[Senate Hearing 114-78]
[From the U.S. Government Publishing Office]


                                                         S. Hrg. 114-78
 
                   GETTING IT RIGHT ON DATA SECURITY
                  AND BREACH NOTIFICATION LEGISLATION
                         IN THE 114TH CONGRESS

=======================================================================

                                HEARING

                               BEFORE THE

                  SUBCOMMITTEE ON CONSUMER PROTECTION,
                       PRODUCT SAFETY, INSURANCE,
                           AND DATA SECURITY

                                 OF THE

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            FEBRUARY 5, 2015

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation
                            U.S. GOVERNMENT PUBLISHING OFFICE
96-892 PDF                       WASHINGTON : 2015                                 
       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                   JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi         BILL NELSON, Florida, Ranking
ROY BLUNT, Missouri                  MARIA CANTWELL, Washington
MARCO RUBIO, Florida                 CLAIRE McCASKILL, Missouri
KELLY AYOTTE, New Hampshire          AMY KLOBUCHAR, Minnesota
TED CRUZ, Texas                      RICHARD BLUMENTHAL, Connecticut
DEB FISCHER, Nebraska                BRIAN SCHATZ, Hawaii
JERRY MORAN, Kansas                  EDWARD MARKEY, Massachusetts
DAN SULLIVAN, Alaska                 CORY BOOKER, New Jersey
RON JOHNSON, Wisconsin               TOM UDALL, New Mexico
DEAN HELLER, Nevada                  JOE MANCHIN, West Virginia
CORY GARDNER, Colorado               GARY PETERS, Michigan
STEVE DAINES, Montana
              David Schwietert, Republican Staff Director
              Nick Rossi, Republican Deputy Staff Director
               Rebecca Seidel, Republican General Counsel
           Jason Van Beek, Republican Deputy General Counsel
                 Kim Lipsky, Democratic Staff Director
              Chris Day, Democratic Deputy Staff Director
       Clint Odom, Democratic General Counsel and Policy Director
                                 ------                                

  SUBCOMMITTEE ON CONSUMER PROTECTION, PRODUCT SAFETY, INSURANCE, AND 
                           DATA SECURITY \1\

JERRY MORAN, Kansas, Chairman        RICHARD BLUMENTHAL, Connecticut, 
ROY BLUNT, Missouri                      Ranking
TED CRUZ, Texas                      CLAIRE McCASKILL, Missouri
DEB FISCHER, Nebraska                AMY KLOBUCHAR, Minnesota
DEAN HELLER, Nevada                  EDWARD MARKEY, Massachusetts
DAN SULLIVAN, Alaska                 CORY BOOKER, New Jersey
CORY GARDNER, Colorado               TOM UDALL, New Mexico
STEVE DAINES, Montana


  

    \1\ On March 3, 2015 the Committee finalized Member assignments for 
its subcommittees. The list below reflects March 3, 2015 assignments. 
When this hearing was held, on February 5, 2015, formal assignments had 
not yet been made.
                            C O N T E N T S

                              ----------                              
Hearing held on February 5, 2015
Statement of Senator Moran
Statement of Senator Blumenthal
Statement of Senator Fischer
Statement of Senator Schatz
Statement of Senator Blunt
Statement of Senator Thune
Statement of Senator Klobuchar
Statement of Senator Daines

                               Witnesses

Cheri F. McGuire, Vice President, Global Government Affairs and 
  Cybersecurity Policy, Symantec Corporation
    Prepared statement
Mallory B. Duncan, General Counsel and Senior Vice President, 
  National Retail Federation
    Prepared statement
Ravi Pendse, Ph.D., Vice President and Chief Information Officer, 
  Brown University, Cisco Fellow, Professor of Practice, Computer 
  Science and Engineering
    Prepared statement
Doug Johnson, Senior Vice President and Senior Advisor for Risk 
  Management Policy, American Bankers Association
    Prepared statement
Hon. Lisa Madigan, Attorney General, State of Illinois
    Prepared statement
Yael Weinman, Vice President, Global Privacy Policy and General 
  Counsel, Information Technology Industry Council (ITI)
    Prepared statement

                                Appendix

Stephen Orfei, General Manager, Payment Card Industry Security 
  Standards Council, prepared statement
Response to written questions submitted by Hon. Roy Blunt to:
    Cheri F. McGuire
    Mallory B. Duncan
Response to written questions submitted to Doug Johnson by:
    Hon. Jerry Moran
    Hon. Roy Blunt
Response to written questions submitted by Hon. Roy Blunt to:
    Yael Weinman


                   GETTING IT RIGHT ON DATA SECURITY
                  AND BREACH NOTIFICATION LEGISLATION
                         IN THE 114TH CONGRESS

                              ----------                              


                       THURSDAY, FEBRUARY 5, 2015

                               U.S. Senate,
      Subcommittee on Consumer Protection, Product 
              Safety, Insurance, and Data Security,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10 a.m. in 
room SR-253, Russell Senate Office Building, Hon. Jerry Moran, 
presiding.
    Present: Senators Moran [presiding], Thune, Blunt, Fischer, 
Daines, Klobuchar, Blumenthal, and Schatz.

            OPENING STATEMENT OF HON. JERRY MORAN, 
                    U.S. SENATOR FROM KANSAS

    Senator Moran. As I indicated, this is the first 
subcommittee hearing I have chaired in 8 years in Congress, and 
I was nervous, apparently nervous enough not to turn on the 
microphone.
    We look forward to being educated and getting a good 
understanding. First, I want to thank my colleagues and their 
level of interest in this important topic. I would also like to 
thank, as I said, our witnesses for joining us today. Expertise 
is important to us as Members of Congress, and unfortunately, 
this is a very timely topic.
    The purpose of this hearing is in many ways somewhat 
narrow: it is to examine the merits of the Federal data 
security standard and the need for preemptive and uniform 
Federal data breach notification.
    We all know we live in a digital world where consumers have 
embraced online products and services. Kansans, my folks at 
home, they know they can make purchases, determine their credit 
score, conduct banking and examine health care plans all from a 
mobile phone, computer, or a tablet. That is true of consumers 
across the country and increasingly around the globe.
    This digital economy creates new risks. In a world where 
one bad actor can battle against a team of highly trained 
experts, we face challenges to make certain that consumers are 
protected and that businesses have the tools and incentives to 
protect their customers from harm.
    For more than a decade, Congress, the Commerce Committee in 
particular, has been contemplating issues surrounding data 
security and data breach notification.
    In 2004, the Committee held its first congressional hearing 
to examine the high profile breach of ChoicePoint, a data 
aggregation firm. This breach forced the first of many 
conversations here in Congress, and today, we continue that 
dialogue.
    Recent high profile data breaches as well as the headline 
grabbing Sony cyberattack from late last year are the latest 
examples that highlight the ongoing and serious cyber threats 
that face Americans and businesses.
    Just this morning, we woke up to news of what experts are 
calling the largest health care breach to date. This time, the 
cyber criminals were able to infiltrate the nation's second 
largest health insurer to steal names, birth dates, medical 
I.D.'s, Social Security numbers, street addresses, e-mail 
addresses, and employment information, including income data.
    These high profile breaches are the most severe of what 
have become a common occurrence in our digital society. As of 
2015, the Privacy Rights Clearinghouse has estimated more than 
4,400 breaches involving more than 932 million records that 
have been made public since 2005.
    The Verizon 2014 data breach investigation report reviewed 
more than 63,000 security incidents and found 1,367 confirmed 
data breaches in 2013. On average, that is just shy of four 
breaches every day.
    While Congress has developed sector specific data security 
requirements for both financial institutions and companies that 
handle particular types of health information, Congress has 
been unable to reach consensus on the development of national 
data security and data breach notification standards.
    As a result, states have taken on this task by developing 
their own standards and as of today, businesses are subjected 
to a patchwork of over 50 different state, district, and 
territory laws that determine how businesses must notify 
consumers in the event of a breach. In addition, 12 states have 
enacted laws regarding data security practices.
    The need for Federal action becomes clearer each day. Last 
month President Obama voiced his support for national data 
breach notification legislation with strong preemptive language 
in part because he recognizes the benefits to American 
consumers and businesses of a predictable uniform data breach 
notice.
    The President's support along with bipartisan and bicameral 
congressional interest has renewed optimism among stakeholders 
that Congress can develop a balanced and thoughtful approach 
with legislation in the near term.
    Today, we will focus our attention on some of the key 
questions and topics of this debate, including: What are the 
benefits of a national data breach notification standard? 
Should Congress implement a basic data security standard? To 
whom should that standard apply? Should the Federal standard 
preempt state standards?
    What should be the trigger for notification? Specific 
conditions that represent a potential harm to consumers? Should 
there be exemptions and safe harbors, and if so, for whom and 
in what circumstances? Within what time frame should a company 
be required to notify consumers?
    Should Congress enact new or stronger penalties for 
enforcement authorities and remedies? What lessons can we learn 
from states that have implemented their own data breach 
notification standards?
    I am confident that our panel with its expertise can share 
valuable insight into those questions and others that the 
Committee members may have, and help us find the right balance 
to these issues.
    I would like to recognize the Subcommittee's Ranking 
Member, Senator Blumenthal, for him to deliver his opening 
statement, and I would indicate to Senator Blumenthal here in 
public as we have in private, that I look forward to working 
very closely with you in a very thoughtful and bipartisan way 
to see that our Subcommittee accomplishes good things for the 
country.

             STATEMENT OF HON. RICHARD BLUMENTHAL, 
                 U.S. SENATOR FROM CONNECTICUT

    Senator Blumenthal. Thank you. First of all, my thanks to 
Senator Moran for his leadership, and in a very bipartisan way, 
for reaching out to me and also convening this subcommittee on 
a critically important topic. I really look forward to his 
continued insight and very thoughtful leadership on consumer 
protection issues. I am proud to serve as the Ranking Member of 
this very important subcommittee.
    I have served on this subcommittee for two years now. It is 
critical to consumer issues that affect everyday Americans. We 
have delved into the General Motors' recall and the deadly 
Takata airbags.
    Today, the issue of data breach is no less central to 
American lives, even if it seems somewhat less spectacular. 
2014 was known as the year of the data breach. The importance 
of this issue was brought home, as Senator Moran said, just 
this morning when we read about the Anthem breach, which is 
absolutely breathtaking in its scope and scale.
    It is not only breathtaking but mind-bending in its extent 
and potential impact, and it is potentially heartbreaking for 
consumers who may be affected, not only birthdays, addresses, 
e-mail and employment information, but also Social Security 
numbers and income data were taken from Anthem, and 
potentially, although the company has said there is no evidence 
of it so far, critical health information.
    This breach comes after J.P. Morgan indicated a loss of 
personal information to hackers of about 83 million households.
    Of course, in November, hackers who, the United States 
Government has said, had ties to the North Korean government 
orchestrated a disruptive attack on Sony. The Sony attack would 
be comedy, but it is literally no laughing matter to other 
businesses, including financial institutions on Wall Street, 
health insurers and others whose vital data may be taken.
    To quote the FBI Agent in New York, Leo Taddeo, who 
supervises the Cyber and Special Operations Division, ``We are 
losing ground in the battle with hackers.''
    In December 2013, we first learned about Target's data 
breach, which affected credit card information and personal 
contact information for as many as 110 million consumers.
    The point here is that these losses of data are not only 
losses to these companies; they are potentially life changing 
losses to consumers. Target, J.P. Morgan, and Anthem failed not 
only the companies, but they failed their customers and 
consumers when these data breaches occurred.
    This fact of life is more than the cost of doing business 
for these companies. It is an invasion of their privacy. It is 
an invasion of consumer privacy, potentially theft of identity 
and personal assets.
    The billions of dollars that could have been saved by 
consumers, creditors, banks, and others if companies and 
universities who were collecting sensitive data spent money and 
resources on better protecting that information is one of the 
facts that brings us here today.
    As Attorney General, I brought a number of enforcement 
cases against companies that violated Connecticut's data breach 
law. I worked with my colleagues, including Lisa Madigan, who 
is here today, and I express special appreciation to her for 
her great work in this area, and I worked with Kelly Ayotte, 
who is now a colleague.
    This issue is hardly a partisan one. In fact, it is 
distinctly bipartisan, involving stronger protections for 
sensitive consumer data, and we recognize the states as 
laboratories of democracy and the great work they have done in 
this area.
    Let me just conclude by saying I think we have a lot of 
work that needs to be done, a lot of good work that should be 
done, but one guiding principle is: first do no harm. That is, 
do no harm to the state protections and state enforcers who 
every day are seeking to protect their citizens from the 
scourge and spreading problem of data theft. In order for 
consumers to trust retailers, banks, and online sales, they 
need to know their data is secure without abuse, whether they 
are shopping online or at a bricks and mortar store.
    Consumers expect retailers collecting their sensitive 
personal information will do everything in their power to 
protect that data. That is a reasonable expectation. They have 
a right to expect better than they are now receiving from 
retailers, companies, insurers, banks, all of the institutions, 
including universities and non-profits that increasingly have 
the coin of the realm, which is data about consumers.
    Thank you, Mr. Chairman.
    Senator Moran. Thank you, Senator Blumenthal. We now will 
turn to our witnesses. With us today is Ms. Cheri F. McGuire. 
She is Vice President of Global Government Affairs and 
Cybersecurity Policy for Symantec Corporation.
    Mr. Mallory Duncan, Senior Vice President and General 
Counsel of the National Retail Federation.
    Dr. Ravi Pendse, who is the Chief Information Officer at 
Brown University, but easier for me to say Wichita State 
University, his previous employer.
    Ms. Yael Weinman, Vice President for Global Privacy and 
General Counsel, Information Technology Industry Council.
    The Honorable Lisa Madigan, the Attorney General of the 
State of Illinois, and finally, Mr. Doug Johnson, Senior Vice 
President and Senior Advisor for Risk Management Policy, Office 
of the Chief Economist of the American Bankers Association.
    Ms. McGuire, let's begin with you.

          STATEMENT OF CHERI F. McGUIRE, VICE PRESIDENT,
           GLOBAL GOVERNMENT AFFAIRS AND CYBERSECURITY
                   POLICY, SYMANTEC CORPORATION

    Ms. McGuire. Thank you so much, Chairman Moran, Ranking 
Member Blumenthal, and members of the Subcommittee. Thank you 
for the opportunity to testify today on this very important 
issue.
    As the largest security software company in the world, 
Symantec's global intelligence network is made up of millions 
of sensors that give us a unique view of the entire Internet 
threat landscape.
    As we all have seen, even as of this morning, the recent 
headlines about cyber attacks have focused mostly on data 
breaches across a spectrum of industries. These network 
intrusions that result in stolen data have deep and profound 
impacts for the individuals who must worry about and clean up 
their identities, for the organizations whose systems have been 
penetrated, and for the governments trying to establish the 
right notification policies as well as deter and apprehend the 
perpetrators.
    The magnitude of threats to personally identifiable 
information is unprecedented. Over just the past 2 years alone, 
the number of identities exposed through network breaches is 
approaching one billion. Those are just the ones we know about.
    While many assume breaches are the result of sophisticated 
malware or a well-resourced state actor, the reality is much 
more troubling. According to a recent report from the Online 
Trust Alliance, 90 percent of last year's breaches could have 
been prevented if organizations implemented basic cybersecurity 
best practices.
    While the focus on data breaches and the identities put at 
risk is certainly warranted, we also must not lose sight of the 
other types of cyber attacks that are equally concerning and 
can have dangerous consequences.
    There are a wide set of tools available to the cyber 
attacker, and the incidents we see today range from basic 
confidence schemes to massive denial of service attacks to 
sophisticated and potentially destructive intrusions into 
critical infrastructure systems.
    The attackers, of course, run the gamut and include highly 
organized criminal enterprises, disgruntled employees, 
individual cyber criminals, so-called ``hacktivists,'' and 
state-sponsored groups.
    While the continuing onslaught of data breaches is well 
documented, what seems to get less attention are the causes of 
data breaches and what can be done to prevent them. Targeted 
attacks are the single largest cause, most of which rely on 
social engineering, or in simple terms, tricking people into 
doing something they would not do if fully aware of the 
consequences of their actions.
    Last year, nearly 60 percent of data breaches occurred 
through network intrusions by unauthorized users. Another major 
cause is a lack of basic computer hygiene practices. While good 
security will stop most of these attacks, which often seek to 
exploit older known vulnerabilities, many organizations do not 
have up-to-date security or patch systems, do not make full use 
of the security tools available to them, or have security 
unevenly applied throughout their enterprise.
    What can we do? Cybersecurity is about managing risk; 
assessing one's risk and developing a plan is essential. For 
organizations, there are many guidelines including, as you 
discussed yesterday, the NIST Cybersecurity Framework, the FCC 
guidelines for small businesses, the Online Trust Alliance data 
protection and breach readiness guide, and many others.
    For the individual, we provide resources for managing 
online security to our Norton customers, and the FTC and others 
have many tips available on their websites. In fact, just this 
week the SEC published best practices for individual investors 
to secure their online accounts. In short, there is no shortage 
of available resources.
    Strong security should include intrusion protection, 
reputation based security, behavioral based blocking, data 
encryption, backups, and data loss prevention tools. While the 
criminals' tactics are constantly evolving, basic cyber hygiene 
is still the simplest and most cost effective first step.
    Turning to the policy landscape, Symantec supports, as you 
said, Chairman Moran, a balanced and thoughtful national 
standard for data breach notification built on three 
principles.
    First, the scope of any legislation should apply equally to 
all entities that collect, maintain, or sell significant 
numbers of records containing sensitive personal information. 
This covers both the Government and private sector.
    Second, implementing pre-breach security measures should be 
central to any legislation. New legislation should not simply 
require notifications of consumers in case of a breach, but 
should seek to minimize the likelihood of a breach in the first 
place.
    Third, encryption or other proven security measures that 
render data unreadable and unusable at rest or in transit 
should be a key element to establish the risk based threshold 
for notification. This limits the burden for both consumers and 
for the breached organizations.
    At Symantec, we are committed to improving online security 
across the globe, and we will continue to work collaboratively 
with our partners on ways to do so.
    Thank you again for the opportunity to testify today, and I 
will look forward to your questions later.
    [The prepared statement of Ms. McGuire follows:]

    Prepared Statement of Cheri F. McGuire, Vice President, Global 
   Government Affairs and Cybersecurity Policy, Symantec Corporation
    Chairman Moran, Ranking Member Blumenthal, distinguished members of 
the Committee, thank you for the opportunity to testify today on behalf 
of Symantec Corporation.
    My name is Cheri McGuire and I am the Vice President for Global 
Government Affairs and Cybersecurity Policy at Symantec. I am 
responsible for Symantec's global public policy agenda and government 
engagement strategy, which includes cybersecurity, data integrity, 
critical infrastructure protection (CIP), and privacy. I lead a team of 
professionals spanning the U.S., Canada, Europe, and Asia, and 
represent the company in key policy organizations. In this capacity, I 
work extensively with industry and government organizations, and 
currently serve on the World Economic Forum Global Agenda Council on 
Cybersecurity, as well as on the boards of the Information Technology 
Industry Council, the U.S. Information Technology Office (USITO) in 
China, and the National Cyber Security Alliance. From 2010 to 2012, I 
was Chair of the Information Technology Sector Coordinating Council--
one of 16 critical sectors identified by the President and the U.S. 
Department of Homeland Security (DHS) to partner with the government on 
CIP and cybersecurity. I am also a past board member of the IT 
Information Sharing and Analysis Center (IT-ISAC). Previously, I served 
in various positions at DHS, including as head of the National Cyber 
Security Division and U.S. Computer Emergency Readiness Team (US-CERT).
    Symantec protects much of the world's information, and is a global 
leader in security, backup and availability solutions. We are the 
largest security software company in the world, with over 32 years of 
experience developing Internet security technology and helping 
consumers, businesses and governments secure and manage their 
information and identities. Our products and services protect people's 
information and their privacy across platforms--from the smallest 
mobile device, to the enterprise data center, to cloud-based systems. 
We have established some of the most comprehensive sources of Internet 
threat data in the world through our Global Intelligence Network, which 
is comprised of millions of attack sensors recording thousands of 
events per second, and we maintain 10 Security Response Centers around 
the globe. In addition, we process billions of e-mail messages and web 
requests across our 14 global data centers. All of these resources 
allow us to capture worldwide security data that give our analysts a 
unique view of the entire Internet threat landscape.
    The hearing today not only is timely--given the recent high profile 
data breaches--but also is a critically important discussion that will 
help focus attention on what businesses can do to protect themselves 
from similar attacks and how Congress can craft effective data breach 
legislation. Symantec welcomes the opportunity to provide comments to 
the Committee as it looks at how to prevent and respond to data 
breaches.
    In my testimony today, I will discuss:

     The current cyber threat landscape;

     How breaches are happening, including the methods criminals 
        are using to steal data;

     Security measures to protect data and prevent breaches; and

     Key elements for data breach legislation.

The Current Cyber Threat Landscape
    Most of the recent headlines about cyber attacks have focused on 
data breaches across the spectrum of industries, which have become an 
all too common occurrence. Breaches impact individuals whose identities 
have been stolen, the organizations with systems that have been 
penetrated, and governments that are seeking ways to set data breach 
policies and to apprehend the perpetrators. Organizations that suffered 
significant breaches over the past few years include the State of South 
Carolina, Target, Neiman Marcus, Michael's, Home Depot, and Sony, just 
to name a few.
    The theft of personally identifiable information (PII) over this 
time-frame is simply unprecedented--over just the past two years alone, 
the number of identities exposed through breaches will likely approach 
one billion. And this is just from known breaches as many go unreported 
or undetected. Recent data breaches have touched all parts of society 
and across the globe, from governments and businesses to celebrities 
and individuals' households. While many assume that breaches are the 
result of sophisticated malware or a well-resourced state actor, the 
reality is much more troubling. According to a recent report from the 
Online Trust Alliance, 90 percent of last year's breaches could have 
been prevented if organizations implemented basic cybersecurity best 
practices.\1\
---------------------------------------------------------------------------
    \1\ https://www.otalliance.org/news-events/press-releases/ota-determines-over-90-data-breaches-2014-could-have-been-prevented
---------------------------------------------------------------------------
    In addition, the statistics from our 2014 Internet Security Threat 
Report are clear that the cyber threats we are facing on a day to day 
basis are growing. More than 550 million identities were exposed in 
2013, which was an increase of 62 percent over the prior year, and the 
top eight breaches exposed more than 10 million identities each. These 
breaches often exposed real names, birth dates and/or government ID 
numbers (e.g., social security numbers). Some records also exposed 
other highly sensitive data, such as medical records or financial 
information.
    While the focus on data breaches and the identities put at risk is 
certainly warranted, we also must not lose sight of the other types of 
cyber attacks that are equally concerning and can have dangerous 
consequences. There are a wide set of tools available to the cyber 
attacker, and the incidents we see today range from basic confidence 
schemes to massive denial of service attacks to sophisticated (and 
potentially destructive) intrusions into critical infrastructure 
systems. The economic impact can be immediate with the theft of money, 
or more long term and structural, such as through the theft of 
intellectual property. It can ruin a company or individual's reputation 
or finances, and it can impact citizens' trust in the Internet and 
their government.
    The attackers run the gamut and include highly organized criminal 
enterprises, disgruntled employees, individual cybercriminals, so-
called ``hacktivists,'' and state-sponsored groups. The motivations 
vary--the criminals generally are looking for some type of financial 
gain, the hacktivists are seeking to promote or advance some cause, and 
the state actors can be engaged in espionage (traditional spycraft or 
economic) or infiltrating critical infrastructure systems. These lines, 
however, are not set in stone, as criminals and even state actors might 
pose as hacktivists, and criminals often offer their skills to the 
highest bidder. Attribution has always been difficult in cyberspace, 
and is further complicated by the ability of cyber actors to mask their 
motives and objectives through misdirection and obfuscation.

How Data Breaches are Occurring
    While the continuing onslaught of data breaches is well documented, 
what is less understood is why data breaches happen and what can be 
done to prevent them. Targeted attacks remain a major cause. Some are 
direct attacks on a company's servers, where attackers search for 
unpatched vulnerabilities on websites or undefended connections to the 
Internet. But most rely on social engineering--in the simplest of 
terms, tricking people into doing something they would not do if fully 
aware of the consequences of their actions. E-mail is still a major 
attack vector and can take the form of broad mailings (``phishing'') or 
highly targeted messages (``spear phishing''). More and more we see the 
latter variety, with publicly available information used to craft an e-
mail designed to dupe a specific victim or group of victims. The goal 
of both varieties is to get victims to open an infected file or go to a 
malicious or compromised website.
    Another major cause of breaches is a lack of basic computer hygiene 
practices. While good security will stop most of these attacks--which 
often seek to exploit older, known vulnerabilities--many organizations 
do not have up-to-date security or patched systems, do not make full 
use of the security tools available to them, or have security unevenly 
applied throughout their enterprise. Even today--despite the recent 
focus on the loss of personal information--a large segment of the 
workforce handles sensitive information on unprotected mobile devices, 
servers, desktops, and laptops.
    E-mail, web mail, and removable storage devices are another source 
of breaches. Most of us, at one time or another, have e-mailed 
something to our personal e-mail address from our office so that we can 
work on it later. If our e-mail accounts or home computers are 
compromised, or if we misplace the thumb drive we use to transport 
files, any sensitive, unencrypted data is now lost and our organization 
suffers a data breach. And of course, breaches can occur through 
outright theft, often by a fired or disgruntled employee.
    Cybercriminals are also targeting the places where we ``live and 
play'' online in order to get at sensitive personal data. Social media 
is an increasingly sinister tool for cybercriminals. It is particularly 
effective in direct attacks, as people tend to trust things that appear 
to come from a friend's social media feed. But social media is also 
widely used to conduct reconnaissance for spear phishing or other 
targeted attacks. It can provide just the kind of personal details that 
a skilled attacker can use to get a victim to let his or her guard 
down. The old cliche is true when it comes to cyber attacks: we have to 
be right 100 percent of the time in protecting ourselves, while the 
attacker only has to get it right once.
Security Measures to Protect Data and Prevent Breaches
    Cybersecurity is about managing risk, whether at the individual or 
the organizational level. Assessing one's risk and developing a plan is 
essential. For the individual, the Federal Trade Commission's website 
is an excellent starting point for doing so.\2\ The website provides 
educational resources for how to better protect your identity and 
privacy online as well as helpful tools to help you report and recover 
if your personal information is ever stolen.
---------------------------------------------------------------------------
    \2\ http://www.consumer.ftc.gov/topics/privacy-identity
---------------------------------------------------------------------------
    For organizations of any size, the NIST Cyber Security Framework 
\3\, developed by industry and government in 2014 and in which Symantec 
was an active contributor, provides a solid structure for risk 
management. It lays out five core cybersecurity functions (Identify, 
Protect, Detect, Respond and Recover) that all organizations can use to 
plan for managing cyber events and protecting against data breaches, as 
well as useful references to international standards. As detailed 
below, good security starts with the basics and includes measures 
specific to one's needs.
---------------------------------------------------------------------------
    \3\ http://www.nist.gov/cyberframework/
---------------------------------------------------------------------------
Basic Security Steps
    When it comes to security, it starts with the basics. Though 
criminals' tactics are continually evolving, good cyber hygiene is 
still the simplest and most cost-effective first step. Strong passwords 
remain the foundation of good security--on home and work devices, e-
mail, social media accounts, or whatever you use to communicate (or 
really anything you log into). And these passwords must be different, 
because using a single password means that a breach of one account 
exposes all of your accounts. Using a second authentication factor 
(whether through a text message, a smart card, biometrics, or a token 
with a changing numeric password) significantly increases the security 
of a login.
    Patch management is also vital. Individuals and organizations 
should not delay installing patches, or software updates, because the 
same patch that closes a vulnerability can be a roadmap for a criminal 
to exploit and compromise any unpatched devices. The reality is that a 
large percentage of computers around the world, including some in large 
organizations, do not get patched regularly, and cybercriminals count 
on this. While so-called ``zero day exploits''--previously unknown 
critical vulnerabilities--get the most press, it is older, unpatched 
vulnerabilities that cause most systems to get compromised.
Modern Security Software
    Poor or insufficiently deployed security can also lead to a breach, 
and a modern security suite that is being fully utilized is also 
essential. While most people still commonly refer to security software 
as ``anti-virus'' or AV, advanced security protection is much more than 
that. In the past, the same piece of malware would be delivered to 
thousands or even millions of computers. Today, cybercriminals can take 
the same malware and create unlimited unique variants that can slip 
past basic AV software. If all your security software does is check for 
signatures (or digital fingerprints) of known malware, you are by 
definition not protected against even moderately sophisticated attacks. 
Put differently, a check-the-box security program that only includes 
installation of basic AV software may give you peace of mind--but that 
is about all it will give you.
    Modern security software does much more than look for known 
malware: it monitors your system, watching for unusual Internet 
traffic, activity, or system processes that could be indicative of 
malicious activity. At Symantec we also use what we call Insight and 
SONAR, which are reputation-based and behavior-based heuristic security 
technologies. Insight is a reputation-based technology that uses our 
Global Intelligence Network to put files in context, using their age, 
frequency, location and other characteristics to expose emerging 
threats that might otherwise be missed. If a computer is trying to 
execute a file that we have never seen anywhere in the world and that 
comes from an unknown source, there is a high probability that it is 
malicious--and Insight will either warn the user or block it. SONAR is 
behavior-based protection that uses proactive local monitoring to 
identify and block suspicious processes on computers.
Tailoring Security to the Device
    Security should also be specific to the device being protected. For 
example, modern Point of Sale (PoS) systems, which were linked to a 
number of major data breaches, are at their core just computers running 
mainstream operating systems. Because a user on such a device typically 
does not browse the web, send e-mails, or open shared drives, the 
functionality of the machine and the files that actually need to be on 
it are limited. This allows businesses to reduce the attack surface by 
locking down the system and using application control tools, as well as 
controlling which devices and applications are allowed to access the 
network. Doing so can render many strains of malware useless because 
they would not be allowed to run on the devices.
    In addition, payment card system infrastructure is highly complex 
and threats can be introduced at any number of points within the 
system. Last year we released a report, Attacks on Point of Sale 
Systems, that provides an overview of the methods that attackers may 
use to gain entry into a system.\4\ It also describes the steps that 
retailers and other organizations can use to protect PoS systems and 
mitigate the risk of an attack.
---------------------------------------------------------------------------
    \4\ Special Report on Attacks on Point of Sale Systems, Symantec 
Security Response (February 2014). http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/attacks_on_point_of_sale_systems.pdf
---------------------------------------------------------------------------
Encrypting and Monitoring Data
    Encryption also is key to protecting your most valuable data. Even 
the best security will not stop a determined attacker, and encrypting 
your sensitive data provides defense in breadth, or across many 
platforms. Good encryption ensures that any data stolen will be useless 
to virtually all cybercriminals. The bottom line in computer security 
is no different from physical security--nothing is perfect. We can make 
it hard, indeed very hard, for an attacker, but if resourced and 
persistent criminals want to compromise a particular company or site, 
with time they are probably going to find a way to do it. Good security 
means not just doing the utmost to keep them out, but also to recognize 
that you must take steps to limit any damage they can do should they 
get in.
    Data Loss Prevention (DLP) tools are also important in keeping your 
most valuable data safe and securely on your system. The latest DLP 
technology allows the user to monitor, protect and manage confidential 
data wherever it is stored and used--across endpoints, mobile devices, 
networks, and storage systems. It can help stop the theft of sensitive 
data by alerting the system manager before the data is exfiltrated, or 
moved outside the system.
Key Elements for Data Breach Legislation
    In the U.S. today, there are at least 48 state-specific data breach 
notification laws. This creates an enormous compliance burden, 
particularly for smaller companies, and does little to actually protect 
consumers. Symantec supports a national standard for data breach 
notification, built on three principles:

  1.  Data security legislation should apply equally to all. The scope 
        of any legislation should include all entities that collect, 
        maintain, or sell significant numbers of records containing 
        sensitive personal information. Requirements should apply to 
        government and the private sector equally, and should include 
        educational institutions and charitable organizations as well. 
        By the same token, any new legislation should consider existing 
        Federal regulations that govern data breach for some sectors 
        and not create duplicative, additional, or conflicting rules.

  2.  Implementing pre-breach security measures should be a part of any 
        legislation. Breaches are much less costly for companies that 
        are proactive in applying security. New legislation should not 
        simply require notification of consumers in the event of a data 
        breach, but should seek to minimize the likelihood of a breach 
        by pushing organizations to take reasonable security measures 
        to ensure the confidentiality and integrity of sensitive 
        personal information. Numerous standards, best practices, and 
        guidelines already exist to help organizations establish a 
        cybersecurity program or improve an existing one.

  3.  The use of encryption or other security measures that render data 
        unreadable and unusable should be a key element in establishing 
        the threshold for the need for notification. Any notification 
        scheme should minimize ``false positives''--notices to 
        individuals who are later shown not to have been impacted by a 
        breach because their data was rendered unusable before it was 
        stolen. A clear reference to the ``usability'' of information 
        should be considered when determining whether notification is 
        required in case of a breach. Promoting the use of encryption 
        as a best practice would significantly reduce the number of 
        ``false positives,'' thus reducing the burden on consumers, 
        businesses, and governments.
Conclusion
    Data breaches are continuing at an unprecedented pace, putting 
consumers at risk and damaging the public's trust in the Internet. 
While we cannot prevent every cyber attack or every data breach, 
applying cybersecurity best practices and using risk management 
principles to protect data appropriately can significantly reduce the 
attack surface and the impacts we see today. Moreover, legislation 
cannot stop breaches from happening, but smart data breach legislation 
can help businesses and governments respond effectively and 
efficiently, and empower consumers with accurate and timely 
information. At Symantec, we are committed to improving online security 
and we look forward to continuing to work with government and industry 
on ways to do so. Thank you again for the opportunity to testify, and I 
will be happy to answer any questions you may have.
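    The Modern Security Software section above contrasts signature 
matching with reputation-based heuristics that weigh a file's age, 
prevalence and source. The Python below is an added example, not 
Symantec's Insight code and not a description of its actual thresholds: 
it checks a file's hash against a constructed list of known-bad hashes 
and, when no signature matches, falls back to a reputation verdict 
computed from constructed telemetry, so that a file never seen anywhere 
is still blocked. The sample files, telemetry records and cut-off values 
(fewer than five reporting machines, under seven days old, fewer than one 
hundred to allow outright) are all constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class FileTelemetry:
    """What a global telemetry feed would report for one file hash
    (constructed for this example)."""
    prevalence: int       # machines that have reported this exact hash
    age_days: int         # days since the hash was first seen anywhere
    trusted_source: bool  # obtained from a known, trusted publisher


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed byte strings standing in for executable files.
SAMPLE_KNOWN_BAD = b"CONSTRUCTED-SAMPLE-KNOWN-MALWARE"
SAMPLE_UNSEEN = b"CONSTRUCTED-SAMPLE-NEVER-SEEN-BEFORE"
SAMPLE_RARE = b"CONSTRUCTED-SAMPLE-RARE-UNTRUSTED"
SAMPLE_COMMON = b"CONSTRUCTED-SAMPLE-WIDELY-DEPLOYED"

# Signature list: exact hashes of malware already analysed (constructed).
KNOWN_BAD_HASHES = {sha256_hex(SAMPLE_KNOWN_BAD)}

# Telemetry feed (constructed). SAMPLE_UNSEEN is deliberately absent:
# no machine anywhere has reported it.
TELEMETRY = {
    sha256_hex(SAMPLE_RARE): FileTelemetry(prevalence=20, age_days=30,
                                           trusted_source=False),
    sha256_hex(SAMPLE_COMMON): FileTelemetry(prevalence=250_000, age_days=400,
                                             trusted_source=True),
}

# Illustrative cut-offs (assumptions, not any vendor's real thresholds).
LOW_PREVALENCE = 5
NEW_FILE_DAYS = 7
MIN_PREVALENCE_TO_ALLOW = 100


def reputation_verdict(t: Optional[FileTelemetry]) -> str:
    """Verdict for a file that matched no signature, from its reputation."""
    if t is None:
        # Never seen anywhere and of unknown provenance: high probability
        # of being malicious, so block rather than wait for a signature.
        return "block"
    if t.trusted_source:
        return "allow"
    if t.prevalence < LOW_PREVALENCE and t.age_days < NEW_FILE_DAYS:
        return "block"
    if t.prevalence < MIN_PREVALENCE_TO_ALLOW:
        return "warn"
    return "allow"


def classify(data: bytes, signatures=KNOWN_BAD_HASHES,
             telemetry=TELEMETRY) -> Tuple[str, str]:
    """Return (verdict, basis). Signatures are checked first; anything
    they miss is judged by reputation instead of being allowed by default."""
    digest = sha256_hex(data)
    if digest in signatures:
        return "block", "signature"
    return reputation_verdict(telemetry.get(digest)), "reputation"


if __name__ == "__main__":
    for name, sample in [("known bad", SAMPLE_KNOWN_BAD),
                         ("never seen", SAMPLE_UNSEEN),
                         ("rare", SAMPLE_RARE),
                         ("common", SAMPLE_COMMON)]:
        print(f"{name:>10}: {classify(sample)}")
```

    A signature-only product is the `classify` function with the second 
return statement replaced by ``allow'': it would pass the never-seen file 
straight through. The reputation step is what closes that gap, at the 
cost of occasionally warning on legitimate but rare software.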
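    The DLP tools described under Encrypting and Monitoring Data above 
alert an administrator before sensitive data leaves the system. The 
Python below is an added example and does not describe any Symantec DLP 
product: it scans outbound text for payment card numbers, uses the Luhn 
check to discard digit strings that merely look like card numbers, and 
reports masked findings so that the alert itself does not disclose the 
data. The messages it scans are constructed, and the numbers in them are 
the widely published industry test card numbers, not real accounts.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and
# not embedded in a longer run of digits (so a 20-digit ID is ignored).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers: double every
    second digit from the right, fold to one digit, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return candidate card numbers (digits only) that pass Luhn."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits, as a DLP alert should."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_message(text: str) -> dict:
    """Decide whether an outbound message should raise a DLP alert."""
    pans = find_pans(text)
    return {"alert": bool(pans), "findings": [mask(p) for p in pans]}


# Constructed outbound messages; card numbers are industry test numbers.
OUTBOUND_MESSAGES = [
    "Please refund customer card 4111 1111 1111 1111, see ticket 77.",
    "Order ref 1234567890123456 shipped today.",
    "Invoice total 4111111111111112 cents, no card data here.",
    "Backup of terminal export: 5500-0000-0000-0004;4111111111111111",
]


if __name__ == "__main__":
    for msg in OUTBOUND_MESSAGES:
        result = scan_message(msg)
        status = "ALERT" if result["alert"] else "ok   "
        print(f"{status} {result['findings']}  <- {msg}")
```

    The second and third messages contain sixteen-digit strings that 
fail the Luhn check, so they are not reported; that is the difference 
between a pattern match and a DLP rule a system manager can act on 
without drowning in false alerts.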

    Senator Moran. Exactly 5 minutes. Thank you very much. Mr. 
Duncan?

                STATEMENT OF MALLORY B. DUNCAN,

           GENERAL COUNSEL AND SENIOR VICE PRESIDENT,

                   NATIONAL RETAIL FEDERATION

    Mr. Duncan. Chairman Moran, Ranking Member Blumenthal, 
members of the Subcommittee, thank you for this opportunity.
    Data breaches need to be correctly and forcibly addressed. 
They fundamentally affect our economy's push toward greater 
efficiency and cost effectiveness.
    By way of context, there is a long history of interception 
of private communications by individuals and by governments: 
from steaming open letters to tapping into telephone 
conversations. Today, we have super computers and the Internet. 
Together, they are creating a public network with virtually no 
boundaries, far more versatile and efficient than all the 
technology that has gone before.
    Governments entrust them with critical infrastructure, 
businesses with their most valuable intellectual property, and 
millions of people type their deepest secrets into Google, all 
the while knowing the system is vulnerable to intrusion, both 
by governments and by sophisticated bad actors.
    This interconnected technology is in many ways still in its 
infancy, having really commercially begun just a quarter 
century ago. We are still discovering its capabilities, its 
limitations and risks.
    Today, we are here to address one of the most significant 
risks to emerge--data breach. It is Congress' challenge to 
incentivize companies to manage this risk in ways that preserve 
the innovation and benefits this technology clearly offers.
    How can Congress do that? There are three essential 
elements--uniform notice, express preemption, and strong 
consensus of the laws. Notice. Let's recognize that data 
breaches affect everyone.
    As the Chairman referenced, in the 2014 Verizon report, 
retailers suffered their share of breaches, 11 percent. 
Government agencies incurred a slightly higher percentage. 
Hotels and restaurants combined constituted 10 percent of 
breaches, while financial institutions represent 34 percent.
    It is not because those with the most breaches have the 
weakest security. It is because bad actors are always looking 
for the biggest bang for the buck, and no single set of data 
security standards is fully protective of any industry.
    In a complex economy, each type of business is vulnerable 
to data breaches in a different way, be it theft of account 
numbers or Cloud data or intellectual property. Congress needs 
to provide incentives for companies to increase their security, 
and nothing motivates like sunlight. Requiring that every 
company have the same public notice obligations will provide 
this needed light.
    Uniform notice has two benefits. It can help individuals 
take steps to protect themselves, but equally important, the 
consequences of requiring all companies to publicly expose 
their data breaches is a powerful incentive for them to improve 
security.
    NRF members are some of the best known retail companies in 
America. Recent very public breaches and discussions on how to 
avoid them have engaged our members' most senior executives. As 
a result, our members are investing in unique and tailored 
solutions in an effort to address this ever morphing problem.
    Our nation's economy is bigger than retail. Congress needs 
to encourage disclosure and the incentive for security it 
brings across the board from all entities that handle sensitive 
information.
    Preemption. There are more than 50 jurisdictions with 
breach notice laws. Many have common elements but they are not 
the same. Some cover different datasets, require particular 
state officials to be notified, and so forth.
    Mid-sized companies struggling with the consequences of a 
breach face a morass of conflicting laws that have become 
little more than traps for the unwary. In the midst of a breach 
when a company should be focusing on securing its network and 
identifying affected customers, they instead divert their 
limited resources to paying law firms to clear them from 
regulatory ``gotchas.''
    We need a uniform preemptive Federal law. It would 
simplify the process for businesses and provide consistent 
notices for consumers nationwide, but it must be real 
preemption, otherwise the Federal law just becomes the 
52nd set of requirements that companies have to 
follow, and you will have accomplished worse than nothing.
    Finally, it would not be appropriate to preempt the states 
only to adopt the weakest law. Rather, for a Federal standard, 
you should be looking well above the median, not the most 
excessive, perhaps, but language that reflects the strong 
consensus of the state laws.
    We at NRF urge you to go further, establish the same notice 
obligations for all entities handling sensitive data. Congress 
should not permit notice holes, situations where some entities 
are exempt from reporting their known breaches. If we want 
meaningful incentives to increase security, everyone needs to 
have skin in the game.
    In closing, NRF believes that those three elements, uniform 
notice, express preemption, and a strong consensus law enforced 
by Federal authorities and the state AGs, are essential steps 
to properly and forcibly address the data breach conundrum that 
is plaguing businesses and consumers.
    Thank you.
    [The prepared statement of Mr. Duncan follows:]

  Prepared Statement of Mallory B. Duncan, General Counsel and Senior 
               Vice President, National Retail Federation
    Chairman Moran, Ranking Member Blumenthal, and members of the 
Subcommittee, on behalf of the National Retail Federation (NRF), I want 
to thank you for giving us the opportunity to testify at this hearing 
and provide you with our views on data breach notification legislation 
and protecting Americans' sensitive information. NRF is the world's 
largest retail trade association, representing discount and department 
stores, home goods and specialty stores, Main Street merchants, 
grocers, wholesalers, chain restaurants and Internet retailers from the 
United States and more than 45 countries. Retail is the Nation's 
largest private sector employer, supporting one in four U.S. jobs--42 
million working Americans. Contributing $2.6 trillion to annual GDP, 
retail is a daily barometer for the Nation's economy.
    Collectively, retailers spend billions of dollars safeguarding 
sensitive customer information and fighting fraud. Data security is 
something that our members strive to improve every day. Virtually all 
of the data breaches we've seen in the United States during the past 
year--from attacks on the networked systems of retailers, entertainment 
and technology companies that have been prominent in the news, to a 
reported series of attacks on our largest banks that have received less 
attention--have been perpetrated by criminals that are breaking the 
law. All of these companies are victims of these crimes and we should 
keep that in mind as we explore this topic and public policy 
initiatives relating to it.
    This issue is one that we urge the Committee to examine in a 
holistic fashion: we need to reduce fraud or other economic harm that 
may result from a data breach. That is, we should not be satisfied with 
simply determining what to do after a data breach occurs--that is, who 
to notify and how to assign liability. Instead, it's important to look 
at why such breaches occur, and what the perpetrators get out of them, 
so that we can find ways to reduce and prevent not only the breaches 
themselves, but the follow-on harm that is often the goal of these 
events. If breaches become less profitable to criminals, then they will 
dedicate fewer resources to committing them, and our goals will become 
more achievable.
    With that in mind, these comments are designed to provide some 
background on data breaches and on fraud, explain how these events 
impact all businesses' networked systems, discuss some of the 
technological advancements retailers have promoted that could improve 
the security of our networks, offer additional ways to achieve greater 
payment security, and suggest the elements of data breach notification 
legislation that may provide the best approach to developing a uniform, 
nationwide notification standard, based on the strong consensus of 
state laws, that applies to all businesses that handle sensitive 
personal information of consumers.
Data Breaches in the United States
    Unfortunately, data breaches are a fact of life in the United 
States, and virtually every part of the U.S. economy and government is 
being attacked in some way. In its 2014 Data Breach Investigations 
Report, Verizon determined there were 63,347 data security incidents 
reported by industry, educational institutions, and governmental 
entities in 2013, and that 1,367 of those had confirmed data losses. Of 
those, the financial industry suffered 34 percent, public institutions 
(including governmental entities) had 12.8 percent, the retail industry 
had 10.8 percent, and hotels and restaurants combined had 10 percent. 
Figure 1 below illustrates where breaches occur.
Where Breaches Occur (Figure 1)


    Source: 2014 Data Breach Investigations Report, Verizon \1\
---------------------------------------------------------------------------
    \1\ 2014 Data Breach Investigations Report by Verizon, available 
at: http://www.verizonenterprise.com/DBIR/2014/

    It may be surprising to some, given recent media coverage, that 
three times more data breaches occur at financial institutions than at 
retailers. And, it should be noted, even these figures obscure the fact 
that there are far more merchants that are potential targets of 
criminals in this area, as there are one thousand times more merchants 
accepting card payments in the United States than there are financial 
institutions issuing cards and processing those payments. It is not 
surprising that the thieves focus far more often on banks, which have 
our most sensitive financial information--including not just card 
account numbers but bank account numbers, social security numbers and 
other identifying data that can be used to steal identities beyond 
completing some fraudulent transactions.
    These figures are sobering. There are far too many breaches. And, 
breaches are often difficult to detect and carried out in many cases by 
criminals with real resources behind them. Financially focused crime 
seems to most often come from organized groups in Eastern Europe rather 
than state-affiliated actors in China, but the resources are there in 
both cases. The acute pressure on consumer-serving companies, including 
those in e-commerce, as well as on our financial system, is due to the 
overriding criminal goal of financial fraud. We need to recognize that 
this is a continuous battle against determined fraudsters and be guided 
by that reality.
Breaches Affect Everyone; Federal Legislation Should Be Similarly 
        Comprehensive
    The Year of the Breach, as 2014 has been nicknamed, was replete 
with news stories about data security incidents that raised concerns 
for all American consumers and for the businesses with which they 
frequently interact. Criminals focused on U.S. businesses, including 
merchants, banks, telecom providers, cloud services providers, 
technology companies, and others. These criminals devoted substantial 
resources and expertise to breaching the most advanced data protection 
systems. Vigilance against these threats is necessary, but we need to 
focus on the underlying causes of breaches as much as we do on the 
effects of them.
    If there is anything that the recently reported data breaches have 
taught us, it is that any security gaps left unaddressed will quickly 
be exploited by criminals. For example, the failure of the payment 
cards themselves to be secured by anything more sophisticated than an 
easily-forged signature makes the card numbers particularly attractive 
to criminals and the cards themselves vulnerable to fraudulent misuse. 
Likewise, cloud services companies that do not remove data when a 
customer requests its deletion leave sensitive information available 
in cloud storage for thieves to later break in and steal, all while the 
customer suspects it has long been deleted. Better security at the 
source of the problem is needed. The protection of Americans' sensitive 
information is not an issue on which unreasonably limiting 
comprehensiveness makes any sense.
    In fact, the safety of Americans' data is only as secure as the 
weakest link in the chain of entities that share that data for a 
multitude of purposes. For instance, when information moves across 
communications lines--for transmission or processing--or is stored in a 
``cloud,'' it would be senseless for legislation to exempt these 
service providers, if breached, from comparable data security and 
notification obligations to those that the law would place upon any 
other entity that suffers a breach. Likewise, data breach legislation 
should not subject businesses handling the same sensitive customer data 
to different sets of rules with different penalty regimes, as such a 
regulatory scheme could lead to inconsistent public notice and 
enforcement.
    Given the breadth of these invasions, if Americans are to be 
adequately protected and informed, Federal legislation to address these 
threats must cover all of the types of entities that handle sensitive 
personal information. Exemptions for particular industry sectors not 
only ignore the scope of the problem, but create risks criminals can 
exploit. Equally important, a single Federal law applying to all 
breached entities would ensure clear, concise and consistent notices to 
all affected consumers regardless of where they live or where the 
breach occurs.
Third-Party Exemptions
    Figure 2, below, illustrates what some legislative proposals, 
introduced in the last Congress, would require in terms of notice by 
third parties. This graphic illustrates a typical payment card 
transaction in which this Committee has jurisdiction over all of the 
entities except for the bank. In a typical card transaction, a payment 
card is swiped at a card-accepting business, such as a retail shop, and 
the information is transmitted via communications carriers to a data 
processor, which in turn processes the data and transmits it over 
communications lines to the branded card network, such as Visa or 
MasterCard, which in turn processes it and transmits it over 
communications lines to the card-issuing bank. (Typically there also is 
an acquirer bank adjacent to the processor in the system, which Figure 
2 omits.) Some legislative proposals would only require the retail 
shop, in this example, to provide notice of a breach of security. The 
data processor, data transmitter or card company suffering a breach 
would qualify as a third-party whose only obligation, if breached, is 
to notify the retail shop of their breach--not affected consumers or 
the public--so that the retailer provides notice on their behalf. And 
the bank suffering a breach would be exempt from notifying consumers or 
the public under most Federal legislative proposals to date. Not only 
does this notice regime present an inaccurate picture to consumers, but 
it is fraught with possible over-notification because payment 
processors and card companies are in a one-to-many relationship with 
retailers. If the retailers must bear the burden for every other entity 
in the networked system that suffers a breach, then 100 percent of the 
notices would come from entities that suffer only 11 percent of the 
breaches. This is neither fair nor enlightened public policy.
Notice Obligations Should Apply to All Breached Entities (Figure 2)
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    A recent example illustrates this point about the risk of over-
notifying and confusing American consumers if this proposed third-party 
notice rule illustrated in Figure 2 is adopted. The largest payment 
card breach in history occurred at a payment processor, Heartland 
Payment Systems, which was breached in 2008 resulting in the compromise 
of over 130 million payment cards. If Heartland had only followed the 
proposed third-party notice rule in Federal legislation, rather than 
notifying the public of its breach (as it did), it would have only been 
obligated to separately notify each of the merchants that it processed 
payments for, letting them know the affected card numbers that were 
breached. Those merchants (who were not breached) would, in turn, have 
to request (and possibly pay for) the contact information for each 
cardholder through some arrangement with each affected card company or 
card-issuing bank, and then make notice to those affected customers 
and/or make ``substitute'' notice (where individualized notice cannot 
be made) by announcing the breach to the general public. If affected 
consumers shopped at a number of retailers that all used the same 
payment processor that suffered the breach (Heartland, in this 
hypothetical), the consumers could potentially receive slightly 
different notices from each store--all providing what they knew about 
the breach of the same payment processor--when none of those branded 
retail stores actually suffered the breach itself. This proposal 
creates an untenable public policy solution that neither serves 
consumers nor businesses that have secured their own networks.
    Just as merchants, such as Target, who have publicly acknowledged a 
breach have taken tremendous steps to heighten their security, 
Heartland continued to harden its systems (after notifying of its own 
breach) and now is recognized as one of the most secure platforms in 
the industry. The threat of public notice has had a multiplier effect 
on other commercial businesses.
    Indeed, Congress could go further: it could establish the same data 
breach notice obligations for all entities handling sensitive data that 
suffer a breach of security. Congress should not permit ``notice 
holes''--the situation where certain entities are exempt from reporting 
known breaches of their own systems. If we want meaningful incentives 
to increase security, everyone needs to have skin in the game.
Financial Institution Exemptions
    Many legislative proposals last Congress, however, had ``notice 
holes,'' where consumers would not receive disclosures of breaches by 
certain entities. Perhaps the notice hole that has been left unplugged 
in most proposals is the exemption from notification standards for 
entities subject to the Gramm Leach Bliley Act (GLBA), which itself 
does not contain any statutory language that requires banks to provide 
notice of their security breaches to affected consumers or the public. 
Interpretive information security guidelines issued by Federal banking 
regulators in 2005 did not address this lack of a requirement when they 
set forth an essentially precatory standard for providing consumer 
notice in the event banks or credit unions were breached. Rather, the 
2005 interagency guidelines state that banks and credit unions 
``should'' conduct an investigation to determine whether consumers are 
at risk due to the breach and, if they determine there is such a risk, 
they ``should'' provide consumer notification of the breach.\2\ These 
guidelines fall short of creating a notification requirement using the 
language of ``shall,'' an imperative command used in proposed breach 
notification legislation for entities that would be subject to Federal 
Trade Commission enforcement. Instead, banks and credit unions are left 
to make their own determinations about when and whether to inform 
consumers of a data breach.
---------------------------------------------------------------------------
    \2\ Interagency Guidance on Response Programs for Unauthorized 
Access to Customer Information and Customer Notice, 70 Fed. Reg. 15736 
(Mar. 29, 2005) promulgating 12 C.F.R. Part 30, app. B, Supplement A 
(OCC); 12 C.F.R. Part 208, app. D-2, Supplement A and Part 225, app. F, 
Supplement A (Board); 12 C.F.R. Part 364, app. B, Supplement A (FDIC); 
and 12 C.F.R. Part 570, app. B, Supplement A (OTS), accessible at: 
https://www.fdic.gov/news/news/financial/2005/fil2705.html.
---------------------------------------------------------------------------
    Several accounts in 2014 of breaches at the largest U.S. banks 
demonstrate the lack of any notice requirement under the interagency 
guidelines. It was reported in news media last Fall that as many as one 
dozen financial institutions were targeted as part of the same cyber-
attack scheme.\3\ It is not clear to what extent customers of many of 
those institutions had their data compromised, nor to our knowledge 
have the identities of all of the affected institutions been made 
public. The lack of transparency and dearth of information regarding 
these incidents reflects the fact that banks are not subject to the 
same requirements to notify affected customers of their own breaches of 
security as other businesses are required now under 47 state laws and 
would be required under most proposed Federal legislation, despite the 
fact that financial institutions hold Americans' most sensitive 
financial information. A number of the more seasoned and robust state 
laws, such as California's breach notification law, have not exempted 
financial institutions from their state's breach notification law 
because they recognize that banks are not subject to any Federal 
requirement that says they ``shall'' notify customers in the event of a 
breach of security.
---------------------------------------------------------------------------
    \3\ ``JP Morgan Hackers Said to Probe 13 Financial Firms,'' 
Bloomberg (Oct. 9, 2014).
---------------------------------------------------------------------------
Service Provider Exemptions
    Another notice hole that has remained unplugged in legislative 
proposals for many years is the service provider breach exemption, 
similar to the bank breach exemption, that would permit an entity 
providing data transmission or storage services to avoid providing 
consumer or public notice when it is aware of a breach of its data 
system. Other businesses, such as retailers, are required to provide 
notice even if they don't have the contact information for the affected 
consumers. The service provider exemption would, however, permit no 
notice at all to be made, not even to the FTC or law enforcement for a 
known breach of security affecting sensitive personal information. 
Surely Congress should not pass a disclosure law that provides a free 
pass for known breaches of security to certain service providers simply 
because they have successfully had such an exemption inserted into some 
past legislative proposals. Allowing this type of hole in notice 
requirements does not make sense. Just because a telecommunications 
provider, cloud data service, payment processor or other company 
provides a service to another business does not mean it should not have 
to provide notice of its data breaches. With an exemption for service 
providers like these, there is real risk that the public won't get 
information it needs and/or that other businesses will have to plug the 
gap and take the attendant cost and blame for someone else's data 
breach. And, of course, such a scheme would not create the incentives 
for service providers to improve their data security systems.
General Principle for Notification
    With respect to establishing a national standard for individual 
notice in the event of a breach of security at an entity handling 
sensitive personal information, the only principle that makes sense is 
that these breached entities should be obligated to notify affected 
individuals or make public notice when they discover breaches of their 
own systems. Just as the Federal Trade Commission (FTC) expects there 
to be reasonable data security standards employed by each business that 
handles sensitive personal information, a Federal breach notification 
bill should apply notification standards that ``follow the data'' and 
apply to any entity in a networked system that suffers a breach of 
security when sensitive data is in its custody. With respect to those 
who have called upon the entity that is ``closest to the consumer'' to 
provide the notice, we would suggest that the one-to-many relationships 
that exist in the payment card system and elsewhere will ultimately 
risk having multiple entities all notify about the same breach--someone 
else's breach. This is not the type of transparent disclosure policy 
that Congress has typically sought. An effort to promote relevant 
notices should not obscure transparency as to where a breakdown in the 
system has occurred. Indeed, a public notice obligation on all entities 
handling sensitive data would create significant incentives for every 
business that operates in our networked economy to invest in reasonable 
data security to protect the sensitive data in its custody. By 
contrast, a Federal law that permits ``notice holes'' in a networked 
system of businesses handling the same sensitive personal information--
requiring notice of some sectors, while leaving others largely exempt--
will unfairly burden the former and unnecessarily betray the public's 
trust.
More than 50 U.S. Jurisdictions Have Notice Laws; Congress Should Step 
        in Now to Establish a Nationwide, Uniform Standard to Benefit 
        Both Consumers and Businesses
    For more than a decade, the U.S. federalist system has enabled 
every state to develop its own set of disclosure standards for 
companies suffering a breach of data security and, to date, 47 states 
and 4 other Federal jurisdictions (including the District of Columbia 
and Puerto Rico) have enacted varying data breach notification laws. 
Many of the states have somewhat similar elements in their breach 
disclosure laws, including definitions of covered entities and covered 
data, notification triggers, timeliness of notification, provision 
specifying the manner and method of notification, and enforcement by 
state attorneys general. But they do not all include the same 
requirements, as some cover distinctly different types of data sets, 
some require that particular state officials be notified, and a few 
have time constraints (although the vast majority of state laws only 
require notice ``without unreasonable delay'' or a similar phrase).
    Over the past ten years, businesses such as retailers, to whom all 
the state and Federal territory disclosure laws have applied, have met 
the burden of providing notice, even when they did not initially have 
sufficient information to notify affected individuals, through 
standardized substitute notification procedures in each state law. 
However, with an increasingly unwieldy and conflicting patchwork of 
disclosure laws covering more than 50 U.S. jurisdictions, it is time 
for Congress to acknowledge that the experimentation in legislation 
that is at the state level that defines our federalist system has 
reached its breaking point, and it is time for Congress to step in 
to create a national, uniform standard for data moving in interstate 
commerce in order to ensure uniformity of a Federal act's standards and 
the consistency of their application across jurisdictions.
    For years, NRF has called on Congress to enact a preemptive Federal 
breach notification law that is modeled upon the strong consensus of 
existing laws in nearly every state, the District of Columbia, Puerto 
Rico and other Federal jurisdictions. A single, uniform national 
standard for notification of consumers affected by a breach of 
sensitive data would provide simplicity, clarity and certainty to both 
businesses and consumers alike. Importantly, a single Federal law would 
permit companies victimized by a criminal hacking to devote greater 
attention in responding to such an attack to securing their networks, 
determining the scope of affected data, and identifying the 
customers to be notified, rather than diverting limited time and 
resources to a legal team attempting to reconcile a patchwork of 
conflicting disclosure standards in over 50 jurisdictions. In sum, 
passing a Federal breach notification law is a common-sense step that 
Congress should take now to ensure reasonable and timely notice to 
consumers while providing clear compliance standards for businesses.
    Preemption of state laws and common laws that create differing 
disclosure standards is never easy, and there is a long history of 
Supreme Court and other Federal courts ruling that, even when Congress 
expresses an intent to preempt state laws, limiting the scope of the 
preemption will not result in preemption. All it will accomplish is to 
add yet another law, this time federal, to the state statutes and 
common laws already in effect, resulting in the continuation of a 
confusing tapestry of state law requirements and enforcement regimes. A 
Federal act that leaves this in place would undermine the very purpose 
and effectiveness of the Federal legislation in the first place.
    In order to establish a uniform standard, preemptive Federal 
legislation is necessary. But that does not mean (as some have 
contended) that the Federal standard must or should be ``weaker'' than 
the state laws it would replace. On the contrary, in return for 
preemption, the Federal law should reflect a strong consensus of the 
many state laws. Some have called for a more robust notification 
standard at the Federal level than exists at the state level. Without 
adding unnecessary bells and whistles, NRF believes that Congress can 
create a stronger breach notification law by removing the exemptions 
and closing the types of ``notice holes'' that exist in several state 
laws, thereby establishing a breach notification standard that applies 
to all businesses--as this Committee has done in previous consumer 
protection legislation that is now Federal law. This approach would 
enable members that are concerned about preempting state laws to do so 
with confidence that they have created a more transparent and better 
notification regime for consumers and businesses alike. It is a way 
this Committee and Congress can work to enact a law with both robust 
protection and preemption.
    We urge you, therefore, in pursuing enactment of Federal breach 
notification legislation, to adopt a framework that applies to all 
entities handling sensitive personal information in order to truly 
establish uniform, nationwide standards that lead to clear, concise and 
consistent notices to all affected consumers whenever or wherever a 
breach occurs. When disclosure standards apply to all businesses that 
handle sensitive data, it will create the kind of security-maximizing 
effect that Congress wishes to achieve.
Multi-Tiered Set of Data Security Standards Applicable to Retailers
    Theoretically, security is like defense. One could spend all one's 
money on defense and still not be 100 percent protected. In the real 
world it is even more difficult.
Federal and State Data Security Standards
    Data security standards vary depending on the nature of an entity's 
business and where it operates. Over the past half-century, the United 
States has essentially taken a sector-specific approach to data privacy 
(including data security) requirements, and our current legal framework 
reflects this. For example, credit reporting agencies, financial 
institutions, and health care providers, just to name a few regulated 
sectors, have specific data security standards that flow from laws 
enacted by Congress, such as the Fair Credit Reporting Act (FCRA), the 
Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and 
Accountability Act (HIPAA), respectively. Those operating in other 
industry sectors that are subject to the jurisdiction of the Federal 
Trade Commission (FTC) must abide by the standards of care enforced by 
the FTC under Section 5 of the FTC Act, which give the Commission 
broad, discretionary authority to prosecute ``unfair or deceptive acts 
or practices'' (often referred to as their ``UDAP'' authority). On top 
of this Federal statutory and regulatory framework, states have 
regulated businesses' data security practices across a variety of 
industry sectors and enforced consumer protection laws through their 
state consumer protection agencies and/or their attorneys general.
    Legal exposure for data security failures is dependent on the 
Federal or state laws to which a business may be subject and is alleged 
to violate. The FTC, for example, has been very active in bringing over 
50 actions against a range of companies nationwide that are not 
otherwise subject to a sector-specific Federal data security law (e.g., 
GLBA, HIPAA, etc.). For example, under its Section 5 UDAP authority, 
the FTC has brought enforcement actions against entities that the 
Commission believes fall short in providing ``reasonable'' data 
security for personal information. Nearly all of these companies have 
settled with the FTC, paid fines for their alleged violations 
(sometimes to the extent of millions of dollars), and agreed to raise 
their security standards and undergo extensive audits of their 
practices over the next several decades to ensure that their data 
security standards are in line with the FTC's order.
Effect of Imposing GLBA-Like Standards with FTC Enforcement
    Providing the FTC, however, with the authority to enforce 
discretionary data security standards like those in the GLBA guidelines 
would dramatically expand FTC authority. Banking regulators take an 
audit/examination approach to regulating companies and work with them 
through an iterative process to help the institution come into 
compliance where it may be lacking without the threat of severe 
penalties. The FTC, by contrast, takes an enforcement approach, which 
under a GLBA guidelines standard, would require a post-hoc 
determination of a company's compliance with an amorphous standard in a 
world where the technological threat vectors are ever-changing. In an 
enforcement approach, entities are either guilty or not, and more often 
guilty by the mere fact of a breach; unlike with GLBA guidelines, 
companies regulated by the FTC are not able to get several bites at the 
apple working with regulators until they know they are in compliance 
with the regulator's vision for the rule. Companies regulated by the 
FTC would have to guess at what will satisfy the agency and, if their 
security is breached, the strong enforcement presumption would be that 
the company failed to meet the standard.
    The different enforcement regimes between financial institutions 
and entities subject to the FTC's jurisdiction are also evident in the 
manner and frequency with which fines are assessed and civil penalties 
imposed for non-compliance with a purported data security standard. 
Banks are rarely (if ever) fined by their regulators for data security 
weaknesses. But, as noted, commercial companies have been fined 
repeatedly by the FTC. Providing an agency like the FTC, with an 
enforcement approach, a set of standards with significant room for 
interpretation is likely to lead to punitive actions that are different 
in kind and effect on entities within the FTC's jurisdiction than the 
way the standards would be utilized by banking regulators in an 
examination. A punitive approach to companies already victimized by a 
crime would be neither appropriate nor constructive in light of the fact 
that the FTC itself has testified before this Committee that no 
system--even the most protected one money can buy--is ever 100 percent 
secure.
Improving Payment Card Security
    Using the best data security technology and practices available 
still does not guarantee that a business can avoid suffering a data 
security breach. Therefore, raising security standards alone may not be 
the most efficient or effective means of preventing potential harm to 
consumers. With respect to payment card numbers, for example, it is 
possible that no matter how much security is applied by a business 
storing these numbers, the numbers may be stolen from a business's 
database in a highly sophisticated security breach that can evade even 
state-of-the-art system security measures. Because of these risks, it 
makes sense for industry to do more than just apply increased network 
or database security measures. One sensible proposal is to minimize the 
storage by businesses of the full set of unredacted and unencrypted 
payment card numbers necessary to complete a transaction--a data 
protection principle known as ``data minimization.'' Another method to 
help prevent downstream fraud from stolen card numbers is to require 
more data or numbers (such as a 4-digit PIN) from a consumer than 
simply the numbers that appear on a card to authorize and complete 
payment card transactions.
    For example, a decade ago, the National Retail Federation asked the 
branded card networks and banks to lift the requirement that retailers 
store full payment card numbers for all transactions. Retailers have 
also pushed to phase out signature authentication for cards and, 
instead, use a more secure authentication method for credit and debit 
card transactions, such as the PIN-based authentication that banks 
require for accessing bank accounts through ATM machines. PINs can 
provide an extra layer of security against downstream fraud even if the 
card numbers (which the card companies already emboss on the outside of 
a card) are stolen in a breach. In PIN-based transactions, for example, 
the stored 20 digits from the card would, alone, be insufficient to 
conduct a fraudulent transaction in a store without the 4-digit PIN 
known to the consumer and not present on the card itself. These 
business practice improvements are easier and quicker to implement than 
any new Federal data security law, and they hold the promise of being 
more effective at preventing the kind of financial harm that could 
impact consumers as companies suffer data security breaches affecting 
payment cards in the future.
    On October 17, 2014, the President signed an executive order 
initiating the BuySecure Initiative for government payment cards.\4\ 
The order provided, among other things, that payment cards issued to 
government employees would include PIN and chip technology and that 
government equipment to handle and process transactions would be 
upgraded to allow acceptance of PIN and chip. These are common-sense 
actions that recognize that while it may not be possible to ensure 
there is never another data security breach, it is still possible to 
minimize the harms that can come from those breaches--and reduce the 
incentives from criminals to try to steal some data in the first place.
---------------------------------------------------------------------------
    \4\ Executive Order--Improving the Security of Consumer Financial 
Transactions, The White House, October 17, 2014. Accessible at: http://
www.whitehouse.gov/the-press-office/2014/10/17/executive-order-
improving-security-consumer-financial-transactions
---------------------------------------------------------------------------
PCI-DSS Standards
    When it comes to protecting payment card data, however, retailers 
are essentially at the mercy of the dominant credit card companies. The 
credit card networks--Visa, MasterCard, American Express, Discover and 
JCB--are responsible for an organization known as the PCI (which stands 
for ``Payment Card Industry'') Data Security Council. PCI establishes 
data security standards (PCI-DSS) for payment cards. While well-
intentioned in concept, these standards have not worked quite as well 
in practice. They have been inconsistently applied, and their avowed 
purpose has been significantly altered.
    PCI has, in critical respects over time, pushed card security costs 
onto merchants even when other decisions might have more effectively 
reduced fraud--or done so at lower cost. For example, retailers have 
long been required by PCI to encrypt the payment card information that 
they have. While that is appropriate, PCI has not required financial 
institutions to be able to accept that data in encrypted form. That 
means the data often has to be de-encrypted at some point in the 
process in order for transactions to be processed.
    Similarly, merchants are expected to annually demonstrate PCI 
compliance to the card networks, often at considerable expense, in 
order to benefit from a promise that the merchants would be relieved of 
certain fraud inherent in the payment system, which PCI is supposed to 
prevent. However, certification by the networks as PCI Compliant 
apparently has not been able to adequately contain the growing fraud 
and retailers report that the ``promise'' increasingly has been 
abrogated or ignored. Unfortunately, as card security expert Avivah 
Litan of Gartner Research wrote recently, ``The PCI (Payment Card 
Industry) security standard has largely been a failure when you 
consider its initial purpose and history.'' \5\
---------------------------------------------------------------------------
    \5\ ``How PCI Failed Target and U.S. Consumers,'' by Avivah Litan, 
Gartner Blog Network, Jan. 20, 2014, available at http://
blogs.gartner.com/avivah-litan/2014/01/20/how-pci-failed-target-and-u-
s-consumers/.
---------------------------------------------------------------------------
    Retailers have spent billions of dollars on card security measures 
and upgrades to comply with PCI card security requirements, but it 
hasn't made them immune to data breaches and fraud. The card networks 
have made those decisions for merchants and the increases in fraud 
demonstrate that their decisions have not been as effective as they 
should have been.
Improving Technology Solutions to Better Protect Consumers in Payment 
        Transactions
PIN-Authentication of Cardholders
    There are technologies available that could reduce fraud. An 
overhaul of the fraud-prone cards that are currently used in the U.S. 
market is long overdue. As I noted, requiring the use of a PIN is one 
way to reduce fraud. Doing so takes a vulnerable piece of data (the 
card number) and makes it so that it cannot be used on its own. This 
ought to happen not only in the brick-and-mortar environment in which a 
physical card is used but also in the online environment in which the 
physical card does not have to be used. Many U.S. companies, for 
example, are exploring the use of a PIN for online purchases. This may 
help directly with the 90 percent of U.S. fraud which occurs online. It 
is not happenstance that automated teller machines (ATMs) require the 
entry of a PIN before dispensing cash. Using the same payment cards for 
purchases should be just as secure as using them at ATMs.
End-to-End Encryption
    Another technological solution that could help deter and prevent 
data breaches and fraud is encryption. Merchants are already required 
by PCI standards to encrypt cardholder data, but not everyone in the 
payments chain is required to be able to accept data in encrypted form. 
That means that data may need to be de-encrypted at some points in the 
process. Experts have called for a change to require ``end-to-end'' (or 
point-to-point) encryption which is simply a way to describe requiring 
everyone in the payment-handling chain to accept, hold and transmit the 
data in encrypted form.
    According to the September 2009 issue of the Nilson Report ``most 
recent cyberattacks have involved intercepting data in transit from the 
point of sale to the merchant or acquirer's host, or from that host to 
the payments network.'' The reason this often occurs is that ``data 
must be decrypted before being forwarded to a processor or acquirer 
because Visa, MasterCard, American Express, and Discover networks can't 
accept encrypted data at this time.'' \6\
---------------------------------------------------------------------------
    \6\ The Nilson Report, Issue 934, Sept. 2009 at 7.
---------------------------------------------------------------------------
    Keeping sensitive data encrypted throughout the payments chain 
would go a long way to convincing fraudsters that the data is not worth 
stealing in the first place--at least, not unless they were prepared to 
go through the arduous task of trying to de-encrypt the data which 
would be necessary in order to make use of it. Likewise, using PIN-
authentication of cardholders now would offer some additional 
protection against fraud should this decrypted payment data be 
intercepted by a criminal during its transmission ``in the clear.''
Tokenization and Mobile Payments
    Tokenization is another variant that could be helpful. Tokenization 
is a system in which sensitive payment card information (such as the 
account number) is replaced with another piece of data (the ``token''). 
Sensitive payment data could be replaced with a token to represent each 
specific transaction. Then, if a data breach occurred and the token 
data were stolen, it could not be used in any other transactions 
because it was unique to the transaction in question. This technology 
has been available in the payment card space since at least 2005.\7\ 
Still, tokenization is not a panacea, and it is important that 
whichever form is adopted be an open standard so that a small number of 
networks not obtain a competitive advantage, by design, over other 
payment platforms.
---------------------------------------------------------------------------
    \7\ For information on Shift4's 2005 launch of tokenization in the 
payment card space see http://www.internetretailer.com/2005/10/13/
shift4-launches-security-tool-that-lets-merchants-re-use-credit.
---------------------------------------------------------------------------
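The per-transaction tokenization described above, as an added illustration that is not part of the NRF testimony or any vendor's product: a hypothetical processor-side TokenVault issues a random token bound to one transaction, the merchant ledger keeps only the token and a masked number, and a token taken from a breached ledger is refused when presented for any other transaction (or replayed for its own).

```python
"""Added example: per-transaction payment tokenization.

Hypothetical components (not from the testimony): a processor-side
TokenVault and a merchant-side MerchantLedger. A token is bound to the
single transaction it was issued for, so tokens stolen from a merchant
cannot be reused for any other transaction.
"""
import secrets
from typing import Optional


class TokenVault:
    """Processor-side vault mapping random tokens to a PAN and to the one
    transaction the token was issued for. Hypothetical, in-memory only."""

    def __init__(self) -> None:
        self._records = {}  # token -> {"pan", "txn_id", "redeemed"}

    def tokenize(self, pan: str, txn_id: str) -> str:
        # Random token: carries no information about the PAN and is bound
        # to exactly one transaction id.
        token = "tok_" + secrets.token_hex(12)
        self._records[token] = {"pan": pan, "txn_id": txn_id, "redeemed": False}
        return token

    def detokenize(self, token: str, txn_id: str) -> Optional[str]:
        """Return the PAN only for the transaction the token was issued for,
        and only once. Unknown token, wrong transaction, or replay -> None."""
        rec = self._records.get(token)
        if rec is None or rec["txn_id"] != txn_id or rec["redeemed"]:
            return None
        rec["redeemed"] = True
        return rec["pan"]


class MerchantLedger:
    """Merchant-side storage: keeps the token and a masked PAN for receipts,
    never the full account number (the data-minimization point above)."""

    def __init__(self) -> None:
        self.rows = []

    def record_sale(self, txn_id: str, token: str, pan: str, amount_cents: int) -> None:
        masked = "*" * (len(pan) - 4) + pan[-4:]
        self.rows.append({"txn_id": txn_id, "token": token,
                          "masked_pan": masked, "amount_cents": amount_cents})

    def contains_full_pan(self, pan: str) -> bool:
        # True if the full PAN appears anywhere in what the merchant stored.
        return any(pan in str(v) for row in self.rows for v in row.values())


def run_scenario() -> dict:
    """Process two sales, then treat the merchant ledger as breached and
    present the stolen tokens against a new transaction and the old ones."""
    vault = TokenVault()
    ledger = MerchantLedger()
    pan = "4111111111111111"  # constructed sample PAN (well-known test number)

    # Legitimate sales: one token per transaction, resolved exactly once
    # by the processor when that transaction settles.
    settled = []
    for txn_id, amount in (("txn-0001", 2599), ("txn-0002", 1250)):
        token = vault.tokenize(pan, txn_id)
        ledger.record_sale(txn_id, token, pan, amount)
        settled.append(vault.detokenize(token, txn_id) == pan)

    # Simulated breach: everything in the merchant ledger is exposed.
    stolen_tokens = [row["token"] for row in ledger.rows]

    # Stolen tokens are refused for a new transaction and for a replay of
    # the already-settled transaction they were issued for.
    replay_new = [vault.detokenize(t, "txn-9999") for t in stolen_tokens]
    replay_same = [vault.detokenize(t, row["txn_id"])
                   for t, row in zip(stolen_tokens, ledger.rows)]

    return {
        "settled_ok": all(settled),
        "ledger_has_full_pan": ledger.contains_full_pan(pan),
        "replay_new_txn_refused": all(v is None for v in replay_new),
        "replay_same_txn_refused": all(v is None for v in replay_same),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```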
    In addition, in some configurations, mobile payments offer the 
promise of greater security as well. In the mobile setting, consumers 
won't need to have a physical card--and they certainly won't replicate 
the security problem of physical cards by embossing their account 
numbers on the outside of their mobile phones. It should be easy for 
consumers to enter a PIN or password to use payment technology with 
their smart phones. Consumers are already used to accessing their 
phones and a variety of services on them through passwords. Indeed, if 
we are looking to leapfrog the already aging current technologies, 
mobile-driven payments may be the answer.
    Indeed, as much improved as they are, the proposed chips to be 
slowly rolled out on U.S. payment cards are essentially dumb computers. 
Their dynamism makes them significantly more advanced than magstripes, 
but their sophistication pales in comparison with the common 
smartphone. Smartphones contain computing powers that could easily 
enable comparatively state-of-the-art fraud protection technologies. In 
fact, ``the new iPhones sold over the weekend of their release in 
September 2014 contained 25 times more computing power than the whole 
world had at its disposal in 1995.'' \8\ Smart phones soon may be 
nearly ubiquitous, and if their payment platforms are open and 
competitive, they will only get better.
---------------------------------------------------------------------------
    \8\ ``The Future of Work: There's an app for that,'' The Economist 
(Jan. 3, 2015).
---------------------------------------------------------------------------
    The dominant card networks have not made all of the technological 
improvements suggested above to make the cards issued in the United 
States more resistant to fraud, despite the availability of the 
technology and their adoption of it in many other developed countries 
of the world, including Canada, the United Kingdom, and most countries 
of Western Europe.
    In this section, we have merely described some of the solutions 
available, but the United States isn't using any of them the way that 
it should be. While everyone in the payments space has a responsibility 
to do what they can to protect against fraud and data theft, the card 
networks have arranged the establishment of the data security 
requirements and yet, in light of the threats, there is much left to be 
desired.
Legislative Solutions Beyond Breach Notification
    In addition to the marketplace and technological solutions 
suggested above, NRF also supports a range of legislative solutions 
that we believe would help improve the security of our networked 
systems, ensure better law enforcement tools to address criminal 
intrusions, and standardize and streamline the notification process so 
that consumers may be treated equally across the Nation when it comes 
to notification of data security breaches.
Legislation Protecting Consumers' Debit Cards to the Same Extent as 
        Credit Cards
    From many consumers' perspective, payment cards are payment cards. 
As has been often noted, consumers would be surprised to learn that 
their legal rights, when using a debit card--i.e., their own money--are 
significantly less than when using other forms of payment, such as a 
credit card. It would be appropriate if policy makers took steps to 
ensure that consumers' reasonable expectations were fulfilled, and they 
received at least the same level of legal protection when using their 
debit cards as they do when paying with credit.
    NRF strongly supports legislation like S. 2200, the ``Consumer 
Debit Card Protection Act,'' cosponsored by Senators Warner and Kirk 
last Congress. S. 2200 was a bipartisan solution that would immediately 
provide liability protection for consumers from debit card fraud to the 
same extent that they are currently protected from credit card fraud. 
This is a long overdue correction in the law and one important and 
productive step Congress could take immediately to protect consumers 
that use debit cards for payment transactions.
Legislation Protecting Businesses that Voluntarily Share Cyber-Threat 
        Information
    In addition, NRF supports the passage by Congress of legislation 
like H.R. 624, the ``Cyber Intelligence Sharing and Protection Act,'' 
cosponsored last Congress by Congressmen Rogers and Ruppersberger, and 
which passed the House of Representatives with bipartisan support. This 
legislation would protect and create incentives for private entities in 
the commercial sector to lawfully share information about cyber-threats 
with other private entities and the Federal government in real-time. 
This would help companies better defend their own networks from cyber-
attacks detected elsewhere by other businesses.
Legislation Aiding Law Enforcement Investigation and Prosecution of 
        Breaches
    We also support legislation that would provide more tools to law 
enforcement to ensure that unauthorized network intrusions and other 
criminal data security breaches are thoroughly investigated and 
prosecuted, and that the criminals that breach our systems to commit 
fraud with our customers' information are swiftly brought to justice.
Conclusion
    In summary, a Federal breach notification law should contain three 
essential elements:

  1.  Uniform Notice: Breached entities should be obligated to notify 
        affected individuals or make public notice when they discover 
        breaches of their own systems. A Federal law that permits 
        ``notice holes'' in a networked system of businesses handling 
        the same sensitive personal information--requiring notice of 
        some sectors, while leaving others largely exempt--will 
        unfairly burden the former and unnecessarily betray the 
        public's trust.

  2.  Express Preemption of State Law: A single, uniform national 
        standard for notification of consumers affected by a breach of 
        sensitive data would provide simplicity, clarity and certainty 
        to both businesses and consumers alike. Passing a Federal 
        breach notification law is a common-sense step that Congress 
        should take now to ensure reasonable and timely notice to 
        consumers while providing clear compliance standards for 
        businesses.

  3.  Reflect the Strong Consensus of State Laws: A national standard 
        should reflect the strong consensus of state law provisions. 
        NRF believes that Congress can create a stronger breach 
        notification law by removing the exemptions and closing the 
        types of ``notice holes'' that exist in several state laws, 
        thereby establishing a breach notification standard that 
        applies to all businesses, similar to the comprehensive 
        approach this Committee has taken in previous consumer 
        protection legislation that is now Federal law.
                                Appendix
What Retailers Want You To Know About Data Security \9\
---------------------------------------------------------------------------
    \9\ Slides Available at: http://www.slideshare.net/
NationalRetailFederation/thingsto-know-data
security?ref=https://nrf.com/media/press-releases/retailers-reiterate-
support-federal-data-breach-notification-standard
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

---------------------------------------------------------------------------
                                 ______
                                 

    Senator Moran. Thank you, Mr. Duncan.
    Dr. Pendse?

   STATEMENT OF RAVI PENDSE, Ph.D., VICE PRESIDENT AND CHIEF 
INFORMATION OFFICER, BROWN UNIVERSITY, CISCO FELLOW, PROFESSOR 
         OF PRACTICE, COMPUTER SCIENCE AND ENGINEERING

    Dr. Pendse. Good morning, Chairman Moran, Ranking Member 
Blumenthal, and distinguished members of the Committee and my 
eminent panelists here. Thank you so much for the opportunity 
to testify today about the data breach and notification 
legislation. It is truly an honor.
    I want to commend you for investing your valuable time to 
discuss this important area of cyber infrastructure and 
protection. As younger citizens get online in schools 
leveraging the power of the Internet to learn and create 
knowledge, your work on this legislation will be critical to 
protect our youth.
    As the amount of data continues to increase exponentially, 
primarily driven by our mobile and highly connected lifestyle, 
your work on this legislation will be critical to protect our 
``netizens.''
    As Internet connected devices on the ``Internet of Things'' 
increase in number from 10 billion to a projected 50 billion by 
2020, impacting our economy by as much as $19 trillion, 
according to many experts, your work on this legislation will be a 
critical catalyst to empower connected innovation and wealth 
generation.
    As connected robots and 3D printing fundamentally change 
how we manufacture goods and manage our supply chain, your work 
on this legislation will be critical to supporting next 
generation innovation and our leadership in the world. We are 
truly looking at some exciting times.
    My name is Ravi Pendse. I have the privilege and honor to 
serve as Vice President and Chief Information Officer at Brown 
University. I am a Brown University Cisco Fellow and a senior 
member of IEEE. I am also a faculty member in both computer 
science and engineering.
    My area of expertise and research is in ``Internet of 
Things,'' cybersecurity, and aviation network security. I take 
great pride in admitting that I am a nerd.
    The Privacy Rights Clearinghouse, as the Chairman pointed 
out, has reported there have been over 932 million records 
compromised in over 4,000 plus breaches since 2005.
    Just yesterday, as was mentioned, Anthem reported a very 
large breach, and that breach may impact people in this room 
since many Federal employees, as I understand, are covered by 
some of the programs Anthem offers.
    We as individuals, organizations, and the Nation must 
continue to focus in this area for the protection of our 
consumers and national security.
    Currently, 47 states, including Rhode Island, where Brown 
is located, the District of Columbia, Guam, Puerto Rico, and 
the Virgin Islands, have enacted data breach legislation. While 
there are similarities between these state laws, no two are 
exactly alike.
    As a university with students from all 50 states, we are 
impacted by all of them. Maintaining the necessary standards 
for each state is challenging and very difficult. This can 
create a barrier for small innovative organizations lacking the 
expertise to address the specifics of state laws. In my view, 
this type of burden will stifle innovation.
    Breach notification is a national issue, so I would 
encourage you to consider a single national legislation. In my 
view, such legislation should clearly define the rules and 
actions that are required in the case of a breach. It should 
identify the methods, speed, delivery, and content of 
notifications.
    A hard time limit for breach notification may be 
unattainable for small organizations, non-profits, and 
educational institutions. A tiered approach based upon the size 
and designation of an organization would make compliance 
possible for all.
    It should also encourage organizations that collect data to 
be cognizant about the use of such data. Consumers, especially 
the young ones, appear to be happy to give away their data and 
their privacy to services, including social media sites, for 
the sake of convenience.
    All acts should clearly define expectations of security for 
organizations collecting and storing personally identifiable 
data. Given the highly publicized breaches that have been 
mentioned, it is apparent that more work is needed. No matter 
what the size of the company, certain expectations of security 
should be defined when data is collected and stored.
    Most importantly, it should provide incentives to establish 
education to better combat breaches, so preventive actions are 
necessary. It is important for us to develop cybersecurity 
expertise within the U.S. Our national security cannot be 
offshored.
    In conclusion, I applaud your efforts and appreciate the 
opportunity for this dialogue. I have more details in my 
written testimony. I stand by to assist you in any way I can. 
Cybersecurity and cybersecurity education are critical. Our 
national security cannot be offshored.
    Thank you.
    [The prepared statement of Dr. Pendse follows:]

  Prepared Statement of Ravi Pendse, Ph.D., Vice President and Chief 
   Information Officer, Brown University, Cisco Fellow, Professor of 
               Practice, Computer Science and Engineering
Executive Summary
    With an ever-increasing collection of databases, the impact of 
``big data'' on privacy, and the monetary value of personal data used 
for identity and financial theft, today's America is in need of sound 
and achievable legislation around data security, privacy, and the 
notification of consumers after a data breach. Such legislation would 
benefit all U.S. citizens as well as the organizations collecting and 
protecting their data.
    National legislation governing data breaches will have many 
advantages over existing state laws and reduce the burden that these 
dissimilar state laws place on complying organizations. While it's 
necessary for us to pursue centralized standards, it's important to 
produce legislation that accommodates organizations of all sizes. In 
addition to laws regarding data breaches, we should create incentives 
for proactive measures to reduce the likelihood of breaches, one of the 
most important being the development of a trained cybersecurity 
workforce through education and training.
Introduction
    Good morning Chairman Moran, Ranking Member Blumenthal, and 
distinguished Members of the Committee. Thank you so much for the 
opportunity to testify today about the data breach and notification 
legislation; it is truly an honor.
    I want to commend you for investing your valuable time to discuss 
this important area of cyberinfrastructure and protection. As younger 
citizens get online in schools leveraging the power of the Internet to 
learn and create knowledge, your work on this legislation will be 
critical to protect our youth. As the amount of data continues to 
increase exponentially, primarily driven by our mobile and highly 
connected lifestyle, your work on this legislation will be critical to 
protect our netizens. As internet-connected devices on the ``Internet 
of Things'' increase in number from 10 billion to a projected 50 
billion by 2020, impacting our economy by as much as $19 trillion, your 
work on this legislation will be a critical catalyst to empower 
connected innovation and wealth generation. As connected robots and 3-D 
printing fundamentally change how we manufacture goods and manage our 
supply chain, your work on this legislation will be critical to 
supporting next-generation innovation and our leadership in the world.
    My name is Ravi Pendse. I have the privilege and honor to serve as 
the Vice President and Chief Information Officer at Brown University. I 
am a Brown University Cisco Fellow and a senior member of IEEE. I am 
also a faculty member in both Computer Science and Engineering. My area 
of expertise and research is in the ``Internet of Things'', 
cybersecurity, and aviation network security; I also teach classes in 
these fields. Currently, I am teaching a class called ``Internet of 
Everything'' so your work on this legislation is critical to many young 
people I interact with each day who I know will change our world for 
the better.
    Thank you again for the opportunity to provide written and verbal 
testimony relative to a uniform Federal law concerning the definition, 
protection, and notification of the personally identifiable information 
of consumers. This is a necessary and extremely relevant topic in our 
hyper-connected world. The Privacy Rights Clearinghouse reports that 
there have been over 932,700,000 records compromised in over 4,450 U.S. 
breaches since April 2005. Countless high-profile security breaches 
have appeared in the news in the last year. My university witnesses an 
average of 30,000 attempted attacks each day.
    As long as there is a black market for the sale of personal and 
financial data, and these breaches are attainable, the attacks will 
continue. At the same time, we are living a mobile and highly connected 
lifestyle, American children are getting online at a younger age, and 
ten billion of our household devices are connected to the Internet. 
This ubiquity of connectivity makes sound security principles and 
postures a necessity. We, as individuals, enterprises, and a nation, 
must continue to focus on this area for the protection of our consumers 
and national security.
Background
    Security breach notification laws have been written in most U.S. 
states since 2002. The first such law, California SB 1386, became the 
de facto standard for all states nationwide. Since then, other states 
have been more descriptive in their remedies, making each, in effect, a 
standard as they appear.
    Forty-seven states (including Rhode Island, where Brown is 
located), the District of Columbia, Guam, Puerto Rico, and the Virgin 
Islands have enacted legislation requiring private or government 
entities to notify individuals of security breaches involving 
personally identifiable information. Many of these state security 
breach laws have provisions regarding which entities must comply with 
the law; how ``personal information'' is defined (such as name combined 
with Social Security number or driver's license number); what 
constitutes a breach; how, when, and to whom a notice must be sent; and 
which situations are exempt (such as a breach of encrypted 
information). No two are exactly alike.
    As a university with students from 49 states, we are impacted by 
them all. Maintaining the necessary standards for each state has been 
not only onerous, but also difficult to completely and legally address. 
This can create a barrier for small, innovative organizations lacking 
the expertise or legal team to address the specifics of state laws.
    Breach notification is a national issue, and the definition of 
entities, timing, and requirements should not be left to the individual 
states. Of course, the state Attorney General would have the ability to 
protect the citizens of their jurisdiction and make claims as such. 
Having one standard for this conduct would be beneficial to those who 
protect the information and respond when a security incident occurs.
Recommendations for Cybersecurity Breach Legislation
    A single national legislation governing data breaches should be 
established to replace disparate state laws. This legislation should . . .

  1.  . . . define the rules and actions that are required in the case 
        of a breach, including the method, speed, delivery, and content 
        of notifications.

  2.  . . . adjust for the size, nature, and scope of both the breach 
        and the organization. For example, a hard time limit for breach 
        notification may be unattainable for small organizations, 
        nonprofits, and educational institutions without skills in deep 
        forensics and data science. A tiered approach based upon the 
        severity of the breach and size and designation of the 
        organization would make compliance achievable to all.

  3.  . . . be compliant with current national legislation (such as 
        HIPAA, GLBA, and HITECH) and prevent the possibility of 
        conflict with other Federal laws.

  4.  . . . mandate that organizations disclose what happens to 
        customer data. Consumers appear to be happy to give away their 
        data (and their privacy) to services including social media 
        sites for the sake of convenience. A requirement to inform 
        consumers how their data and information will be used is a 
        relevant response to this changing landscape of data exchange.

  5.  . . . define expectations of security for organizations 
        collecting and storing personally identifiable data. Given the 
        highly publicized breaches that have occurred in the past 
        twelve to eighteen months, it is apparent that even many larger 
        enterprises do not provide necessary security. No matter what 
        the size of the company, certain expectations of security 
        should be defined when data is collected and stored.

  6.  . . . create incentives for the formation of industry forums such 
        as the Financial Services Information Sharing and Analysis 
        Center (FS-ISAC). Such forums provide an opportunity to share 
        threats and approaches within an industry.

  7.  . . . consider compliance with the accepted framework by the 
        National Institute of Standards and Technology (NIST), or any 
        framework that meets or exceeds the NIST standards, in order to 
        establish the baseline against which to audit.

  8.  . . . most importantly, provide measures or incentives that 
        establish education to better combat breaches. It is important 
        for us to develop cybersecurity expertise within the U.S.; our 
        national security cannot be offshored. Cisco's 2014 Security 
        Report estimated a global shortage of more than a million 
        security professionals. While efforts like the National 
        Initiative for Cybersecurity Education (NICE) have attempted to 
        address this shortage, the numbers and expertise of available 
        professionals are still lacking. Cybersecurity programs should 
        be encouraged both in K-12 and higher education. A K-12 program 
        would prepare students to protect themselves as well as join 
        the workforce. Incentives for the expansion of certified 
        cybersecurity programs in higher education, including emerging 
        graduate programs, could make a more immediate impact on the 
        size of the workforce. Similar to the Teach for America 
        program, we could create a conduit for trained security 
        graduates to enter the workforce by establishing a loan 
        forgiveness program dependent upon a designated amount of years 
        in the profession.
Conclusion
    We must continue to work on multiple fronts to mitigate the impact 
of data breaches. Legislation that sets national standards will provide 
clarity for organizations and balanced protections for all U.S. 
citizens. As this is a global problem, we must continue to leverage and 
maximize resources whenever possible to understand and detect 
persistent threats.
    I would be supportive of an effort to create a single, national law 
around data security and breaches; a national law will remove the undue 
burden of complying with forty-seven disparate state laws. However, we 
must be careful to avoid a ``one size fits all'' model that could be 
impossible to attain for small organizations, nonprofits, and 
education. Established tiers of responsibility and compliance levels 
may better serve all, while legislating a single set of standards that 
can be embraced and addressed successfully.
    In addition to reactive legislation around the handling of data 
breaches, we need to be proactive. I strongly recommend incentives for 
proactive measures to reduce the likelihood of breaches, one of the 
most important being educational initiatives to develop a trained 
cybersecurity workforce. From additional Americans with forensics 
expertise to an engaged and educated nation of consumers, we should 
remember that people provide one of the most critical lines of defense.

    Senator Moran. Doctor, thank you. Good to see you again. 
Mr. Johnson?

  STATEMENT OF DOUG JOHNSON, SENIOR VICE PRESIDENT AND SENIOR 
     ADVISOR FOR RISK MANAGEMENT POLICY, AMERICAN BANKERS 
                          ASSOCIATION

    Mr. Johnson. Yes, good morning, Chairman Moran, Ranking 
Member Blumenthal, members of the Subcommittee. My name is Doug 
Johnson, Senior Vice President at the American Bankers 
Association. I currently lead the Association's physical and 
cybersecurity, business continuity and resiliency policy 
efforts at the Association.
    ABA shares the concerns of Congress about protecting 
consumers in this increasingly sophisticated world of 
electronic commerce and recordkeeping. It is clear consumers 
enjoy the efficiency and convenience of conducting transactions 
electronically.
    Notwithstanding these recent breaches, our payment system 
remains strong and functional, and it is absolutely mandatory 
that we maintain that trust in the system so that it remains 
essentially a system that our customers can continue to trust.
    While the majority of the transactions are conducted 
safely, occasional breaches will occur and will continue to 
occur. Consumers have the right to swift, accurate, and 
effective notification of these breaches. They also have a 
right to trust that whenever they conduct business 
electronically the business is doing everything it can to 
prevent that breach from occurring in the first place.
    Mr. Duncan mentioned the Verizon study, an international 
sample of private companies and police stations around the 
world. Other organizations, such as the Identity Theft Resource 
Center, noted that United States' businesses reported over 30 
percent of the reported breaches for 2014, while financial 
institutions represented 6 percent.
    While our numbers may differ and we do believe the United 
States' numbers are more appropriate to cite, I believe that 
our intent frankly is the same, and our intent is to ensure 
that we are protecting customer data, and I think that is 
essentially both of our goals.
    The banking industry supports effective cybersecurity 
policy and will continue to work with Congress to achieve that 
goal. Banks are acknowledged leaders in defending against cyber 
threats. Therefore, from the financial services' perspective, 
it is critical that legislation takes a balanced approach that 
builds upon but does not duplicate or undermine what is already 
in place and effective for the financial sector.
    There are three key points that must be considered with 
regard to data protection standards. First, as others have 
noted, we do need a national data standard, a data breach 
standard. Consumer electronic payments are not confined by 
borders between states. As such, a national standard for data 
security and breach notification is of paramount importance.
    Currently, 46 states, three U.S. territories, and the 
District of Columbia have enacted laws governing data security 
in some fashion. Although some of these laws are similar, many 
have inconsistent and conflicting standards, forcing businesses 
to comply with multiple regulations and leaving many consumers 
without proper recourse or protection.
    Inconsistent state laws and regulations should be preempted 
in favor of strong Federal data protection and notification 
requirements.
    Second, any Federal data protection and notification 
requirement must recognize existing national data protection 
and notification requirements. Some industries, including 
financial services, are already required by law to develop 
and maintain robust internal protections. They are also 
required to protect consumer financial information and notify 
customers when a breach occurs within their systems that would 
put customers at risk.
    We believe the extensive breach reporting requirements 
currently in place for banks provide an effective basis for any 
national data breach reporting requirement for businesses 
generally.
    Finally, there must be a strong national data protection 
requirement associated with any data breach law. All parties 
must share the responsibility and cost for protecting 
consumers. The cost of the data breach should ultimately be 
borne by the entity that incurs the breach.
    To limit such breaches, any comprehensive data breach 
requirement must have strong data protection requirements 
applicable to any party with access to important consumer 
financial information.
    Thank you, and I will be happy to answer any questions you 
may have.
    [The prepared statement of Mr. Johnson follows:]

 Prepared Statement of Doug Johnson, Senior Vice President and Senior 
    Advisor for Risk Management Policy, American Bankers Association
    Chairman Moran, Ranking Member Blumenthal, my name is Doug Johnson, 
Senior Vice President, payments and cybersecurity policy, of the 
American Bankers Association. In that capacity, I currently lead the 
association's physical and cybersecurity, business continuity and 
resiliency policy and fraud deterrence efforts on behalf of our 
membership. I appreciate the opportunity to be here to represent the 
ABA and discuss the importance of instituting a uniform Federal data 
breach law in place of disparate state laws. The ABA is the voice of 
the Nation's $15 trillion banking industry, which is composed of small, 
regional and large banks that together employ more than 2 million 
people, safeguard $11 trillion in deposits and extend over $8 trillion 
in loans.
    As the 114th Congress engages in public debate on the important 
issue of data security, we share your concerns about protecting 
consumers in this increasingly sophisticated world of electronic 
commerce and record keeping. It is clear that consumers enjoy the 
efficiency and convenience of conducting transactions electronically. 
Notwithstanding these recent breaches, our payment system remains 
strong and functional. No security breach seems to stop the $3 trillion 
that Americans spend safely and securely each year with their credit 
and debit cards. And with good reason: Customers can use these cards 
confidently because their banks protect them from losses by investing 
in technology to detect and prevent fraud, reissuing cards and 
absorbing fraud costs. While the vast majority of these transactions 
are conducted safely, occasional breaches will continue to occur. 
Consumers have a right to swift, accurate, and effective notification 
of such breaches. They also have a right to trust that, wherever they 
transact business electronically, the business is doing everything it 
can to prevent that breach from occurring in the first place.
    The banking industry supports effective cyber security policy and 
will continue to work with Congress to achieve that goal. Banks are 
acknowledged leaders in defending against cyber threats. Therefore, 
from the financial services perspective it is critical that legislation 
takes a balanced approach that builds upon--but does not duplicate or 
undermine--what is already in place and highly effective in the 
financial sector.
    In my testimony I will focus on three main points:

  •  The value of a national data breach standard. Consumers' 
        electronic payments are not confined by borders between states. 
        As such, a national standard for data security and breach 
        notification is of paramount importance.

  •  The importance of recognizing existing Federal breach 
        requirements. Any Federal data protection and notification 
        requirement must recognize existing national data protection 
        and notification requirements.

  •  The need for strong national data protection requirements. 
        All parties must share the responsibility, and the costs, for 
        protecting consumers. The costs of a data breach should 
        ultimately be borne by the entity that incurs the breach. To 
        limit such breaches, any comprehensive data breach requirement 
        must have strong data protection requirements applicable to any 
        party with access to important consumer financial information.
I. The Value of a National Data Breach Standard
    Our existing national payments system serves hundreds of millions 
of consumers, retailers, banks, and the economy well. It only stands to 
reason that such a system functions most effectively when it is 
governed by a consistent national data breach policy.
    Currently, 46 states, three U.S. territories, and the District of 
Columbia have enacted laws governing data security in some fashion, 
such as standards for data breach notification and for the safeguarding 
of consumer information. Although some of these laws are similar, many 
have inconsistent and conflicting standards, forcing businesses to 
comply with multiple regulations and leaving many consumers without 
proper recourse and protection. Inconsistent state laws and regulations 
should be preempted in favor of strong Federal data protection and 
notification requirements. In the event of a breach, the public should 
be informed where it occurred as soon as reasonably possible to allow 
consumers to protect themselves from fraud.
    Given the mobile nature of our Nation's citizens, it is clear that 
the existing patchwork of state data breach laws are unduly complicated 
for consumers as well as businesses. For instance, consider a couple 
residing in a northern state who winter in a southern one and have 
their credit card data compromised at a merchant in a third state. In 
this instance, the couple wants to be alerted that their financial data 
has been compromised and that they are protected. Determining where the 
couple may or may not reside and which state laws may or may not apply 
unduly complicates the simple need to protect the couple from financial 
harm. It also diverts resources at the merchant and the bank toward 
determining how to comply with a myriad of laws as opposed to fixing 
the problem.
    We believe that the following set of principles should serve as a 
guide when drafting legislation to provide stronger protection for 
consumer financial information:

  1.  Inconsistent state laws and regulations should be preempted in 
        favor of strong Federal data protection and notification 
        standards.

  2.  Strong national data protection and consumer notification 
        standards with effective enforcement provisions must be part of 
        any comprehensive data security regime, applicable to any party 
        with access to important consumer financial information.

  3.  Requirements for industries that are already subject to robust 
        data protection and notification requirements must be 
        recognized.

  4.  In the event of a breach, the public should be informed where it 
        occurred as soon as reasonably possible to allow consumers to 
        protect themselves from fraud. The business with the most 
        direct financial relationship with affected consumers should be 
        able to inform their customers and members about information 
        regarding the breach, including the entity at which the breach 
        occurred.

  5.  The costs of a data breach should ultimately be borne by the 
        entity that incurs the breach.
II. The Importance of Recognizing Existing Federal Breach Requirements
    As we enact a national data breach requirement, some industries--
including the financial industry--are already required by law to 
develop and maintain robust internal protections to combat and address 
criminal attacks, and are required to protect consumer financial 
information and notify consumers when a breach occurs within their 
systems that will put their customers at risk.
    Title V of the Gramm-Leach-Bliley Act (GLBA) requires banks to 
implement a ``risk-based'' response program to address instances of 
unauthorized access to customer information systems. At a minimum, a 
response program must:

  1.  Assess the nature and scope of any security incident and identify 
        what customer information systems and customer information may 
        have been accessed or misused;

  2.  Notify the institution's primary Federal regulator ``as soon as 
        possible'' about any threats ``to sensitive customer 
        information'';

  3.  Notify appropriate law enforcement authorities and file 
        Suspicious Activity Reports in situations involving Federal 
        criminal violations requiring immediate attention;

  4.  Take appropriate steps to contain the incident to prevent further 
        unauthorized access to or use of customer information; and

  5.  Notify customers ``as soon as possible'' if it is determined that 
        misuse of customer information has occurred or is reasonably 
        possible.

    A critical component of the GLBA guidelines is customer 
notification. When a covered financial institution becomes aware of a 
material breach of ``sensitive customer information,'' it must conduct 
a reasonable investigation to determine whether the information has 
been or can be misused. If it determines that misuse of the information 
``has occurred or is reasonably possible,'' it must notify affected 
customers ``as soon as possible.''
    Under GLBA, sensitive customer information includes the customer's 
name, address or telephone number in conjunction with the customer's 
Social Security number, driver's license number, credit card, debit 
card or other account number or personal identification number. 
Sensitive customer information also includes any combination of 
components of customer information that would allow someone to log onto 
or access the customer's account, such as user name and password.
    A covered financial institution must also provide a clear and 
conspicuous notice. The notice must describe the incident in general 
terms and the type of customer information affected. It must also 
generally describe the institution's actions to protect the information 
from further unauthorized access and include a telephone number. The 
notice also must remind customers to remain vigilant over the next 12 
to 24 months and to promptly report incidents of suspected identity 
theft to the institution.
    Where appropriate, the notice also must include:

  1.  Recommendation to review account statements immediately and 
        report suspicious activity;

  2.  Description of fraud alerts and how to place them;

  3.  Recommendation that the customer periodically obtain credit 
        reports and have fraudulent information removed;

  4.  Explanation of how to receive a free credit report; and

  5.  Information about the FTC's identity theft guidance for 
        consumers.

    We believe the extensive breach reporting requirements currently in 
place for banks provide an effective basis for any national data breach 
reporting requirement for businesses generally.
III. The Need for Strong National Data Protection Requirements
    Any legislation focused on creating a national standard for breach 
notification should also include a complementary national data security 
standard for covered entities. If Congress does not address data 
security standards now it misses the opportunity to instill a greater 
overall level of data security protections for consumers.
    Every business must share in the responsibility to protect 
consumers. With that responsibility should come the requirement for 
that business, whether it be a bank, merchant, third party processor or 
other entity, to bear the costs for any breach they incur.
    To limit the potential for data breaches in the first place, any 
comprehensive national data breach requirement should be enacted in 
tandem with strong data protection requirements applicable to any party 
with access to important consumer financial information. Limiting the 
potential for such breaches through strong data protection is the 
first, essential, line of defense in our efforts to maintain customer 
trust and confidence in the payments system.
    Effective data protection requirements are scalable. For instance, 
bank regulations, through GLBA, recognize that the level of risk to 
customer data varies significantly across banks. Large banks require 
continual, on-site examination personnel, while community-based 
institutions are subject to periodic information security examinations.
    Data security is also an ongoing process as opposed to the state or 
condition of controls at a point in time. As opposed to prescribing 
specific technological security requirements, GLBA and the associated 
bank regulatory requirements are risk- and governance-based. Bank 
security programs are required to have ``strong board and senior 
management level support, integration of security activities and 
controls throughout the organization's business processes, and clear 
accountability for carrying out security responsibilities.'' \1\
---------------------------------------------------------------------------
    \1\ Federal Financial Institution Examination Council IT Handbook, 
available at http://ithandbook.ffiec.gov/it-booklets/information-
security/introduction/overview.aspx
---------------------------------------------------------------------------
IV. The Path Forward
    The legal, regulatory, examination and enforcement regime regarding 
banks ensures that banks robustly protect Americans' personal financial 
information. We believe that this regime provides an appropriate, 
scalable model for other businesses entrusted with sensitive customer 
financial and other information.

    Senator Moran. Attorney General Madigan, welcome.

  STATEMENT OF HON. LISA MADIGAN, ATTORNEY GENERAL, STATE OF 
                            ILLINOIS

    Ms. Madigan. Thank you, Chairman Moran, Ranking Member 
Blumenthal, and members of the Subcommittee. I appreciate 
having an opportunity to testify today.
    Data security is one of the biggest challenges that we face 
as a nation. It is an ongoing struggle for all Americans and 
the companies, non-profits, and government agencies that hold 
our personal information.
    While last year's massive data breaches reawakened many in 
the public, breaches are not a new problem. Because of that, 10 
years ago, I joined 43 other Attorneys General, including at 
the time Attorneys General Blumenthal and Ayotte, in a 
bipartisan call for a strong, meaningful national breach 
notification law, and for over a decade, my office has helped 
people clean up identity theft damage and investigated major 
breaches.
    In 2005, I drafted Illinois' breach notification law to 
ensure consumers are told when their personal financial 
information is compromised, and in 2006, I created an identity 
theft unit and hotline to help consumers restore their credit 
when their information was obtained and used without their 
authorization. So far, we have helped over 37,000 people remove 
over $27 million worth of fraudulent charges from their credit.
    At this point, Americans realize that it is not a matter of 
if but when they will be a victim of some form of identity 
theft. The question now is what we do to best assist them to 
prevent data breaches and reduce identity theft.
    First, I want you to recognize that for the most part, we 
already have data breach notification in this country. As you 
are aware, 47 states have laws requiring companies to notify 
people when their personal financial information is 
compromised. Many states are working to pass their second or 
third update to their laws in response to the constant threats 
that are revealed by the almost 4,500 publicly known breaches 
that have affected over 900 million records since 2005. In this 
environment, Americans need and expect more transparency of 
data breaches, not less. Last year, I held over 25 roundtables 
on data breaches throughout Illinois with nearly 1,000 
residents, including local government officials, law 
enforcement, small business owners, religious leaders, senior 
citizens, heads of social service agencies, as well as regular 
consumers.
    Here is what they told me. First, they are concerned by the 
increasing number of breaches and when their information is 
stolen, they want to know. Second, they want to know what they 
can do to protect themselves from identity theft. And third, 
they want to know whether entities are doing enough to prevent 
breaches and protect their information.
    A weak national law that restricts what most state laws 
have long provided will not meet Americans' increasing 
expectation that they be told when their information has been 
stolen. Instead, any definition of ``protected personal 
information'' should be broad and include the growing types of 
sensitive information that entities are collecting from 
individuals, and the FTC should be able to update the 
definition in response to new threats.
    In terms of whether entities are doing enough to protect 
people's data, unfortunately, as you have already heard from 
Ms. McGuire and I can tell you from my office's investigations, 
it has been revealed that entities too often fail to take basic 
data security precautions.
    We have found numerous instances where entities allowed 
sensitive personal data to be maintained unencrypted, failed to 
install security patches for known software vulnerabilities, 
collected sensitive data that was not needed, retained data 
longer than necessary, and failed to protect against 
compromised log-in credentials.
    Congress should include a provision that requires entities 
holding sensitive information to take reasonable steps to 
protect that information.
    Next, an entity who suffers a breach should not be 
conducting a self-serving harm analysis to determine whether 
consumers get notified about a data breach. Imagine if a 
landlord learned that a renter's home was robbed and that 
landlord had the opportunity to decide whether the stolen items 
were significant enough to let the renter know about the 
robbery. This is what you will allow when data is stolen with 
the so-called ``harm analysis.''
    Further, Congress should designate a Federal entity to 
investigate massive data breaches that affect millions of 
Americans, similar to how the NTSB can investigate accidents.
    Finally, I know that Congress will consider preempting 
states' breach notification laws. As a state official, I oppose 
Federal legislation that limits our ability at the state level 
to respond to and to safeguard our residents.
    If Congress does preempt the states, the preemption 
provision must be narrow. The law should preserve the states' 
ability to use their own consumer protection laws and Congress 
should give the states the right to enforce the Federal law.
    I will be happy to answer any questions that you have.
    [The prepared statement of Ms. Madigan follows:]

      Prepared Statement of Hon. Lisa Madigan, Attorney General, 
                           State of Illinois
Introduction
    Chairman Moran, Ranking Member Blumenthal, and members of the 
Subcommittee, thank you for giving me the opportunity to speak with 
you. Data security is one of the biggest challenges we face in the 
United States today. It is an ongoing struggle for companies, non-
profits, government agencies, and consumers.
    While last year's massive data breaches were a national turning 
point for public awareness, this is not a new problem. For over a 
decade, my office has been investigating major data breaches and 
helping consumers respond to identity theft.\1\
---------------------------------------------------------------------------
    \1\ Since 2006, identity theft and data breaches have either been 
the most common complaint, or the second most common complaint, 
received in the Illinois Attorney General's office. Only complaints 
related to debt have had a higher total.
---------------------------------------------------------------------------
    In 2005, we passed a data breach notification law in Illinois to 
ensure consumers are notified when an entity suffers a breach of their 
sensitive personal information. And in 2006, I created an Identity 
Theft Unit and Hotline to help consumers restore their credit when 
their information was used without their authorization. So far, we have 
helped remove over $27 million worth of fraudulent charges for over 
37,000 Illinois residents.\2\
---------------------------------------------------------------------------
    \2\ In 2014, the Illinois Attorney General's office received 2,618 
complaints regarding identity theft and helped return over $918,000 to 
consumers who suffered identity theft.
---------------------------------------------------------------------------
    At this point, everyone knows it is not a question of if they will 
be a victim of some form of identity theft, but when. Because at every 
hour of every day, any entity that maintains a database of sensitive 
information could be under attack.
    The economic impacts have been, and will continue to be, enormous. 
Everyone agrees that we need to do something. Everyone wants to prevent 
data breaches. And everyone wants to prevent identity theft. The 
question is--how do we best do this?
    I have long supported the push for a national law on data breach 
notification. In 2005, I joined forty-three other state attorneys 
general to call for a national law on breach notification,\3\ so I am 
heartened that Congress looks poised to pass a law. But simply passing 
a law that replicates state laws will do very little to protect 
consumers that is not already being done.
---------------------------------------------------------------------------
    \3\ Letter to Congressional Leaders from the National Association 
of Attorneys General (NAAG) (Oct. 27, 2005).
---------------------------------------------------------------------------
    Congress must move beyond a debate about data breach notification. 
For the most part, we already have data breach notification in this 
country. Forty-seven states have passed laws requiring companies to 
notify consumers when they suffer data breaches. Many states have 
either passed, or are working to pass, a second or third-generation 
version of their laws.
II. The Need for Transparency
    We need more transparency on data breaches and data security, not 
less. We should not hide from the fact that our data can be 
compromised, and we should not hide data breaches when they occur. I 
have recently heard an argument that consumers are experiencing data 
breach fatigue, and that additional notification may be counter-
productive. I strongly disagree.
    In my experience, consumers may be fatigued over data breaches, but 
they are not asking to be less informed about them.
    Last year, I held over twenty-five roundtables on data breaches 
throughout Illinois, with nearly 1,000 Illinois residents from all 
walks of life--law enforcement officials, small business owners, 
consumers, and senior citizens.
    Here is what they told me. When their information is stolen, they 
want to know. They also want to know what they can do to protect 
themselves from identity theft and data breaches. And they want to know 
whether entities are doing enough to protect their information and 
prevent breaches.
    Unfortunately, my office's investigations have revealed that 
entities have repeatedly failed to take basic data security 
precautions. We have found instances where entities:

   allowed sensitive personal data to be maintained 
        unencrypted;

   failed to install security patches for known software 
        vulnerabilities;

   collected sensitive data that was not needed;

   retained data longer than necessary; and

   failed to protect against compromised login credentials.

    Understanding where data security failures occur is what leads to 
data security fixes. Without transparency, data breaches and their 
causes will remain hidden. Notification also allows consumers to take 
steps to protect themselves following the aftermath of a breach. This 
transparency is not possible without laws mandating it.
III. Information that Triggers Notification
    Therefore, Congress should pass a data breach notification law that 
covers the growing amount of sensitive personal information that 
entities are collecting. Any definition of protected ``personal 
information'' should be broad, and the Federal Trade Commission should 
be given the power to update the definition as needed. It is not just 
stolen social security numbers or stolen credit card numbers that 
consumers have to worry about now.
    When I first worked to pass a law in Illinois on this issue nearly 
a decade ago, we were focused solely on protecting consumers against 
identity theft and fraud.\4\ In the intervening ten years, the Internet 
has grown more than we imagined possible. This growth has been great 
for our economy and it has made our lives easier. But it has also made 
individuals more vulnerable to data breaches because more entities are 
collecting increasingly specific data about them. Any law designed to 
protect consumers should reflect this fact.
---------------------------------------------------------------------------
    \4\ Illinois Personal Information Protection Act, 815 ILCS 530/1 
et seq. The Illinois Personal Information Protection Act requires 
notification to Illinois consumers in the event of a data breach. A 
breach is the unauthorized acquisition of computerized data that 
compromises the security, confidentiality, or integrity of ``personal 
information.'' Currently, ``personal information'' is defined as an 
individual's first name (or first initial) and last name combined with 
any of the following: social security number; driver's license or state 
identification card number; or account number or credit or debit card 
number, or an account number or credit card number in combination with 
any required security code, access code, or password that would permit 
access to an individual's financial account.
---------------------------------------------------------------------------
    Congress should seek to pass legislation that ensures notification 
of breaches related to pieces of information that can do us any kind of 
harm, whether that is financial harm or reputational harm. For example, 
this kind of data includes:

   login credentials for online accounts;

   medical information shared on the Internet that is outside 
        the scope of the Health Information Technology for Economic and 
        Clinical Health (HITECH) Act;\5\
---------------------------------------------------------------------------
    \5\ Title XIII of the American Recovery and Reinvestment Act of 
2009, Pub. L. 111-5.
---------------------------------------------------------------------------
   biometric data; and

   geolocation information.

    The recent attack on Sony was a lesson for all of us. Reputational 
harm can be far worse than financial harm. It can hurt companies, and 
it can destroy lives. In Illinois, I will be seeking to update our law 
to protect the type of data about individuals that entities are 
regularly collecting, and I encourage the Subcommittee to do the same.
IV. A ``Harm Analysis'' Hurts Consumers
    Next, an entity should not be conducting a ``harm analysis'' to 
determine whether it should notify consumers about a data breach. If an 
entity holds our sensitive information and loses it, most people want 
to know. The very loss of sensitive personal information should be 
viewed as harmful generally, and it is nearly impossible to truly 
determine what specific harm may or may not occur following a breach.
    Imagine if a landlord learned that a renter's home was robbed and 
that landlord had the opportunity to decide whether the stolen items 
were significant enough to let the renter know about the robbery. We 
are considering allowing this for stolen data with a so-called ``harm 
analysis.'' It will not lead to better data security, only fewer breach 
notifications.
V. Federal Role in Data Security
    Finally, data breach notification alone, no matter how expansive, 
will not be enough to secure our data. Congress also needs to ensure 
entities holding sensitive information are taking reasonable steps to 
protect that information. To do that, it should require companies to 
implement reasonable security standards and it should give the Federal 
Trade Commission the authority to promulgate regulations as needed.
    Congress should also focus its attention on the current authority 
of the Federal government to investigate massive data breaches that 
affect millions of Americans. When such breaches occur, the Federal 
government should have the general authority to investigate in the same 
manner the National Transportation Safety Board (NTSB) can investigate 
accidents. Currently, the Federal government has no such authority. 
Federal law enforcement agencies can conduct a criminal investigation 
to determine who was responsible for an attack, and the Federal 
government, through the Federal Trade Commission and other agencies, 
can conduct an investigation to determine whether the entity's data 
security practices were adequate. However, no Federal agency is tasked 
with simply uncovering what happened in massive data breaches, 
regardless of whether an entity's data security practices were 
adequate.
    If a Federal agency had this authority, that Federal agency would 
develop much-needed expertise in data security. It could issue reports 
about data breaches so that the private sector would better understand 
what vulnerabilities led to breaches. Our country would also have a 
much better sense of the general state of our data security.
VI. Role of the States
    I understand that Congress will consider preempting states on data 
breach notification laws. As a state official, I oppose any Federal 
legislation that limits our ability at the state level to protect our 
residents. In 2005, along with forty-three other state attorneys 
general, I wrote to Congress to caution against broad preemption.\6\ In 
the letter, we wrote:
---------------------------------------------------------------------------
    \6\ Letter to Congressional Leaders from the National Association 
of Attorneys General (NAAG) (Oct. 27, 2005).

        Preemption interferes with state legislatures' democratic role 
        as laboratories of innovation. The states have been able to 
        respond more quickly to concerns about privacy and identity 
        theft involving personal information, and have enacted laws in 
        these areas years before the Federal government. Indeed, 
        Congress would not be considering the issues of security breach 
        notification and security freeze if it were not for earlier 
        enactment of laws in these areas by innovative states.\7\
---------------------------------------------------------------------------
    \7\ Id.

    In the decade since we wrote that letter, it has become clear that 
preemption would have been a mistake for consumers.
    Additionally, a narrow view of preemption has been adopted in other 
Federal data security laws. The Gramm-Leach-Bliley Act (GLBA), which 
established data security standards for financial institutions, only 
preempts those state laws that are inconsistent with Federal law and 
``then only to the extent of the inconsistency.'' \8\
---------------------------------------------------------------------------
    \8\ 15 U.S.C. Sec. 6807(a).
---------------------------------------------------------------------------
    Similarly, in 2009, Congress took a narrow approach to preemption 
in the breach notification provisions in the Health Information 
Technology for Economic and Clinical Health (HITECH) Act.\9\ That law 
imposes the HIPAA preemption standard, which only preempts contrary 
provisions of state law.\10\ For those laws that protect the privacy of 
individually identifiable health information, the HIPAA Security Rule 
goes even further, to save any state law that is more stringent than 
the HIPAA protections.\11\ Together, these provisions illustrate a 
reasonable and workable approach to preemption. If Congress does 
preempt the states, for the benefit of consumers:
---------------------------------------------------------------------------
    \9\ Title XIII of the American Recovery and Reinvestment Act of 
2009, Pub. L. 111-5.
    \10\ 42 U.S.C. Sec. 1320(d-7).
    \11\ 45 C.F.R. Sec. 160.203.
---------------------------------------------------------------------------

   the law should be a ``floor'' with a narrow preemption 
        provision;

   the law should preserve a state's ability to use its 
        consumer protection laws to investigate data security 
        practices; and

   states should have the right to enforce the Federal law.
VII. Conclusion
    The roundtables on data security that I convened throughout 
Illinois last year showed me that data breach notification is working. 
Consumers are well aware of data breaches generally. But one challenge 
is making sure the affected consumers learn about the right breaches.
    Understandably, in certain circumstances, state laws allow 
companies to comply with notification requirements by notifying the 
media.\12\ Bills being considered in Congress allow similar 
notification exceptions. But the most frequent comment I received during 
these roundtables was that consumers did not know where to go to learn 
about breaches. It has become clear to me that it is not enough to 
require companies to notify the media.
---------------------------------------------------------------------------
    \12\ See, e.g., Illinois Personal Information Protection Act, 815 
ILCS 530/10(c).
---------------------------------------------------------------------------
    As a result, in Illinois, I am proposing a requirement that 
companies also notify my office when they suffer a breach. Fifteen 
states already require entities to notify their Attorney General in the 
event of a breach.\13\ If given that authority, I intend to create a 
website that will enable Illinois residents to see all the breaches 
that have occurred in Illinois.
---------------------------------------------------------------------------
    \13\ Cal. Civ. Code 1798.29(e); Conn. Ch. 669 Sec. 36a-7041b(b)(2); 
Fla. Stat. Sec. 501.171(3); Ind. Code Art. 24-4.9-3-1(c); Iowa Senate 
File 2259 (to be codified at 715C.2.8); LA Admin. Code Title 16 
Sec. 701; Maine Stat. Tit. 10 Sec. 1348(5); Md. Comm. Code Sec. 14-
3504(h); Mass. Gen. Law Ch. 93H Sec. 3(a); Mo. Stat. Sec. 407.1500(8); 
N.H. Ch. 359-C:20(b); N.Y. Sec. 899-aa(8)(a); N.C. Gen. Stat. Sec. 75-
65(e1); Vt. Stat. Ann. Tit. 9 Sec. 2435(b)(3); Va. Code Sec. 18.2-
186.6(E).
---------------------------------------------------------------------------
    Such a website is only possible at the state level because we can 
include information about national breaches, as well as those that are 
local or regional. I believe such a service would greatly benefit 
Illinois residents, and I do not believe they would want Congress to 
prevent my office from offering it, or the other work we are doing on 
data security and data breaches.
    I am happy to answer any questions you have.
    Thank you.

    Senator Moran. Thank you very much. Ms. Weinman?

   STATEMENT OF YAEL WEINMAN, VICE PRESIDENT, GLOBAL PRIVACY 
  POLICY AND GENERAL COUNSEL, INFORMATION TECHNOLOGY INDUSTRY 
                         COUNCIL (ITI)

    Ms. Weinman. Thank you, Chairman Moran, Ranking Member 
Blumenthal, and Senators of the Subcommittee, for the 
opportunity to testify today.
    My name is Yael Weinman, and I am the Vice President for 
Global Privacy Policy and the General Counsel at the 
Information Technology Industry Council, known as ITI.
    Prior to joining ITI in 2013, I spent more than 10 years at 
the Federal Trade Commission, most recently as an attorney 
advisor to Commissioner Julie Brill. I began my career at the 
FTC in the Enforcement Division, ensuring that companies 
subject to FTC data security consent orders were in fact 
complying.
    The 59 technology companies that ITI represents are leaders 
and innovators in the information and communications technology 
sector.
    When consumer information is breached, individuals may be 
at risk of identity theft or other financial harm. Year after 
year, identity theft tops the list as the number one complaint 
reported to the FTC.
    Consumers can take steps to protect themselves from 
identity theft or other financial harm following a data breach. 
Federal breach notification legislation would put consumers in 
the best possible position to protect themselves.
    I take this opportunity to outline three important 
principles in connection with Federal data breach notification 
legislation. First is preemption. A Federal breach notification 
framework that preempts the existing state and territory breach 
notification laws provides an opportunity to streamline the 
notification process.
    Complying with 51 laws (47 states, three territories, and 
one district), each one with its own unique provisions, is 
complex, and it slows down the notification process to 
consumers while an organization addresses the nuances in each 
of these 51 laws.
    Complying with 51 different laws also results in notices 
across the country that are inconsistent and thus confusing to 
consumers. A Federal breach notification law without state 
preemption would merely add to the mosaic, resulting in a total 
of 52 different frameworks.
    The second principle is the timing of consumer 
notifications. An inflexible mandate that would require 
organizations to notify consumers of a data breach within a 
prescribed time-frame is counterproductive. Following a breach, 
there is much to be done. Vulnerabilities must be identified 
and remedied. The scope of the breach must be determined. 
Cooperation with law enforcement is imperative, and impacted 
consumers must be notified. Premature notification could 
subject organizations to further attack if they have not yet 
been able to secure their systems, further jeopardizing 
sensitive personal information.
    Premature notification might interfere with law 
enforcement's efforts to identify the intruders. The hackers 
might cover their tracks more aggressively upon learning that 
the breach had been discovered.
    Notification to consumers before an organization has 
identified the full scope of the breach could result in 
providing inaccurate and incomplete information.
    Organizations have every incentive to notify impacted 
consumers in a timely manner, but a strict deadline does not 
afford the necessary flexibility.
    The third principle is determining which consumers should 
be notified. Notifying individuals that their information has 
been compromised enables them to take protective measures. It 
is not productive, however, if all data breaches result in 
notifications.
    If inundated with notices, consumers would be unable to 
determine which ones warrant action. Notifications should be 
made to consumers if they are at a significant risk of identity 
theft or financial harm.
    A number of factors would be considered in making that 
determination, including the nature of the breached information 
as well as whether that information was unreadable. Unreadable 
information would not warrant a notification. Upon receiving a 
notice, individuals can then take steps to help avoid being 
financially damaged.
    The three principles I have outlined today are included in 
the full set of principles that ITI has developed in connection 
with Federal data breach legislation, and I respectfully 
request that these be submitted for the record.
    2014 has been referred to as ``the year of the data 
breach,'' and I think many of us would like to see 2015 as the 
``year of Federal data breach notification legislation.''
    I would be happy to answer any questions. Thank you.
    [The prepared statement of Ms. Weinman follows:]

  Prepared Statement of Yael Weinman, Vice President, Global Privacy 
  Policy and General Counsel, Information Technology Industry Council 
                                 (ITI)
    Chairman Moran, Ranking Member Blumenthal, and Senators of the 
Subcommittee, thank you for the opportunity to testify today. My name 
is Yael Weinman and I am the Vice President for Global Privacy Policy 
and the General Counsel at the Information Technology Industry Council, 
also known as ITI. Prior to joining ITI, I spent more than 10 years as 
an attorney at the Federal Trade Commission, most recently as an 
Attorney Advisor to Commissioner Julie Brill.
    ITI is the global voice of the technology sector. The 59 companies 
ITI represents--the majority of whom are based in the United States--
are leaders and innovators in the information and communications 
technology (ICT) sector, including in hardware, software, and services. 
Our companies are at the forefront developing the technologies to 
protect our networks. When a data breach occurs, however, we want a 
streamlined process that helps guide how consumers are informed in 
cases when there is a significant risk of identity theft or financial 
harm resulting from the breach of personally identifiable information. 
In my testimony today, I will focus on several of the critical elements 
necessary to be considered by Congress in developing a Federal 
legislative framework for data breach notification in the United 
States.
``Year of the Breach''
    We have all heard 2014 referred to as ``the year of the breach,'' 
but the reality is that data breaches did not just come on the scene 
last year--they surfaced quite some time ago. While companies and 
financial institutions spend tremendous resources to defend their 
infrastructures and protect their customers' information, it is an 
ongoing virtual arms race. Organizations race to keep up with hackers 
while the criminals scheme to stay one step ahead. Unfortunately, it is 
no longer a matter of if, but a matter of when, a criminal hacker will 
target an organization. And when certain information about individuals 
is exposed, those consumers may be at a significant risk of identity 
theft or other financial harm. Year after year, identity theft is the 
number one category of fraud reported to the Federal Trade 
Commission.\1\ I would expect that when the 2014 statistics are 
released, identity theft will continue to top the list.
---------------------------------------------------------------------------
    \1\ See Federal Trade Commission, Consumer Sentinel Network Data 
Book for January--December 2013 (February 2014) available at http://
www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-
data-book-january-december-2013/sentinel-cy2013.pdf; and Federal Trade 
Commission, Consumer Sentinel Network Data Book for January--December 
2012 (February 2013) available at http://www.ftc.gov/sites/default/
files/documents/reports/consumer-sentinel-network-data-book-january/
sentinel-cy2012.pdf.
---------------------------------------------------------------------------
51 Different Breach Notification Requirements
    As a result of this troubling landscape, over the years, state 
legislatures across the country enacted data breach notification 
regimes. Currently, there are 51 such regimes--47 states and four U.S. 
territories.\2\ Consumers across the country have received 
notifications pursuant to these laws. I have received more than one 
such notice myself, and I imagine some of you may have as well.
---------------------------------------------------------------------------
    \2\ The District of Columbia, Guam, Puerto Rico, and the U.S. 
Virgin Islands each adopted a data breach notification law. New Mexico, 
South Dakota, and Alabama have not yet enacted breach notification 
laws.
---------------------------------------------------------------------------
    The current scope of legal obligations in the United States 
following a data breach is complex. Each of the 51 state and territory 
breach notification laws varies by some degree, and some directly 
conflict with one another. For example, Kansas requires that 
notification to consumers ``must be made in the most expedient time 
possible and without unreasonable delay, consistent with the legitimate 
needs of law enforcement and consistent with any measures necessary to 
determine the scope of the breach and to restore the reasonable 
integrity of the computerized data system.'' \3\ Connecticut's 
notification requirement to consumers is similar, but not identical. It 
requires notification to ``be made without unreasonable delay, subject 
to [a law enforcement request for delay] and the completion of an 
investigation . . . to determine the nature and scope of the incident, 
to identify individuals affected, or to restore the reasonable 
integrity of the data system.'' \4\ Florida, however, mandates a strict 
timeline and requires that notification be made to consumers no later 
than 30 days unless law enforcement requests a delay, regardless of the 
status of the forensic investigation into the scope of the breach.\5\
---------------------------------------------------------------------------
    \3\ Kan. Stat. Sec. 50-7a02(a).
    \4\ Conn. Gen. Stat. Sec. 36a-701b(b).
    \5\ Fla. Stat. Sec. 501.171.
---------------------------------------------------------------------------
    The complexities, however, are not limited to the timeline for 
notification. There are other significant variances among these state 
and territory laws, including what circumstances give rise to a 
notification requirement, how notifications should be effectuated, and 
what information should be included in notifications.
A Way Forward: A Single Uniform Data Breach Notification Standard
    Federal data breach notification legislation offers the opportunity 
to develop a single uniform standard. ITI is currently updating a set 
of principles that we believe should be reflected in any Federal data 
breach legislation you consider. I will be happy to share those with 
you upon their completion, which I expect to be very soon. Outlined 
below are several of these key policy recommendations.
Consumer Notification
    Notifying individuals that their information has been compromised 
is an important step that then enables them to take protective 
measures. Notification to consumers, however, is not productive if all 
data breaches result in notifications. If that were the case, consumers 
would not be able to distinguish between notices and determine which 
ones warrant them to take action. Notification should be made to 
consumers if an organization has determined that there is a significant 
risk of identity theft or financial harm. Upon receipt of such a 
notice, consumers can then implement measures to help avoid being 
financially damaged.
    The process of determining whether there is a significant risk of 
identity theft or financial harm will include the examination of a 
number of factors, including the nature of the information exposed and 
whether it identifies an individual. Accordingly, efforts to define 
``sensitive personally identifiable information'' in legislation should 
be carefully considered to ensure that over-notification does not ensue 
as a result of an overly broad definition that includes information, 
which, if exposed, does not in fact pose a threat of identity theft or 
financial harm. Determining whether there is a significant risk of 
identity theft or financial harm may also turn on factors such as 
whether the information exposed was unreadable. If data is unreadable, 
its exposure will not result in a risk of financial harm, and therefore 
notification would not be appropriate.
    Consumers will be best served if they are notified not about every 
data breach, but about those that can cause real financial harm so that 
they can take precautionary actions only when they are in fact 
necessary. These actions can often involve expensive and inconvenient 
measures and should only be borne by consumers when there is a 
significant risk of identity theft or financial harm.
Timing of Notification
    Mandating that companies notify consumers of a data breach within a 
prescribed time-frame is counterproductive. Recognizing the 
sophistication of today's hackers, and the challenging nature of the 
forensic investigation that ensues following the discovery of a breach, 
Federal legislation must provide a realistic, flexible, and workable 
time-frame for consumer notification. Companies must be afforded 
sufficient time to remedy vulnerabilities, determine the scope and 
extent of any data breach, and cooperate with law enforcement. In 
certain instances, law enforcement agencies urge organizations to delay 
consumer notification so that suspected hackers are not alerted and 
driven off the grid. Sufficient flexibility in the timing of 
notification allows law enforcement to effectively pursue hackers, and 
ensures that consumers are neither notified with incomplete or 
inaccurate information nor notified unnecessarily.
Federal Preemption
    A Federal law that preempts the current patchwork of 51 different 
state laws would provide considerable benefits. A Federal data breach 
notification requirement without Federal preemption would accomplish 
nothing other than adding a 52nd law to this patchwork. Federal 
preemption ensures that consumers will receive consistent 
notifications, and thus they will be more easily understood. For 
organizations, it will streamline the notification process, enabling 
organizations to redirect resources currently being devoted to comply 
with 51 different notification laws. Such resources can be better 
utilized following a data breach, which requires a myriad of important 
steps, including investigating the breach, determining its scope, 
remedying vulnerabilities, and cooperating with law enforcement. One 
uniform framework allows organizations to make consistent 
determinations about who should be notified, when those individuals 
should be notified, and what information should be included in the 
notification.
No Private Right of Action
    We urge you to avoid legislation that includes a private right of 
action for violations of a data breach notification regime. The best 
way to protect consumers is not to empower the plaintiff's bar to 
pursue actions that are ultimately only tangential to consumer injury. 
Appropriate government enforcement for violations of data breach 
notification legislation is the proper remedy.
2015: The Year of Federal Data Breach Notification Legislation
    A Federal data breach notification law that preempts the current 
regime would be an important step forward for 2015--the year after the 
``year of the breach.'' At ITI, we hope that 2015 is the ``year of a 
Federal data breach notification law.'' Thank you again for the 
opportunity to share our thoughts on a Federal data breach notification 
regime, and I am happy to answer any questions you may have.

    Senator Moran. Thank you very much, and thank all of our 
witnesses. Attorney General Madigan, you seem to be in the 
minority, at least in this panel, on the issue of preemption.
    How do you respond to the concern that has been raised 
particularly by Mr. Duncan or Ms. Weinman about 51/52 different 
sets of standards across the country? Is there a way to preempt 
state law but then continue to have states involved in the 
enforcement of that new standard?
    Ms. Madigan. Sure. Senator, to answer your second question 
first, of course, there is--and it happens frequently--at the 
Federal level, where you will set a national standard but still 
allow State Attorneys General to enforce the law.
    Obviously, if that is what happens, that is one of our most 
important concerns because there will be instances where there 
are significant data breaches--they may be smaller, they may be 
confined to one or only a few states--and it will not be a 
circumstance where the FTC, for instance, they are the ones 
with the enforcement authority, will look into it.
    In part, it is the same situation we have in terms of 
different jurisdictions at a State level versus a Federal 
level, even for criminal matters. Some of the U.S. Attorneys 
Offices have thresholds. It has to be a big enough matter. But 
we still need and want the ability, as I said, to respond to 
and to safeguard our own residents.
    In terms of the concern, and I do appreciate having as many 
as 51 different laws that organizations have to comply with in 
terms of notification, I would say two things. One, to some 
extent the concern is overblown, in a very real sense. As 
somebody mentioned, it is a lawyer that sits down and 
determines what the notice has got to be and then produces a 
notice that can be used across the country.
    That certainly happened in terms of the Target breach. I 
remember getting that notification, and there are some 
different provisions depending on the state, but it is not 
impossible to do. It does not take such an enormous amount of 
time that the other issues that need to be contended with 
during the breach are ignored.
    Two, it is not an overall necessity, but I do think it is 
imperative. And I think everybody agrees that if you set a 
national standard, it cannot be a weak one. It has to be a 
higher one than some of the first generation state notification 
laws because we are seeing an increasing number of breaches 
with an increasing amount of sensitive information that is 
being breached.
    You are going to have to start to look into biometric data 
and things that really, during the first generation, very few 
if any states were concerned about.
    Senator Moran. Thank you very much. Is there any 
indication, and this is a question for any of the panelists, 
that from state to state, depending upon the law, that law or 
the effectiveness of that law has a consequence such that there 
are fewer hackers?
    Is there any suggestion that a state law discourages 
hacking from taking place in that state? In other words, is it 
effective as a prevention measure, and is there any suggestion 
that a state law has increased the standards of businesses who 
operate in those states?
    Is there a different level of compliance and is there a 
different level of desire to attack in a certain state because 
of state laws? Mr. Duncan?
    Mr. Duncan. Senator, as I mentioned in my testimony, the 
very nature of this problem is that it is interstate. If you 
imagine a situation with a small startup, they instantly have 
connectivity throughout the entire United States if they are 
selling merchandise. It is the fact of notice regardless of 
which state it occurs in that drives the interest in trying to 
have greater standards. It is not really a state issue. This is 
a national problem.
    Senator Moran. We often think of the states as 
laboratories, and I assume if we develop a national standard 
that we will look at states to see what standards are there, 
what makes sense.
    I just wanted to make certain there was no suggestion that 
a particular state has found a way to prevent or discourage 
this kind of behavior. I think at least your answer, Mr. 
Duncan, is no.
    Mr. Johnson?
    Mr. Johnson. Yes, sir. I would echo that the answer is no. 
I think what it does is it points to the need to have really a 
data security standard that is attentive to any data breach 
standard. If you do not have both pieces, you really do not 
have the ability to raise the bar from a security standpoint, 
because I do not believe that a breach notification in and of 
itself motivates businesses to essentially raise the 
cybersecurity bar.
    Senator Moran. Thank you, Mr. Johnson. Let me ask you 
before my time expires, is there any developing insurance 
coverage market for data breach? Your banks have a standard in 
place today. Is there insurance that covers the consequences of 
a data breach?
    Mr. Johnson. Yes, there is. It is a maturing market. We 
actually have a captive insurance company that offers some of 
those policies as well. I think it is a market that needs 
further refinement.
    We as an industry are looking at that very carefully in a 
number of different fashions, and in fact working with Treasury 
and with the Administration generally to try to figure out ways 
to improve the market and try to build insurance as a private 
incentive as opposed to building public incentives toward 
greater cybersecurity.
    Senator Moran. Thank you. Senator Blumenthal?
    Senator Blumenthal. Thanks, Mr. Chairman. Ms. Madigan, 
again, thank you for being here. I want to follow up on a 
couple of questions that the Chairman asked.
    You make the point that preemption has sometimes been 
narrow in our laws. In fact, that concept of narrow protection 
is that there should be preemption only if state laws are 
inconsistent with Federal law and then only to the extent of 
the inconsistency. That is a quote from one of those statutes.
    In Gramm-Leach-Bliley, in the Health Information Technology 
for Economic and Clinical Health Act, also known as HITECH, 
that principle of narrow preemption has been adopted.
    Has the experience been with that narrow approach to 
preemption that there are these horrible inconsistencies or 
confusion that our witnesses seem to raise as a specter of 
avoiding preemption?
    Ms. Madigan. No, Senator. The concern from the state level, 
as you are aware, is that it took--let's assume Congress will 
pass something this year--it took 10 years for Congress to pass 
a breach notification law, if you pass it now.
    To the extent that there are new threats out there or, 
again, threats that specifically target a group of people, 
consumers in our state, we need to be able to respond. Or, if 
there is a rapidly changing area, again, we want to be able to 
respond.
    I think that is the real concern. We have not seen 
significant problems where states retain enforcement authority 
of a Federal law and/or the preemption is narrow. In fact, I 
think it works best that way because, again, Federal resources 
tend to go to larger issues whereas state resources go to some 
of the smaller issues.
    Senator Blumenthal. Mr. Duncan, I am troubled by the 
failure of retailers to take responsible steps to protect their 
consumers. In fact, some of them, I am told, have actually 
blocked some of the new technology that could have been 
available. I do not want to call any out, but I am happy to 
name them if you wish.
    I am disturbed that these major retailers have in fact 
moved to block innovations by disabling their contactless 
transaction terminals that they offered as a feature to 
consumers for many years. Mobile payment technologies like 
Apple Pay and Google Wallet, efforts are underway, but they 
still have not been deployed as they should be.
    Are you not disappointed that retailers have not done more 
to protect their consumers?
    Mr. Duncan. It is not a matter of disappointment in terms 
of what retailers have done in the past. I can tell you that I 
have sat in the Board meetings of the National Retail 
Federation, and I have heard the CEOs of some of the best known 
companies in this country talk long and seriously about the 
steps they have to take to address this very serious problem.
    Senator Blumenthal. I am sure they have talked about it. 
Why have they not done anything about it?
    Mr. Duncan. They are also adopting new technologies. This 
is a very complicated issue to address because there are so 
many ways, as has been pointed out, that the bad actors can get 
in, so you have to develop very particularized systems that 
will effectively block that, and they are adopting those.
    Senator Blumenthal. Why are the retailers disabling their 
terminals, for example?
    Mr. Duncan. There are some technologies that either are 
unproven, are extraordinarily expensive, or take control of the 
company's operations away from the company and into someone 
else's. Each company has to make its own decision on that 
element, but that is completely separate from a decision about 
how you secure the data in your files.
    Senator Blumenthal. You know, I am struck that you have 
recommended to the panel that there be preemption, not only of 
state statutory law but also common law. That is a pretty broad 
preemption, is it not?
    Mr. Duncan. The fact is if you do not have preemption that 
is strong and across the board, then ultimately, experience has 
shown us, that the courts will strike down the preemption and 
the proliferation of conflicting laws will reemerge. We have to 
have a very strong law and it has to be a uniform law if it is 
to be effective.
    Senator Blumenthal. That principle of preemption, is that 
not virtually unprecedented?
    Mr. Duncan. No, I do not think so.
    Senator Blumenthal. Where else has it been adopted?
    Mr. Duncan. Well, let's look at what has happened with the 
telemarketing sales rule that the FTC enforces. There 
essentially the same kind of approach was taken. All power was 
placed essentially on the rule with the FTC. You do not see 
individual actions under that rule or you do not see----
    Senator Blumenthal. My time is expired.
    Mr. Duncan. State Attorneys General actions under that 
rule, which we would support.
    Senator Blumenthal. My time has expired. I would suggest 
that that approach to preemption is broader than this committee 
should consider, and a more narrow view of preemption such as 
Attorney General Madigan has suggested, if there is to be any 
preemption at all, is one that is more appropriate.
    Thank you, Mr. Chairman.
    Senator Moran. Thank you, Senator Blumenthal. Senator 
Fischer?

                STATEMENT OF HON. DEB FISCHER, 
                   U.S. SENATOR FROM NEBRASKA

    Senator Fischer. Thank you, Mr. Chairman. My thanks to you 
and the Ranking Member for holding this very timely hearing 
today.
    Ms. McGuire, as you know, numerous reports have linked 
nation state actors to cyber attacks. Additionally, some of the 
same countries implicated in these reports may require U.S. IT 
companies to turn over intellectual property, including 
operating software source code, in exchange for market access.
    Are you concerned that such information in the hands of 
what we could call an ``irresponsible actor'' could pose 
additional cybersecurity risks?
    Ms. McGuire. Thank you for the question. We are concerned 
about having to turn over any of our intellectual property to 
any country. We believe that is an infringement on our 
ownership of our intellectual property that we have clearly 
spent extensive resources to develop, and that we should be 
allowed to protect it accordingly.
    Certainly, if it is passed to a third party or a second 
party, then it does expose us to potential additional 
vulnerabilities. In short, we believe that we should not have 
to share our intellectual property.
    Senator Fischer. There are instances, I believe, where 
companies are being pressured by foreign governments to share 
that property. Do you know how prevalent that is?
    Ms. McGuire. There are some new requirements, actually some 
not so new requirements, in some countries. I cannot tell you 
how prevalent it is, but we are certainly seeing a growth in 
those kinds of requests from many different countries around 
the world.
    Senator Fischer. How dangerous is that if we continue to 
see growth in that, that companies do that for increase in 
market access, for example? How dangerous is that to other 
companies here in our country when that property is shared, 
would it not put your security and other companies' security at 
risk?
    Ms. McGuire. It potentially could put other organizations 
at risk. I am not sure I can quantify how much, but any time 
you have to provide the source code to another party, it can 
provide additional openings for risk.
    Senator Fischer. Also, our Federal data protection 
framework, it is largely based on who is collecting that 
information rather than tailoring enforcement based on what is 
being collected. Would it not be better for consumers and 
businesses alike if we would apply a more uniform regime for 
all entities so that enforcement is based on the sensitivity of 
the information that is being collected?
    Ms. McGuire. Yes, that is our view, that it should be a 
risk-based application and threshold for what type of data 
potentially is breached.
    Senator Fischer. For all the witnesses, if I could just ask 
a couple of yes or no questions here. Do you support a Federal 
data breach notification standard that is consistent for all 
consumers? Ms. McGuire, if you want to start.
    Ms. McGuire. Yes.
    Mr. Duncan. Absolutely.
    Dr. Pendse. Yes.
    Mr. Johnson. Yes.
    Ms. Madigan. Yes, if it is strong and meaningful.
    Ms. Weinman. I will be the outlier and ask for further 
clarification of the question. When you say ``consumers,'' are 
you referring to which particular type of data? Is that your 
question, whether you do not want to distinguish between types 
of data?
    I think to a certain extent the sectoral approach that we 
have here in the United States has worked to a large extent 
with regard to financial data and health data.
    Since the desire is to get Federal breach notification 
legislation across the finish line in 2015, anything that could 
potentially slow that down is something we should carefully 
consider.
    Senator Fischer. Do you think it would be easier to get 
something across the finish line if exceptions are made or 
targeting made on what type of data is collected?
    Ms. Weinman. I think it would make it easier to get it 
across the finish line if entities that are already subject to 
data breach notification requirements in specialized areas--if 
those remain intact.
    Mr. Duncan. Senator Fischer, with all due respect, a 
sectoral specific approach or exceptions are anathema to the 
kind of incentives we are going to need in order to have 
effective protection for consumers, at least in the view of the 
National Retail Federation.
    Senator Fischer. So, we have disagreement. I am over my 
time, so thank you very much.
    Senator Moran. Senator Schatz?

                STATEMENT OF HON. BRIAN SCHATZ, 
                    U.S. SENATOR FROM HAWAII

    Senator Schatz. Thank you. Ms. Weinman, you and others have 
talked about the balance to strike in terms of over-
notification. I think we all recognize we do not want to be 
inundating consumers and others with notification of breaches 
if they are not significant enough, and it would become 
meaningless.
    My question is who determines whether there is this 
``significant risk'' of identity theft? Do you figure that gets 
enshrined in the statute? Is that for Attorneys General to 
determine? Is it the courts? Individual companies?
    I think that is one of the key issues here. We can all 
agree in principle that we do not want to be over notifying, 
but where that responsibility and authority resides is really 
key.
    Ms. Weinman. Thank you. I am glad that we can all agree in 
principle that over notification is not something that would be 
desirable. I think an organization that holds the data and has 
a sense of what information has been compromised, and the 
extent to which it had been compromised, would be in the best 
position to make that determination.
    Senator Schatz. What standard would they be held to? Would 
it be under the law or just their own judgment about whether 
this was going to be harmful to their consumers? Or does this 
all get refereed in court? That is the question, is it not?
    Ms. Weinman. Well, I think the level of risk would be 
something that would be codified in a statute like significant 
risk of identity theft or financial harm. I do think that would 
be in the letter of the law.
    Senator Schatz. Ms. McGuire, you were talking about a risk-
based analysis. I would like you to elaborate there.
    Ms. McGuire. So, along the same lines of what kind of data 
has been breached and what the risk is to the consumer or the 
organizations that also might have been part of that, but as I 
stated in my statement, we believe that a component of that 
statute needs to be that the data has been either rendered 
unreadable or unusable via encryption or other technologies so 
that in fact if the data has been accessed, it is meaningless 
to the perpetrator. That is a key component----
    Senator Schatz. That is your bright line?
    Ms. McGuire. Of the statute; yes.
    Senator Schatz. Attorney General Madigan, maybe take half a 
minute to elaborate on that, and I have another question for 
you as well.
    Ms. Madigan. I do not think there is any such thing as over 
notification going on at this point. Notification keeps 
consumers alert to the possibility of I.D. theft and they 
should be protecting themselves.
    It certainly depends on what other information these 
criminals may have access to in terms of what they could be 
using; information that we would deem individually not to pose 
any risk to them, but could potentially if it is combined with 
other information. There is no over notification going on at 
this point.
    Senator Schatz. I agree with you there may not be over-
notification but we do not want to create a scenario where I am 
getting e-mails two or three times a week and I do not know 
what to panic about and what to ignore. I think that is the 
balance to strike.
    I agree that we are not there in reality.
    Ms. Madigan. At all.
    Senator Schatz. If you could again articulate what would 
constitute a sufficiently strong standard to kind of satisfy 
your concerns. I respect the California law and some other 
statutes are pretty good marks to make. I see a few heads 
nodding, I see a few heads shaking.
    Ms. Madigan. Do not scare them.
    Senator Schatz. That is fine. I would like to hear what you 
think would suffice in terms of being worth a tradeoff in terms 
of preempting state laws.
    Ms. Madigan. I think a strategy that I have heard talked 
about here is that you really should look at the state laws 
that are out there, California probably at this point being one 
of the high marks. But I should say it is not just California. 
Again, this is a bipartisan issue: Texas, Florida, Indiana, 
have some of the most progressive notification laws in the 
country.
    You need to look and see what the changes have been from 
the first generation of them, such as Illinois, where we said 
it is going to be your first name or your first initial and 
your last name along with unencrypted Social Security number, 
driver's license number, credit or debit card number, and now 
we are moving to biometric data, as I said, and e-mail 
addresses with log-in passwords.
    As it changes, you really need to look and see what is the 
high water mark and make sure that really is your floor.
    Senator Schatz. Mr. Johnson, I will let you have the last 
word on this. What would suffice as a strong enough standard 
that we would all feel comfortable preempting the 50 odd state 
laws that we would be looking at?
    Mr. Johnson. Gramm-Leach-Bliley.
    Senator Schatz. I'm sorry, one more time.
    Mr. Johnson. Gramm-Leach-Bliley, the Federal law. I think 
what we are doing at the Federal level has a standard 
associated with when a company makes a valuation, such as your 
concern in terms of who has the responsibility to make the 
determination as to when to notify of substantial harm.
    I think also the financial services companies, even if a 
breach is not occurring at the financial services company, have a 
lot of experience in terms of dealing with those breaches as 
well, and they look at Gramm-Leach-Bliley from that 
perspective. I think that is what I would look to.
    Senator Schatz. Thank you.
    Senator Moran. Senator Blunt?

                 STATEMENT OF HON. ROY BLUNT, 
                   U.S. SENATOR FROM MISSOURI

    Senator Blunt. Thank you, Chairman. Thank you for having 
this hearing. We had a similar hearing in this committee last 
March, and at that time all the panelists were for a single, 
consistent national standard.
    Attorney General Madigan, I often tend to be in favor of 
the underdog, but I seldom would imagine you would be the 
underdog on this issue. You might be in terms of where other 
people are tending to wind up.
    I think a lot of the questions I would ask have already 
been asked on the topic of preemption. We will just see where 
that goes. The President and the Attorney General have both 
taken a position, and both agree with the need for preemption.
    Senator Carper and I introduced a bill last year, and we 
are working on a bill again this year. Our bill covers a lot of 
ground regarding data security and breach notification, but one 
of the things we have not done in our legislation is establish 
an arbitrary timeframe.
    There is an argument about whether there should be a 
specific timeframe established in the law as opposed to 
established by circumstances. So far I have stayed on the side 
that we need to have some flexibility in timeframes, but I am 
not absolutely sure I understand, or the Committee understands, 
all of the reasons why.
    I did notice in the Anthem data breach this week, they sent 
a general notice, and then I heard Mr. Schatz say basically he 
was becoming the victim of breach fatigue by being constantly 
notified that he could be in a group whose information may have 
been breached.
    I have not yet looked at legislation with the idea that we 
need an arbitrary deadline, but I have a couple of questions 
for whoever wants to answer, starting with you, Ms. Weinman.
    The question would be what would you perceive in terms of 
how a deadline should be established or the criteria for what 
would be a reasonable response, and your view on whether an 
arbitrary deadline is something that should be included in a 
data breach notification.
    Ms. Weinman. Thank you. I think an arbitrary deadline, a 
specific timeframe, is not useful in that it sets an objective 
standard. Each data breach incident is different. Each incident 
requires special consideration to address vulnerabilities, and 
to cooperate with law enforcement. Some breaches will require 
cooperating with many different types of law enforcement.
    I do not think a specific deadline is useful. That being 
said, a number of the states have deadlines that do not involve 
specific days, and I think that is the right approach to give 
sufficient flexibility.
    Senator Blunt. Is there any sort of guidelines you would 
look at as to whether or not a response was appropriate, and 
made in an appropriate timeframe? What would be a triggering 
factor of whether the response was appropriately quick or not?
    Ms. Weinman. I think the buzzwords that we hear a lot are 
``without unreasonable delay,'' that type of construct, I 
think, works well in this situation. In examining whether the 
notification was done without unreasonable delay, you would 
look at what the company had done up until that point when it 
decided to make that notification.
    Had they dotted all the i's and crossed all the t's and 
closed the patches, cooperated with law enforcement, listened 
to law enforcement if law enforcement asked them to in fact 
delay notification, which is in fact sometimes the case.
    Senator Blunt. I am down to a minute. Anybody that feels a 
guideline should be specific? Anybody want to respond to that?
    Ms. McGuire. I do not, and I agree with Ms. Weinman that 
there should be a standard for reasonable notification, but I 
think it is important to recognize that there are different 
types of breaches. There is a difference between losing a 
laptop that has a lot of data on it and a network that has been 
penetrated. That may require very different responses and very 
different investigation and time lines. I think that is an 
important criterion to consider.
    Dr. Pendse. I would agree with my colleagues here, there 
ought to be some flexibility there because smaller 
organizations are simply not going to have the types of 
resources that bigger organizations can bring to bear, so some 
flexibility would be very much essential.
    Senator Blunt. Anybody? I think I am out of time. I am not 
a lawyer but it does sound like--my one concern about 
``reasonable response'' is it sounds like time in court to me 
for someone to try to determine whether the response was 
reasonable or not.
    I am out of time. Chairman, thank you for the time.
    Senator Moran. Thank you, Senator Blunt. We are honored to 
be joined by Chairman Thune, and I recognize him now.

                 STATEMENT OF HON. JOHN THUNE, 
                 U.S. SENATOR FROM SOUTH DAKOTA

    The Chairman. Thank you, Mr. Chairman. I thank you and 
Senator Blumenthal for holding this hearing and focusing a 
light on this issue. It is an issue that is important to our 
country and something that Congress has been trying to fix for 
over a decade, and hopefully this will be the year when we 
finally find the path forward that enables us to put in place a 
workable solution that protects consumers and addresses this 
very important issue, which again we are reading about today, 
millions of Americans impacted by yet another data breach.
    I want to ask, and Senator Blunt mentioned this, because I 
think the question has been asked many times but perhaps not 
everyone has answered it, Ms. Weinman, I am just curious 
because you have extensive experience in this area having 
worked at the FTC prior to your current position with ITI, 
could you give us your sort of explanation of why you think a 
single Federal law is so preferable for both businesses and 
consumers?
    Ms. Weinman. Thank you. I have a chart with me that is 19 
pages long that goes through the variances of the different 
state laws. That reason alone, I think, lends itself to having 
one Federal breach notification standard to enable companies to 
act quickly and provide the required notice. I think it is both 
business-friendly but more importantly consumer-friendly.
    The Chairman. Mr. Duncan, your testimony today highlighted 
the need for Congress to enact a preemptive Federal data breach 
notification law. I agree that doing so would provide a great 
deal of clarity for companies, including the retailers and 
merchants that you count as your members.
    It also would provide needed consistency, I think, for 
consumers. That is an issue, as I said before, Congress has dealt 
with in the past. There have been various legislative proposals 
that have called not only for uniform notification procedures 
but also for uniform Federal data security standards.
    I appreciate your observations about some of the risks of 
FTC enforcement, but since that enforcement can already occur, 
would not retailers benefit from a Federal law saying that 
reasonable data security measures must take into account the 
size and scope of the organization and the sensitivity of the 
data collected?
    Mr. Duncan. Thank you, Senator Thune. The FTC effectively 
has a reasonableness standard either under exception or under 
unfairness right now.
    Once you begin putting a lot of different factors into that 
standard, then you essentially set up a situation where was it 
reasonable as to (a), as to (b), as to (c), as to (d). If a 
medium-sized company cannot check the box on every single one 
of those factors, then they are likely to be in very bad shape.
    That kind of standard works better when you are developing 
guidance. That is a big distinction between the GLB standards 
that Mr. Johnson has talked about, and a uniform national 
standard.
    If you have an examiner sitting next to you, and you--can 
in an iterative process--work through each of those various 
elements, that may work. If you are trying to set one standard 
for every type of commerce and every type of business in the 
country, then having multiple components to that is going to 
make it impossible with any certainty for the average American 
company to respond to.
    The Chairman. Could NRF support any type of security 
requirement?
    Mr. Duncan. Sure, if there is a standard comparable to that 
the FTC is currently enforcing, which is a reasonable security 
standard, and if that is coupled with the very, very robust 
notice requirements that we have testified in favor of, that 
would work.
    The Chairman. I have a question for Attorney General 
Madigan. Ms. McGuire in her testimony suggests that any 
notification standard should minimize notifying individuals 
about breaches in which their personal information was rendered 
unusable before it was stolen.
    Ms. Weinman suggests that the exposure of unreadable data 
will not result in risk, therefore, notice would not be 
appropriate.
    I am wondering what your thoughts are on the wisdom of 
including the usability reference in breach notice legislation 
and then perhaps how the Illinois state law approaches that 
issue.
    Ms. Madigan. It is the right thing to do. I agree with both 
of them on that front. Under Illinois' law, if the information 
is encrypted, you do not get notification of the breach. What 
we need to look to, because we have seen this in some of the 
breaches taking place, is encrypted information that has been 
compromised and the encryption key has also been stolen.
    In those circumstances, when you can unencrypt, then there 
should be notice. If it is encrypted--if it is unusable, 
unreadable--notification does not need to take place under 
Illinois law.
    The Chairman. Great. Mr. Chairman, thank you.
    Senator Moran. Mr. Chairman, thank you. Senator Klobuchar?

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you very much, Mr. Chairman. Thank 
you for holding this important hearing. I apologize for being 
late. We had a Judiciary markup. It was very exciting. Now I am 
here on a topic that is near and dear to our hearts in 
Minnesota.
    As you know, one of our major retailers experienced a 
breach, and I think there is not a day that goes by that we do 
not hear about another cyber attack in local communities or on 
the national scene or even on the international scene.
    In fact, last night the media reported that Anthem, the 
nation's second largest health insurer, was breached, and as 
many as 80 million customers could have had their account 
information, including names, birth dates, addresses, Social 
Security numbers stolen.
    These cyber attacks are increasing in scope. I was a 
sponsor of some of the bills that were out there in the last 
Congress. I hope, given that we have already had hearings this 
Congress, and I appreciate Senator Thune's leadership--I am one 
of the few senators that are on both the Judiciary Committee 
and the Commerce Committee--that we can move ahead in this area 
of cybersecurity.
    My first question actually was about what I just raised, 
and I know it was in the news. Attorney General Madigan, 
welcome. I have worked with you in the past and appreciate your 
good work.
    With this disclosure, it is important to discuss what is 
and what is not covered under the Health Insurance Portability 
and Accountability Act or HIPAA. To your knowledge, would the 
information impacted in the Anthem breach be covered by HIPAA?
    Ms. Madigan. What I have heard so far is that they claimed 
medical information was not breached, so it probably falls 
under the various state breach notification laws to determine 
if the ``personal information'' definition is met at the 
various states. I think it remains to be seen what the total 
extent of that breach is.
    Senator Klobuchar. I know. I do not think we know yet. In 
your experience when something like this happens, not this 
exact case, how are the agencies coordinating with the 
Attorneys General, whether it is the Department of Health and 
Human Services, or the FTC, to enforce these consumer 
protections, and do you think there is more that can be done 
there when it comes to coordination?
    Ms. Madigan. Well, we have certainly had a very good 
working relationship with the FTC because we obviously have 
similar jurisdiction over consumer matters. We probably do not 
have as much interaction with the other entities that are 
dealing with some of the health information, but in Illinois, 
the way our breach notification law works, if that type of 
information is taken, we want the ability to be able to make 
sure people are notified. And obviously, coordination, I think, 
helps everybody, particularly when we all have limited 
resources.
    At the end of the day, our concern is all the same, right? 
We are trying to protect individuals from any sort of identity 
theft and financial damage that could occur because of it. We 
are always looking to cooperate, whether it is at the state 
level or at the state and Federal level.
    Senator Klobuchar. OK. Mr. Duncan, I am going to focus on 
the retail issues, since we are proud to have Target and Best 
Buy in the State of Minnesota, two great companies.
    Last year, many of my colleagues and the media had talked 
about the need to move to chip-and-PIN technology, similar to 
what we are seeing in Europe, Canada, and elsewhere, and 
following the push for the change, the industry made a 
voluntary commitment, as you know, to switch over to chip-and-
PIN cards and readers by the end of October 2015, which is this 
year.
    That is an important timeline, I think, for consumers. We 
learned from the Home Depot data breach that impacted both 
Canadians and Americans that cards from Canada were actually 
less valuable on the black market than American cards because 
they had chip-and-PIN technology. We tended to be a target 
because we had not improved that technology, despite the work 
of companies like Target who had early on tried to, but as we 
know, it is not universal across the country.
    Mr. Duncan, what percentage of your members have already 
adopted chip-and-PIN payment technology and have the necessary 
technology to read cards at points of sale?
    Mr. Duncan. This is a quickly changing number. I have data 
from several months ago, in which case it was in excess of a 
quarter of the Nation's retail terminals were already outfitted 
for chip-and-PIN.
    The concern that many of our members have is that the 
investment in PIN-and-chip technology is extraordinarily 
expensive. It will cost between $25 and $30 billion to re-
terminalize the entire country.
    It is worth it if you get improvement in fraud reduction. 
Unfortunately, many of the banks, not all, but many of the 
banks are not issuing PIN-and-chip cards. They are only issuing 
chip-and-signature cards. As you know, a signature is a 
virtually worthless security device.
    Retailers are being asked to spend tens of billions of 
dollars for security that is going to be illusory.
    Senator Klobuchar. I know just talking to Target and Best 
Buy that they are pretty committed to getting to this October 
deadline, which is great. When you are talking about the 25 
percent, those are just ones that have not done it yet but you 
expect a higher percentage to be there by October?
    Mr. Duncan. Lots of companies--it takes a huge effort to 
re-terminalize a large operation, an interconnected operation. 
We expect a significant portion of the industry to be there, 
not 100 percent. It is impossible to do that in 10 months.
    Senator Klobuchar. Your point is it is very important to 
have the full technology with the chip-and-PIN and----
    Mr. Duncan. If we are going to spend the money to reduce 
fraud, let's reduce fraud. Let's do PIN-and-chip.
    Senator Klobuchar. Any comments from anyone else about 
this? Mr. Johnson? Thank you, Mr. Duncan.
    Mr. Johnson. Thanks for the opportunity, Senator. I think 
one of the things when we have this conversation that we forget 
sometimes is the fact that the card market is really two 
different markets to some degree. It is the debit card market 
as well as the credit card market. Debit cards have PINs. You 
essentially have more than 50 percent of the card environment 
already that is PIN enabled.
    What we have learned from the credit side is the fact that 
both at the retail side as well as our customer behavior, in 
the credit environment, our customers prefer to use the 
signature. If they want to be protected by a PIN, they can use 
their debit cards. They have an effective choice to be able to 
really accomplish that.
    Senator Klobuchar. I think what Mr. Duncan said is that you 
get more protection, and certainly the situation that we saw 
with Home Depot where the Canadian cards were less valuable 
because they had that full technology, I can imagine everyone 
would like to see. It is just that if we know one technology 
protects better, it seems we would not just want it for debit 
cards.
    Sometimes, I just know from having a bunch of cards in my 
purse, I do not really think through what kind of card it is, 
if it is signature or not.
    Mr. Johnson. I think that the most important thing here is 
to really work toward getting rid of static numbers. What we 
have in the environment right now are credit card numbers and 
PINs that are static numbers that make us vulnerable.
    To the extent that we have developed technologies such as 
tokenization, where numbers are meaningless, if someone was to 
breach Target and capture all the numbers that were associated 
with those transactions, or any retailer, the numbers would be 
meaningless because they would only work for that one 
transaction.
    I think that is really what we need to be working toward, 
making those numbers absolutely worthless to the criminal, and 
that is what is really going to protect the customer at the end 
of the day.
    Senator Klobuchar. Very good. The last thing, just for the 
good of my hometown, Target did fix the breach and everyone can 
go shopping there. Thank you.
    Senator Moran. Thank you. Senator Daines. Let me first say 
that a vote is scheduled at 11:30. I want to make sure that 
Senator Daines gets an opportunity to question. We intended to 
take a second round, but that may not be possible based on the 
voting schedule. Senator Daines?

                STATEMENT OF HON. STEVE DAINES, 
                   U.S. SENATOR FROM MONTANA

    Senator Daines. Thank you, Mr. Chairman. This morning, 80 
million Anthem health insurance customers woke up to learn 
their personally identifiable information could have been stolen. 
In fact, we just received this over the fax machine, a notice 
from Anthem that says ``To our Members,'' and I am just quoting 
from the letter which was sent out to their members, and it 
could be 80 million members.
    ``These attackers gained unauthorized access to Anthem's IT 
system and have obtained personal information from our current 
and former members, such as their names, their birthdays, their 
medical I.D.'s, Social Security numbers, street addresses, e-
mail addresses, and employment information, including income 
data.''
    Last year in the House I offered an amendment that would 
strengthen victim notification requirements. I am eager to work 
with the chairman on strengthening these requirements again in 
future legislation.
    I have a question for anyone on the panel here this morning 
in light of there has been a lot of discussion about past 
breaches and now we have this most recent significant and most 
serious breach.
    What is an appropriate notification time period, like for 
these 80 million customers, and we still do not know for sure 
when this occurred, but we are hearing it might have been last 
week, but for these 80 million customers that are waking up 
this morning to hear and learn their PII could have been 
stolen.
    Ms. Madigan. Senator, I would respond this way. It sounds 
unusual and helpful that Anthem has actually notified people, 
even if we do not know the full extent of the breach, as 
quickly as they have.
    We are aware of situations where there are retailers who 
have waited months and months, some maybe as long as six 
months, to notify people, which is clearly too long to notify.
    We have had some extensive discussion about whether there 
should be a 30-day hard deadline, should it be more flexible. I 
can tell you at the state level, while there are some that have 
timeframes, we have been very reasonable, basically saying to 
do this as expeditiously as possible.
    When we look into whether that has taken place, we 
determine when did the breach take place, when did the company 
know about it, did they have time to put in place a response to 
secure their system, and obviously, any exceptions, if they 
need to continue to work with law enforcement.
    A flexible deadline would be a good one, but it cannot be 
that there is such a flexible deadline that you never have to 
notify or that you can wait for months, because your goal is to 
let people know that their information is out there and they 
may be a victim of some form of financial fraud or identity 
theft.
    Senator Daines. Prior to coming up on the Hill, I spent 28 
years in business, in fact, half of that time at Procter & 
Gamble. We prided ourselves on good customer service. The other 
half of that time was as part of a technology startup, a Cloud 
computing company that we took public. In fact, Oracle acquired 
us a couple of years ago, a built world class Cloud computing 
company.
    I was the Vice President of Customer Service working with 
literally millions of end users and thousands of customers. We 
sold a B to C customer service Cloud-based solution.
    When I was running Customer Service and looking after 
customers and we had a problem, our policy was we notified our 
customers as soon as we were aware of the problem, maybe not 
always understanding the magnitude of it. We believed we owed 
it to our customers to get back to them.
    I frankly am surprised to think we might be thinking in 
terms of 30 days. I think frankly that is unacceptable and that 
the customers, the consumers in this country, should be served 
better than that, and particularly when we are dealing with 
PII, recognizing we may not know the scope of the problem at 
the time, but at least the customers ought to know there is a 
problem and we are working quickly here to try to resolve that.
    I would be happy if there are any other comments from the 
panel.
    Mr. Duncan. Senator, we would support the kind of a notice 
regime that is contained within the Illinois law. It is less 
important as to what the number of days are attached to it, as 
long as you provide the time for law enforcement, for example.
    They may not want to notify because they want to set a trap 
for the people who have invaded it and have a way of catching 
them, taking them off the street. You have to allow for that.
    You clearly want to clean up the holes so that the people 
cannot come back inside. Once you have taken care of that, 30 
days, 10 days, whatever, 40 days, it does not matter, just a 
reasonable time period.
    I will say to the specific point that was made a moment 
ago, one of our members had a breach which they initially 
interpreted to be a million card data's that had been released. 
Once they examined it, it turned out there were only 35,000.
    The idea that you would have given notices to 965,000 more 
people unnecessarily is a pretty serious problem. You have to 
get it right. There is no easy answer here.
    Dr. Pendse. If I may comment, in terms of customer service, 
I agree with you that quick notification is very important but 
on the other hand a serious situation such as my other 
panelists have pointed out, some flexibility is necessary.
    One of the biggest detriments to any organization is loss 
of trust. As we noticed, Anthem has been very quick at reaching 
out to people and hopefully they will learn from past 
challenges and also from other well publicized breaches that 
have occurred.
    Loss of trust is a very big detriment and in the current 
environment, in an Internet enabled information gathering 
session, people have to quickly respond.
    Senator Daines. I would hope to continue to work on this 
issue of trying to establish what we think would be without 
unreasonable delay and trying to perhaps put better guardrails 
on that. I think it is probably in the eyes of the beholder 
sometimes.
    With my experience of years of working in a Cloud-based 
computing company, I just believe it is better to err on the 
side of the consumer and their protection. I fully understand 
the fact you can create maybe a bigger problem by notifying 
everybody without understanding what really has happened.
    I think as we lean one way or the other on this, I would 
just urge us to lean toward a quicker response, defining that. 
I think it is kind of better safe than sorry, particularly 
looking at this notification that went out, this is Social 
Security numbers, this is personal income data, this is perhaps 
private medical records. This is very, very serious.
    I think the consumer has the right to know about that 
sooner than perhaps waiting a week as we try to walk the fine 
line here of law enforcement and not creating a mountain out of 
a mole hill.
    I will tell you what, I think we should be trying to make 
this tighter. I had 2 days with an amendment I offered, and I 
hope we can work on something here that we can actually define.
    Senator Moran. Senator Daines, thank you very much. The 
bell has rung indicating votes. We will conclude this meeting 
momentarily.
    I am not going to ask any additional questions, but Dr. 
Pendse, I would be glad to have you visit with my staff. You 
know Kansas well. What small businesses should we be worried 
about? What innovators may be deterred from greater innovation 
as a result of this kind of legislation? I would welcome your 
input.
    Dr. Pendse. Absolutely.
    Senator Moran. I would be interested in hearing from any of 
the witnesses about Gramm-Leach-Bliley and its potential being 
used as a standard.
    I would like to know with the bankers, if there is 
information that banks have that could be breached that is not 
covered by Gramm-Leach-Bliley, and also the same kind of 
question related to HIPAA, where in those two arenas, health 
care and financial services, is there something we ought to be 
considering, a standard, or a starting point as we look at 
broader breach opportunities, or is that just a bad idea.
    Senator Blumenthal, anything to add?
    Senator Blumenthal. Yes, I agree with you that Gramm-Leach-
Bliley offers a potential model here. Mr. Johnson, I am quoting 
from your testimony, ``The extensive breach reporting 
requirements currently in place for banks provide an effective 
basis for any national data breach reporting requirement for 
businesses generally.''
    I gather that you support the preemption model that is 
contained in Gramm-Leach-Bliley.
    Mr. Johnson. That is correct.
    Senator Blumenthal. Because I think that may provide some 
common ground here. I invite the witnesses--I apologize, my 
time expired before, Mr. Duncan, you may have been able to 
provide a full answer to my question, so I would invite you to 
supplement your answer in writing if you wish, because I value 
your further comments.
    Thank you, Mr. Chairman.
    Mr. Duncan. If I may, Senator Blumenthal, I would emphasize 
the fact that Gramm-Leach-Bliley is essentially guidance. It is 
precatory language. It says you should, you ought to, something 
like that. That differs quite a bit from the state laws that 
have a mandate and a requirement.
    We would favor a mandate and a requirement rather than 
something that is merely precatory.
    Senator Blumenthal. I was referring really to the 
preemption model there.
    Senator Moran. Senator Klobuchar had exceeded her time at 
the earlier opportunity.
    Senator Klobuchar. Oh, new kid on the block.
    [Laughter.]
    Senator Moran. Senator Blunt, any concluding comments?
    Senator Blunt. In the great tradition of Senators, that is 
what we are expected to do. I think actually Senator Daines has 
followed up on the question that I had, but I want to ask one 
more time.
    Mr. Duncan a couple of different times has established a 
matrix of what might go into a reasonable standard. Is there 
anyone on the panel who is concerned about the Congress 
pursuing, as we look at this issue, a reasonable standard sort 
of along the lines that have been outlined as opposed to a 
specific notification period?
    Ms. Madigan. Are we talking about timeframe?
    Senator Blunt. We are. Nobody is proposing that we should 
include a specific timeframe in any law that we require 
notification in.
    Ms. Madigan. Senator, what I can tell you is the reasonable 
timeframe such as what Illinois has, we have seen it abused. 
The idea is that you would put in a specific deadline: within 
the most expedient time, but in no circumstances less than, put 
some sort of a line there. Or, as I said, it could be 6 months, 
at which point your information is long gone. It has long been 
purchased on the black market, and who knows what has been done 
with it or what damage has been done to you.
    You need to have further discussions about how do you try 
to better define what the time line is going to be for 
notification.
    Senator Blunt. Anyone else?
    [No response.]
    Senator Blunt. Thank you.
    Senator Moran. Thank you, Senator Blunt. To be bipartisan 
in my admonition, Senator Daines also exceeded his time 
allotment. I also note that Senator Klobuchar was very 
effective in putting me in my place by saying something like 
``the new kid on the block.''
    Senator Klobuchar. Yes.
    [Laughter.]
    Senator Moran. We are delighted you all were here. We 
appreciate the information that was conveyed to us.
    The hearing record will remain open for two weeks. During 
that time, Senators are asked to submit any questions for the 
record.
    Upon receipt of those questions, the witnesses are 
requested to respond to the Committee as soon as possible.
    I thank the witnesses again for their testimony, and I 
conclude this hearing. We are adjourned. Thank you.
    [Whereupon, at 11:39 a.m., the hearing was adjourned.]

                            A P P E N D I X

  Prepared Statement of Stephen Orfei, General Manager, Payment Card 
                  Industry Security Standards Council
    The Payment Card Industry Security Standards Council (PCI Council) 
thanks you for this opportunity to offer our insights toward national 
legislation on data security and breach notification.
    The PCI Council is an open global forum that is responsible for the 
development, management, education, and awareness of the PCI security 
standards, including the Data Security Standard (PCI DSS), Payment 
Application Data Security Standard (PA-DSS), and PIN Transaction 
Security (PTS) requirements. Founded in 2006, the PCI Council has 700 
participating organizations representing merchants, banks, processors, 
and vendors worldwide. Our mission of helping all stakeholders in the 
payment card industry prevent breaches involving sensitive payment data 
is led by the multi-industry leadership organization that exists to 
keep the payment system safe. With our global collaboration of security 
stakeholders, the PCI Council has created and maintains robust data 
security standards designed to prevent breaches and keep consumers' 
data safe. As part of these efforts, our organization regularly engages 
stakeholders with certification programs, training courses and best 
practice guidelines to help them meet new threats and improve 
continuous processes required for securing payment card data.
    Because PCI is the global forum for managing PCI security 
standards, we are uniquely qualified to address the need for a security 
standard in national data breach and notification legislation.
    The complexity of computer, networking and electronic payment 
technology offers tremendous opportunity for consumers, but also 
creates an attractive opportunity for criminals to exploit 
vulnerabilities in software and hardware. As we have seen in the recent 
past, errors in system configurations, weak passwords, malicious 
actions by insiders, or simple mistakes by anyone connected to 
sensitive payment card data can lead to infiltration of networks that 
lead to data breaches. At the PCI Council, we believe security results 
from the right combination of people, processes and technology. There 
is no silver bullet to protecting data, but instead it takes a multi-
layered approach to prevent breaches. Technical standards are but the 
first step toward achieving data security.
    We believe the Committee is correct in addressing the important 
need for data security. The good news is that many security standards 
already exist, are widely implemented at least on a partial basis, and 
undergo regular enhancement to meet evolving threats. For example, the 
National Institute of Standards and Technology's (NIST) Special 
Publication 800-53 and other related standards are crucial for Federal 
data security. The International Standard Organization's ISO 27000 
family of security standards are used globally. The PCI Council's 
portfolio of security standards for the global payment industry is 
another example. The PCI DSS is our overarching data security standard, 
collaboratively built on 12 principles that cover everything from 
implementing strong access control, monitoring and testing networks, to 
having an information security policy. All of these standards mentioned 
share many common elements.
    We urge the Committee to avoid recreating the wheel or conflicting 
with existing security standards, and instead leverage the invaluable 
work that is already used by organizations as practical frameworks for 
data security.
    It is true that despite the existence of security standards, 
criminals have successfully breached some databases and stolen 
sensitive data. But in the majority of cases, forensic investigations 
show breaches are preventable--and result from improper implementation 
of security standards. For example, in recent prominent retail 
breaches, attackers used a relatively simple technique of inserting 
malware onto vulnerable back-office computers, which then infiltrated 
points-of-sale to steal payment card data. Breaches like these could 
have been prevented by following prescriptions of security standards--
such as frequently scanning internal systems for out-of-date, 
unprotected software and correcting those configurations. Cases like 
these also illustrate why the PCI Council urges deployment and vigilant 
ongoing monitoring of a wide range of best practice security 
technologies used as ``defense in depth'' to backstop protection 
against unpredictable threats.
    With the ever evolving vectors of attack, businesses cannot assume 
that passing a compliance evaluation at a point in the past will 
protect their data in the future. Attackers are persistent and their 
threats continue to evolve. Businesses must take prudent and reasonable 
steps to keep their data security protocols up to date. This is true 
whatever standard is used.
    The PCI Council is deeply committed to helping payment card 
industry stakeholders meet evolving threats and vigilantly defend 
payment card data. As an example, the PCI Council welcomes the North 
American payment industry's migration to ``EMV Chip'' technology, and 
recognizes that transactions companies have been working towards the 
adoption of EMV since 2011. The presence of an identifying integrated 
circuit chip in each payment card will significantly reduce fraud in 
card-present transactions. Based on global experience with EMV, we know 
that after the U.S. transitions to this technology, fraud will migrate 
to the card-not-present environment such as online or over the phone. 
Accordingly, the best defense for protecting payment card data is a 
multi-layered combination of EMV Chip and new technologies that take 
sensitive account data out of harm's way, coupled with implementing PCI 
standards.
    The new technologies, including encryption and tokenization, are 
intended to ``devalue'' stolen payment card data throughout the payment 
system by scrambling the sensitive data and making it unusable to a 
data thief. Making systemic changes like these takes time and investment 
while technologies are in their infancy, however, so until then, 
organizations that store, transmit or process payment card data must be 
vigilant 24/7 in monitoring their implementations of PCI standards.
    The Committee's work will help bolster our stakeholders' vigilance 
by having the Federal government facilitate sharing security 
information with the private sector. We are encouraged by the 
possibility of other deterrents to data breaches such as increasing 
penalties for cybercrimes, and negotiating cybercrime treaties with key 
foreign nations.
    The PCI Council welcomes the opportunity to work with the Committee 
and Congress as it considers emerging data security, breach 
notification, cybersecurity and privacy legislation.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Roy Blunt to 
                            Cheri F. McGuire
    Question 1. Today, there are 51 different laws dealing with breach 
notification, and another 12 dealing with security requirements--with 
even more states considering new laws, or changing their existing laws.
    Given this trend, do you think Federal data breach legislation 
should include a clear national standard for both data security and 
breach notification?
    Answer. Yes. A clear national standard would provide clarity for 
consumers, businesses, and advocacy groups. In the current environment, 
organizations have to comply with myriad and sometimes conflicting 
standards. This adds cost and complexity for the organizations, and can 
lead to confusion among consumers because they can receive multiple--
but different--notifications after a breach. This serves no one's 
interest. A Federal standard should apply equally to the private sector 
and the government--it should cover all entities that collect, 
maintain, or sell significant numbers of records containing sensitive 
personal information. It should also seek to minimize the likelihood of 
a breach by pushing organizations to take reasonable security measures 
to ensure the confidentiality and integrity of sensitive personal 
information. This would also lower the cost of an event as studies have 
shown that breaches are less costly for companies that were proactive 
in applying security. Finally, any notification scheme should recognize 
that state-of-the-art encryption renders data unreadable, which in turn 
will minimize ``false positives''--notices to individuals who are later 
shown not to have been impacted by a breach because their data was 
rendered unusable before it was stolen.

    Question 2. Do you think the 51 different breach notification laws 
create confusion for consumers--especially for those who move, travel 
frequently, or live in an area where they shop and work across state 
lines?
    Answer. Yes. As noted above, existing standards can proscribe 
different forms of notices and require notification in different 
situations. As a result, a consumer could receive multiple, different 
breach notices from one company, or hear conflicting reports as to 
whether a breach actually happened because the standard was met in one 
state but not in another. Breaches and risk of identity and credit card 
theft are confusing enough as it is; no one is served by conflicting 
rules and laws that send mixed messages to potential victims.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Roy Blunt to 
                           Mallory B. Duncan
    Question 1. Today, there are 51 different laws dealing with breach 
notification, and another 12 dealing with security requirements--with 
even more states considering new laws, or changing their existing laws.
    Given this trend, do you think Federal data breach legislation 
should include a clear national standard for both data security and 
breach notification?
    Answer. The Federal Trade Commission (FTC) enforces a general 
reasonableness standard with respect to data security within the 
confines of the existing ``unfair'' and ``deceptive'' prongs of Section 
5 of the FTC Act. The commission's unfair and deceptive standards have 
worked for commercial law enforcement because they are broad enough to 
encompass an array of businesses and practices, and because they are 
implemented through the commission's consent decree authority--which 
allows for the clarification of requirements over time, without unduly 
penalizing businesses exposed to novel or developing requirements.
    If section 5 were amended to include a comparably broad requirement 
to maintain ``reasonable data security,'' without more, and were 
coupled with existing cease and desist enforcement authority, it would 
have a similarly positive effect of advancing data security without 
exposing them to penalties for unanticipated, evolving risks. If this 
were also coupled with the very robust notice requirements that we have 
testified in favor of, that would be something that might work well.
    Conversely, if the legislation were to establish a multi-factor 
data security standard--similar in nature to the Gramm-Leach-Bliley Act 
(GLBA) data security guidelines--for businesses which are subject to 
FTC jurisdiction, this would exponentially increase the likelihood of 
the businesses being found at fault for a data breach despite having 
overall reasonable data security standards, because the FTC would 
potentially only need to find unreasonableness as to any one of the 
factors in order to claim a violation of the Act.
    As the FTC has found previously, a multi-factor test is appropriate 
under GLBA guidelines for more sophisticated entities such as financial 
institutions because they routinely have much broader sets of the most 
sensitive personal and financial customer information in digitized 
form, which presents security risks and vulnerabilities not evident in 
most unregulated commercial businesses with much narrower data sets 
that typically contain less sensitive customer information. 
Additionally, financial institutions are subject to an examination 
process in which they work with bank examiners to develop a security 
plan that is in compliance with their guidance.
    As discussed in detail in my written testimony, the FTC does not 
have staff or processes capable of providing this guidance process to 
every business under its jurisdiction, and entities subject to its 
jurisdiction may only become aware of the possibility of being in non-
compliance with an FTC-enforced standard when they are under 
investigation. Under its broad jurisdiction, FTC enforcement of a 
multi-factor test would apply to every non-financial institution in the 
country, including not only retailers, but hotels, bars and 
restaurants, theaters, auto dealers, gas stations, grocery and 
convenience stores, fast-food eateries, airlines and others in the 
travel industry, hospitals and doctors, dentists, veterinarians, hair 
salons, gyms, dry cleaners, plumbers and taxi drivers. These businesses 
do not have the staff to determine up-front whether they could survive 
a multi-factor test. Virtually every unregulated business in the U.S. 
economy that provides goods or services to American consumers. Imposing 
banking regulatory standards on these unregulated businesses, to be 
enforced by the FTC in a non-examination process, would be an 
unprecedented expansion of FTC authority comparable to what the 
commission attempted to accomplish with its ``red flags'' rule, before 
Congress was forced to intervene.

    Question 2. Do you think the 51 different breach notification laws 
create confusion for consumers--especially for those who move, travel 
frequently, or live in an area where they shop and work across state 
lines?
    Answer. Yes. We have reached the point where these laws not only 
require different notification standards, but many suffer from a flawed 
rule that leads to over-notification. Specifically, the third-party 
entity rules in state breach laws do not require those entities to 
provide notification to affected consumers when they are breached. As 
further explained in my written testimony, to have an effective breach 
law, these ``notice holes'' must be closed. This is a position that the 
retail industry has successfully conveyed to, and has been favorably 
recognized by, certain State AGs. For example, a payment processor who works with 
multiple merchants could, under many state laws, fulfill its 
obligations by requiring dozens of merchants to bear the burden of 
providing varying notices to the same consumers for the processor's 
single breach. Such a rule does not provide effective notice to 
consumers; rather, it results in likely over-notification and confusion 
as consumers receive multiple and differing notices about the same 
breach from entities that did not suffer the breach.
    The most effective and timely consumer notice would result from a 
nationwide standard that requires all breached entities--including all 
breached third-party entities--to provide public notice, either 
directly to the affected consumers or via a substitute notification 
procedure where they make the breach publicly known through widely 
distributed media and other acceptable means. Some flexibility should 
be provided to respect contractual arrangements between third-party 
contractors and those that hire them regarding the most effective 
notice, but the general rule should clearly place the burden for 
requiring notice and any potential liability for the breach on the 
breached entity.
    This threat of making public disclosure has proven to be a powerful 
incentive to companies to improve their data security standards. A 
Federal bill that preempts state laws has the opportunity to close the 
problematic notice holes that exist in state laws for third-party 
entities and provide not only more robust notification--leading to 
greater consumer protection and awareness of data breaches that may 
cause financial harm--but also create ``skin in the game'' for all 
entities so that they place greater emphasis on, and investment in, 
improving data security for the most sensitive data.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Jerry Moran to 
                              Doug Johnson
    Question 1. During the hearing, a statement was made saying that 
``three times more data breaches occur at financial institutions than 
at retailers'' citing a report by Verizon. Will you please share your 
analysis of this data provided in the referenced Verizon report?
    Answer. The Identity Theft Resource Center has compiled a list of 
all publicly reported breaches in the United States and shows that 
banks accounted for only 5.5 percent of all breaches in 2014. Other 
businesses accounted for 33 percent. Retailer groups continue to cite 
the Verizon report on data breach statistics as a way to distract 
policymakers regarding the primary focus of data security breaches, but 
the inconvenient truth is that this Verizon report is based on an 
international sample of breaches as opposed to an actual compilation of 
all publicly reported breaches in the United States.

    Question 2. In some of the testimony, it was stated that one cause 
of the major breaches at Target and Home Depot, and perhaps similar 
breaches, was an ``easily forged signature.'' From your perspective, 
what other causes have you identified as contributors to these 
breaches?
    Answer. Forged signatures were not a cause in the Target, Home 
Depot, or any similar breach. The major cause of these breaches was 
the insecure point of sale systems used by these retailers. Bank 
customer credit and debit card numbers would not have been breached if 
these systems had not been vulnerable to POS malware. The card numbers 
also would not have been breached if Target had properly segregated its 
POS system from an invoicing system that Fazio Mechanical Services, a 
vendor to Target, had access to. When Fazio Mechanical was compromised 
with malicious software it gave the criminals a direct tunnel to 
Target's POS system, which allowed the criminals to install additional 
malicious software on that system.

    Question 3. As lawmakers consider a national data breach 
notification standard, it has been suggested that some industries 
should have an exception because they are governed by other breach 
laws. What are the pros and cons of creating an exemption for financial 
institutions? Is it possible that a Gramm-Leach-Bliley Act exemption 
would create ``notice holes'' where consumers would not receive notices 
of breaches at banks and other financial institutions?
    Answer. A Gramm-Leach-Bliley Act (GLBA) exemption from a national 
breach notification standard, rather than creating a ``notice hole,'' 
is appropriate in that we recommend any national standard imposed on 
other industries should be consistent with GLBA.
    As we enact a national data breach requirement, some industries--
including the financial industry--are already required by law to 
develop and maintain robust internal protections to combat and address 
criminal attacks, and are required to protect consumer financial 
information and notify consumers when a breach occurs within their 
systems that will put their customers at risk.
    Title V of GLBA requires banks to implement a ``risk-based'' 
response program to address instances of unauthorized access to 
customer information systems. At a minimum, a response program must:

  1.  Assess the nature and scope of any security incident and identify 
        what customer information systems and customer information may 
        have been accessed or misused;

  2.  Notify the institution's primary Federal regulator ``as soon as 
        possible'' about any threats ``to sensitive customer 
        information.''

  3.  Notify appropriate law enforcement authorities and file 
        Suspicious Activity Reports in situations involving Federal 
        criminal violations requiring immediate attention;

  4.  Take appropriate steps to contain the incident to prevent further 
        unauthorized access to or use of customer information, and

  5.  Notify customers ``as soon as possible'' if it is determined that 
        misuse of customer information has occurred or is reasonably 
        possible.

    A critical component of the GLBA guidelines is customer 
notification. When a covered financial institution becomes aware of a 
material breach of ``sensitive customer information,'' it must conduct 
a reasonable investigation to determine whether the information has 
been or can be misused. If it determines that misuse of the information 
``has occurred or is reasonably possible,'' it must notify affected 
customers ``as soon as possible.''
    Under GLBA, sensitive customer information includes the customer's 
name, address or telephone number in conjunction with the customer's 
Social Security number, driver's license number, credit card, debit 
card or other account number or personal identification number. 
Sensitive customer information also includes any combination of 
components of customer information that would allow someone to log onto 
or access the customer's account, such as user name and password.
    A covered financial institution must also provide a clear and 
conspicuous notice. The notice must describe the incident in general 
terms and the type of customer information affected. It must also 
generally describe the institution's actions to protect the information 
from further unauthorized access and include a telephone number. The 
notice also must remind customers to remain vigilant over the next 12 
to 24 months and to promptly report incidents of suspected identity 
theft to the institution.
    Where appropriate, the notice also must include:

  1.  Recommendation to review account statements immediately and 
        report suspicious activity;

  2.  Description of fraud alerts and how to place them;

  3.  Recommendation that the customer periodically obtain credit 
        reports and have fraudulent information removed;

  4.  Explanation of how to receive a free credit report; and

  5.  Information about the FTC's identity theft guidance for 
        consumers.

    In summary, rather than creating a notice hole, we believe the 
extensive breach reporting requirements currently in place for banks 
provide an effective basis for any national data breach reporting 
requirement for businesses generally.

    Question 4. Do you think requiring the use of PINs on payment 
transactions is the best solution for addressing the data breach 
problem? What aspects of the increased use of PIN technology would be 
helpful in preventing future data breaches? In your estimation, are 
there drawbacks to increasing PIN use? Please share any additional 
insight on the use of PIN technology that you feel may be useful to the 
Committee as it explores data breach prevention. Also, please comment 
on new and emerging payment technologies and potential security 
advantages or vulnerabilities.
    Answer. The fact that attackers are becoming increasingly adept 
at defeating cybersecurity practices and mitigating measures points to 
the need for industry to develop and deploy enhanced measures on an 
ongoing basis with greater speed. Rather than adopting static number 
PIN technology, we intend to focus on taking static numbers out of the 
payment system entirely.
    Eliminating the use of static numbers altogether for debit and 
credit card purchases is a very important next step in protecting our 
payment system and the consumers that use it. Finding ways to keep 
consumers from having to remember static numbers, letters or symbols in 
order to authenticate themselves when conducting a financial or other 
sensitive transaction was a primary focus at the recent White House 
Summit on Cybersecurity and Consumer Protection. For instance:

   Ajay Banga, President and CEO, MasterCard: ``What I have 
        learned from my consumer customers is that they want two clear 
        things aside from safety and security--one is to stop making me 
        remember things to prove I am who I am. Because there are too 
        many things to remember.''

   Richard Davis, Chairman and CEO, U.S. Bank: ``Our job is 
        really a lot of financial literacy to help people understand 
        how to protect themselves better . . . not putting a piece of 
        tape on the back of your debit card or credit card and writing 
        your PIN on it.''

   Chuck Scharf, CEO, Visa: ``We can talk all we want about 
        methods of authentication . . . but the fact is if card numbers 
        are flying around even though there is zero liability it's not 
        something the consumer wants to go through . . . We are working 
        with people across the payment ecosystem to figure out where we 
        can get rid of those account numbers, so if there is a 
        compromise, which there always will be because the bad guys are 
        steps ahead as hard as we all try, the compromise does not have 
        the effect it has today.''

    These comments point to the fact that payment security is a dynamic 
challenge that requires a like response, and that there is no single 
solution that will eliminate payment fraud. Locking in any static 
technology provides a roadmap to attackers, telling them where to focus 
their attacks. Tokenization replaces sensitive consumer account 
information at the register or online with a random ``token,'' 
rendering any static information associated with the transaction 
useless to criminals, and thus shows great promise.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Roy Blunt to 
                              Doug Johnson
    Question 1. Today, there are 51 different laws dealing with breach 
notification, and another 12 dealing with security requirements--with 
even more states considering new laws, or changing their existing laws.
    Given this trend, do you think Federal data breach legislation 
should include a clear national standard for both data security and 
breach notification?
    Answer. Although some of these laws are similar, many have 
inconsistent and conflicting standards, forcing businesses to comply 
with multiple regulations and leaving many consumers without proper 
recourse and protections. Inconsistent state laws and regulations 
should be preempted in favor of strong Federal data protection and 
notification requirements. In the event of a breach, the public should 
be informed where it occurred as soon as reasonably possible to allow 
consumers to protect themselves from fraud.
    We believe that the following set of principles should serve as a 
guide when drafting legislation to provide stronger protection for 
consumer financial information:

  1.  Inconsistent state laws and regulations should be preempted in 
        favor of strong Federal data protection and notification 
        standards.

  2.  Strong national data protection and consumer notification 
        standards with effective enforcement provisions must be part of 
        any comprehensive data security regime, applicable to any party 
        with access to important consumer financial information.

  3.  Requirements for industries that are already subject to robust 
        data protection and notification requirements must be 
        recognized.

  4.  In the event of a breach, the public should be informed where it 
        occurred as soon as reasonably possible to allow consumers to 
        protect themselves from fraud. The business with the most 
        direct financial relationship with affected consumers should be 
        able to inform their customers and members about information 
        regarding the breach, including the entity at which the breach 
        occurred.

  5.  The costs of a data breach should ultimately be borne by the 
        entity that incurs the breach.

    Our existing national payments system serves hundreds of millions 
of consumers, retailers, banks, and the economy well. It only stands to 
reason that such a system functions most effectively when it is 
governed by a consistent national data breach policy.

    Question 2. Do you feel the standards and guidance under Gramm-
Leach-Bliley provide necessary security, but with flexibility for 
organizations of different size and complexity? If so, can you 
elaborate why?
    Answer. Effective data protection requirements are scalable. For 
instance, bank regulations, through GLBA, recognize that the level of 
risk to customer data varies significantly across banks. Large banks 
require continual, on-site examination personnel, while community-based 
institutions are subject to periodic information security examinations.
    Data security is also an ongoing process as opposed to the state or 
condition of controls at a point in time.
    As opposed to proscribing specific technological security 
requirements, GLBA and the associated bank regulatory requirements are 
risk and governance-based. Bank security programs are required to have 
``strong board and senior management level support, integration of 
security activities and controls throughout the organization's business 
processes, and clear accountability for carrying out security 
responsibilities.''

    Question 3. Hackers seem to be getting more sophisticated by the 
day, and I imagine we expect even more attacks and perhaps more 
successful ones in the future. If that is the case doesn't it make 
sense to do everything possible to protect consumer personal and 
financial data? Do you think Federal data security standards applicable 
to all players in the payments process would help and if so why?
    Answer. Any legislation focused on creating a national standard for 
breach notification should also include a complementary national data 
security standard for covered entities. If Congress does not address 
data security standards now it misses the opportunity to instill a 
greater overall level of data security protections for consumers.
    Because the payment system is by definition a network, every 
business within that network must share in the responsibility to 
protect consumers and should have to abide by a data security standard. 
With that responsibility should also come the requirement for that 
business, whether it be a bank, merchant, third party processor or 
other entity, to bear the costs for any breach they incur.

    Question 4. A number of states have enacted data protection and 
consumer notification laws. However, I also understand that these 
provisions can vary from state to state. Is your industry currently 
covered by any Federal law that requires consumer financial and 
personal data to be protected? Are there other industries that are not 
covered by Federal data protection and consumer notification standards?
    Answer. Yes, Title V of GLBA requires banks to implement a ``risk-
based'' response program to address instances of unauthorized access to 
customer information systems. At a minimum, a response program must:

  1.  Assess the nature and scope of any security incident and identify 
        what customer information systems and customer information may 
        have been accessed or misused;

  2.  Notify the institution's primary Federal regulator ``as soon as 
        possible'' about any threats ``to sensitive customer 
        information.''

  3.  Notify appropriate law enforcement authorities and file 
        Suspicious Activity Reports in situations involving Federal 
        criminal violations requiring immediate attention;

  4.  Take appropriate steps to contain the incident to prevent further 
        unauthorized access to or use of customer information, and

  5.  Notify customers ``as soon as possible'' if it is determined that 
        misuse of customer information has occurred or is reasonably 
        possible.

    As already noted, the GLBA also contains a set of scalable data 
security standards. The retail industry currently does not have a 
similar set of Federal requirements. The legal, regulatory, 
examination and enforcement regime regarding banks ensures that banks 
robustly protect Americans' personal financial information. We believe 
that this regime provides an appropriate, scalable model for other 
businesses entrusted with sensitive customer financial and other 
information.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Roy Blunt to 
                              Yael Weinman
    Question 1. Today, there are 51 different laws dealing with breach 
notification, and another 12 dealing with security requirements--with 
even more states considering new laws, or changing their existing laws.
    Given this trend, do you think Federal data breach legislation 
should include a clear national standard for both data security and 
breach notification?
    Answer. ITI supports a breach notification bill that preempts state 
notification requirements consistent with our breach notification 
principles (previously submitted for the record and attached hereto). 
It is critically necessary to replace the existing 51 state and 
territory notification laws with one national framework. While ITI does 
not seek a national data security requirement in such a bill, we would 
not oppose a bill that includes a reasonable and technology-neutral 
data security requirement that is appropriate to a company's size and 
complexity, the nature and scope of its activities, and the sensitivity 
of the data held, and that preempts existing and future state data 
security requirements.

    Question 2. Do you think the 51 different breach notification laws 
create confusion for consumers--especially for those who move, travel 
frequently, or live in an area where they shop and work across state 
lines?
    Answer. Consistency in notices would reduce consumer confusion that 
may result from the variances of the method of data breach 
notifications, the content of such notifications, and the circumstances 
of such notification. In addition, consistency would also reduce 
confusion for businesses--particularly smaller e-commerce businesses--
as to how and when to notify their customers who reside in different 
states, each requiring a different type or content for notification and 
under differing circumstances.

