[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
EXAMINING THE CURRENT DATA SECURITY
AND BREACH NOTIFICATION
REGULATORY REGIME
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON FINANCIAL INSTITUTIONS
AND CONSUMER CREDIT
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
FEBRUARY 14, 2018
__________
Printed for the use of the Committee on Financial Services
Serial No. 115-73
_________
U.S. GOVERNMENT PUBLISHING OFFICE
31-346 PDF WASHINGTON : 2018
HOUSE COMMITTEE ON FINANCIAL SERVICES
JEB HENSARLING, Texas, Chairman
PATRICK T. McHENRY, North Carolina, Vice Chairman
PETER T. KING, New York
EDWARD R. ROYCE, California
FRANK D. LUCAS, Oklahoma
STEVAN PEARCE, New Mexico
BILL POSEY, Florida
BLAINE LUETKEMEYER, Missouri
BILL HUIZENGA, Michigan
SEAN P. DUFFY, Wisconsin
STEVE STIVERS, Ohio
RANDY HULTGREN, Illinois
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANN WAGNER, Missouri
ANDY BARR, Kentucky
KEITH J. ROTHFUS, Pennsylvania
LUKE MESSER, Indiana
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
BRUCE POLIQUIN, Maine
MIA LOVE, Utah
FRENCH HILL, Arkansas
TOM EMMER, Minnesota
LEE M. ZELDIN, New York
DAVID A. TROTT, Michigan
BARRY LOUDERMILK, Georgia
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana

MAXINE WATERS, California, Ranking Member
CAROLYN B. MALONEY, New York
NYDIA M. VELAZQUEZ, New York
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
MICHAEL E. CAPUANO, Massachusetts
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
DAVID SCOTT, Georgia
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
GWEN MOORE, Wisconsin
KEITH ELLISON, Minnesota
ED PERLMUTTER, Colorado
JAMES A. HIMES, Connecticut
BILL FOSTER, Illinois
DANIEL T. KILDEE, Michigan
JOHN K. DELANEY, Maryland
KYRSTEN SINEMA, Arizona
JOYCE BEATTY, Ohio
DENNY HECK, Washington
JUAN VARGAS, California
JOSH GOTTHEIMER, New Jersey
VICENTE GONZALEZ, Texas
CHARLIE CRIST, Florida
RUBEN KIHUEN, Nevada
Shannon McGhan, Staff Director
Subcommittee on Financial Institutions and Consumer Credit
BLAINE LUETKEMEYER, Missouri, Chairman
KEITH J. ROTHFUS, Pennsylvania, Vice Chairman
EDWARD R. ROYCE, California
FRANK D. LUCAS, Oklahoma
BILL POSEY, Florida
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANDY BARR, Kentucky
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
MIA LOVE, Utah
DAVID A. TROTT, Michigan
BARRY LOUDERMILK, Georgia
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York

WM. LACY CLAY, Missouri, Ranking Member
CAROLYN B. MALONEY, New York
GREGORY W. MEEKS, New York
DAVID SCOTT, Georgia
NYDIA M. VELAZQUEZ, New York
AL GREEN, Texas
KEITH ELLISON, Minnesota
MICHAEL E. CAPUANO, Massachusetts
DENNY HECK, Washington
GWEN MOORE, Wisconsin
CHARLIE CRIST, Florida
CONTENTS
----------
Hearing held on: February 14, 2018
Appendix: February 14, 2018

WITNESSES
Wednesday, February 14, 2018
Cooper, Aaron, Vice President, Global Policy, BSA - The Software Alliance
Rosenzweig, Paul, Senior Fellow, R Street Institute
Rotenberg, Marc, President, Electronic Privacy Information Center, and Adjunct Professor, Georgetown University Law Center
Sponem, Kim, Chief Executive Officer and President, Summit Credit Union, on behalf of the Credit Union National Association
Taylor, Nathan D., Partner, Morrison & Foerster LLP

APPENDIX
Prepared statements:
Cooper, Aaron
Rosenzweig, Paul
Rotenberg, Marc
Sponem, Kim
Taylor, Nathan D.

Additional Material Submitted for the Record
Luetkemeyer, Hon. Blaine:
Written statement for the record dated February 13, 2018
Written statement from Independent Community Bankers of America
Written statement from the National Association of Convenience Stores and The Society of Independent Gasoline Marketers of America
Written statement from the National Association of Insurance Commissioners
Written statement from the National Multifamily Housing Council
Maloney, Hon. Carolyn:
NationalJournal article entitled, ``Europe's New Data Protections Expected to Spill Over into U.S.''
