proposals is the exemption from notification standards for
entities subject to the Gramm Leach Bliley Act (GLBA), which itself
does not contain any statutory language that requires banks to provide
notice of their security breaches to affected consumers or the public.
Interpretive information security guidelines issued by Federal banking
regulators in 2005 did not address this lack of a requirement when it
set forth an essentially precatory standard for providing consumer
notice in the event banks or credit unions were breached. Rather, the
2005 interagency guidelines state that banks and credit unions
``should'' conduct an investigation to determine whether consumers are
at risk due to the breach and, if they determine there is such a risk,
they ``should'' provide consumer notification of the breach.\2\ These
guidelines fall short of creating a notification requirement using the
language of ``shall,'' an imperative command used in proposed breach
notification legislation for entities that would be subject to Federal
Trade Commission enforcement. Instead, banks and credit unions are left
to make their own determinations about when and whether to inform
consumers of a data breach.
---------------------------------------------------------------------------
\2\ Interagency Guidance on Response Programs for Unauthorized
Access to Customer Information and Customer Notice, 70 Fed. Reg. 15736
(Mar. 29, 2005) promulgating 12 C.F.R. Part 30, app. B, Supplement A
(OCC); 12 C.F.R. Part 208, app. D-2, Supplement A and Part 225, app. F,
Supplement A (Board); 12 C.F.R. Part 364, app. B, Supplement A (FDIC);
and 12 C.F.R. Part 570, app. B, Supplement A (OTS), accessible at:
https://www.fdic.gov/news/news/financial/2005/fil2705.html.
---------------------------------------------------------------------------
Several accounts in 2014 of breaches at the largest U.S. banks
demonstrate the lack of any notice requirement under the interagency
guidelines. It was reported in news media last Fall that as many as one
dozen financial institutions were targeted as part of the same cyber-
attack scheme.\3\ It is not clear to what extent customers of many of
those institutions had their data compromised, nor to our knowledge
have the identities of all of the affected institutions been made
public The lack of transparency and dearth of information regarding
these incidents reflects the fact that banks are not subject to the
same requirements to notify affected customers of their own breaches of
security as other businesses are required now under 47 state laws and
would be required under most proposed Federal legislation, despite the
fact that financial institutions hold Americans' most sensitive
financial information. A number of the more seasoned and robust state
laws, such as California's breach notification law, have not exempted
financial institutions from their state's breach notification law
because they recognize that banks are not subject to any Federal
requirement that says they ``shall'' notify customers in the event of a
breach of security.
---------------------------------------------------------------------------
\3\ ``JP Morgan Hackers Said to Probe 13 Financial Firms,''
Bloomberg (Oct. 9, 2014).
---------------------------------------------------------------------------
Service Provider Exemptions
Another notice hole that has remained unplugged in legislative
proposals for many years is the service provider breach exemption,
similar to the bank breach exemption, that would permit an entity
providing data transmission or storage services to avoid providing
consumer or public notice when it is aware of a breach of its data
system. Other businesses, such as retailers, are required to provide
notice even if they don't have the contact information for the affected
consumers. The service provider exemption would, however, permit no
notice at all to be made, not even to the FTC or law enforcement for a
known breach of security affecting sensitive personal information.
Surely Congress should not pass a disclosure law that provides a free
pass for known breaches of security to certain service providers simply
because they have successfully had such an exemption inserted into some
past legislative proposals. Allowing this type of hole in notice
requirements does not make sense. Just because a telecommunications
provider, cloud data service, payment processor or other company
provides a service to another business does not mean it should not have
to provide notice of its data breaches. With an exemption for service
providers like these, there is real risk that the public won't get
information it needs and/or that other businesses will have to plug the
gap and take the attendant cost and blame for someone else's data
breach. And, of course, such a scheme would not create the incentives
for service providers to improve their data security systems.
General Principle for Notification
With respect to establishing a national standard for individual
notice in the event of a breach of security at an entity handling
sensitive personal information, the only principle that makes sense is
that these breached entities should be obligated to notify affected
individuals or make public notice when they discover breaches of their
own systems. Just as the Federal Trade Commission (FTC) expects there
to be reasonable data security standards employed by each business that
handles sensitive personal information, a Federal breach notification
bill should apply notification standards that ``follow the data'' and
apply to any entity in a networked system that suffers a breach of
security when sensitive data is in its custody. With respect to those
who have called upon the entity that is ``closest to the consumer'' to
provide the notice, we would suggest that the one-to-many relationships
that exist in the payment card system and elsewhere will ultimately
risk having multiple entities all notify about the same breach--someone
else's breach. This is not the type of transparent disclosure policy
that Congress has typically sought. An effort to promote relevant
notices should not obscure transparency as to where a breakdown in the
system has occurred. Indeed, a public notice obligation on all entities
handling sensitive data would create significant incentives for every
business that operates in our networked economy to invest in reasonable
data security to protect the sensitive data in its custody. By
contrast, a Federal law that permits ``notice holes'' in a networked
system of businesses handling the same sensitive personal information--
requiring notice of some sectors, while leaving others largely exempt--
will unfairly burden the former and unnecessarily betray the public's
trust.
More than 50 U.S. Jurisdictions Have Notice Laws; Congress Should Step
in Now to Establish a Nationwide, Uniform Standard to Benefit
Both Consumers and Businesses
For more than a decade, the U.S. federalist system has enabled
every state to develop its own set of disclosure standards for
companies suffering a breach of data security and, to date, 47 states
and 4 other Federal jurisdictions (including the District of Columbia
and Puerto Rico) have enacted varying data breach notification laws.
Many of the states have somewhat similar elements in their breach
disclosure laws, including definitions of covered entities and covered
data, notification triggers, timeliness of notification, provision
specifying the manner and method of notification, and enforcement by
state attorneys general. But they do not all include the same
requirements, as some cover distinctly different types of data sets,
some require that particular state officials be notified, and a few
have time constraints (although the vast majority of state laws only
require notice ``without unreasonable delay'' or a similar phrase.)
Over the past ten years, businesses such as retailers, to whom all
the state and Federal territory disclosure laws have applied, have met
the burden of providing notice, even when they did not initially have
sufficient information to notify affected individuals, through
standardized substitute notification procedures in each state law.
However, with an increasingly unwieldy and conflicting patchwork of
disclosure laws covering more than 50 U.S. jurisdictions, it is time
for Congress to acknowledge that the experimentation in legislation
that is at the state level that defines our federalist system has
reached its breaking point, and it is time for Congress to the step in
to create a national, uniform standard for data moving in interstate
commerce in order to ensure uniformity of a Federal act's standards and
the consistency of their application across jurisdictions.
For years, NRF has called on Congress to enact a preemptive Federal
breach notification law that is modeled upon the strong consensus of
existing laws in nearly every state, the District of Columbia, Puerto
Rico and other Federal jurisdictions. A single, uniform national
standard for notification of consumers affected by a breach of
sensitive data would provide simplicity, clarity and certainty to both
businesses and consumers alike. Importantly, a single Federal law would
permit companies victimized by a criminal hacking to devote greater
attention in responding to such an attack to securing their networks,
determining the scope of affected data, and identifying the and
customers to be notified, rather than diverting limited time and
resources to a legal team attempting to reconcile a patchwork of
conflicting disclosure standards in over 50 jurisdictions. In sum,
passing a Federal breach notification law is a common-sense step that
Congress should take now to ensure reasonable and timely notice to
consumers while providing clear compliance standards for businesses.
Preemption of state laws and common laws that create differing
disclosure standards is never easy, and there is a long history of
Supreme Court and other Federal courts ruling that, even when Congress
expresses an intent to preempt state laws, limiting the scope of the
preemption will not result in preemption. All it will accomplish is to
add yet another law, this time federal, to the state statutes and
common laws already in effect, resulting in the continuation of a
confusing tapestry of state law requirements and enforcement regimes. A
Federal act that leaves this in place would undermine the very purpose
and effectiveness of the Federal legislation in the first place.
In order to establish a uniform standard, preemptive Federal
legislation is necessary. But that does not mean (as some have
contended) that the Federal standard must or should be ``weaker'' than
the state laws it would replace. On the contrary, in return for
preemption, the Federal law should reflect a strong consensus of the
many state laws. Some have called for a more robust notification
standard at the Federal level than exists at the state level. Without
adding unnecessary bells and whistles, NRF believes that Congress can
create a stronger breach notification law by removing the exemptions
and closing the types of ``notice holes'' that exist in several state
laws, thereby establishing a breach notification standard that applies
to all businesses--as this Committee has done in previous consumer
protection legislation that is now Federal law. This approach would
enable members that are concerned about preempting state laws to do so
with confidence that they have created a more transparent and better
notification regime for consumers and businesses alike. It is a way
this Committee and Congress can work to enact a law with both robust
protection and preemption.
We urge you, therefore, in pursuing enactment of Federal breach
notification legislation, to adopt a framework that applies to all
entities handling sensitive personal information in order to truly
establish uniform, nationwide standards that lead to clear, concise and
consistent notices to all affected consumers whenever or wherever a
breach occurs. When disclosure standards apply to all businesses that
handle sensitive data, it will create the kind of security-maximizing
effect that Congress wishes to achieve.
Multi-Tiered Set of Data Security Standards Applicable to Retailers
Theoretically, security is like defense. One could spend all one's
money on defense and still not be 100 percent protected. In the real
world it is even more difficult.
Federal and State Data Security Standards
Data security standards vary depending on the nature of an entity's
business and where it operates. Over the past half-century, the United
States has essentially taken a sector-specific approach to data privacy
(including data security) requirements, and our current legal framework
reflects this. For example, credit reporting agencies, financial
institutions, and health care providers, just to name a few regulated
sectors, have specific data security standards that flow from laws
enacted by Congress, such as the Fair Credit Reporting Act (FCRA), the
Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and
Accountability Act (HIPAA), respectively. Those operating in other
industry sectors that are subject to the jurisdiction of the Federal
Trade Commission (FTC) must abide by the standards of care enforced by
the FTC under Section 5 of the FTC Act, which give the Commission
broad, discretionary authority to prosecute ``unfair or deceptive acts
or practices'' (often referred to as their ``UDAP'' authority). On top
of this Federal statutory and regulatory framework, states have
regulated businesses' data security practices across a variety of
industry sectors and enforced consumer protection laws through their
state consumer protection agencies and/or their attorneys general.
Legal exposure for data security failures is dependent on the
Federal or state laws to which a business may be subject and is alleged
to violate. The FTC, for example, has been very active in bringing over
50 actions against a range of companies nationwide that are not
otherwise subject to a sector-specific Federal data security law (e.g.,
GLBA, HIPAA, etc.). For example, under its Section 5 UDAP authority,
the FTC has brought enforcement actions against entities that the
Commission believes fall short in providing ``reasonable'' data
security for personal information. Nearly all of these companies have
settled with the FTC, paid fines for their alleged violations
(sometimes to the extent of millions of dollars), and agreed to raise
their security standards and undergo extensive audits of their
practices over the next several decades to ensure that their data
security standards are in line with the FTC's order.
Effect of Imposing GLBA-Like Standards with FTC Enforcement
Providing the FTC, however, with the authority to enforce
discretionary data security standards like those in the GLBA guidelines
would dramatically expand FTC authority. Banking regulators take an
audit/examination approach to regulating companies and work with them
through an iterative process to help the institution come into
compliance where it may be lacking without the threat of severe
penalties. The FTC, by contrast, takes an enforcement approach, which
under a GLBA guidelines standard, would require a post-hoc
determination of a company's compliance with an amorphous standard in a
world where the technological threat vectors are ever-changing. In an
enforcement approach, entities are either guilty or not, and more often
guilty by the mere fact of a breach; unlike with GLBA guidelines,
companies regulated by the FTC are not able to get several bites at the
apple working with regulators until they know they are in compliance
with the regulator's vision for the rule. Companies regulated by the
FTC would have to guess at what will satisfy the agency and, if their
security is breached, the strong enforcement presumption would be that
the company failed to meet the standard.
The different enforcement regimes between financial institutions
and entities subject to the FTC's jurisdiction is also evident in the
manner and frequency with which fines are assessed and civil penalties
imposed for non-compliance with a purported data security standard.
Banks are rarely (if ever) fined by their regulators for data security
weaknesses. But, as noted, commercial companies have been fined
repeatedly by the FTC. Providing an agency like the FTC, with an
enforcement approach, a set of standards with significant room for
interpretation is likely to lead to punitive actions that are different
in kind and effect on entities within the FTC's jurisdiction than the
way the standards would be utilized by banking regulators in an
examination. A punitive approach to companies already victimized by a
crime would not be appropriate nor constructive in light of the fact
that the FTC itself has testified before this Committee that no
system--even the most protected one money can buy--is ever 100 percent
secure.
Improving Payment Card Security
Using the best data security technology and practices available
still does not guarantee that a business can avoid suffering a data
security breach. Therefore, raising security standards alone may not be
the most efficient or effective means of preventing potential harm to
consumers. With respect to payment card numbers, for example, it is
possible that no matter how much security is applied by a business
storing these numbers, the numbers may be stolen from a business's
database in a highly sophisticated security breach that can evade even
state-of-the-art system security measures. Because of these risks, it
makes sense for industry to do more than just apply increased network
or database security measures. One sensible proposal is to minimize the
storage by businesses of the full set of unredacted and unencrypted
payment card numbers necessary to complete a transaction--a data
protection principle known as ``data minimization.'' Another method to
help prevent downstream fraud from stolen card numbers is to require
more data or numbers (such as a 4-digit PIN) from a consumer than
simply the numbers that appear on a card to authorize and complete
payment card transactions.
For example, a decade ago, the National Retail Federation asked the
branded card networks and banks to lift the requirement that retailers
store full payment card numbers for all transactions. Retailers have
also pushed to phase-out signature-authentication for cards and,
instead, use a more secure authentication method for credit and debit
card transactions, such as the PIN-based authentication that banks
require for accessing bank accounts through ATM machines. PINs can
provide an extra layer of security against downstream fraud even if the
card numbers (which the card companies already emboss on the outside of
a card) are stolen in a breach. In PIN-based transactions, for example,
the stored 20-digits from the card would, alone, be insufficient to
conduct a fraudulent transaction in a store without the 4-digit PIN
known to the consumer and not present on the card itself. These
business practice improvements are easier and quicker to implement than
any new Federal data security law, and they hold the promise of being
more effective at preventing the kind of financial harm that could
impact consumers as companies suffer data security breaches affecting
payment cards in the future.
On October 17, 2014, the President signed an executive order
initiating the BuySecure Initiative for government payment cards.\4\
The order provided, among other things, that payment cards issued to
government employees would include PIN and chip technology and that
government equipment to handle and process transactions would be
upgraded to allow acceptance of PIN and chip. These are common-sense
actions that recognize that while it may not be possible to ensure
there is never another data security breach, it is still possible to
minimize the harms that can come from those breaches--and reduce the
incentives from criminals to try to steal some data in the first place.
---------------------------------------------------------------------------
\4\ Executive Order--Improving the Security of Consumer Financial
Transactions, The White House, October 17, 2014. Accessible at: http://
www.whitehouse.gov/the-press-office/2014/10/17/executive-order-
improving-security-consumer-financial-transactions
---------------------------------------------------------------------------
PCI-DSS Standards
When it comes to protecting payment card data, however, retailers
are essentially at the mercy of the dominant credit card companies. The
credit card networks--Visa, MasterCard, American Express, Discover and
JCB--are responsible for an organization known as the PCI (which stands
for ``Payment Card Industry'') Data Security Council. PCI establishes
data security standards (PCI-DSS) for payment cards. While well-
intentioned in concept, these standards have not worked quite as well
in practice. They have been inconsistently applied, and their avowed
purpose has been significantly altered.
PCI has, in critical respects over time, pushed card security costs
onto merchants even when other decisions might have more effectively
reduced fraud--or done so at lower cost. For example, retailers have
long been required by PCI to encrypt the payment card information that
they have. While that is appropriate, PCI has not required financial
institutions to be able to accept that data in encrypted form. That
means the data often has to be de-encrypted at some point in the
process in order for transactions to be processed.
Similarly, merchants are expected to annually demonstrate PCI
compliance to the card networks, often at considerable expense, in
order to benefit from a promise that the merchants would be relieved of
certain fraud inherent in the payment system, which PCI is supposed to
prevent. However, certification by the networks as PCI Compliant
apparently has not been able to adequately contain the growing fraud
and retailers report that the ``promise'' increasingly has been
abrogated or ignored. Unfortunately, as card security expert Avivah
Litan of Gartner Research wrote recently, ``The PCI (Payment Card
Industry) security standard has largely been a failure when you
consider its initial purpose and history.'' \5\
---------------------------------------------------------------------------
\5\ ``How PCI Failed Target and U.S. Consumers,'' by Avivah Litan,
Gartner Blog Network, Jan. 20, 2014, available at http://
blogs.gartner.com/avivah-litan/2014/01/20/how-pci-failed-target-and-u-
s-consumers/.
---------------------------------------------------------------------------
Retailers have spent billions of dollars on card security measures
and upgrades to comply with PCI card security requirements, but it
hasn't made them immune to data breaches and fraud. The card networks
have made those decisions for merchants and the increases in fraud
demonstrate that their decisions have not been as effective as they
should have been.