Waters, Hon. Maxine:
Opening statement for the record
Cooper, Aaron:
Written responses to questions for the record submitted by Representative Heck
Rosenzweig, Paul:
Written responses to questions for the record submitted by Representative Heck
Rotenberg, Marc:
Written responses to questions for the record submitted by Representative Heck
Sponem, Kim:
Written responses to questions for the record submitted by Representative Heck
Taylor, Nathan D.:
Written responses to questions for the record submitted by Representative Heck
EXAMINING THE CURRENT DATA SECURITY
AND BREACH NOTIFICATION
REGULATORY REGIME
----------
Wednesday, February 14, 2018
U.S. House of Representatives,
Subcommittee on Financial Institutions
and Consumer Credit,
Committee on Financial Services,
Washington, D.C.
The subcommittee met, pursuant to notice, at 10:01 a.m., in
room 2128, Rayburn House Office Building, Hon. Blaine
Luetkemeyer [chairman of the subcommittee] presiding.
Present: Representatives Luetkemeyer, Rothfus, Lucas, Ross,
Pittenger, Barr, Tipton, Williams, Love, Trott, Loudermilk,
Kustoff, Tenney, Hensarling, Clay, Maloney, Scott, Green, Heck,
and Crist.
Also present: Representative Waters.
Chairman Luetkemeyer. The committee will come to order.
Without objection, the Chair is authorized to declare a recess
of the committee at any time. This hearing is entitled
``Examining the Current Data Security and Breach Notification
Regulatory Regime.''
Before we begin, I would like to thank the witnesses for
appearing before the subcommittee. We appreciate your
participation and look forward to today's discussion.
And I recognize myself for 3 minutes for the purpose of
delivering an opening statement.
Every year, the number and severity of data breaches seems
to increase and more and more Americans seem to become victims
of fraud and identity theft. Consumers are left not only facing
financial harm, but also the daunting task of restoring the
integrity of their personal information.
With constant technological advancements come more
sophisticated threats to data security. Some of the largest
financial institutions in the United States deal with hundreds
if not thousands of cyberthreats on a daily basis.
Those attacks aren't just from one-off hackers but
sometimes highly organized criminal enterprises backed by
foreign nation-states. The majority of entities that handle
personally identifiable information work hard to protect it
from fraudulent acquisition and use.
As we consider reform of the current regulatory regime
surrounding data security standards and notification
requirements, we should bear in mind that in many instances it
is both the entity and the consumer that has been the victim of
the crime.
While I recognize that companies work hard to guard against
complex threats, it is sometimes the smallest and most
avoidable errors that lead to the largest breaches. The company
only has to be wrong once. The 2017 Equifax breach is a
textbook example of the importance of good data security
hygiene.
This is a vastly complex issue that impacts nearly every
business in this Nation. But our primary focus throughout this
endeavor should be the consumer. Can we create a system that
puts them first? How can we safeguard their data without
overburdening the entities that they patronize? When is the
right time to notify them that a breach may have occurred?
Bottom line is that we, the American people, deserve better
than the status quo. All entities that handle our personal
information have some responsibility to maintain data security
standards that protect our information and to keep us better
informed of instances that could lead to theft, fraud, or
economic loss. We have the right to this information so we can
be empowered to protect ourselves.
Today's hearing will provide the committee with an
opportunity to hear from witnesses with diverse professional
backgrounds and opinions on data security. I want to thank them
for offering their perspectives today. I look forward to your
testimony and to continued collaboration on this incredibly
important issue.
The Chair now recognizes the Ranking Member of the
subcommittee, another gentleman from Missouri, Mr. Clay, for 5
minutes for an opening statement.
Mr. Clay. Thank you, Mr. Chair. At this time I will forego
the opening statement and hopefully we can get to the
witnesses. I yield back.
Chairman Luetkemeyer. Mr. Rothfus?
Mr. Rothfus. No.
Chairman Luetkemeyer. We are done with opening statements.
You guys are lucky this morning.
With that, we welcome the testimony of our witnesses. A number
of you have names that are, like Luetkemeyer, a little difficult to
pronounce, and I apologize if I get them wrong this morning.
But Mr. Aaron Cooper, Vice President for Global Policy, BSA
- The Software Alliance; Ms. Kim Sponem, President and CEO of
Summit Credit Union on behalf of the Credit Union National
Association; Mr. Nathan Taylor, Partner, Morrison & Foerster,
LLP; Professor Mack Rotenberg--is that right, or Rotenberg?
Mr. Rotenberg. Marc. Marc Rotenberg.
Chairman Luetkemeyer. Marc. Marc Rotenberg, President,
Electronic Privacy Information Center and Adjunct Professor,
Georgetown University Law Center; and Mr. Paul Rosenzweig--
pretty close?
Mr. Rosenzweig. Much better than most, sir.
Chairman Luetkemeyer. OK. Obviously we are not right yet,
that is the problem. But that is OK--appreciate your
diligence--Senior Fellow, R Street Institute.
Each of you will be recognized for 5 minutes to give an
oral presentation of your testimony. Without objection, each of
your written statements will be made part of the record.
Just a little tutorial on the lighting system in front of
you. Green means go. When you see a yellow one pop up there
that means you have 1 minute to wrap up, and red means stop. I
have a gavel up here that we will make that emphatically known
if we need to.
I would ask that you pull the microphones close to you.
They do move. They are not stationary on the desk there. You
can pull them toward you so we can hear you. Sometimes if you
speak softly it is a little difficult in this large room to get
the right acoustics.
So with that, Mr. Cooper, you are recognized for 5 minutes.
STATEMENT OF AARON COOPER
Mr. Cooper. Thank you, Mr. Chairman. Good morning Chairman
Luetkemeyer, Ranking Member Clay, and members of the
subcommittee. My name is Aaron Cooper and I am Vice President
for Global Policy at BSA - The Software Alliance.
BSA is the leading advocate for the global software
industry in the United States and around the world. Our members
are at the forefront of cutting edge, cloud-enabled data
services that have a significant impact on U.S. job creation
and the global economy.
Data security is crucial to our members and to their
customers in every industry sector. I commend the subcommittee
for holding this hearing on such an important topic, and I
thank you for the opportunity to testify.
BSA's support for data security and breach notification
legislation dates back more than a decade. Persistent, high-
profile security incidents make the need for thoughtful
legislation more important now than ever.
Our economy today, and economic growth and job creation in
the foreseeable future, are rooted in digital data. Every
industry today is improved through the use of software to
store, transfer, and analyze data.
But the embrace of the digital economy cannot be taken for
granted. If customers do not trust that their data will be kept
secure, they will not use the technology. Our companies compete
on privacy and security. Their customers rightfully demand it.
Data breaches erode that trust in digital services and can
have a significant cost on the economy.
The security threats we face today are global, the
adversaries increasingly sophisticated, and the motivations are
far more complicated than in the past. Malicious actors use
both internal and external threats to commit financially
motivated crimes and other forms of espionage.
In some cases, advanced persistent threats are conducted by
well-resourced teams of specialists that are often linked to
nation-state actors. Organizations that hold sensitive data
need to incorporate high standards of risk management.
This does not always require adopting excessively costly or
cumbersome security measures. In fact, reasonable diligence can
make a considerable dent in the problem. Experts suggest that
more than 90 percent of data breaches could be preventable
through basic cyber hygiene.
Compromised or weak user credentials account for the vast
majority of hacking-related breaches and patched software could
prevent nearly 80 percent of security incidents.
BSA is committed to being part of the solution and, along
with our members, is leading on several important efforts.
First, BSA recently released a new cybersecurity policy agenda
which addresses the need to promote a secure software
ecosystem, develop a 21st-century cyber workforce, and embrace
emerging technologies.
Second, BSA members have been leading advocates of security
by design principles and secure development lifecycle
approaches to developing software.
Third, the industry has developed and deployed layered
defenses from protection at the data and document level to the
network and perimeter level.
Fourth, the use of cloud-based services offers an important
option for data security. Just as a bank can better protect the
individual financial assets of its patrons, cloud service
providers can provide a level of protection for their
customers' digital assets beyond what many small and medium-
sized businesses can do on their own.
It is important to remember that even when customer data is
placed in a cloud infrastructure, security remains a shared
responsibility. Cloud providers can help reduce the operational
burden associated with securing data, but security is a
process, not an end state.
The cloud provider and customer both have responsibilities
for managing the security of data.
While the industry is taking important steps, only Congress
can ensure that there is a uniform and effective Federal
standard. In BSA's view, legislation should aim to achieve
three goals.
First, legislation should minimize the risk of data
breaches. It should require companies that collect or maintain
sensitive personal information to implement reasonable data
security practices. The practices should be scoped in size to
the complexity, sensitivity, and volume of personal information
on a company's systems.
Second, legislation should mitigate the impact of breaches
that do occur. Legislation should ensure that consumers receive
timely and meaningful notification based on a risk-based
analysis.
Third, legislation should create uniformity. We currently
have a thicket of 48 different State data breach notification
standards. The variations among the State laws are not trivial,
and it is unhelpful in the wake of a breach of personal
information to have a company working with a team of lawyers to
understand what requirements must be met in each jurisdiction
before notifying customers of the breach.