Improving Technology Solutions to Better Protect Consumers in Payment
Transactions
PIN-Authentication of Cardholders
There are technologies available that could reduce fraud. An
overhaul of the fraud-prone cards that are currently used in the U.S.
market is long overdue. As I noted, requiring the use of a PIN is one
way to reduce fraud. Doing so takes a vulnerable piece of data (the
card number) and makes it so that it cannot be used on its own. This
ought to happen not only in the brick-and-mortar environment in which a
physical card is used but also in the online environment in which the
physical card does not have to be used. Many U.S. companies, for
example, are exploring the use of a PIN for online purchases. This may
help directly with the 90 percent of U.S. fraud which occurs online. It
is not happenstance that automated teller machines (ATMs) require the
entry of a PIN before dispensing cash. Using the same payment cards for
purchases should be just as secure as using them at ATMs.
End-to-End Encryption
Another technological solution that could help deter and prevent
data breaches and fraud is encryption. Merchants are already required
by PCI standards to encrypt cardholder data but, not everyone in the
payments chain is required to be able to accept data in encrypted form.
That means that data may need to be de-encrypted at some points in the
process. Experts have called for a change to require ``end-to-end'' (or
point-to-point) encryption which is simply a way to describe requiring
everyone in the payment-handling chain to accept, hold and transmit the
data in encrypted form.
According to the September 2009 issue of the Nilson Report ``most
recent cyberattacks have involved intercepting data in transit from the
point of sale to the merchant or acquirer's host, or from that host to
the payments network.'' The reason this often occurs is that ``data
must be decrypted before being forwarded to a processor or acquirer
because Visa, MasterCard, American Express, and Discover networks can't
accept encrypted data at this time.'' \6\
---------------------------------------------------------------------------
\6\ The Nilson Report, Issue 934, Sept. 2009 at 7.
---------------------------------------------------------------------------
Keeping sensitive data encrypted throughout the payments chain
would go a long way to convincing fraudsters that the data is not worth
stealing in the first place--at least, not unless they were prepared to
go through the arduous task of trying to de-encrypt the data which
would be necessary in order to make use of it. Likewise, using PIN-
authentication of cardholders now would offer some additional
protection against fraud should this decrypted payment data be
intercepted by a criminal during its transmission ``in the clear.''
Tokenization and Mobile Payments
Tokenization is another variant that could be helpful. Tokenization
is a system in which sensitive payment card information (such as the
account number) is replaced with another piece of data (the ``token'').
Sensitive payment data could be replaced with a token to represent each
specific transaction. Then, if a data breach occurred and the token
data were stolen, it could not be used in any other transactions
because it was unique to the transaction in question. This technology
has been available in the payment card space since at least 2005.\7\
Still, tokenization is not a panacea, and it is important that
whichever form is adopted be an open standard so that a small number of
networks not obtain a competitive advantage, by design, over other
payment platforms.
---------------------------------------------------------------------------
\7\ For information on Shift4's 2005 launch of tokenization in the
payment card space see http://www.internetretailer.com/2005/10/13/
shift4-launches-security-tool-that-lets-merchants-re-use-credit.
---------------------------------------------------------------------------
In addition, in some configurations, mobile payments offer the
promise of greater security as well. In the mobile setting, consumers
won't need to have a physical card--and they certainly won't replicate
the security problem of physical cards by embossing their account
numbers on the outside of their mobile phones. It should be easy for
consumers to enter a PIN or password to use payment technology with
their smart phones. Consumers are already used to accessing their
phones and a variety of services on them through passwords. Indeed, if
we are looking to leapfrog the already aging current technologies,
mobile-driven payments may be the answer.
Indeed, as much improved as they are, the proposed chips to be
slowly rolled out on U.S. payment cards are essentially dumb computers.
Their dynamism makes them significantly more advanced than magstripes,
but their sophistication pales in comparison with the common
smartphone. Smartphones contain computing powers that could easily
enable comparatively state-of-the-art fraud protection technologies. In
fact, ``the new iPhones sold over the weekend of their release in
September 2014 contained 25 times more computing power than the whole
world had at its disposal in 1995.'' \8\ Smart phones soon may be
nearly ubiquitous, and if their payment platforms are open and
competitive, they will only get better.
---------------------------------------------------------------------------
\8\ ``The Future of Work: There's an app for that,'' The Economist
(Jan. 3, 2015).
---------------------------------------------------------------------------
The dominant card networks have not made all of the technological
improvements suggested above to make the cards issued in the United
States more resistant to fraud, despite the availability of the
technology and their adoption of it in many other developed countries
of the world, including Canada, the United Kingdom, and most countries
of Western Europe.
In this section, we have merely described some of the solutions
available, but the United States isn't using any of them the way that
it should be. While everyone in the payments space has a responsibility
to do what they can to protect against fraud and data theft, the card
networks have arranged the establishment of the data security
requirements and yet, in light of the threats, there is much left to be
desired.
Legislative Solutions Beyond Breach Notification
In addition to the marketplace and technological solutions
suggested above, NRF also supports a range of legislative solutions
that we believe would help improve the security of our networked
systems, ensure better law enforcement tools to address criminal
intrusions, and standardize and streamline the notification process so
that consumers may be treated equally across the Nation when it comes
to notification of data security breaches.
Legislation Protecting Consumers' Debit Cards to the Same Extent as
Credit Cards
From many consumers' perspective, payment cards are payment cards.
As has been often noted, consumers would be surprised to learn that
their legal rights, when using a debit card--i.e., their own money--are
significantly less than when using other forms of payment, such as a
credit card. It would be appropriate if policy makers took steps to
ensure that consumers' reasonable expectations were fulfilled, and they
received at least the same level of legal protection when using their
debit cards as they do when paying with credit.
NRF strongly supports legislation like S. 2200, the ``Consumer
Debit Card Protection Act,'' cosponsored by Senators Warner and Kirk
last Congress. S. 2200 was a bipartisan solution that would immediately
provide liability protection for consumers from debit card fraud to the
same extent that they are currently protected from credit card fraud.
This is a long overdue correction in the law and one important and
productive step Congress could take immediately to protect consumers
that use debit cards for payment transactions.
Legislation Protecting Businesses that Voluntarily Share Cyber-Threat
Information
In addition, NRF supports the passage by Congress of legislation
like H.R. 624, the ``Cyber Intelligence Sharing and Protection Act,''
cosponsored last Congress by Congressmen Rogers and Ruppersberger, and
which passed the House of Representatives with bipartisan support. This
legislation would protect and create incentives for private entities in
the commercial sector to lawfully share information about cyber-threats
with other private entities and the Federal government in real-time.
This would help companies better defend their own networks from cyber-
attacks detected elsewhere by other business.
Legislation Aiding Law Enforcement Investigation and Prosecution of
Breaches
We also support legislation that would provide more tools to law
enforcement to ensure that unauthorized network intrusions and other
criminal data security breaches are thoroughly investigated and
prosecuted, and that the criminals that breach our systems to commit
fraud with our customers' information are swiftly brought to justice.
Conclusion
In summary, a Federal breach notification law should contain three
essential elements:
1. Uniform Notice: Breached entities should be obligated to notify
affected individuals or make public notice when they discover
breaches of their own systems. A Federal law that permits
``notice holes'' in a networked system of businesses handling
the same sensitive personal information--requiring notice of
some sectors, while leaving others largely exempt--will
unfairly burden the former and unnecessarily betray the
public's trust.
2. Express Preemption of State Law: A single, uniform national
standard for notification of consumers affected by a breach of
sensitive data would provide simplicity, clarity and certainty
to both businesses and consumers alike. Passing a Federal
breach notification law is a common-sense step that Congress
should take now to ensure reasonable and timely notice to
consumers while providing clear compliance standards for
businesses.
3. Reflect the Strong Consensus of State Laws: A national standard
should reflect the strong consensus of state law provisions.
NRF believes that Congress can create a stronger breach
notification law by removing the exemptions and closing the
types of ``notice holes'' that exist in several state laws,
thereby establishing a breach notification standard that
applies to all businesses, similar to the comprehensive
approach this Committee has taken in previous consumer
protection legislation that is now Federal law.
Appendix
What Retailers Want You To Know About Data Security \9\
---------------------------------------------------------------------------
\9\ Slides Available at: http://www.slideshare.net/
NationalRetailFederation/thingsto-know-data
security?ref=https://nrf.com/media/press-releases/retailers-reiterate-
support-federal-data-breach-notification-standard
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
---------------------------------------------------------------------------
______
Senator Moran. Thank you, Mr. Duncan.
Dr. Pendse?
STATEMENT OF RAVI PENDSE, Ph.D., VICE PRESIDENT AND CHIEF
INFORMATION OFFICER, BROWN UNIVERSITY, CISCO FELLOW, PROFESSOR
OF PRACTICE, COMPUTER SCIENCE AND ENGINEERING
Dr. Pendse. Good morning, Chairman Moran, Ranking Member
Blumenthal, and distinguished members of the Committee and my
eminent panelists here. Thank you so much for the opportunity
to testify today about the data breach and notification
legislation. It is truly an honor.
I want to commend you for investing your valuable time to
discuss this important area of cyber infrastructure and
protection. As younger citizens get online in schools
leveraging the power of the Internet to learn and create
knowledge, your work on this legislation will be critical to
protect our youth.
As the amount of data continues to increase exponentially,
primarily driven by our mobile and highly connected lifestyle,
your work on this legislation will be critical to protect our
``netizens.''
As Internet connected devices on the ``Internet of Things''
increase in number from 10 billion to a projected 50 billion by
2020, impacting our economy by as much as $19 trillion,
according to many experts, your work on this legislation will a
critical catalyst to empower connected innovation and wealth
generation.
As connected robots and 3D printing fundamentally change
how we manufacture goods and manage our supply chain, your work
on this legislation will be critical to supporting next
generation innovation and our leadership in the world. We are
truly looking at some exciting times.
My name is Ravi Pendse. I have the privilege and honor to
serve as Vice President and Chief Information Officer at Brown
University. I am a Brown University Cisco Fellow and a senior
member of IEEE. I am also a faculty member in both computer
science and engineering.
My area of expertise and research is in ``Internet of
Things,'' cybersecurity, and aviation network security. I take
great pride in admitting that I am a nerd.
The Privacy Rights Clearinghouse, as the Chairman pointed
out, has reported there have been over 932 million records
compromised in over 4,000 plus breaches since 2005.
Just yesterday, as was mentioned, Anthem reported a very
large breach, and that breach may impact people in this room
since many Federal employees, as I understand, are covered by
some of the programs Anthem offers.
We as individuals, organizations, and the Nation must
continue to focus in this area for the protection of our
consumers and national security.
Currently, 47 states, including Rhode Island, where Brown
is located, the District of Columbia, Guam, Puerto Rico, and
the Virgin Islands, have enacted data breach legislation. While
there are similarities between these state laws, no two are
exactly alike.
As a university with students from all 50 states, we are
impacted by all of them. Maintaining the necessary standards
for each state is challenging and very difficult. This can
create a barrier for small innovative organizations lacking the
expertise to address the specifics of state laws. In my view,
this type of burden will stifle innovation.
Breach notification is a national issue, so I would
encourage you to consider a single national legislation. In my
view, such legislation should clearly define the rules and
actions that are required in the case of a breach. It should
identify the methods, speed, delivery, and content of
notifications.
A hard time limit for breach notification may be
unattainable for small organizations, non-profits, and
educational institutions. A tiered approach based upon the size
and designation of an organization would make compliance
possible for all.
It should also encourage organizations that collect data to
be cognizant about the use of such data. Consumers, especially
the young ones, appear to be happy to give away their data and
their privacy to services, including social media sites, for
the sake of convenience.
All acts should clearly define expectations of security for
organizations collecting and storing personally identifiable
data. Given the highly publicized breaches that have been
mentioned, it is apparent that more work is needed. No matter
what the size of the company, certain expectations of security
should be defined when data is collected and stored.
Most importantly, it should provide incentives to establish
education to better combat breaches, so preventive actions are
necessary. It is important for us to develop cybersecurity
expertise within the U.S. Our national security cannot be
offshored.
In conclusion, I applaud your efforts and appreciate the
opportunity for this dialogue. I have more details in my
written testimony. I stand by to assist you in any way I can.
Cybersecurity and cybersecurity education is critical. Our
national security cannot be offshored.
Thank you.
[The prepared statement of Dr. Pendse follows:]
Prepared Statement of Ravi Pendse, Ph.D., Vice President and Chief
Information Officer, Brown University, Cisco Fellow, Professor of
Practice, Computer Science and Engineering
Executive Summary
With an ever-increasing collection of databases, the impact of
``big data'' on privacy, and the monetary value of personal data used
for identity and financial theft, today's America is in need of sound
and achievable legislation around data security, privacy, and the
notification of consumers after a data breach. Such legislation would
benefit all U.S. citizens as well as the organizations collecting and
protecting their data.
National legislation governing data breaches will have many
advantages over existing state laws and reduce the burden that these
dissimilar state laws place on complying organizations. While it's
necessary for us to pursue centralized standards, it's important to
produce legislation that accommodates organizations of all sizes. In
addition to laws regarding data breaches, we should create incentives
for proactive measures to reduce the likelihood of breaches, one of the
most important being the development of a trained cybersecurity
workforce through education and training.
Introduction
Good morning Chairman Moran, Ranking Member Blumenthal, and
distinguished Members of the Committee. Thank you so much for the
opportunity to testify today about the data breach and notification
legislation, it is truly an honor.
I want to commend you for investing your valuable time to discuss
this important area of cyberinfrastructure and protection. As younger
citizens get online in schools leveraging the power of the Internet to
learn and create knowledge, your work on this legislation will be
critical to protect our youth. As the amount of data continues to
increase exponentially, primarily driven by our mobile and highly
connected lifestyle, your work on this legislation will be critical to
protect our netizens. As internet-connected devices on the ``Internet
of Things'' increase in number from 10 billion to a projected 50
billion by 2020, impacting our economy by as much as $19 trillion, your
work on this legislation will be a critical catalyst to empower
connected innovation and wealth generation. As connected robots and 3-D
printing fundamentally change how we manufacture goods and manage our
supply chain, your work on this legislation will be critical to
supporting next-generation innovation and our leadership in the world.
My name is Ravi Pendse. I have the privilege and honor to serve as
the Vice President and Chief Information Officer at Brown University. I
am a Brown University Cisco Fellow and a senior member of IEEE. I am
also a faculty member in both Computer Science and Engineering. My area
of expertise and research is in the ``Internet of Things'',
cybersecurity, and aviation network security; I also teach classes in
these fields. Currently, I am teaching a class called ``Internet of
Everything'' so your work on this legislation is critical to many young
people I interact with each day who I know will change our world for
the better.
Thank you again for the opportunity to provide written and verbal
testimony relative to a uniform Federal law concerning the definition,
protection, and notification of the personally identifiable information
of consumers. This is a necessary and extremely relevant topic in our
hyper-connected world. The Privacy Rights Clearinghouse reports that
there have been over 932,700,000 records compromised in over 4,450 U.S.
breaches since April 2005. Countless high-profile security breaches
have appeared in the news in the last year. My university witnesses an
average of 30,000 attempted attacks each day.
As long as there is a black market for the sale of personal and
financial data, and these breaches are attainable, the attacks will
continue. At the same time, we are living a mobile and highly connected
lifestyle, American children are getting online at a younger age, and
ten billion of our household devices are connected to the Internet.
This ubiquity of connectivity makes sound security principles and
postures a necessity. We, as individuals, enterprises, and a nation,
must continue to focus on this area for the protection of our consumers
and national security.
Background
Security breach notification laws have been written in most U.S.
states since 2002. The first such law, California SB 1386, became the
de facto standard for all states nationwide. Since then, other states
have been more descriptive in their remedies, making each, in effect, a
standard as they appear.
Forty-seven states (including Rhode Island, where Brown is
located), the District of Columbia, Guam, Puerto Rico, and the Virgin
Islands have enacted legislation requiring private or government
entities to notify individuals of security breaches involving
personally identifiable information. Many of these state security
breach laws have provisions regarding which entities must comply with
the law; how ``personal information'' is defined (such as name combined
with Social Security number or driver's license number); what
constitutes a breach; how, when, and to whom a notice must be sent; and
which situations are exempt (such as a breach of encrypted
information). No two are exactly alike.
As a university with students from 49 states, we are impacted by
them all. Maintaining the necessary standards for each state has been
not only onerous, but also difficult to completely and legally address.
This can create a barrier for small, innovative organizations lacking
the expertise or legal team to address the specifics of state laws.
Breach notification is a national issue, and the definition of
entities, timing, and requirements should not be left to the individual
states. Of course, the state Attorney General would have the ability to
protect the citizens of their jurisdiction and make claims as such.
Having one standard for this conduct would be beneficial to those who
protect the information and respond when a security incident occurs.
Recommendations for Cybersecurity Breach Legislation
A single national legislation governing data breaches should be
established to replace disparate state laws. This legislation should .
1. . . . define the rules and actions that are required in the case
of a breach, including the method, speed, delivery, and content
of notifications.
2. . . . adjust for the size, nature, and scope of both the breach
and the organization. For example, a hard time limit for breach
notification may be unattainable for small organizations,
nonprofits, and educational institutions without skills in deep
forensics and data science. A tiered approach based upon the
severity of the breach and size and designation of the
organization would make compliance achievable to all.
3. . . . be compliant with current national legislation (such as
HIPAA, GLBA, and HITECH) and prevent the possibility of
conflict with other Federal laws.
4. . . . mandate that organizations disclose what happens to
customer data. Consumers appear to be happy to give away their
data (and their privacy) to services including social media
sites for the sake of convenience. A requirement to inform
consumers how their data and information will be used is a
relevant response to this changing landscape of data exchange.
5. . . . define expectations of security for organizations
collecting and storing personally identifiable data. Given the
highly publicized breaches that have occurred in the past
twelve to eighteen months, it is apparent that even many larger
enterprises do not provide necessary security. No matter what
the size of the company, certain expectations of security
should be defined when data is collected and stored.