In conclusion, there is a lot that Congress can do to
improve the situation for both businesses and consumers. Well-
crafted legislation can facilitate rapid and robust responses
to significant security incidents. And Federal guidance on data
security will drive stronger security measures across the
Internet ecosystem.
BSA strongly supports these goals, and we look forward to
working with the subcommittee to achieve them. Thank you, and I
look forward to your questions.
[The prepared statement of Mr. Cooper can be found on page
40 of the Appendix]
Chairman Luetkemeyer. Thank you, Mr. Cooper.
Ms. Sponem, recognized for 5 minutes. Please turn your
microphone on and pull it close. Thank you.
STATEMENT OF KIM SPONEM
Ms. Sponem. Thanks. Chairman Luetkemeyer, Ranking Member
Clay, members of the subcommittee, thank you for the
opportunity to testify on this extremely important topic. My
name is Kim Sponem and I am Chief Executive Officer and
President at Summit Credit Union testifying on behalf of the
Credit Union National Association.
Summit Credit Union, headquartered in Madison, Wisconsin,
is a State-chartered credit union founded in 1935. We have $3
billion in assets and serve 175,000 members, which is quite
small compared to regional and national banks.
Like all credit unions, we are a not-for-profit
institution, owned by the very members we serve. Summit Credit
Union offers a full array of financial services to meet the
needs of our members, including debit and credit cards.
Unfortunately, data breaches occur far too often. Consumers
and financial institutions are harmed by data breaches when
entities and organizations, including merchants, fail to take
necessary steps to protect consumer data.
Community financial institutions foot the bill when
companies fail to secure customer information when many do not
need to store that information in the first place. Breaches
cost Summit Credit Union over $1 million in 2017 alone, but
more importantly, the negative impact on consumers is
significant and sometimes devastating.
Imagine you are making a purchase and your card is
declined. You don't know why. There is a line behind you. You
are embarrassed and concerned. You figure out a different way
to pay or you walk away angry.
You call your financial institution. There are fraudulent
charges on your card. You now know why the purchase was
declined because of fraud, but now you have the stress of
wondering just what information did the fraudsters gain on you?
Or are you using your debit card in another country to get
currency? It is shut down. Now what do you do? You are worried
someone is depleting your checking account. How long will it
take to get that resolved? How will you get your money in
another country? Panic sets in.
Even worse, someone stole your identity and took out a loan
in your name; now your credit is compromised. How do you get it
back? It can take years and tens of thousands of dollars to
rectify.
Meanwhile, my credit union is working hard to get you
another card at $3 to $5 per card, overnighting them when
needed at our expense. We work with you to address the
fraudulent charges that are on your card that we pay for.
We look to increase our fraud monitoring systems that are
expensive and labor-intensive. And most of all, we spend the
much-needed time with our members to help them navigate the
financial system.
Once you have new cards then remembering to update your
automatic payments is the next step. If you forget, you now are
delinquent with that company.
All fraud and fraud mediation is paid for by financial
institutions. There is no incentive for companies that hold
personal information to protect it. And that is just plain
wrong.
Under current law, credit unions and banks are subject to
data security requirements, necessitating the development of
procedures and systems to protect consumer information from
theft, including notifying consumers in the event of a data
breach.
However, other entities that hold personal information are
subject to no such standards. Any company that holds consumers'
personal information necessarily or unnecessarily should be
held to a national standard. Americans deserve a strong
national data security standard that requires all businesses to
protect and safeguard personal information.
Companies that do not need to store personal information
should either not store it or be subject to the standard.
Companies should not be allowed to put consumers at undue risk.
And communicating a data breach in a timely manner allows
consumers and financial institutions the ability to try to
reduce possible losses with early detection and awareness.
The current system is not fair or sustainable. Consumers
are protected from losses because financial institutions bear
the responsibility for reimbursing them. Those that are
negligent should bear the cost.
Protecting data is expensive and it is labor-intensive. But
a company that stores information needs to invest in these
protections for consumers as a cost of doing business, or not
store the information at all.
In summary, it is our hope that this committee makes data
security one of its top priorities in 2018. We ask that any
legislation proposed would include these three priorities: One,
a standard for all companies holding personal information; two,
a requirement to communicate breaches in a timely manner; and
three, a responsibility for negligent companies to bear the
costs.
We will work with you to protect consumer data and increase
accountability. Companies may not want to invest in protecting
data, but it is a matter of responsibility and duty that goes
with holding that information.
On behalf of Summit Credit Union and the National
Association I would like to thank you for this opportunity to
share my views. And I would be happy to answer any questions.
Thank you.
[The prepared statement of Ms. Sponem can be found on page
72 of the Appendix]
Chairman Luetkemeyer. Thank you, Ms. Sponem.
Mr. Taylor is recognized for 5 minutes.
STATEMENT OF NATHAN TAYLOR
Mr. Taylor. Mr. Chairman, Ranking Member Clay, and members
of the subcommittee, my name is Nathan Taylor and I am a
partner at the law firm of Morrison & Foerster. My practice is
focused on helping financial institutions and other companies
protect the security of their sensitive information and respond
to security incidents that unfortunately but inevitably occur.
My colleagues and I have represented companies in
responding to a number of the largest and highest profile data
breaches in American history.
I am pleased to be here today to provide you with
background on the State safeguards laws and the State security
breach notification laws. At the outset, however, I want to
stress that I share your concern about the critical need to
protect American consumers and American businesses from the
increasingly sophisticated cybersecurity threats that we face
today.
Cybersecurity impacts not only the security of our own
sensitive personal information, but in the Internet-connected
world in which we live, it impacts our very way of life.
In my view, we need a national standard to address what is
truly a national issue, and I also believe that a national
standard would ultimately be good for both the American
consumer and American businesses.
For more than a decade I have tracked the State laws as
they have developed in this area. When you review the current
landscape of State laws, you find a complex matrix of
inconsistent, sometimes duplicative and often contradictory
requirements.
With respect to State safeguards laws specifically, today
only 15 States have laws in effect that impose general
requirements on all companies to protect the security of
sensitive personal information. Most of these safeguards laws
impose only a high level obligation to take reasonable steps to
protect sensitive information.
Only a few include detailed security requirements, and
those are often modeled on the Safeguards Rule issued by the
Federal Trade Commission pursuant to the Gramm-Leach-Bliley Act
(GLBA).
In contrast, however, today, 35 States do not have
generally applicable laws that require all companies to protect
sensitive personal information.
If you are an American, where you live should not impact
whether there is a legal obligation to protect sensitive
information about you. In my view, this point is not
controversial. We need a national standard for security to
ensure that all Americans are protected while also leveling the
playing field for American businesses.
With respect to breach notification, 48 States, as well as
the District of Columbia, Guam, Puerto Rico, and the U.S.
Virgin Islands have enacted breach notification laws. Although
these laws ostensibly share the same purpose, they are far from
uniform and vary significantly in terms of their requirements.
For any given breach, the many differences among the laws
impact whether a consumer receives a breach notice at all,
what that notice says, when it is sent, and even how it is
sent. In addition, the inconsistencies among these laws
complicate the process for companies in providing notice to
consumers.
Even for companies that respond to an incident diligently,
investigating a breach, restoring the security of systems, and
providing notice to consumers takes time. It is a complex
process that is made more difficult by the need to comply with
52 different breach laws. A single nationwide standard for
breach notification would address this issue.
In closing, I note that Congress, including this committee,
has considered the issue of data security for 15 years. In my
view, the time for Congress to act is now. In considering
legislation I would recommend that this committee be guided by
four principles.
First, a Federal bill should include strong yet flexible
and scalable data protection standards for all companies.
Second, a Federal bill should require notice to consumers
of breaches that put them at risk of harm.
Third, a Federal bill should include a safe harbor for
compliance with the existing Federal data security standards.
And finally, a Federal bill should pre-empt State laws to
ensure that all Americans receive the same level of protection
regardless of where they live.
Thank you for the opportunity to speak with you today, and
I am happy to answer any questions that you might have.
[The prepared statement of Mr. Taylor can be found on page
83 of the Appendix]
Chairman Luetkemeyer. Thank you, Mr. Taylor.
Professor Rotenberg, recognized for 5 minutes.
STATEMENT OF MARC ROTENBERG
Mr. Rotenberg. Mr. Chairman, Ranking Member Clay, and
members of the committee, thank you for the opportunity to
speak with you today. My name is Marc Rotenberg. I am President
of the Electronic Privacy Information Center.
We are a nonpartisan research organization established in
1994 to focus public attention on emerging privacy issues. I
have also taught privacy law at Georgetown for more than 25
years and am the author of several books on privacy law.
I have provided for the committee a detailed statement that
I ask be entered into the hearing record. I would be happy to
briefly summarize my comments, if that is OK? Thank you.
Let me say at the outset that data breaches today pose an
enormous challenge, not only to American families but also to
our country. Previously, consumer privacy laws were enacted to
safeguard consumers against the misuse of their personal data.