6. . . . create incentives for the formation of industry forums such
as the Financial Services Information Sharing and Analysis
Center (FS-ISAC). Such forums provide an opportunity to share
threats and approaches within an industry.
7. . . . consider compliance with the accepted framework by the
National Institute of Standards and Technology (NIST), or any
framework that meets or exceeds the NIST standards, in order to
establish the baseline against which to audit.
8. . . . most importantly, provide measures or incentives that
establish education to better combat breaches. It is important
for us to develop cybersecurity expertise within the U.S.; our
national security cannot be offshored. Cisco's 2014 Security
Report estimated a global shortage of more than a million
security professionals. While efforts like the National
Initiative for Cybersecurity Education (NICE) have attempted to
address this shortage, the numbers and expertise of available
professionals are still lacking. Cybersecurity programs should
be encouraged both in K-12 and higher education. A K-12 program
would prepare students to protect themselves as well as join
the workforce. Incentives for the expansion of certified
cybersecurity programs in higher education, including emerging
graduate programs, could make a more immediate impact on the
size of the workforce. Similar to the Teach for America
program, we could create a conduit for trained security
graduates to enter the workforce by establishing a loan
forgiveness program dependent upon a designated amount of years
in the profession.
Conclusion
We must continue to work on multiple fronts to mitigate the impact
of data breaches. Legislation that sets national standards will provide
clarity for organizations and balanced protections for all U.S.
citizens. As this is a global problem, we must continue to leverage and
maximize resources whenever possible to understand and detect
persistent threats.
I would be supportive of an effort to create a single, national law
around data security and breaches; a national law will remove the undue
burden of complying with forty-seven disparate state laws. However, we
must be careful to avoid a ``one size fits all'' model that could be
impossible to attain for small organizations, nonprofits, and
education. Established tiers of responsibility and compliance levels
may better serve all, while legislating a single set of standards that
can be embraced and addressed successfully.
In addition to reactive legislation around the handling of data
breaches, we need to be proactive. I strongly recommend incentives for
proactive measures to reduce the likelihood of breaches, one of the
most important being educational initiatives to develop a trained
cybersecurity workforce. From additional Americans with forensics
expertise to an engaged and educated nation of consumers, we should
remember that people provide one of the most critical lines of defense.
Senator Moran. Doctor, thank you. Good to see you again.
Mr. Johnson?
STATEMENT OF DOUG JOHNSON, SENIOR VICE PRESIDENT AND SENIOR
ADVISOR FOR RISK MANAGEMENT POLICY, AMERICAN BANKERS
ASSOCIATION
Mr. Johnson. Yes, good morning, Chairman Moran, Ranking
Member Blumenthal, members of the Subcommittee. My name is Doug
Johnson, Senior Vice President at the American Bankers
Association. I currently lead the Association's physical and
cybersecurity business, Continuity and resiliency policy
efforts at the Association.
ABA shares the concerns of Congress about protecting
consumers in this increasingly sophisticated world of
electronic commerce and recordkeeping. It is clear consumers
enjoy the efficiency and convenience of conducting transactions
electronically.
Notwithstanding these recent breaches, our payment system
remains strong and functional, and it is absolutely mandatory
that we maintain that trust in the system so that it remains
essentially a system that our customers can continue to trust.
While the majority of the transactions are conducted
safely, occasional breaches will occur and will continue to
occur. Consumers have the right to swift, accurate, and
effective notification of these breaches. They also have a
right to trust that whenever they conduct business
electronically the business is doing everything it can to
prevent that the breach is occurring in the first place.
Mr. Duncan mentioned the Verizon study, international
sample of private companies and police stations around the
world. Other organizations, such as the Identity Theft Resource
Center, noted that United States' businesses reported over 30
percent of the reported breaches for 2014, while financial
institutions represented 6 percent.
While our numbers may differ and we do believe the United
States' numbers are more appropriate to cite, I believe that
our intent frankly is the same, and our intent is to ensure
that we are protecting customer data, and I think that is
essentially both of our goals.
The banking industry supports effective cybersecurity
policy and will continue to work with Congress to achieve that
goal. Banks are acknowledged leaders in defending against cyber
threats. Therefore, from the financial services' perspective,
it is critical that legislation takes a balanced approach that
builds upon but does not duplicate or undermine what is already
in place and effective for the financial sector.
There are three key points that must be considered with
regard to data protection standards. First, as others have
noted, we do need a national data standard, a data breach
standard. Consumer electronic payments are not confined by
borders between states. As such, a national standard for data
security and breach notification is of paramount importance.
Currently, 46 states, three U.S. territories, and the
District of Columbia have enacted laws governing data security
in some fashion. Although some of these laws are similar, many
have inconsistent and conflicting standards, forcing businesses
to comply with multiple regulations and leaving many consumers
without proper recourse or protection.
Inconsistent state laws and regulations should be preempted
in favor of strong Federal data protection and notification
requirements.
Second, any Federal data protection and notification
requirement must recognize existing national data protection
and notification requirements. Some industries, including
financial services, are already required to by law to develop
and maintain robust internal protections. They are also
required to protect consumer financial information and notify
customers when a breach occurs within their systems that would
put customers at risk.
We believe the extensive breach reporting requirements
currently in place for banks provide an effective basis for any
national data breach reporting requirement for businesses
generally.
Finally, there must be a strong national data protection
requirement associated with any data breach law. All parties
must share the responsibility and cost for protecting
consumers. The cost of the data breach should ultimately be
borne by the entity that incurs the breach.
To limit such breaches, any comprehensive data breach
requirement must have strong data protection requirements
applicable to any party with access to important consumer
financial information.
Thank you, and I will be happy to answer any questions you
may have.
[The prepared statement of Mr. Johnson follows:]
Prepared Statement of Doug Johnson, Senior Vice President and Senior
Advisor for Risk Management Policy, American Bankers Association
Chairman Moran, Ranking Member Blumenthal, my name is Doug Johnson,
Senior Vice President, payments and cybersecurity policy, of the
American Bankers Association. In that capacity, I currently lead the
association's physical and cybersecurity, business continuity and
resiliency policy and fraud deterrence efforts on behalf of our
membership. I appreciate the opportunity to be here to represent the
ABA and discuss the importance of instituting a uniform Federal data
breach law in place of disparate state laws. The ABA is the voice of
the Nation's $15 trillion banking industry, which is composed of small,
regional and large banks that together employ more than 2 million
people, safeguard $11 trillion in deposits and extend over $8 trillion
in loans.
As the 114th Congress engages in public debate on the important
issue of data security, we share your concerns about protecting
consumers in this increasingly sophisticated world of electronic
commerce and record keeping. It is clear that consumers enjoy the
efficiency and convenience of conducting transactions electronically.
Notwithstanding these recent breaches, our payment system remains
strong and functional. No security breach seems to stop the $3 trillion
that Americans spend safely and securely each year with their credit
and debit cards. And with good reason: Customers can use these cards
confidently because their banks protect them from losses by investing
in technology to detect and prevent fraud, reissuing cards and
absorbing fraud costs. While the vast majority of these transactions
are conducted safely, occasional breaches will continue to occur.
Consumers have a right to swift, accurate, and effective notification
of such breaches. They also have a right to trust that, wherever they
transact business electronically, the business is doing everything it
can to prevent that breach from occurring in the first place.
The banking industry supports effective cyber security policy and
will continue to work with Congress to achieve that goal. Banks are
acknowledged leaders in defending against cyber threats. Therefore,
from the financial services perspective it is critical that legislation
takes a balanced approach that builds upon--but does not duplicate or
undermine--what is already in place and highly effective in the
financial sector.
In my testimony I will focus on three main points:
The value of a national data breach standard. Consumers'
electronic payments are not confined by borders between states.
As such, a national standard for data security and breach
notification is of paramount importance.
The importance of recognizing existing Federal breach
requirements. Any Federal data protection and notification
requirement must recognize existing national data protection
and notification requirements.
The need for strong national data protection requirements.
All parties must share the responsibility, and the costs, for
protecting consumers. The costs of a data breach should
ultimately be borne by the entity that incurs the breach. To
limit such breaches, any comprehensive data breach requirement
must have strong data protection requirements applicable to any
party with access to important consumer financial information.
I. The Value of a National Data Breach Standard
Our existing national payments system serves hundreds of millions
of consumers, retailers, banks, and the economy well. It only stands to
reason that such a system functions most effectively when it is
governed by a consistent national data breach policy.
Currently, 46 states, three U.S. territories, and the District of
Columbia have enacted laws governing data security in some fashion,
such as standards for data breach notification and for the safeguarding
of consumer information. Although some of these laws are similar, many
have inconsistent and conflicting standards, forcing businesses to
comply with multiple regulations and leaving many consumers without
proper recourse and protection. Inconsistent state laws and regulations
should be preempted in favor of strong Federal data protection and
notification requirements. In the event of a breach, the public should
be informed where it occurred as soon as reasonably possible to allow
consumers to protect themselves from fraud.
Given the mobile nature of our Nation's citizens, it is clear that
the existing patchwork of state data breach laws are unduly complicated
for consumers as well as businesses. For instance, consider a couple
residing in a northern state who winter in a southern one and have
their credit card data compromised at a merchant in a third state. In
this instance, the couple wants to be alerted that their financial data
has been compromised and that they are protected. Determining where the
couple may or may not reside and which state laws may or may not apply
unduly complicates the simple need to protect the couple from financial
harm. It also diverts resources at the merchant and the bank toward
determining how to comply with a myriad of laws as opposed to fixing
the problem.
We believe that the following set of principles should serve as a
guide when drafting legislation to provide stronger protection for
consumer financial information:
1. Inconsistent state laws and regulations should be preempted in
favor of strong Federal data protection and notification
standards.
2. Strong national data protection and consumer notification
standards with effective enforcement provisions must be part of
any comprehensive data security regime, applicable to any party
with access to important consumer financial information.
3. Requirements for industries that are already subject to robust
data protection and notification requirements must be
recognized.
4. In the event of a breach, the public should be informed where it
occurred as soon as reasonably possible to allow consumers to
protect themselves from fraud. The business with the most
direct financial relationship with affected consumers should be
able to inform their customers and members about information
regarding the breach, including the entity at which the breach
occurred.
5. The costs of a data breach should ultimately be borne by the
entity that incurs the breach.
II. The Importance of Recognizing Existing Federal Breach Requirements
As we enact a national data breach requirement, some industries--
including the financial industry--are already required by law to
develop and maintain robust internal protections to combat and address
criminal attacks, and are required to protect consumer financial
information and notify consumers when a breach occurs within their
systems that will put their customers at risk.
Title V of the Gramm-Leach-Bliley Act (GLBA) requires banks to
implement a ``risk-based'' response program to address instances of
unauthorized access to customer information systems. At a minimum, a
response program must:
1. Assess the nature and scope of any security incident and identify
what customer information systems and customer information may
have been accessed or misused;
2. Notify the institution's primary Federal regulator ``as soon as
possible'' about any threats ``to sensitive customer
information.''
3. Notify appropriate law enforcement authorities and file
Suspicious Activity Reports in situations involving Federal
criminal violations requiring immediate attention;
4. Take appropriate steps to contain the incident to prevent further
unauthorized access to or use of customer information, and
5. Notify customers ``as soon as possible'' if it is determined that
misuse of customer information has occurred or is reasonably
possible.
A critical component of the GLBA guidelines is customer
notification. When a covered financial institution becomes aware of a
material breach of ``sensitive customer information,'' it must conduct
a reasonable investigation to determine whether the information has
been or can be misused. If it determines that misuse of the information
``has occurred or is reasonably possible,'' it must notify affected
customers ``as soon as possible.''
Under GLBA, sensitive customer information includes the customer's
name, address or telephone number in conjunction with the customer's
Social Security number, driver's license number, credit card, debit
card or other account number or personal identification number.
Sensitive customer information also includes any combination of
components of customer information that would allow someone to log onto
or access the customer's account, such as user name and password.
A covered financial institution must also provide a clear and
conspicuous notice. The notice must describe the incident in general
terms and the type of customer information affected. It must also
generally describe the institution's actions to protect the information
from further unauthorized access and include a telephone number. The
notice also must remind customers to remain vigilant over the next 12
to 24 months and to promptly report incidents of suspected identity
theft to the institution.
Where appropriate, the notice also must include:
1. Recommendation to review account statements immediately and
report suspicious activity;
2. Description of fraud alerts and how to place them;
3. Recommendation that the customer periodically obtain credit
reports and have fraudulent information removed;
4. Explanation of how to receive a free credit report; and
5. Information about the FTC's identity theft guidance for
consumers.
We believe the extensive breach reporting requirements currently in
place for banks provide an effective basis for any national data breach
reporting requirement for businesses generally.
III. The Need for Strong National Data Protection Requirements
Any legislation focused on creating a national standard for breach
notification should also include a complementary national data security
standard for covered entities. If Congress does not address data
security standards now it misses the opportunity to instill a greater
overall level of data security protections for consumers.
Every business must share in the responsibility to protect
consumers. With that responsibility should come the requirement for
that business, whether it be a bank, merchant, third party processor or
other entity, to bear the costs for any breach they incur.
To limit the potential for data breaches in the first place, any
comprehensive national data breach requirement should be enacted in
tandem with strong data protection requirements applicable to any party
with access to important consumer financial information. Limiting the
potential for such breaches through strong data protection is the
first, essential, line of defense in our efforts to maintain customer
trust and confidence in the payments system
Effective data protection requirements are scalable. For instance,
bank regulations, through GLBA, recognize that the level of risk to
customer data varies significantly across banks. Large banks require
continual, on-site examination personnel, while community-based
institutions are subject to periodic information security examinations.
Data security is also an ongoing process as opposed to the state or
condition of controls at a point in time. As opposed to proscribing
specific technological security requirements, GLBA and the associated
bank regulatory requirements are risk and governance-based. Bank
security programs are required to have ``strong board and senior
management level support, integration of security activities and
controls throughout the organization's business processes, and clear
accountability for carrying out security responsibilities.'' \1\
---------------------------------------------------------------------------
\1\ Federal Financial Institution Examination Council IT Handbook,
available at http://ithandbook.ffiec.gov/it-booklets/information-
security/introduction/overview.aspx
---------------------------------------------------------------------------
IV. The Path Forward
The legal, regulatory, examination and enforcement regime regarding
banks ensures that banks robustly protect American's personal financial
information. We believe that this regime provides an appropriate,
scalable model for other businesses entrusted with sensitive customer
financial and other information.
Senator Moran. Attorney General Madigan, welcome.
STATEMENT OF HON. LISA MADIGAN, ATTORNEY GENERAL, STATE OF
ILLINOIS
Ms. Madigan. Thank you, Chairman Moran, Ranking Member
Blumenthal, and members of the Subcommittee. I appreciate
having an opportunity to testify today.
Data security is one of the biggest challenges that we face
as a nation. It is an ongoing struggle for all Americans and
the companies, non-profits, and government agencies that hold
our personal information.
While last year's massive data breaches reawakened many in
the public, breaches are not a new problem. Because of that, 10
years ago, I joined 43 other Attorneys General, including at
the time Attorneys General Blumenthal and Ayotte, in a
bipartisan call for a strong, meaningful national breach
notification law, and for over a decade, my office has helped
people clean up identity theft damage and investigated major
breaches.
In 2005, I drafted Illinois' breach notification law to
ensure consumers are told when their personal financial
information is compromised, and in 2006, I created an identity
theft unit and hotline to help consumers restore their credit
when their information was obtained and used without their
authorization. So far, we have helped over 37,000 people remove
over $27 million worth of fraudulent charges from their credit.
At this point, Americans realize that it is not a matter of
if but when they will be a victim of some form of identity
theft. The question now is what we do to best assist them to
prevent data breaches and reduce identity theft.
First, I want you to recognize that for the most part, we
already have data breach notification in this country. As you
are aware, 47 states have laws requiring companies to notify
people when their personal financial information is
compromised. Many states are working to pass their second or
third update to their laws in response to the constant threats
that are revealed by the almost 4,500 publicly known breaches
that have affected over 900 million records since 2005. In this
environment, Americans need and expect more transparency of
data breaches, not less. Last year, I held over 25 roundtables
on data breaches throughout Illinois with nearly 1,000
residents, including local government officials, law
enforcement, small business owners, religious leaders, senior
citizens, heads of social service agencies, as well as regular
consumers.
Here is what they told me. First, they are concerned by the
increasing number of breaches and when their information is
stolen, they want to know. Second, they want to know what they
can do to protect themselves from identity theft. And third,
they want to know whether entities are doing enough to prevent
breaches and protect their information.
A weak national law that restricts what most state laws
have long provided will not meet Americans' increasing
expectation that they be told when their information has been
stolen. Instead, any definition of ``protected personal
information'' should be broad and include the growing types of
sensitive information that entities are collecting from
individuals, and the FTC should be able to update the
definition in response to new threats.
In terms of whether entities are doing enough to protect
people's data, unfortunately, as you have already heard from
Ms. McGuire and I can tell you from my office's investigations,
it has been revealed that entities too often fail to take basic
data security precautions.
We have found numerous instances where entities allowed
sensitive personal data to be maintained unencrypted, failed to
install security patches for known software vulnerabilities,
collected sensitive data that was not needed, retained data
longer than necessary, and failed to protect against
compromised log-in credentials.
Congress should include a provision that requires entities
holding sensitive information to take reasonable steps to
protect that information.