But what we are increasingly aware of is that foreign
adversaries are targeting the personal data stored by American
firms here in the United States. And you see as a consequence
when companies engage in lax security practices, they put their
clients and their customers at risk, not only of the misuse of
the data but also of identity theft and financial fraud from
foreign actors.
A related concern that I would like to bring to your
attention is the growing divergence between U.S. privacy laws
and privacy laws in Europe. As you may be aware, the European
Union is moving in May of this year to establish a
comprehensive approach to privacy protection known as the
General Data Protection Regulation.
That law is already having a big impact and I would say a
positive impact on the practices of U.S. firms operating in
Europe. But the increasingly critical question is whether the
United States will update its privacy laws to address growing
concerns about the protection of personal data held in the
U.S., not only on U.S. consumers but also on the consumers in
countries where we do business.
So for both of these reasons, I think there is an enormous
urgency in this committee moving forward for strong proposals
for privacy protection. And I have outlined in my testimony
several key principles that I hope you will consider, as well
as brief comments on some of the bills that are pending in this
committee and elsewhere in Congress.
I want to comment on a few of the points that were made
earlier and also highlight statements that are in my
prepared testimony. I think the key point is that you want to
establish a Federal standard, but it should be a Federal
baseline standard.
And this is the traditional approach to privacy protection
in the United States. If you go back to the Video Privacy
Protection Act or the wiretap statute or other consumer privacy
laws, the approach to privacy protection has been one that
recognizes, as the other witnesses have said, the need to
ensure a Federal standard that provides baseline protection but
also allows the States to regulate upwards and to respond to
emerging privacy threats as they emerge.
Just looking at the field of data breach notification and
the experience in the State of California, what you will see is
that as the State confronted new forms of data breach, first it
was financial fraud and then it was medical records, the State
was updating its laws to address the new challenges and to
provide new and necessary coverage to ensure that consumers
would be aware of the new types of data breach.
This is entirely consistent with our Federalist form of
Government that leaves to the States the authority to establish
stronger privacy protections when necessary. So I would
certainly agree with the other witnesses on the need for a
national standard, but I would urge that that be a baseline
standard.
Some of the other key points in my testimony include the
need for prompt breach notification. It simply takes too long
today to tell people that their personal data has been
compromised.
In the credit reporting industry we think it is important
to establish across the board data freezes so that consumers
can make the determination affirmatively when to disclose their
personal data to others rather than to have to wait until the
breach occurs and then to take additional steps to safeguard
personal data that has already been compromised.
I would be pleased to address other points in my testimony,
and thank you again for the opportunity to speak with you
today.
[The prepared statement of Mr. Rotenberg can be found on
page 57 of the Appendix]
Chairman Luetkemeyer. Thank you, Professor.
Mr. Rosenzweig, recognized for 5 minutes.
STATEMENT OF PAUL ROSENZWEIG
Mr. Rosenzweig. Thank you, Mr. Chairman, Ranking Member
Clay, members of the committee. I thank you for the invitation
to join you today. My name is Paul Rosenzweig. I am a Senior
Fellow at the R Street Institute. We characterize ourselves as
a pragmatic think tank, which I guess means that we think the
free markets work except when they don't.
There is good evidence that the free markets do not fully
work in the cybersecurity arena and that the market does not
adequately price in the costs of cybersecurity.
Recent history is, of course, replete with examples of data
breaches like the Equifax breach and the harm they have caused.
I myself have been the subject of at least three breaches in
the last couple of years, Equifax, Home Depot, and the OPM
breach.
And as the Verizon data breach annual report reflects, in
2016, the last year for which we have some data, more than
40,000 incidents and 2,000 confirmed breaches have occurred.
So make no mistake. Cyberthreats are real and recent
experience has shown that neither the private nor the public
sector are fully equipped to cope with them.
Given these threats, we should expect that the market would
provide a solution. Why is that not enough? The answer I think
lies in the conception of externalities, that is, the fact that
activity between two economic actors may directly or
unintentionally affect a third party.
Cybersecurity has those types of negative externalities.
The most important one is what we call a pricing problem. That
is that private sector actors often do not internalize the
costs of security failures in a way that leads them to take
adequate protective steps. When software fails to prevent an
intrusion or a service provider fails to interdict a malware
attack, the costs are borne entirely by the end users.
In this way, security for the broader Internet is a classic
market externality. How then should Government respond to this
problem?
First and most importantly we should guard against what
public choice theory calls rent-seeking. That is the idea that
we should not foster the right result but rather the result
that concerted lobbying efforts favor.
Second, we must be careful of inflexible float to change
mandates. The Government's hierarchical decisionmaking
structure allows only slow progress in adapting to this
phenomenon and operates far too slowly to catch up with the
pace of cyber change, if you will.