Next, an entity who suffers a breach should not be
conducting a self-serving harm analysis to determine whether
consumers get notified about a data breach. Imagine if a
landlord learned that a renter's home was robbed and that
landlord had the opportunity to decide whether the stolen items
were significant enough to let the renter know about the
robbery. This is what you will allow when data is stolen with
the so-called ``harm analysis.''
Further, Congress should designate a Federal entity to
investigate when massive data breaches that affect millions of
Americans, similar to how the NTSB can investigate accidents.
Finally, I know that Congress will consider preempting
states' breach notification laws. As a state official, I oppose
Federal legislation that limits our ability at the state level
to respond to and to safeguard our residents.
If Congress does preempt the states, the preemption
provision must be narrow. The law should preserve the states'
ability to use their own consumer protection laws and Congress
should give the states the right to enforce the Federal law.
I will be happy to answer any questions that you have.
[The prepared statement of Ms. Madigan follows:]
Prepared Statement of Hon. Lisa Madigan, Attorney General,
State of Illinois
Introduction
Chairman Moran, Ranking Member Blumenthal, and members of the
Subcommittee, thank you for giving me the opportunity to speak with
you. Data security is one of the biggest challenges we face in the
United States today. It is an ongoing struggle for companies, non-
profits, government agencies, and consumers.
While last year's massive data breaches were a national turning
point for public awareness, this is not a new problem. For over a
decade, my office has been investigating major data breaches and
helping consumers respond to identity theft.\1\
---------------------------------------------------------------------------
\1\ Since 2006, identity theft and data breaches have either been
the most common complaint, or the second most common complaint,
received in the Illinois Attorney General's office. Only complaints
related to debt have had a higher total.
---------------------------------------------------------------------------
In 2005, we passed a data breach notification law in Illinois to
ensure consumers are notified when an entity suffers a breach of their
sensitive personal information. And in 2006, I created an Identity
Theft Unit and Hotline to help consumers restore their credit when
their information was used without their authorization. So far, we have
helped remove over $27 million worth of fraudulent charges for over
37,000 Illinois residents.\2\
---------------------------------------------------------------------------
\2\ In 2014, the Illinois Attorney General's office received 2,618
complaints regarding identity theft and helped return over $918,000 to
consumers who suffered identity theft.
---------------------------------------------------------------------------
At this point, everyone knows it is not a question of if they will
be a victim of some form of identity theft, but when. Because at every
hour of every day, any entity that maintains a database of sensitive
information could be under attack.
The economic impacts have been, and will continue to be, enormous.
Everyone agrees that we need to do something. Everyone wants to prevent
data breaches. And everyone wants to prevent identity theft. The
question is--how do we best do this?
I have long supported the push for a national law on data breach
notification. In 2005, I joined forty-three other state attorneys
general to call for a national law on breach notification,\3\ so I am
heartened that Congress looks poised to pass a law. But simply passing
a law that replicates state laws will do very little to protect
consumers that is not already being done.
---------------------------------------------------------------------------
\3\ Letter to Congressional Leaders from the National Association
of Attorneys General (NAAG) (Oct. 27, 2005).
---------------------------------------------------------------------------
Congress must move beyond a debate about data breach notification.
For the most part, we already have data breach notification in this
country. Forty-seven states have passed laws requiring companies to
notify consumers when they suffer data breaches. Many states have
either passed, or are working to pass, a second or third-generation
version of their laws.
II. The Need for Transparency
We need more transparency on data breaches and data security, not
less. We should not hide from the fact that our data can be
compromised, and we should not hide data breaches when they occur. I
have recently heard an argument that consumers are experiencing data
breach fatigue, and that additional notification may be counter-
productive. I strongly disagree.
In my experience, consumers may be fatigued over data breaches, but
they are not asking to be less informed about them.
Last year, I held over twenty-five roundtables on data breaches
throughout Illinois, with nearly 1,000 Illinois residents from all
walks of life--law enforcement officials, small business owners,
consumers, and senior citizens.
Here is what they told me. When their information is stolen, they
want to know. They also want to know what they can do to protect
themselves from identity theft and data breaches. And they want to know
whether entities are doing enough to protect their information and
prevent breaches.
Unfortunately, my office's investigations have revealed that
entities have repeatedly failed to take basic data security
precautions. We have found instances where entities:
allowed sensitive personal data to be maintained
unencrypted;
failed to install security patches for known software
vulnerabilities;
collected sensitive data that was not needed;
retained data longer than necessary; and
failed to protect against compromised login credentials.
Understanding where data security failures occur is what leads to
data security fixes. Without transparency, data breaches and their
causes will remain hidden. Notification also allows consumers to take
steps to protect themselves following the aftermath of a breach. This
transparency is not possible without laws mandating it.
III. Information that Triggers Notification
Therefore, Congress should pass a data breach notification law that
covers the growing amount of sensitive personal information that
entities are collecting. Any definition of protected ``personal
information'' should be broad, and the Federal Trade Commission should
be given the power to update the definition as needed. It is not just
stolen social security numbers or stolen credit card numbers that
consumers have to worry about now.
When I first worked to pass a law in Illinois on this issue nearly
a decade ago, we were focused solely on protecting consumers against
identity theft and fraud.\4\ In the intervening ten years, the Internet
has grown more than we imagined possible. This growth has been great
for our economy and it has made our lives easier. But it has also made
individuals more vulnerable to data breaches because more entities are
collecting increasingly specific data about them. Any law designed to
protect consumers should reflect this fact.
---------------------------------------------------------------------------
\4\ Illinois Personal Information Protection Act, 815 ILCS 530/1
et. seq. The Illinois Personal Information Protection Act requires
notification to Illinois consumers in the event of a data breach. A
breach is the unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of ``personal
information.'' Currently, ``personal information'' is defined as an
individual's first name (or first initial) and last name combined with
any of the following: social security number; driver's license or state
identification card number; or account number or credit or debit card
number, or an account number or credit card number in combination with
any required security code, access code, or password that would permit
access to an individual's financial account.
---------------------------------------------------------------------------
Congress should seek to pass legislation that ensures notification
of breaches related to pieces of information that can do us any kind of
harm, whether that is financial harm or reputational harm. For example,
this kind of data includes:
login credentials for online accounts;
medical information shared on the Internet that is outside
the scope of the Health Information Technology for Economic and
Clinical Health (HITECH) Act;\5\
---------------------------------------------------------------------------
\5\ Title XIII of the American Recovery and Reinvestment Act of
2009, Pub. L. 111-5.
---------------------------------------------------------------------------
biometric data; and
geolocation information.
The recent attack on Sony was a lesson for all of us. Reputational
harm can be far worse than financial harm. It can hurt companies, and
it can destroy lives. In Illinois, I will be seeking to update our law
to protect the type of data about individuals that entities are
regularly collecting, and I encourage the Subcommittee to do the same.
IV. A ``Harm Analysis'' Hurts Consumers
Next, an entity should not be conducting a ``harm analysis'' to
determine whether it should notify consumers about a data breach. If an
entity holds our sensitive information and loses it, most people want
to know. The very loss of sensitive personal information should be
viewed as harmful generally, and it is nearly impossible to truly
determine what specific harm may or may not occur following a breach.
Imagine if a landlord learned that a renter's home was robbed and
that landlord had the opportunity to decide whether the stolen items
were significant enough to let the renter know about the robbery. We
are considering allowing this for stolen data with a so-called ``harm
analysis.'' It will not lead to better data security, only fewer breach
notifications.
V. Federal Role in Data Security
Finally, data breach notification alone, no matter how expansive,
will not be enough to secure our data. Congress also needs to ensure
entities holding sensitive information are taking reasonable steps to
protect that information. To do that, it should require companies to
implement reasonable security standards and it should give the Federal
Trade Commission the authority to promulgate regulations as needed.
Congress should also focus its attention on the current authority
of the Federal government to investigate massive data breaches that
affect millions of Americans. When such breaches occur, the Federal
government should have the general authority to investigate in the same
manner the National Transportation Safety Board (NTSB) can investigate
accidents. Currently, the Federal government has no such authority.
Federal law enforcement agencies can conduct a criminal investigation
to determine who was responsible for an attack, and the Federal
government, through the Federal Trade Commission and other agencies,
can conduct an investigation to determine whether the entity's data
security practices were adequate. However, no Federal agency is tasked
with simply uncovering what happened in massive data breaches,
regardless of whether an entity's data security practices were
adequate.
If a Federal agency had this authority, that Federal agency would
develop much-needed expertise in data security. It could issue reports
about data breaches so that the private sector would better understand
what vulnerabilities led to breaches. Our country would also have a
much better sense of the general state of our data security.
VI. Role of the States
I understand that Congress will consider preempting states on data
breach notification laws. As a state official, I oppose any Federal
legislation that limits our ability at the state level to protect our
residents. In 2005, along with forty-three other state attorneys
general, I wrote to Congress to caution against broad preemption.\6\ In
the letter, we wrote:
---------------------------------------------------------------------------
\6\ Letter to Congressional Leaders from the National Association
of Attorneys General (NAAG) (Oct. 27, 2005).
Preemption interferes with state legislatures' democratic role
as laboratories of innovation. The states have been able to
respond more quickly to concerns about privacy and identity
theft involving personal information, and have enacted laws in
these areas years before the Federal government. Indeed,
Congress would not be considering the issues of security breach
notification and security freeze if it were not for earlier
enactment of laws in these areas by innovative states.\7\
---------------------------------------------------------------------------
\7\ Id.
In the decade since we wrote that letter, it has become clear that
preemption would have been a mistake for consumers.
Additionally, a narrow view of preemption has been adopted in other
Federal data security laws. The Gramm-Leach-Bliley Act (GLBA), which
established data security standards for financial institutions, only
preempts those state laws that are inconsistent with Federal law and
``then only to the extent of the inconsistency.'' \8\
---------------------------------------------------------------------------
\8\ 15 U.S.C. Sec. 6807(a).
---------------------------------------------------------------------------
Similarly, in 2009, Congress took a narrow approach to preemption
in the breach notification provisions in the Health Information
Technology for Economic and Clinical Health (HITECH) Act.\9\ That law
imposes the HIPAA preemption standard, which only preempts contrary
provisions of state law.\10\ For those laws that protect the privacy of
individually identifiable health information, the HIPAA Security Rule
goes even further, to save any state law that is more stringent than
the HIPAA protections.\11\ Together, these provisions illustrate a
reasonable and workable approach to preemption. If Congress does
preempt the states, for the benefit of consumers:
---------------------------------------------------------------------------
\9\ Title XIII of the American Recovery and Reinvestment Act of
2009, Pub. L. 111-5.
\10\ 42 U.S.C. Sec. 1320(d-7).
\11\ 45 C.F.R. Sec. 160.203.
the law should be a ``floor'' with a narrow preemption
---------------------------------------------------------------------------
provision;
the law should preserve a state's ability to use its
consumer protection laws to investigate data security
practices; and
states should have the right to enforce the Federal law.
VII. Conclusion
The roundtables on data security that I convened throughout
Illinois last year showed me that data breach notification is working.
Consumers are well aware of data breaches generally. But one challenge
is making sure the affected consumers learn about the right breaches.
Understandably, in certain circumstances, state laws allow
companies to comply with notification requirements by notifying the
media.\12\ Bills being considered in Congress allow similar
notification exceptions. But the most often comment I received during
these roundtables was that consumers did not know where to go to learn
about breaches. It has become clear to me that it is not enough to
require companies to notify the media.
---------------------------------------------------------------------------
\12\ See, e.g., Illinois Personal Information Protection Act, 815
ILCS 530/10(c).
---------------------------------------------------------------------------
As a result, in Illinois, I am proposing a requirement that
companies also notify my office when they suffer a breach. Fifteen
states already require entities to notify their Attorney General in the
event of a breach.\13\ If given that authority, I intend to create a
website that will enable Illinois residents to see all the breaches
that have occurred in Illinois.
---------------------------------------------------------------------------
\13\ Cal. Civ. Code 1798.29(e); Conn. Ch. 669 Sec. 36a-7041b(b)(2);
Fla. Stat. Sec. 501.171(3); Ind. Code Art. 24-4.9-3-1(c); Iowa Senate
File 2259 (to be codified at 715C.2.8); LA Admin. Code Title 16
Sec. 701; Maine Stat. Tit. 10 Sec. 1348(5).; Md. Comm. Code Sec. 14-
3504(h); Mass. Gen. Law Ch. 93H Sec. 3(a); Mo. Stat. Sec. 407.1500(8);
N.H. Ch. 359-C:20(b); N.Y. Sec. 899-aa(8)(a); N.C. Gen. Stat. Sec. 75-
65(e1); Vt. Stat. Ann. Tit. 9 Sec. 2435(b)(3); Va. Code Sec. 18.2-
186.6(E).
---------------------------------------------------------------------------
Such a website is only possible at the state level because we can
include information about national breaches, as well as those that are
local or regional. I believe such a service would greatly benefit
Illinois residents, and I do not believe they would want Congress to
prevent my office from offering it, or the other work we are doing on
data security and data breaches.
I am happy to answer any questions you have.
Thank you.
Senator Moran. Thank you very much. Ms. Weinman?
STATEMENT OF YAEL WEINMAN, VICE PRESIDENT, GLOBAL PRIVACY
POLICY AND GENERAL COUNSEL, INFORMATION TECHNOLOGY INDUSTRY
COUNCIL (ITI)
Ms. Weinman. Thank you, Chairman Moran, Ranking Member
Blumenthal, and Senators of the Subcommittee, for the
opportunity to testify today.
My name is Yael Weinman, and I am the Vice President for
Global Privacy Policy and the General Counsel at the
Information Technology Industry Council, known as ITI.
Prior to joining ITI in 2013, I spent more than 10 years at
the Federal Trade Commission, most recently as an attorney
advisor to Commissioner Julie Brill. I began my career at the
FTC in the Enforcement Division, ensuring that companies
subject to FTC data security consent orders were in fact
complying.
The 59 technology companies that ITI represents are leaders
and innovators in the information and communications technology
sector.
When consumer information is breached, individuals may be
at risk of identity theft or other financial harm. Year after
year, identity theft tops the list as the number one complaint
reported to the FTC.
Consumers can take steps to protect themselves from
identity theft or other financial harm following a data breach.
Federal breach notification legislation would put consumers in
the best possible position to protect themselves.
I take this opportunity to outline three important
principles in connection with Federal data breach notification
legislation. First is preemption. A Federal breach notification
framework that preempts the existing state and territory breach
notification laws provides an opportunity to streamline the
notification process.
Complying with 51 laws (47 states, three territories, and
one district), each one with its own unique provisions, is
complex, and it slows down the notification process to
consumers while an organization addresses the nuances in each
of these 51 laws.
Complying with 51 different laws also results in notices
across the country that are inconsistent and thus confusing to
consumers. A Federal breach notification law without state
preemption would merely add to the mosaic, resulting in a total
of 52 different frameworks.
The second principle is the timing of consumer
notifications. An inflexible mandate that would require
organizations to notify consumers of a data breach within a
prescribed time-frame is counterproductive. Following a breach,
there is much to be done. Vulnerabilities must be identified
and remedied. The scope of the breach must be determined.
Cooperation with law enforcement is imperative, and impacted
consumers must be notified. Premature notification could
subject organizations to further attack if they have not yet
been able to secure their systems, further jeopardizing
sensitive personal information.
Premature notification might interfere with law
enforcement's efforts to identify the intruders. The hackers
might cover their tracks more aggressively upon learning that
the breach had been discovered.
Notification to consumers before an organization has
identified the full scope of the breach could yield to
providing inaccurate and incomplete information.
Organizations have every incentive to notify impacted
consumers in a timely manner, but a strict deadline does not
afford the necessary flexibility.
The third principle is determining which consumers should
be notified. Notifying individuals that their information has
been compromised enables them to take protective measures. It
is not productive, however, if all data breaches result in
notifications.
If inundated with notices, consumers would be unable to
determine which ones warrant action. Notifications should be
made to consumers if they are at a significant risk of identity
theft or financial harm.
A number of factors would be considered in making that
determination, including the nature of the breached information
as well as whether that information was unreadable. Unreadable
information would not warrant a notification. Upon receiving a
notice, individuals can then take steps to help avoid being
financially damaged.
The three principles I have outlined today are included in
the full set of principles that ITI has developed in connection
with Federal data breach legislation, and I respectfully
request that these be submitted for the record.
2014 has been referred to as ``the year of the data
breach,'' and I think many of us would like to see 2015 as the
``year of Federal data breach notification legislation.''
I would be happy to answer any questions. Thank you.
[The prepared statement of Ms. Weinman follows:]
Prepared Statement of Yael Weinman, Vice President, Global Privacy
Policy and General Counsel, Information Technology Industry Council
(ITI)
Chairman Moran, Ranking Member Blumenthal, and Senators of the
Subcommittee, thank you for the opportunity to testify today. My name
is Yael Weinman and I am the Vice President for Global Privacy Policy
and the General Counsel at the Information Technology Industry Council,
also known as ITI. Prior to joining ITI, I spent more than 10 years as
an attorney at the Federal Trade Commission, most recently as an
Attorney Advisor to Commissioner Julie Brill.
ITI is the global voice of the technology sector. The 59 companies
ITI represents--the majority of whom are based in the United States--
are leaders and innovators in the information and communications
technology (ICT) sector, including in hardware, software, and services.
Our companies are at the forefront developing the technologies to
protect our networks. When a data breach occurs, however, we want a
streamlined process that helps guide how consumers are informed in
cases when there is a significant risk of identity theft or financial
harm resulting from the breach of personally identifiable information.
In my testimony today, I will focus on several of the critical elements
necessary to be considered by Congress in developing a Federal
legislative framework for data breach notification in the United
States.
``Year of the Breach''
We have all heard 2014 referred to as ``the year of the breach,''
but the reality is that data breaches did not just come on the scene
last year--they surfaced quite some time ago. While companies and
financial institutions spend tremendous resources to defend their
infrastructures and protect their customers' information, it is an
ongoing virtual arms race. Organizations race to keep up with hackers
while the criminals scheme to stay one step ahead. Unfortunately, it is
no longer a matter of if, but a matter of when, a criminal hacker will
target an organization. And when certain information about individuals
is exposed, those consumers may be at a significant risk of identity
theft or other financial harm. Year after year, identify theft is the
number one category of fraud reported to the Federal Trade
Commission.\1\ I would expect that when the 2014 statistics are
released, identity theft will continue to top the list.
---------------------------------------------------------------------------
\1\ See Federal Trade Commission, Consumer Sentinel Network Data
Book for January--December 2013 (February 2014) available at http://
www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-
data-book-january-december-2013/sentinel-cy2013.pdf; and Federal Trade
Commission, Consumer Sentinel Network Data Book for January--December
2012 (February 2013) available at http://www.ftc.gov/sites/default/
files/documents/reports/consumer-sentinel-network-data-book-january/
sentinel-cy2012.pdf.
---------------------------------------------------------------------------
51 Different Breach Notification Requirements
As a result of this troubling landscape, over the years, state
legislatures across the country enacted data breach notification
regimes. Currently, there are 51 such regimes--47 states and four U.S.
territories.\2\ Consumers across the country have received
notifications pursuant to these laws. I have received more than one
such notice myself, and I imagine some of you may have as well.
---------------------------------------------------------------------------
\2\ The District of Columbia, Guam, Puerto Rico, and the U.S.
Virgin Islands each adopted a data breach notification law. New Mexico,
South Dakota, and Alabama have not yet enacted breach notification
laws.
---------------------------------------------------------------------------
The current scope of legal obligations in the United States
following a data breach is complex. Each of the 51 state and territory
breach notification laws varies by some degree, and some directly
conflict with one another. For example, Kansas requires that
notification to consumers ``must be made in the most expedient time
possible and without unreasonable delay, consistent with the legitimate
needs of law enforcement and consistent with any measures necessary to
determine the scope of the breach and to restore the reasonable
integrity of the computerized data system.'' \3\ Connecticut's
notification requirement to consumers is similar, but not identical. It
requires notification to ``be made without unreasonable delay, subject
to [a law enforcement request for delay] and the completion of an
investigation . . . to determine the nature and scope of the incident,
to identify individuals affected, or to restore the reasonable
integrity of the data system.'' \4\ Florida, however, mandates a strict
timeline and requires that notification be made to consumers no later
than 30 days unless law enforcement requests a delay, regardless of the
status of the forensic investigation into the scope of the breach.\5\
---------------------------------------------------------------------------
\3\ Kan. Stat. Sec. 50-7a02(a).
\4\ Conn. Gen Stat. Sec. 36a-701b(b).
\5\ Fla. Stat. Sec. 501.171.
---------------------------------------------------------------------------
The complexities, however, are not limited to the timeline for
notification. There are other significant variances among these state
and territory laws, including what circumstances give rise to a
notification requirement, how notifications should be effectuated, and
what information should be included in notifications.
A Way Forward: A Single Uniform Data Breach Notification Standard
Federal data breach notification legislation offers the opportunity
to develop a single uniform standard. ITI is currently updating a set
of principles that we believe should be reflected in any Federal data
breach legislation you consider. I will be happy to share those with
you upon their completion, which I expect to be very soon. Outlined
below are several of these key policy recommendations.
Consumer Notification
Notifying individuals that their information has been compromised
is an important step that then enables them to take protective
measures. Notification to consumers, however, is not productive if all
data breaches result in notifications. If that were the case, consumers
would not be able to distinguish between notices and determine which
ones warrant them to take action. Notification should be made to
consumers if an organization has determined that there is a significant
risk of identity theft or financial harm. Upon receipt of such a
notice, consumers can then implement measures to help avoid being
financially damaged.
The process of determining whether there is a significant risk of
identity theft or financial harm will include the examination of a
number of factors, including the nature of the information exposed and
whether it identifies an individual. Accordingly, efforts to define
``sensitive personally identifiable information'' in legislation should
be carefully considered to ensure that over-notification does not ensue
as a result of an overly broad definition that includes information,
which, if exposed, does not in fact pose a threat of identity theft or
financial harm. Determining whether there is a significant risk of
identity theft or financial harm may also turn on factors such as
whether the information exposed was unreadable. If data is unreadable,
its exposure will not result in a risk of financial harm, and therefore
notification would not be appropriate.
Consumers will be best served if they are notified not about every
data breach, but about those that can cause real financial harm so that
they can take precautionary actions only when they are in fact
necessary. These actions can often involve expensive and inconvenient
measures and should only be borne by consumers when there is a
significant risk of identity theft or financial harm.
Timing of Notification
Mandating that companies notify consumers of a data breach within a
prescribed time-frame is counterproductive. Recognizing the
sophistication of today's hackers, and the challenging nature of the
forensic investigation that ensues following the discovery of a breach,
Federal legislation must provide a realistic, flexible, and workable
time-frame for consumer notification. Companies must be afforded
sufficient time to remedy vulnerabilities, determine the scope and
extent of any data breach, and cooperate with law enforcement. In
certain instances, law enforcement agencies urge organizations to delay
consumer notification so that suspected hackers are not alerted and
driven off the grid. Sufficient flexibility in the timing of
notification allows law enforcement to effectively pursue hackers, and
ensures that consumers are neither notified with incomplete or
inaccurate information nor notified unnecessarily.
Federal Preemption
A Federal law that preempts the current patchwork of 51 different
state laws would provide considerable benefits. A Federal data breach
notification requirement without Federal preemption would accomplish
nothing other than adding a 52nd law to this patchwork. Federal
preemption ensures that consumers will receive consistent
notifications, and thus they will be more easily understood. For
organizations, it will streamline the notification process, enabling
organizations to redirect resources currently being devoted to comply
with 51 different notification laws. Such resources can be better
utilized following a data breach, which requires a myriad of important
steps, including investigating the breach, determining its scope,
remedying vulnerabilities, and cooperating with law enforcement. One
uniform framework allows organizations to make consistent
determinations about who should be notified, when those individuals
should be notified, and what information should be included in the
notification.
No Private Right of Action
We urge you to avoid legislation that includes a private right of
action for violations of a data breach notification regime. The best
way to protect consumers is not to empower the plaintiff's bar to
pursue actions that are ultimately only tangential to consumer injury.
Appropriate government enforcement for violations of data breach
notification legislation is the proper remedy.
2015: The Year of Federal Data Breach Notification Legislation
A Federal data breach notification law that preempts the current
regime would be an important step forward for 2015--the year after the
``year of the breach.'' At ITI, we hope that 2015 is the ``year of a
Federal data breach notification law.'' Thank you again for the
opportunity to share our thoughts on a Federal data breach notification
regime, and I am happy to answer any questions you may have.
Senator Moran. Thank you very much, and thank all of our
witnesses. Attorney General Madigan, you seem to be in the
minority, at least in this panel, on the issue of preemption.
How do you respond to the concern that has been raised
particularly by Mr. Duncan or Ms. Weinman about 51/52 different
sets of standards across the country? Is there a way to preempt
state law but then continue to have states involved in the
enforcement of that new standard?
Ms. Madigan. Sure. Senator, to answer your second question
first, of course, there is--and it happens frequently--at the
Federal level, where you will set a national standard but still
allow State Attorneys General to enforce the law.
Obviously, if that is what happens, that is one of our most
important concerns because there will be instances where there
are significant data breaches--they may be smaller, They may be
confined to one or only a few states--and it will not be a
circumstance where the FTC, for instance, they are the ones
with the enforcement authority, will look into it.
In part, it is the same situation we have in terms of
different jurisdictions at a State level versus a Federal
level, even for criminal matters. Some of the U.S. Attorneys
Offices have thresholds. It has to be a big enough matter. But
we still need and want the ability, as I said, to respond to
and to safeguard our own residents.
In terms of the concern, and I do appreciate having as many
as 51 different laws that organizations have to comply with in
terms of notification, I would say two things. One, to some
extent the concern is overblown, in a very real sense. As
somebody mentioned, it is a lawyer that sits down and
determines what the notice has got to be and then produces a
notice that can be used across the country.
That certainly happened in terms of the Target breach. I
remember getting that notification, and there are some
different provisions depending on the state, but it is not
impossible to do. It does not take such an enormous amount of
time that the other issues that need to be contended with
during the breach are ignored.
Two, it is not an overall necessity, but I do think it is
imperative. And I think everybody agrees that if you set a
national standard, it cannot be a weak one. It has to be a
higher one than some of the first generation state notification
laws because we are seeing an increasing number of breaches
with an increasing amount of sensitive information that is
being breached.
You are going to have to start to look into biometric data
and things that really, during the first generation, very few
if any states were concerned about.
Senator Moran. Thank you very much. Is there any
indication, and this is a question for any of the panelists,
that from state to state, depending upon the law, that law or
the effectiveness of that law has a consequence such that there
are fewer hackers?
Is there any suggestion that a state law discourages
hacking from taking place in that state? In other words, is it
effective as a prevention measure, and is there any suggestion
that a state law has increased the standards of businesses who
operate in those states?
Is there a different level of compliance and is there a
different level of desire to attack in a certain state because
of state laws? Mr. Duncan?
Mr. Duncan. Senator, as I mentioned in my testimony, the
very nature of this problem is that it is interstate. If you
imagine a situation with a small startup, they instantly have
connectivity throughout the entire United States if they are
selling merchandise. It is the fact of notice regardless of
which state it occurs in that drives the interest in trying to
have greater standards. It is not really a state issue. This is
a national problem.
Senator Moran. We often think of the states as
laboratories, and I assume if we develop a national standard
that we will look at states to see what standards are there,
what makes sense.
I just wanted to make certain there was no suggestion that
a particular state has found a way to prevent or discourage
this kind of behavior. I think at least your answer, Mr.
Duncan, is no.
Mr. Johnson?
Mr. Johnson. Yes, sir. I would echo that the answer is no.
I think what it does is it points to the need to have really a
data security standard that is attentive to any data breach
standard. If you do not have both pieces, you really do not
have the ability to raise the bar from a security standpoint,
because I do not believe that a breach notification in and of
itself motivates businesses to essentially raise the
cybersecurity bar.
Senator Moran. Thank you, Mr. Johnson. Let me ask you
before my time expires, is there any developing insurance
coverage market for data breach? Your banks have a standard in
place today. Is there insurance that covers the consequences of
a data breach?
Mr. Johnson. Yes, there is. It is a maturing market. We
actually have a captive insurance company that offers some of
those policies as well. I think it is a market that needs
further refinement.
We as an industry are looking at that very carefully in a
number of different fashions, and in fact working with Treasury
and with the Administration generally to try to figure out ways
to improve the market and try to build insurance as a private
incentive as opposed to building public incentives toward
greater cybersecurity.
Senator Moran. Thank you. Senator Blumenthal?
Senator Blumenthal. Thanks, Mr. Chairman. Ms. Madigan,
again, thank you for being here. I want to follow up on a
couple of questions that the Chairman asked.
You make the point that preemption has sometimes been
narrow in our laws. In fact, that concept of narrow protection
is that there should be preemption only if state laws are
inconsistent with Federal law and then only to the extent of
the inconsistency. That is a quote from one of those statutes.
In Gramm-Leach-Bliley, in the Health Information Technology
for Economic and Clinical Health Act, also known as HITECH,
that principle of narrow preemption has been adopted.
Has the experience been with that narrow approach to
preemption that there are these horrible inconsistencies or
confusion that our witnesses seem to raise as a specter of
avoiding preemption?
Ms. Madigan. No, Senator. The concern from the state level,
as you are aware, is that it took--let's assume Congress will
pass something this year--it took 10 years for Congress to pass
a breach notification law, if you pass it now.
To the extent that there are new threats out there or,
again, threats that specifically target a group of people,
consumers in our state, we need to be able to respond. Or, if
there is a rapidly changing area, again, we want to be able to
respond.
I think that is the real concern. We have not seen
significant problems where states retain enforcement authority
of a Federal law and/or the preemption is narrow. In fact, I
think it works best that way because, again, Federal resources
tend to go to larger issues whereas state resources go to some
of the smaller issues.
Senator Blumenthal. Mr. Duncan, I am troubled by the
failure of retailers to take responsible steps to protect their
consumers. In fact, some of them, I am told, have actually
blocked some of the new technology that could have been
available. I do not want to call any out, but I am happy to
name them if you wish.
I am disturbed that these major retailers have in fact
moved to block innovations by disabling their contact list
transaction terminals that they offered as a feature to
consumers for many years. Mobile payment technologies like
Apple Pay and Google Wallet, efforts are underway, but they
still have not been deployed as they should be.
Are you not disappointed that retailers have not done more
to protect their consumers?
Mr. Duncan. It is not a matter of disappointment in terms
of what retailers have done in the past. I can tell you that I
have sat in the Board meetings of the National Retail
Federation, and I have heard the CEOs of some of the best known
companies in this country talk long and seriously about the
steps they have to take to address this very serious problem.
Senator Blumenthal. I am sure they have talked about it.
Why have they not done anything about it?
Mr. Duncan. They are also adopting new technologies. This
is a very complicated issue to address because there are so
many ways, as has been pointed out, that the bad actors can get
in, so you have to develop very particularized systems that
will effectively block that, and they are adopting those.
Senator Blumenthal. Why are the retailers disabling their
terminals, for example?
Mr. Duncan. There are some technologies that either are
unproven, are extraordinarily expensive, or take control of the
company's operations away from the company and into someone
else's. Each company has to make its own decision on that
element, but that is completely separate from a decision about
how you secure the data in your files.
Senator Blumenthal. You know, I am struck that you have
recommended to the panel that there be preemption, not only of
state statutory law but also common law. That is a pretty broad
preemption, is it not?
Mr. Duncan. The fact is if you do not have preemption that
is strong and across the board, then ultimately, experience has
shown us, that the courts will strike down the preemption and
the proliferation of conflicting laws will reemerge. We have to
have a very strong law and it has to be an uniform law if it is
to be effective.
Senator Blumenthal. That principle of preemption, is that
not virtually unprecedented?
Mr. Duncan. No, I do not think so.
Senator Blumenthal. Where else has it been adopted?
Mr. Duncan. Well, let's look at what has happened with the
telemarketing sales rule that the FTC enforces. There
essentially the same kind of approach was taken. All power was
placed essentially on the rule with the FTC. You do not see
individual actions under that rule or you do not see----
Senator Blumenthal. My time is expired.
Mr. Duncan. State Attorneys General actions under that
rule, which we would support.
Senator Blumenthal. My time has expired. I would suggest
that that approach to preemption is broader than this committee
should consider, and a more narrow view of preemption such as
Attorney General Madigan has suggested, if there is to be any
preemption at all, is one that is more appropriate.
Thank you, Mr. Chairman.
Senator Moran. Thank you, Senator Blumenthal. Senator
Fischer?
STATEMENT OF HON. DEB FISCHER,
U.S. SENATOR FROM NEBRASKA
Senator Fischer. Thank you, Mr. Chairman. My thanks to you
and the Ranking Member for holding this very timely hearing
today.
Ms. McGuire, as you know, numerous reports have linked
nation state actors to cyber attacks. Additionally, some of the
same countries implicated in these reports may require U.S. IT
companies to turn over intellectual property, including
operating software source code, in exchange for market access.
Are you concerned that such information in the hands of
what we could call an ``irresponsible actor'' could pose
additional cybersecurity risks?
Ms. McGuire. Thank you for the question. We are concerned
about having to turn over any of our intellectual property to
any country. We believe that is an infringement on our
ownership of our intellectual property that we have clearly
spent extensive resources to develop, and that we should be
allowed to protect it accordingly.
Certainly, if it is passed to a third party or a second
party, then it does expose us to potential additional
vulnerabilities. In short, we believe that we should not have
to share our intellectual property.
Senator Fischer. There are instances, I believe, where
companies are being pressured by foreign governments to share
that property. Do you know how prevalent that is?
Ms. McGuire. There are some new requirements, actually some
not so new requirements, in some countries. I cannot tell you
how prevalent it is, but we are certainly seeing a growth in
those kinds of requests from many different countries around
the world.
Senator Fischer. How dangerous is that if we continue to
see growth in that, that companies do that for increase in
market access, for example? How dangerous is that to other
companies here in our country when that property is shared,
would it not put your security and other companies' security at
risk?
Ms. McGuire. It potentially could put other organizations
at risk. I am not sure I can quantify how much, but any time
you have to provide the source code to another party, it can
provide additional openings for risk.
Senator Fischer. Also, our Federal data protection
framework, it is largely based on who is collecting that
information rather than tailoring enforcement based on what is
being collected. Would it not be better for consumers and
businesses alike if we would apply a more uniform regime for
all entities so that enforcement is based on the sensitivity of
the information that is being collected?
Ms. McGuire. Yes, that is our view, that it should be a
risk-based application and threshold for what type of data
potentially is breached.
Senator Fischer. For all the witnesses, if I could just ask
a couple of yes or no questions here. Do you support a Federal
data breach notification standard that is consistent for all
consumers? Ms. McGuire, if you want to start.
Ms. McGuire. Yes.
Mr. Duncan. Absolutely.
Dr. Pendse. Yes.
Mr. Johnson. Yes.
Ms. Madigan. Yes, if it is strong and meaningful.