We make decisions at the speed of conversation. But change
happens at the speed of light. Of course, whenever we have
chosen to address a pricing problem through litigation there
are also significant costs, most notably transaction costs.
Operating the civil justice system is expensive and
participating in that system even more so.
Those costs which are unrelated to the merits of the
failure or the litigation have a strong tendency to distort the
market in ways that are often unanticipated.
So then what is the right approach? My counsel to you would
be first do no harm. In the end, if a regulatory approach is
chosen at all, it should be flexible and scalable too and a
standard-setting approach with a light administrative
enforcement mechanism rather than a hard mandatory approach
with a heavy civil sanction.
Most importantly, we must develop a system that creates
more certainty than it does uncertainty, and that requires two
things: Guidance and reassurance. As to guidance, we need a
model that relies on a flexible standard but also one that is
clearly articulated.
By contrast, for example, today much of the guidance from
the FTC (Federal Trade Commission) to consumer enterprises on
acceptable cybersecurity practices comes in the form of consent
decrees that, taken together, articulate a very indefinite
standard of reasonable behavior. That is a poor way to set
standards.
Second, no enterprise will invest resources in achieving
standards without some assurance that doing so will benefit the
enterprise. In reality, a major portion of that benefit will
lie in the fiscal security of knowing that the enterprise has
taken adequate steps to avoid liability. So we need either an
implicit or an explicit form of safe harbor that encourages
people to adopt the standards we develop.
So what should our standard-setting system look like? Well,
we have a good example in the NIST (National Institute of
Standards and Technology) framework, a collaborative bottom-up
approach that collects best practices and advocates for them as
the best standard available.
If we follow these precepts, if we focus on standard
setting rather than rulemaking and guidelines rather than
mandates, we will go a long way toward advancing cybersecurity
and ameliorating the failures in the marketplace.
I should caution that no solution we can devise will be
perfect. This is truly an insoluble problem that cannot be
eliminated altogether. But there are in fact better or worse
answers, and I commend the subcommittee for its attention to
the problem. And I look forward to answering your questions.
[The prepared statement of Mr. Rosenzweig can be found on
page 49 of the Appendix]
Chairman Luetkemeyer. Thank you, Mr. Rosenzweig, appreciate
your comments this morning. Although they were honest, you just
said we couldn't solve the problem, so at least we can talk
about it, huh? The Congress is really good at that. We can talk
a lot, can't we?
With that, I will recognize myself for 5 minutes and begin
the questioning. Again, thank all of you for your comments. As
many of you indicated we have almost daily breaches now, and
the American public is clamoring for some sort of solution to
some of these problems.
And we are trying to put together a bill that hopefully
will address some of the concerns and take into account some of
the suggestions that you have given us this morning. And we
certainly appreciate your input.
Let me start out with Mr. Rosenzweig with regards to one of
the issues I think that is key to this whole situation is the
pre-emption of State law, all of you mentioned this very thing.
To me it looks like we have two choices. One you pre-empt
State law and be able to protect the consumer data. Or the
other is you allow the hodgepodge of laws to continue and the
consumers beware. Where would you come down on this?
Mr. Rosenzweig. Well, rather than characterizing them as a
hodgepodge, I would say that federalism and competition is one
of the ways that a market can function. The other way is to
impose uniformity across the entire Nation. That has the
economic advantage of eliminating redundancies and conflicts
and reducing costs.
What I would say is the worst answer or the worst of both
possible worlds is to partially pre-empt State law, to set a
baseline standard that does away with federalism in the first
instance but doesn't eliminate the uncertainty of
multiplicitous laws in the second instance. You don't gain any
of the benefit and you cost a lot--
Chairman Luetkemeyer. Would you believe we had an across-
the-board exemption that allowed for a Federal standard that
would provide a better safeguard for data for people, though?
Mr. Rosenzweig. I think as an economic matter, if you are
going to--
Chairman Luetkemeyer. I am not talking about economics. I
am talking about the ability of people to protect their data.
Mr. Rosenzweig. There would be more consistency and
therefore more likelihood of full compliance. The inconsistency
of the rules is part of what generates some of the uncertainty.
So yes, sir.
Chairman Luetkemeyer. OK, thank you. You make a good
attorney. Let me go with the question with regards to
notification. I know everybody has a different idea of this.
You talk to the companies they want, and we have seen examples
of this, anywhere from 2 weeks to 1 year before people were
notified.
The American public deserved better than that, and because
of those, in my mind, lousy ways of trying to work and manage
their breach, they have lost the trust of the American people.