Ms. Weinman. I will be the outlier and ask for further
clarification of the question. When you say ``consumers,'' are
you referring to which particular type of data? Is that your
question, whether you do not want to distinguish between types
of data?
I think to a certain extent the sectoral approach that we
have here in the United States has worked to a large extent
with regard to financial data and health data.
Since the desire is to get Federal breach notification
legislation across the finish line in 2015, anything that could
potentially slow that down is something we should carefully
consider.
Senator Fischer. Do you think it would be easier to get
something across the finish line if exceptions are made or
targeting made on what type of data is collected?
Ms. Weinman. I think it would make it easier to get it
across the finish line if entities that are already subject to
data breach notification requirements in specialized areas--if
those remain intact.
Mr. Duncan. Senator Fischer, with all due respect, a
sectoral specific approach or exceptions are anathema to the
kind of incentives we are going to need in order to have
effective protection for consumers, at least in the view of the
National Retail Federation.
Senator Fischer. So, we have disagreement. I am over my
time, so thank you very much.
Senator Moran. Senator Schatz?
STATEMENT OF HON. BRIAN SCHATZ,
U.S. SENATOR FROM HAWAII
Senator Schatz. Thank you. Ms. Weinman, you and others have
talked about the balance to strike in terms of over-
notification. I think we all recognize we do not want to be
inundating consumers and others with notification of breaches
if they are not significant enough, and it would become
meaningless.
My question is who determines whether there is this
``significant risk'' of identity theft? Do you figure that gets
enshrined in the statute? Is that for Attorneys General to
determine? Is it the courts? Individual companies?
I think that is one of the key issues here. We can all
agree in principle that we do not want to be over notifying,
but where that responsibility and authority resides is really
key.
Ms. Weinman. Thank you. I am glad that we can all agree in
principle that over notification is not something that would be
desirable. I think an organization that holds the data and has
a sense of what information has been compromised, and the
extent to which it had been compromised, would be in the best
position to make that determination.
Senator Schatz. What standard would they be held to? Would
it be under the law or just their own judgment about whether
this was going to be harmful to their consumers? Or does this
all get refereed in court? That is the question, is it not?
Ms. Weinman. Well, I think the level of risk would be
something that would be codified in a statute like significant
risk of identity theft or financial harm. I do think that would
be in the letter of the law.
Senator Schatz. Ms. McGuire, you were talking about a risk-
based analysis. I would like you to elaborate there.
Ms. McGuire. So, along the same lines of what kind of data
has been breached and what the risk is to the consumer or the
organizations that also might have been part of that, but as I
stated in my statement, we believe that a component of that
statute needs to be that the data has been either rendered
unreadable or unusable via encryption or other technologies so
that in fact if the data has been accessed, it is meaningless
to the perpetrator. That is a key component----
Senator Schatz. That is your bright line?
Ms. McGuire. Of the statute; yes.
Senator Schatz. Attorney General Madigan, maybe take half a
minute to elaborate on that, and I have another question for
you as well.
Ms. Madigan. I do not think there is any such thing as over
notification going on at this point. Notification keeps
consumers alert to the possibility of I.D. theft and they
should be protecting themselves.
It certainly depends on what other information these
criminals may have access to in terms of what they could be
using; information that we would deem individually not to pose
any risk to them, but could potentially if it is combined with
other information. There is no over notification going on at
this point.
Senator Schatz. I agree with you there may not be over-
notification but we do not want to create a scenario where I am
getting e-mails two or three times a week and I do not know
what to panic about and what to ignore. I think that is the
balance to strike.
I agree that we are not there in reality.
Ms. Madigan. At all.
Senator Schatz. If you could again articulate what would
constitute a sufficiently strong standard to kind of satisfy
your concerns. I respect the California law and some other
statutes are pretty good marks to make. I see a few heads
nodding, I see a few heads shaking.
Ms. Madigan. Do not scare them.
Senator Schatz. That is fine. I would like to hear what you
think would suffice in terms of being worth a tradeoff in terms
of preempting state laws.
Ms. Madigan. I think a strategy that I have heard talked
about here is that you really should look at the state laws
that are out there, California probably at this point being one
of the high marks. But I should say it is not just California.
Again, this is a bipartisan issue: Texas, Florida, Indiana,
have some of the most progressive notification laws in the
country.
You need to look and see what the changes have been from
the first generation of them, such as Illinois, where we said
it is going to be your first name or your first initial and
your last name along with unencrypted Social Security number,
driver's license number, credit or debit card number, and now
we are moving to biometric data, as I said, and e-mail
addresses with log-in passwords.
As it changes, you really need to look and see what is the
high water mark and make sure that really is your floor.
Senator Schatz. Mr. Johnson, I will let you have the last
word on this. What would suffice as a strong enough standard
that we would all feel comfortable preempting the 50 odd state
laws that we would be looking at?
Mr. Johnson. Gramm-Leach-Bliley.
Senator Schatz. I'm sorry, one more time.
Mr. Johnson. Gramm-Leach-Bliley, the Federal law. I think
what we are doing at the Federal level has a standard
associated with when a company makes a valuation, such as your
concern in terms of who has the responsibility to make the
determination as to when to notify of substantial harm.
I think also the financial services companies even if a
breach is not occurring at the financial services company has a
lot of experience in terms of dealing with those breaches as
well, and they look at Gramm-Leach-Bliley from that
perspective. I think that is what I would look to.
Senator Schatz. Thank you.
Senator Moran. Senator Blunt?
STATEMENT OF HON. ROY BLUNT,
U.S. SENATOR FROM MISSOURI
Senator Blunt. Thank you, Chairman. Thank you for having
this hearing. We had a similar hearing in this committee last
March, and at that time all the panelists were for a single,
consistent national standard.
Attorney General Madigan, I often tend to be in favor of
the underdog, but I seldom would imagine you would be the
underdog on this issue. You might be in terms of where other
people are tending to wind up.
I think a lot of the questions I would ask have already
been asked on the topic of preemption. We will just see where
that goes. The President and the Attorney General have both
taken a position, and both agree with the need for preemption.
Senator Carper and I introduced a bill last year, and we
are working on a bill again this year. Our bill covers a lot of
ground regarding data security and breach notification, but one
of the things we have not done in our legislation is establish
an arbitrary timeframe.
There is an argument about whether there should be a
specific timeframe established in the law as opposed to
established by circumstances. So far I have stayed on the side
that we need to have some flexibility in timeframes, but I am
not absolutely sure I understand, or the Committee understands,
all of the reasons why.
I did notice in the Anthem data breach this week, they sent
a general notice, and then I heard Mr. Schatz say basically he
was becoming the victim of breach fatigue by being constantly
notified that he could be in a group whose information may have
been breached.
I have not yet looked at legislation with the idea that we
need an arbitrary deadline, but I have a couple of questions
for whoever wants to answer, starting with you, Ms. Weinman.
The question would be what would you perceive in terms of
how a deadline should be established or the criteria for what
would be a reasonable response, and your view on whether an
arbitrary deadline is something that should be included in a
data breach notification.
Ms. Weinman. Thank you. I think an arbitrary deadline, a
specific timeframe, is not useful in that it sets an objective
standard. Each data breach incident is different. Each incident
requires special consideration to address vulnerabilities, and
to cooperate with law enforcement. Some breaches will require
cooperating with many different types of law enforcement.
I do not think a specific deadline is useful. That being
said, a number of the states have deadlines that do not involve
specific days, and I think that is the right approach to give
sufficient flexibility.
Senator Blunt. Is there any sort of guidelines you would
look at as to whether or not a response was appropriate, and
made in an appropriate timeframe? What would be a triggering
factor of whether the response was appropriately quick or not?
Ms. Weinman. I think the buzz words that we hear a lot is
``without unreasonable delay,'' that type of construct, I
think, works well in this situation. In examining whether the
notification was done without unreasonable delay, you would
look at what the company had done up until that point when it
decided to make that notification.
Had they dotted all the i's and crossed all the t's and
closed the patches, cooperated with law enforcement, listened
to law enforcement if law enforcement asked them to in fact
delay notification, which is in fact sometimes the case.
Senator Blunt. I am down to a minute. Anybody that feels a
guideline should be specific? Anybody want to respond to that?
Ms. McGuire. I do not, and I agree with Ms. Weinman that
there should be a standard for reasonable notification, but I
think it is important to recognize that there are different
types of breaches. There is a difference between losing a
laptop that has a lot of data on it and a network that has been
penetrated. That may require very different responses and very
different investigation and time lines. I think that is an
important criteria to consider.
Dr. Pendse. I would agree with my colleagues here, there
ought to be some flexibility there because smaller
organizations are simply not going to have the types of
resources that bigger organizations can bring to bear, so some
flexibility would be very much essential.
Senator Blunt. Anybody? I think I am out of time. I am not
a lawyer but it does sound like--my one concern about
``reasonable response'' is it sounds like time in court to me
for someone to try to determine whether the response was
reasonable or not.
I am out of time. Chairman, thank you for the time.
Senator Moran. Thank you, Senator Blunt. We are honored to
be joined by Chairman Thune, and I recognize him now.
STATEMENT OF HON. JOHN THUNE,
U.S. SENATOR FROM SOUTH DAKOTA
The Chairman. Thank you, Mr. Chairman. I thank you and
Senator Blumenthal for holding this hearing and focusing a
light on this issue. It is an issue that is important to our
country and something that Congress has been trying to fix for
over a decade, and hopefully this will be the year when we
finally find the path forward that enables us to put in place a
workable solution that protects consumers and addresses this
very important issue, which again we are reading about today,
millions of Americans impacted by yet another data breach.
I want to ask, and Senator Blunt mentioned this, because I
think the question has been asked many times but perhaps not
everyone has answered it, Ms. Weinman, I am just curious
because you have extensive experience in this area having
worked at the FTC prior to your current position with ITI,
could you give us your sort of explanation of why you think a
single Federal law is so preferable for both businesses and
consumers?
Ms. Weinman. Thank you. I have a chart with me that is 19
pages long that goes through the variances of the different
state laws. That reason alone, I think, lends itself to having
one Federal breach notification standard to enable companies to
act quickly and provide the required notice. I think it is both
business-friendly but more importantly consumer-friendly.
The Chairman. Mr. Duncan, your testimony today highlighted
the need for Congress to enact a preemptive Federal data breach
notification law. I agree that doing so would provide a great
deal of clarity for companies, including the retailers and
merchants that you count as your members.
It also would provide needed consistency, I think, for
consumers. That is an issue as I said before Congress has dealt
with in the past. There has been various legislative proposals
that have called not only for uniform notification procedures
but also for uniform Federal data security standards.
I appreciate your observations about some of the risks of
FTC enforcement, but since that enforcement can already occur,
would not retailers benefit from a Federal law saying that
reasonable data security measures must take into account the
size and scope of the organization and the sensitivity of the
data collected?
Mr. Duncan. Thank you, Senator Thune. The FTC effectively
has a reasonableness standard either under exception or under
unfairness right now.
Once you begin putting a lot of different factors into that
standard, then you essentially set up a situation where was it
reasonable as to (a), as to (b), as to (c), as to (d). If a
medium-sized company cannot check the box on every single one
of those factors, then they are likely to be in very bad shape.
That kind of standard works better when you are developing
guidance. That is a big distinction between the GLB standards
that Mr. Johnson has talked about, and a uniform national
standard.
If you have an examiner sitting next to you, and you--can
in an iterative process--work through each of those various
elements, that may work. If you are trying to set one standard
for every type of commerce and every type of business in the
country, then having multiple components to that is going to
make it impossible with any certainty for the average American
company to respond to.
The Chairman. Could NRF support any type of security
requirement?
Mr. Duncan. Sure, if there is a standard comparable to that
the FTC is currently enforcing, which is a reasonable security
standard, and if that is coupled with the very, very robust
notice requirements that we have testified in favor of, that
would work.
The Chairman. I have a question for Attorney General
Madigan. Ms. McGuire in her testimony suggests that any
notification standard should minimize notifying individuals
about breaches in which their personal information was rendered
unusable before it was stolen.
Ms. Weinman suggests that the exposure of unreadable data
will not result in risk, therefore, notice would not be
appropriate.
I am wondering what your thoughts are on the wisdom of
including the usability reference in breach notice legislation
and then perhaps how the Illinois state law approaches that
issue.
Ms. Madigan. It is the right thing to do. I agree with both
of them on that front. Under Illinois' law, if the information
is encrypted, you do not get notification of the breach. What
we need to look to, because we have seen this in some of the
breaches taking place, is encrypted information that has been
compromised and the encryption key has also been stolen.
In those circumstances, when you can unencrypt, then there
should be notice. If it is encrypted--if it is unusable,
unreadable--notification does not need to take place under
Illinois law.
The Chairman. Great. Mr. Chairman, thank you.
Senator Moran. Mr. Chairman, thank you. Senator Klobuchar?
STATEMENT OF HON. AMY KLOBUCHAR,
U.S. SENATOR FROM MINNESOTA
Senator Klobuchar. Thank you very much, Mr. Chairman. Thank
you for holding this important hearing. I apologize for being
late. We had a Judiciary markup. It was very exciting. Now I am
here on a topic that is near and dear to our hearts in
Minnesota.
As you know, one of our major retailers experienced a
breach, and I think there is not a day that goes by that we do
not hear about another cyber attack in local communities or on
the national scene or even on the international scene.
In fact, last night the media reported that Anthem, the
nation's second largest health insurer, was breached, and as
many as 80 million customers could have had their account
information, including names, birth dates, addresses, Social
Security numbers stolen.
These cyber attacks are increasing in scope. I was a
sponsor of some of the bills that were out there in the last
Congress. I hope, given that we have already had hearings this
Congress, and I appreciate Senator Thune's leadership--I am one
of the few senators that are on both the Judiciary Committee
and the Commerce Committee--that we can move ahead in this area
of cybersecurity.
My first question actually was about what I just raised,
and I know it was in the news. Attorney General Madigan,
welcome. I have worked with you in the past and appreciate your
good work.
With this disclosure, it is important to discuss what is
and what is not covered under the Health Insurance Portability
and Accountability Act or HIPAA. To your knowledge, would the
information impacted in the Anthem breach be covered by HIPAA?
Ms. Madigan. What I have heard so far is that they claimed
medical information was not breached, so it probably falls
under the various state breach notification laws to determine
if the ``personal information'' definition is met at the
various states. I think it remains to be seen what the total
extent of that breach is.
Senator Klobuchar. I know. I do not think we know yet. In
your experience when something like this happens, not this
exact case, how are the agencies coordinating with the
Attorneys General, whether it is the Department of Health and
Human Services, or the FTC, to enforce these consumer
protections, and do you think there is more that can be done
there when it comes to coordination?
Ms. Madigan. Well, we have certainly had a very good
working relationship with the FTC because we obviously have
similar jurisdiction over consumer matters. We probably do not
have as much interaction with the other entities that are
dealing with some of the health information, but in Illinois,
the way our breach notification law works, if that type of
information is taken, we want the ability to be able to make
sure people are notified. And obviously, coordination, I think,
helps everybody, particularly when we all have limited
resources.
At the end of the day, our concern is all the same, right?
We are trying to protect individuals from any sort of identity
theft and financial damage that could occur because of it. We
are always looking to cooperate, whether it is at the state
level or at the state and Federal level.
Senator Klobuchar. OK. Mr. Duncan, I am going to focus on
the retail issues, since we are proud to have Target and Best
Buy in the State of Minnesota, two great companies.
Last year, many of my colleagues and the media had talked
about the need to move to chip-and-PIN technology, similar to
what we are seeing in Europe, Canada, and elsewhere, and
following the push for the change, the industry made a
voluntary commitment, as you know, to switch over to chip-and-
PIN cards and readers by the end of October 2015, which is this
year.
That is an important timeline, I think, for consumers. We
learned from the Home Depot data breach that impacted both
Canadians and Americans that cards from Canada were actually
less valuable on the black market than American cards because
they had chip-and-PIN technology. We tended to be a target
because we had not improved that technology, despite the work
of companies like Target who had early on tried to, but as we
know, it is not universal across the country.
Mr. Duncan, what percentage of your members have already
adopted chip-and-PIN payment technology and have the necessary
technology to read cards at points of sale?
Mr. Duncan. This is a quickly changing number. I have data
from several months ago, in which case it was in excess of a
quarter of the Nation's retail terminals were already outfitted
for chip-and-PIN.
The concern that many of our members have is that the
investment in PIN-and-chip technology is extraordinarily
expensive. It will cost between $25 and $30 billion to re-
terminalize the entire country.
It is worth it if you get improvement in fraud reduction.
Unfortunately, many of the banks, not all, but many of the
banks are not issuing pin and chip cards. They are only issuing
chip and signature cards. As you know, a signature is a
virtually worthless security device.
Retailers are being asked to spend tens of billions of
dollars for security that is going to be illusory.
Senator Klobuchar. I know just talking to Target and Best
Buy that they are pretty committed to getting to this October
deadline, which is great. When you are talking about the 25
percent, those are just ones that have not done it yet but you
expect a higher percentage to be there by October?
Mr. Duncan. Lots of companies--it takes a huge effort to
re-terminalize a large operation, an interconnected operation.
We expect a significant portion of the industry to be there,
not 100 percent. It is impossible to do that in 10 months.
Senator Klobuchar. Your point is it is very important to
have the full technology with the chip-and-PIN and----
Mr. Duncan. If we are going to spend the money to reduce
fraud, let's reduce fraud. Let's do PIN-and-chip.
Senator Klobuchar. Any comments from anyone else about
this? Mr. Johnson? Thank you, Mr. Duncan.
Mr. Johnson. Thanks for the opportunity, Senator. I think
one of the things when we have this conversation that we forget
sometimes is the fact that the card market is really two
different markets to some degree. It is the debit card market
as well as the credit card market. Debit cards have PINs. You
essentially have more than 50 percent of the card environment
already that is PIN enabled.
What we have learned from the credit side is the fact that
both at the retail side as well as our customer behavior, in
the credit environment, our customers prefer to use the
signature. If they want to be protected by a PIN, they can use
their debit cards. They have an effective choice to be able to
really accomplish that.
Senator Klobuchar. I think what Mr. Duncan said is that you
get more protection, and certainly the situation that we saw
with Home Depot where the Canadian cards were less valuable
because they had that full technology, I can imagine everyone
would like to see. It is just that if we know one technology
protects better, it seems we would not just want it for debit
cards.
Sometimes, I just know from having a bunch of cards in my
purse, I do not really think through what kind of card it is,
if it is signature or not.
Mr. Johnson. I think that the most important thing here is
to really work toward getting rid of static numbers. What we
have in the environment right now are credit card numbers and
PINs that are static numbers that make us vulnerable.
To the extent that we have developed technologies such as
tokenization, where numbers are meaningless, if someone was to
breach Target and capture all the numbers that were associated
with those transactions, or any retailer, the numbers would be
meaningless because they would only work for that one
transaction.
I think that is really what we need to be working toward,
making those numbers absolutely worthless to the criminal, and
that is what is really going to protect the customer at the end
of the day.
Senator Klobuchar. Very good. The last thing, just for the
good of my hometown, Target did fix the breach and everyone can
go shopping there. Thank you.
Senator Moran. Thank you. Senator Daines. Let me first say
that a vote is scheduled at 11:30. I want to make sure that
Senator Daines gets an opportunity to question. We intended to
take a second round, but that may not be possible based on the
voting schedule. Senator Daines?
STATEMENT OF HON. STEVE DAINES,
U.S. SENATOR FROM MONTANA
Senator Daines. Thank you, Mr. Chairman. This morning, 80
million Anthem health insurance customers woke up to learn
their personal identifiable information could have been stolen.
In fact, we just received this over the fax machine, a notice
from Anthem that says ``To our Members,'' and I am just quoting
from the letter which was sent out to their members, and it
could be 80 million members.
``These attackers gained unauthorized access to Anthem's IT
system and have obtained personal information from our current
and former members, such as their names, their birthdays, their
medical I.D.'s, Social Security numbers, street addresses, e-
mail addresses, and employment information, including income
data.''
Last year in the House I offered an amendment that would
strengthen victim notification requirements. I am eager to work
with the chairman on strengthening these requirements again in
future legislation.
I have a question for anyone on the panel here this morning
in light of there has been a lot of discussion about past
breaches and now we have this most recent significant and most
serious breach.
What is an appropriate notification time period, like for
these 80 million customers, and we still do not know for sure
when this occurred, but we are hearing it might have been last
week, but for these 80 million customers that are waking up
this morning to hear and learn their PII could have been
stolen.
Ms. Madigan. Senator, I would respond this way. It sounds
unusual and helpful that Anthem has actually notified people,
even if we do not know the full extent of the breach, as
quickly as they have.
We are aware of situations where there are retailers who
have waited months and months, some maybe as long as six
months, to notify people, which is clearly too long to notify.
We have had some extensive discussion about whether there
should be a 30-day hard deadline, should it be more flexible. I
can tell you at the state level, while there are some that have
timeframes, we have been very reasonable, basically saying to
do this as expeditiously as possible.
When we look into whether that has taken place, we
determine when did the breach take place, when did the company
know about it, did they have time to put in place a response to
secure their system, and obviously, any exceptions, if they
need to continue to work with law enforcement.
A flexible deadline would be a good one, but it cannot be
that there is such a flexible deadline that you never have to
notify or that you can wait for months, because your goal is to
let people know that their information is out there and they
may be a victim of some form of financial fraud or identity
theft.
Senator Daines. Prior to coming up on the Hill, I spent 28
years in business, in fact, half of that time at Procter &
Gamble. We prided ourselves on good customer service. The other
half of that time as part of a technology startup, a Cloud
competing company that we took public. In fact, Oracle acquired
us a couple of years ago, built a world class Cloud competing
company.
I was the Vice President of Customer Service working with
literally millions of end users and thousands of customers. We
sold a B to C customer service Cloud-based solution.
When I was running Customer Service and looking after
customers and we had a problem, our policy was we notified our
customers as soon as we were aware of the problem, maybe not
always understanding the magnitude of it. We believed we owed
it to our customers to get back to them.
I frankly am surprised to think we might be thinking in
terms of 30 days. I think frankly that is unacceptable and that
the customers, the consumers in this country, should be served
better than that, and particularly when we are dealing with
PII, recognizing we may not know the scope of the problem at
the time, but at least the customers ought to know there is a
problem and we are working quickly here to try to resolve that.
I would be happy if there are any other comments from the
panel.
Mr. Duncan. Senator, we would support the kind of a notice
regime that is contained within the Illinois law. It is less
important as to what the number of days are attached to it, as
long as you provide the time for law enforcement, for example.
They may not want to notify because they want to set a trap
for the people who have invaded it and have a way of catching
them, taking them off the street. You have to allow for that.
You clearly want to clean up the holes so that the people
cannot come back inside. Once you have taken care of that, 30
days, 10 days, whatever, 40 days, it does not matter, just a
reasonable time period.
I will say to the specific point that was made a moment
ago, one of our members had a breach which they initially
interpreted to be a million card data's that had been released.
Once they examined it, it turned out there were only 35,000.
The idea that you would have given notices to 965,000 more
people unnecessarily is a pretty serious problem. You have to
get it right. There is no easy answer here.
Dr. Pendse. If I may comment, in terms of customer service,
I agree with you that quick notification is very important but
on the other hand a serious situation such as my other
panelists have pointed out, some flexibility is necessary.
One of the biggest detriments to any organization is loss
of trust. As we noticed, Anthem has been very quick at reaching
out to people and hopefully they will learn from past
challenges and also from other well publicized breaches that
have occurred.
Loss of trust is a very big detriment and in the current
environment, in an Internet enabled information gathering
session, people have to quickly respond.
Senator Daines. I would hope to continue to work on this
issue of trying to establish what we think would be without
unreasonable delay and trying to perhaps put better guardrails
on that. I think it is probably in the eyes of the beholder
sometimes.
With my experience of years of working in a Cloud-based
competing company, I just believe it is better to err on the
side of the consumer and their protection. I fully understand
the fact you can create maybe a bigger problem by notifying
everybody without understanding what really has happened.
I think as we lean one way or the other on this, I would
just urge us to lean toward a quicker response, defining that.
I think it is kind of better safe than sorry, particularly
looking at this notification that went out, this is Social
Security numbers, this is personal income data, this is perhaps
private medical records. This is very, very serious.
I think the consumer has the right to know about that
sooner than perhaps waiting a week as we try to walk the fine
line here of law enforcement and not creating a mountain out of
a mole hill.
I will tell you what, I think we should be trying to make
this tighter. I had 2 days with an amendment I offered, and I
hope we can work on something here that we can actually define.
Senator Moran. Senator Daines, thank you very much. The
bell has rung indicating votes. We will conclude this meeting
momentarily.
I am not going to ask any additional questions, but Dr.
Pendse, I would be glad to have you visit with my staff. You
know Kansas well. What small businesses should we be worried
about? What innovators may be deterred from greater innovation
as a result of this kind of legislation? I would welcome your
input.
Dr. Pendse. Absolutely.
Senator Moran. I would be interested in hearing from any of
the witnesses about Gramm-Leach-Bliley and its potential being
used as a standard.
I would like to know with the bankers, if there is
information that banks have that could be breached that is not
covered by Gramm-Leach-Bliley, and also the same kind of
question related to HIPAA, where in those two arenas, health
care and financial services, is there something we ought to be
considering, a standard, or a starting point as we look at
broader breach opportunities, or is that just a bad idea.
Senator Blumenthal, anything to add?
Senator Blumenthal. Yes, I agree with you that Gramm-Leach-
Bliley offers a potential model here. Mr. Johnson, I am quoting
from your testimony, ``The extensive breach reporting
requirements currently in place for banks provide an effective
basis for any national data breach reporting requirement for
businesses generally.''
I gather that you support the preemption model that is
contained in Gramm-Leach-Bliley.
Mr. Johnson. That is correct.
Senator Blumenthal. Because I think that may provide some
common ground here. I invite the witnesses--I apologize, my
time expired before, Mr. Duncan, you may have been able to
provide a full answer to my question, so I would invite you to
supplement your answer in writing if you wish, because I value
your further comments.
Thank you, Mr. Chairman.
Mr. Duncan. If I may, Senator Blumenthal, I would emphasize
the fact that Gramm-Leach-Bliley is essentially guidance. It is
precatory language. It says you should, you ought to, something
like that. That differs quite a bit from the state laws that
have a mandate and a requirement.
We would favor a mandate and a requirement rather than
something that is merely precatory.
Senator Blumenthal. I was referring really to the
preemption model there.
Senator Moran. Senator Klobuchar had exceeded her time at
the earlier opportunity.
Senator Klobuchar. Oh, new kid on the block.
[Laughter.]
Senator Moran. Senator Blunt, any concluding comments?
Senator Blunt. In the great tradition of Senators, that is
what we are expected to do. I think actually Senator Daines has
followed up on the question that I had, but I want to ask one
more time.
Mr. Duncan a couple of different times has established a
matrix of what might go into a reasonable standard. Is there
anyone on the panel who is concerned about the Congress
pursuing, as we look at this issue, a reasonable standard sort
of along the lines that have been outlined as opposed to a
specific notification period?
Ms. Madigan. Are we talking about timeframe?
Senator Blunt. We are. Nobody is proposing that we should
include a specific timeframe in any law that we require
notification in.
Ms. Madigan. Senator, what I can tell you is the reasonable
timeframe such as what Illinois has, we have seen it abused.
The idea is that you would put in a specific deadline: within
the most expedient time, but in no circumstances less than, put
some sort of a line there. Or, as I said, it could be 6 months,
at which point your information is long gone. It has long been
purchased on the black market, and who knows what has been done
with it or what damage has been done to you.
You need to have further discussions about how do you try
to better define what the time line is going to be for
notification.
Senator Blunt. Anyone else?
[No response.]
Senator Blunt. Thank you.
Senator Moran. Thank you, Senator Blunt. To be bipartisan
in my admonition, Senator Daines also exceeded his time
allotment. I also note that Senator Klobuchar was very
effective in putting me in my place by saying something like
``the new kid on the block.''
Senator Klobuchar. Yes.
[Laughter.]
Senator Moran. We are delighted you all were here. We
appreciate the information that was conveyed to us.
The hearing record will remain open for two weeks. During
that time, Senators are asked to submit any questions for the
record.
Upon receipt of those questions, the witnesses are
requested to respond to the Committee as soon as possible.
I thank the witnesses again for their testimony, and I
conclude this hearing. We are adjourned. Thank you.
[Whereupon, at 11:39 a.m., the hearing was adjourned.]
A P P E N D I X
Prepared Statement of Stephen Orfei, General Manager, Payment Card
Industry Security Standards Council
The Payment Card Industry Security Standards Council (PCI Council)
thanks you for this opportunity to offer our insights toward national
legislation on data security and breach notification.
The PCI Council is an open global forum that is responsible for the
development, management, education, and awareness of the PCI security
standards, including the Data Security Standard (PCI DSS), Payment
Application Data Security Standard (PA-DSS), and PIN Transaction
Security (PTS) requirements. Founded in 2006, the PCI Council has 700
participating organizations representing merchants, banks, processors,
and vendors worldwide. Our mission of helping all stakeholders in the
payment card industry prevent breaches involving sensitive payment data
is led by the multi-industry leadership organization that exists to
keep the payment system safe. With our global collaboration of security
stakeholders, the PCI Council has created and maintains robust data
security standards designed to prevent breaches and keep consumers'
data safe. As part of these efforts, our organization regularly engages
stakeholders with certification programs, training courses and best
practice guidelines to help them meet new threats and improve
continuous processes required for securing payment card data.
Because PCI is the global forum for managing PCI security
standards, we are uniquely qualified to address the need for a security
standard in national data breach and notification legislation.
The complexity of computer, networking and electronic payment
technology offers tremendous opportunity for consumers, but also
creates an attractive opportunity for criminals to exploit
vulnerabilities in software and hardware. As we have seen in the recent
past, errors in system configurations, weak passwords, malicious
actions by insiders, or simple mistakes by anyone connected to
sensitive payment card data can lead to infiltration of networks that
lead to data breaches. At the PCI Council, we believe security results
from the right combination of people, processes and technology. There
is no silver bullet to protecting data, but instead it takes a multi-
layered approach to prevent breaches. Technical standards are but the
first step toward achieving data security.
We believe the Committee is correct in addressing the important
need for data security. The good news is that many security standards
already exist, are widely implemented at least on a partial basis, and
undergo regular enhancement to meet evolving threats. For example, the
National Institute of Standards and Technology's (NIST) Special
Publication 800-53 and other related standards are crucial for Federal
data security. The International Standard Organization's ISO 27000
family of security standards are used globally. The PCI Council's
portfolio of security standards for the global payment industry is
another example. The PCI DSS is our overarching data security standard,
collaboratively built on 12 principles that cover everything from
implanting strong access control, monitoring and testing networks, to
having an information security policy. All of these standards mentioned
share many common elements.
We urge the Committee to avoid recreating the wheel or conflicting
with existing security standards, and instead leverage the invaluable
work that is already used by organizations as practical frameworks for
data security.
It is true that despite the existence of security standards,
criminals have successfully breached some databases and stolen
sensitive data. But in the majority of cases, forensic investigations
show breaches are preventable--and result from improper implementation
of security standards. For example, in recent prominent retail
breaches, attackers used a relatively simple technique of inserting
malware onto vulnerable back-office computers, which then infiltrated
points-of-sale to steal payment card data. Breaches like these could
have been prevented by following prescriptions of security standards--
such as frequently scanning internal systems for out-of-date,
unprotected software and correcting those configurations. Cases like
these also illustrate why the PCI Council urges deployment and vigilant
ongoing monitoring of a wide range of best practice security
technologies used as ``defense in depth'' to backstop protection
against unpredictable threats.
With the ever evolving vectors of attack, businesses cannot assume
that passing a compliance evaluation at a point in the past will
protect their data in the future. Attackers are persistent and their
threats continue to evolve. Businesses must take prudent and reasonable
steps to keep their data security protocols up to date. This is true
whatever standard is used.
The PCI Council is deeply committed to helping payment card
industry stakeholders meet evolving threats and vigilantly defend
payment card data. As an example, the PCI Council welcomes the North
American payment industry's migration to ``EMV Chip'' technology, and
recognizes that transactions companies have been working towards the
adoption of EMV since 2011. The presence of an identifying integrated
circuit chip in each payment card will significantly reduce fraud in
card-present transactions. Based on global experience with EMV, we know
that after the U.S. transitions to this technology, fraud will migrate
to the card-not-present environment such as online or over the phone.
Accordingly, the best defense for protecting payment card data is a
multi-layered combination of EMV Chip and new technologies that take
sensitive account data out of harm's way, coupled with implementing PCI
standards.
The new technologies, including encryption and tokenization, are
intended to ``devalue'' stolen payment card data throughout the payment
system by scrambling the sensitive data and making it unusable to a
data thief. Making systemic changes like these take time and investment
while technologies are in their infancy, however, so until then,
organizations that store, transmit or process payment card data must be
vigilant 24/7 in monitoring their implementations of PCI standards.
The Committee's work will help bolster our stakeholders' vigilance
by having the Federal government facilitate sharing security
information with the private sector. We are encouraged by the
possibility of other deterrents to data breaches such as increasing
penalties for cybercrimes, and negotiating cybercrime treaties with key
foreign nations.
The PCI Council welcomes the opportunity to work with the Committee
and Congress as it considers emerging data security, breach
notification, cybersecurity and privacy legislation.
______
Response to Written Questions Submitted by Hon. Roy Blunt to
Cheri F. McGuire
Question 1. Today, there are 51 different laws dealing with breach
notification, and another 12 dealing with security requirements--with
even more states considering new laws, or changing their existing laws.
Given this trend, do you think Federal data breach legislation
should include a clear national standard for both data security and
breach notification?
Answer. Yes. A clear national standard would provide clarity for
consumers, businesses, and advocacy groups. In the current environment,
organizations have to comply with myriad and sometimes conflicting
standards. This adds cost and complexity for the organizations, and can
lead to confusion among consumers because they can receive multiple--
but different--notifications after a breach. This serves no one's
interest. A Federal standard should apply equally to the private sector
and the government--it should cover all entities that collect,
maintain, or sell significant numbers of records containing sensitive
personal information. It should also seek to minimize the likelihood of
a breach by pushing organizations to take reasonable security measures
to ensure the confidentiality and integrity of sensitive personal
information. This would also lower the cost of an event as studies have
shown that breaches are less costly for companies that were proactive
in applying security. Finally, any notification scheme should recognize
that state-of-the-art encryption renders data unreadable, which in turn
will minimize ``false positives''- notices to individuals who are later
shown not to have been impacted by a breach because their data was
rendered unusable before it was stolen.
Question 2. Do you think the 51 different breach notification laws
create confusion for consumers--especially for those who move, travel
frequently, or live in an area where they shop and work across state
lines?
Answer. Yes. As noted above, existing standards can proscribe
different forms of notices and require notification in different
situations. As a result, a consumer could receive multiple, different
breach notices from one company, or hear conflicting reports as to
whether a breach actually happened because the standard was met in one
state but not in another. Breaches and risk of identity and credit card
theft are confusing enough as it is; no one is served by conflicting
rules and laws that send mixed messages to potential victims.
______
Response to Written Questions Submitted by Hon. Roy Blunt to
Mallory B. Duncan
Question 1. Today, there are 51 different laws dealing with breach
notification, and another 12 dealing with security requirements--with
even more states considering new laws, or changing their existing laws.
Given this trend, do you think Federal data breach legislation
should include a clear national standard for both data security and
breach notification?
Answer. The Federal Trade Commission (FTC) enforces a general
reasonableness standard with respect to data security within the
confines of the existing ``unfair'' and ``deceptive'' prongs of Section
5 of the FTC Act. The commission's unfair and deceptive standards have
worked for commercial law enforcement because they are broad enough to
encompass an array of businesses and practices, and because they are
implemented through the commission's consent decree authority--which
allows for the clarification of requirements over time, without unduly
penalizing businesses exposed to novel or developing requirements.
If section 5 were amended to include a comparably broad requirement
to maintain ``reasonable data security,'' without more, and were
coupled with existing cease and desist enforcement authority, it would
have a similarly positive effect of advancing data security without
exposing them to penalties for unanticipated, evolving risks. If this
were also coupled with the very robust notice requirements that we have
testified in favor of, that would be something that might work well.
Conversely, if the legislation were to establish a multi-factor
data security standard--similar in nature to the Gramm-Leach-Bliley Act
(GLBA) data security guidelines--for businesses which are subject to
FTC jurisdiction, this would exponentially increase the likelihood of
the businesses being found at fault for a data breach despite having
overall reasonable data security standards, because the FTC would
potentially only need to find unreasonableness as to any one of the
factors in order to claim a violation of the Act.
As the FTC has found previously, a multi-factor test is appropriate
under GLBA guidelines for more sophisticated entities such as financial
institutions because they routinely have much broader sets of the most
sensitive personal and financial customer information in digitized
form, which presents security risks and vulnerabilities not evident in
most unregulated commercial businesses with much narrower data sets
that typically contain less sensitive customer information.
Additionally, financial institutions are subject to an examination
process in which they work with bank examiners to develop a security
plan that is in compliance with their guidance.
As discussed in detail in my written testimony, the FTC does not
have staff or processes capable of providing this guidance process to
every business under its jurisdiction, and entities subject to its
jurisdiction may only become aware of the possibility of being in non-
compliance with an FTC-enforced standard when they are under
investigation. Under its broad jurisdiction, FTC enforcement of a
multi-factor test would apply to every non-financial institution in the
country, including not only retailers, but hotels, bars and
restaurants, theaters, auto dealers, gas stations, grocery and
convenience stores, fast-food eateries, airlines and others in the
travel industry, hospitals and doctors, dentists, veterinarians, hair
salons, gyms, dry cleaners, plumbers and taxi drivers. These businesses
do not have the staff to determine up-front whether they could survive
a mult-factor test. Virtually every unregulated business in the U.S.
economy that provides goods or services to American consumers. Imposing
Banking regulatory standards on these unregulated businesses, to be
enforced by the FTC in a non-examination process, would be an
unprecedented expansion of FTC authority comparable to what the
commission attempted to accomplish with its ``red flags'' rule, before
congress was forced to intervene.
Question 2. Do you think the 51 different breach notification laws
create confusion for consumers--especially for those who move, travel
frequently, or live in an area where they shop and work across state
lines?
Answer. Yes. We have reached the point where these laws not only
require different notification standards, but many suffer from a flawed
rule that leads to over-notification. Specifically, the third-party
entity rules in state breach laws do not require those entities to
provide notification to affected consumers when they are breached. As
further explained in my written testimony, to have an effective breach
law, these ``notice holes'' must be closed. This is a position that the
retail industry has successfully conveyed to, and favorably recognized,
by certain State AGs. For example, a payment processor who works with
multiple merchants could, under many state laws, fulfill its
obligations by requiring dozens of merchants to bear the burden of
providing varying notices to the same consumers for the processor's
single breach. Such a rule does not provide effective notice to
consumers; rather, it results in likely over-notification and confusion
as consumers receive multiple and differing notices about the same
breach from entities that did not suffer the breach.
The most effective and timely consumer notice would result from a
nationwide standard that requires all breached entities--including all
breached third-party entities--to provide public notice, either
directly to the affected consumers or via a substitute notification
procedure where they make the breach publicly known through widely
distributed media and other acceptable means. Some flexibility should
be provided to respect contractual arrangements between third-party
contractors and those that hire them regarding the most effective
notice, but the general rule should clearly place the burden for
requiring notice and any potential liability for the breach on the
breached entity.
This threat of making public disclosure has proven to be a powerful
incentive to companies to improve their data security standards. A
Federal bill that preempts state laws has the opportunity to close the
problematic notice holes that exist in state laws for third-party
entities and provide not only more robust notification--leading to
greater consumer protection and awareness of data breaches that may
cause financial harm--but also create ``skin in the game'' for all
entities so that they place greater emphasis on, and investment in,
improving data security for the most sensitive data.
______
Response to Written Questions Submitted by Hon. Jerry Moran to
Doug Johnson
Question 1. During the hearing, a statement was made saying that
``three times more data breaches occur at financial institutions than
at retailers'' citing a report by Verizon. Will you please share your
analysis of this data provided in the referenced Verizon report?
Answer. The Identity Theft Resource Center has compiled a list of
all publicly reported breaches in the United States and shows that
banks accounted for only 5.5 percent of all breaches in 2014. Other
businesses accounted for 33 percent. Retailer groups continue to cite
the Verizon report on data breach statistics as a way to distract
policymakers regarding the primary focus of data security breaches, but
the inconvenient truth is that this Verizon report is based on an
international sample of breaches as opposed to an actual compilation of
all publicly reported breaches in the United States.
Question 2. In some of the testimony, it was stated that one cause
of the major breaches at Target and Home Depot, and perhaps similar
breaches, was an ``easily forged signature.'' From your perspective,
what other causes have you identified as contributors to these
breaches?
Answer. Forged signatures were not a cause in the Target, Home
Depot, or any similar breach. The major cause of these breaches were
the insecure point of sale systems used by these retailers. Bank
customer credit and debit card numbers would not have been breached if
these systems had not been vulnerable to POS malware. The card numbers
also would not have been breached if Target had properly segregated its
POS system from an invoicing system that Fazio Mechanical Services, a
vendor to Target, had access to. When Fazio Mechanical was compromised
with malicious software it gave the criminals a direct tunnel to
Target's POS system, which allowed the criminals to install additional
malicious software on that system.
Question 3. As lawmakers consider a national data breach
notification standard, it has been suggested that some industries
should have an exception because they are governed by other breach
laws. What are the pros and cons of creating an exemption for financial
institutions? Is it possible that a Gramm-Leach-Bliley Act exemption
would create ``notice holes'' where consumers would not receive notices
of breaches at banks and other financial institutions?
Answer. A Gramm-Leach-Bliley Act (GLBA) exemption from a national
breach notification standard, rather than creating a ``notice hole,''
is appropriate in that we recommend any national standard imposed on
other industries should be consistent with GLBA.
As we enact a national data breach requirement, some industries--
including the financial industry--are already required by law to
develop and maintain robust internal protections to combat and address
criminal attacks, and are required to protect consumer financial
information and notify consumers when a breach occurs within their
systems that will put their customers at risk.
Title V of GLBA requires banks to implement a ``risk-based''
response program to address instances of unauthorized access to
customer information systems. At a minimum, a response program must:
1. Assess the nature and scope of any security incident and identify
what customer information systems and customer information may
have been accessed or misused;
2. Notify the institution's primary Federal regulator ``as soon as
possible'' about any threats ``to sensitive customer
information.''
3. Notify appropriate law enforcement authorities and file
Suspicious Activity Reports in situations involving Federal
criminal violations requiring immediate attention;
4. Take appropriate steps to contain the incident to prevent further
unauthorized access to or use of customer information, and
5. Notify customers ``as soon as possible'' if it is determined that
misuse of customer information has occurred or is reasonably
possible.
A critical component of the GLBA guidelines is customer
notification. When a covered financial institution becomes aware of a
material breach of ``sensitive customer information,'' it must conduct
a reasonable investigation to determine whether the information has
been or can be misused. If it determines that misuse of the information
``has occurred or is reasonably possible,'' it must notify affected
customers ``as soon as possible.''
Under GLBA, sensitive customer information includes the customer's
name, address or telephone number in conjunction with the customer's
Social Security number, driver's license number, credit card, debit
card or other account number or personal identification number.
Sensitive customer information also includes any combination of
components of customer information that would allow someone to log onto
or access the customer's account, such as user name and password.
A covered financial institution must also provide a clear and
conspicuous notice. The notice must describe the incident in general
terms and the type of customer information affected. It must also
generally describe the institution's actions to protect the information
from further unauthorized access and include a telephone number. The
notice also must remind customers to remain vigilant over the next 12
to 24 months and to promptly report incidents of suspected identity
theft to the institution.
Where appropriate, the notice also must include:
1. Recommendation to review account statements immediately and
report suspicious activity;
2. Description of fraud alerts and how to place them;
3. Recommendation that the customer periodically obtain credit
reports and have fraudulent information removed;
4. Explanation of how to receive a free credit report; and
5. Information about the FTC's identity theft guidance for
consumers.
In summary, rather than creating a notice hole, we believe the
extensive breach reporting requirements currently in place for banks
provide an effective basis for any national data breach reporting
requirement for businesses generally.
Question 4. Do you think requiring the use of PINs on payment
transactions is the best solution for addressing the data breach
problem? What aspects of the increased use of PIN technology would be
helpful in preventing future data breaches? In your estimation, are
there drawbacks to increasing PIN use? Please share any additional
insight on the use of PIN technology that you feel may be useful to the
Committee as it explores data breach prevention. Also, please comment
on new and emerging payment technologies and potential security
advantages or vulnerabilities.
Answer. The fact is that attackers are becoming increasingly adept
at defeating cybersecurity practices and mitigating measures points to
the need for industry to develop and deploy enhanced measures on an
ongoing basis with greater speed. Rather than adopting static number
PIN technology, we intend to focus on taking static numbers out of the
payment system entirely.
Eliminating the use of static numbers altogether for debit and
credit card purchases is a very important next step in protecting our
payment system and the consumers that use it. Finding ways to keep
consumers from having to remember static numbers, letters or symbols in
order to authenticate themselves when conducting a financial or other
sensitive transaction was a primary focus at the recent White House
Summit on Cybersecurity and Consumer Protection. For instance:
Ajay Banga, President and CEO, MasterCard: ``What I have
learned from my consumer customers is that they want two clear
things aside from safety and security--one is to stop making me
remember things to prove I am who I am. Because there are too
many things to remember.''
Richard Davis, Chairman and CEO, U.S. Bank: ``Our job is
really a lot of financial literacy to help people understand
how to protect themselves better . . . not putting a piece of
tape on the back of your debit card or credit card and writing
your PIN on it.''
Chuck Scharf, CEO, Visa: We can talk all we want about
methods of authentication . . . but the fact is if card numbers
are flying around even though there is zero liability it's not
something the consumer wants to go through . . . We are working
with people across the payment ecosystem to figure out where we
can get rid of those account numbers, so if there is a
compromise, which there always will be because the bad guys are
steps ahead as hard as we all try, the compromise does not have
the effect it has today.''
These comments point to the fact that payment security is a dynamic
challenge that requires a like response, and that there is no single
solution that will eliminate payment fraud. Locking in any static
technology provides a roadmap to attackers, telling them where to focus
their attacks. Tokenization replaces sensitive consumer account
information at the register or online with a random ``token,''
rendering any static information associated with the transaction
useless to criminals, and thus shows great promise.
______
Response to Written Questions Submitted by Hon. Roy Blunt to
Doug Johnson
Question 1. Today, there are 51 different laws dealing with breach
notification, and another 12 dealing with security requirements--with
even more states considering new laws, or changing their existing laws.
Given this trend, do you think Federal data breach legislation
should include a clear national standard for both data security and
breach notification?
Answer. Although some of these laws are similar, many have
inconsistent and conflicting standards, forcing businesses to comply
with multiple regulations and leaving many consumers without proper
recourse and protections. Inconsistent state laws and regulations
should be preempted in favor of strong Federal data protection and
notification requirements. In the event of a breach, the public should
be informed where it occurred as soon as reasonably possible to allow
consumers to protect themselves from fraud.
We believe that the following set of principles should serve as a
guide when drafting legislation to provide stronger protection for
consumer financial information:
1. Inconsistent state laws and regulations should be preempted in
favor of strong Federal data protection and notification
standards.
2. Strong national data protection and consumer notification
standards with effective enforcement provisions must be part of
any comprehensive data security regime, applicable to any party
with access to important consumer financial information.
3. Requirements for industries that are already subject to robust
data protection and notification requirements must be
recognized.
4. In the event of a breach, the public should be informed where it
occurred as soon as reasonably possible to allow consumers to
protect themselves from fraud. The business with the most
direct financial relationship with affected consumers should be
able to inform their customers and members about information
regarding the breach, including the entity at which the breach
occurred.
5. The costs of a data breach should ultimately be borne by the
entity that incurs the breach.
Our existing national payments system serves hundreds of millions
of consumers, retailers, banks, and the economy well. It only stands to
reason that such a system functions most effectively when it is
governed by a consistent national data breach policy.
Question 2. Do you feel the standards and guidance under Gramm-
Leach-Bliley provide necessary security, but with flexibility for
organizations of different size and complexity? If so, can you
elaborate why?
Answer. Effective data protection requirements are scalable. For
instance, bank regulations, through GLBA, recognize that the level of
risk to customer data varies significantly across banks. Large banks
require continual, on-site examination personnel, while community-based
institutions are subject to periodic information security examinations.
Data security is also an ongoing process as opposed to the state or
condition of controls at a point in time.
As opposed to proscribing specific technological security
requirements, GLBA and the associated bank regulatory requirements are
risk and governance-based. Bank security programs are required to have
``strong board and senior management level support, integration of
security activities and controls throughout the organization's business
processes, and clear accountability for carrying out security
responsibilities.''
Question 3. Hackers seem to be getting more sophisticated by the
day, and I imagine we expect even more attacks and perhaps more
successful ones in the future. If that is the case doesn't it make
sense to do everything possible to protect consumer personal and
financial data? Do you think Federal data security standards applicable
to all players in the payments process would help and if so why?
Answer. Any legislation focused on creating a national standard for
breach notification should also include a complementary national data
security standard for covered entities. If Congress does not address
data security standards now it misses the opportunity to instill a
greater overall level of data security protections for consumers.
Because the payment system is by definition a network, every
business within that network must share in the responsibility to
protect consumers and should have to abide by a data security standard.
With that responsibility should also come the requirement for that
business, whether it be a bank, merchant, third party processor or
other entity, to bear the costs for any breach they incur.
Question 4. A number of states have enacted data protection and
consumer notification laws. However, I also understand that these
provisions can vary from state to state. Is your industry currently
covered by any Federal law that requires consumer financial and
personal data to be protected? Are there other industries that are not
covered by Federal data protection and consumer notification standards?
Answer. Yes, Title V of GLBA requires banks to implement a ``risk-
based'' response program to address instances of unauthorized access to
customer information systems. At a minimum, a response program must:
1. Assess the nature and scope of any security incident and identify
what customer information systems and customer information may
have been accessed or misused;
2. Notify the institution's primary Federal regulator ``as soon as
possible'' about any threats ``to sensitive customer
information.''
3. Notify appropriate law enforcement authorities and file
Suspicious Activity Reports in situations involving Federal
criminal violations requiring immediate attention;
4. Take appropriate steps to contain the incident to prevent further
unauthorized access to or use of customer information, and
5. Notify customers ``as soon as possible'' if it is determined that
misuse of customer information has occurred or is reasonably
possible.
As already noted, the GLBA also contains a set of scalable data
security standards. The retail industry currently does not currently
have a similar set of Federal requirements. The legal, regulatory,
examination and enforcement regime regarding banks ensures that banks
robustly protect American's personal financial information. We believe
that this regime provides an appropriate, scalable model for other
businesses entrusted with sensitive customer financial and other
information.
______
Response to Written Questions Submitted by Hon. Roy Blunt to
Yael Weinman
Question 1. Today, there are 51 different laws dealing with breach
notification, and another 12 dealing with security requirements--with
even more states considering new laws, or changing their existing laws.
Given this trend, do you think Federal data breach legislation
should include a clear national standard for both data security and
breach notification?
Answer. ITI supports a breach notification bill that preempts state
notification requirements consistent with our breach notification
principles (previously submitted for the record and attached hereto).
It is critically necessary to replace the existing 51 state and
territory notification laws with one national framework. While ITI does
not seek a national data security requirement in such a bill, we would
not oppose a bill that includes a reasonable and technology-neutral
data security requirement that is appropriate to a company's size and
complexity, the nature and scope of its activities, and the sensitivity
of the data held, and that preempts existing and future state data
security requirements.
Question 2. Do you think the 51 different breach notification laws
create confusion for consumers--especially for those who move, travel
frequently, or live in an area where they shop and work across state
lines?
Answer. Consistency in notices would reduce consumer confusion that
may result from the variances of the method of data breach
notifications, the content of such notifications, and the circumstances
of such notification. In addition, consistency would also reduce
confusion for businesses--particularly smaller e-commerce businesses--
as to how and when to notify their customers who reside in different
states, each requiring a different type or content for notification and
under differing circumstances.
[all]
This page intentionally left blank.
This page intentionally left blank.
This page intentionally left blank.