So I don't know how we can get it back unless you go to a zero,
immediate notification.
This is what we need to go to, and I think the American
public is going to clamor for this, and my thought process is
that while the breach is going on you know what is going on and
you are ascertaining exactly how much information and what
information was lost, whose information was compromised.
You can already know, OK, we have a breach. Now we have to
start setting up some sort of a notification process.
And I think you can do two tracks on this so that whenever
you finally do realize that you have a compromise situation
where you have to be notifying people, you can do that on an
immediate basis. Anybody like to comment on that, see where you
are on that?
Mr. Rotenberg. Well Mr. Chairman, I agree with you. I
think, in fact, our recent experience with Equifax demonstrates
the need for prompt breach notification. The company was aware
in March 2017 that they had a problem with a key security
protocol that they failed to update.
Yet it wasn't until August, 4 months later, that they
actually took steps to begin to notify the public of the
potential that their data had been breached.
And of course as long as that software was not updated the
breach was ongoing. So the breach is necessary not only to
provide information to consumers so that they can act, but also
to ensure that the company is being diligent when it uncovers a
problem.
Chairman Luetkemeyer. Very good. Anybody else like to
comment on that?
Ms. Sponem?
Ms. Sponem. We had a situation in Madison where there was a
local processor that processed credit cards for various
restaurants. And they had been breached and did not notify
anyone. It took them weeks and into over a month to start to
work on the patches that they needed to do in order to shut
that down.
So meanwhile, the hacker, every single time someone used
their credit card at one of those restaurants, they were just
getting new credit card information. We had customers who had
to get their credit card reissued four times during that
period.
Chairman Luetkemeyer. I would like to make one quick
comment. I know that yesterday in the National Journal there
was an article with regards to Europe beginning to come on, and
I think Professor you made this comment with regards to new
data rules coming out.
In their data rules they are looking at a 72-hour window
within which to disclose this, although it doesn't say in here
whether you actually ascertain exactly the kind of information
that has been breached and you know that there is actually some
people's information had been compromised. I think that is a
key component of this.
But just a quick, would everybody agree that immediate
notification has to be there or some other timeframe?
Mr. Cooper? I am running out of time.
Mr. Cooper. Mr. Chairman, I think it is really important
that there be prompt notification, and I think that the
response from companies needs to be strong and immediate. But
we also need to look at what is going to be best for consumers.
And one of the concerns about having an artificial deadline
about when notification has to happen is that the initial
information is not always the accurate information. And it is
more important that the information be accurate than that it be
fast.
Chairman Luetkemeyer. Very good.
Mr. Cooper. And I think that with the FTC and State
attorneys general being able to make that determination--
Chairman Luetkemeyer. Very good. My time is up. I have to
set a good example here. You will all be able to come to--
hopefully my guys have been listening over here and we are
going to get some good questions on this, because this is a key
component to be able to go forward here.
With that, Mr. Clay from Missouri is recognized for--the
Ranking Member is recognized for 5 minutes.
Mr. Clay. Thank you, Mr. Chairman.
And Professor Rotenberg, you have written previously that
without comprehensive legislation the data breach problem will
only get worse. As part of such legislation, what type of
personal information should be explicitly covered?
Mr. Rotenberg. Mr. Clay, this is a critical question, not
only because personal data such as home address and Social
Security number and financial records and educational records
are readily understood as personal data, but also increasingly
in an era of Big Data we have a lot of information that is
deidentified but can be reconstructed as personal data.
So when we talk about personal data in the 21st century, we
need to understand that it is information that appears as
personal data and is familiar or could be made personally
identifiable. So as a starting point for privacy legislation,
we think it is important that there be a broad scope and that
this particular problem be well-understood.
Mr. Clay. And should a harm threshold be used to trigger
notification of a breach or should all breaches be disclosed?
Mr. Rotenberg. Well, this is a critical question. The
problem with a harm threshold is that it is oftentimes left to
the company to make a determination about whether they think
the consumer has been harmed. And in our view the better
approach says to the company if a breach has occurred, notify
the consumer and then let the consumer determine the scope of
the harm.
Oftentimes companies don't have the full picture of what
the consequence will be if customer data is breached. And that
is why we think that the harm standard is too high. It results
in too little notification.
Mr. Clay. Thank you for that. In your testimony you
mentioned that credit rating agencies should have an automatic
credit freeze. Could you expound on that and tell me how would
a consumer unfreeze that credit then?
Mr. Rotenberg. Right. Well, I think this is just common
sense. As we also say, the credit reporting industry is vital
to the American economy and consumers need the ability to
obtain credit, to get a home loan or purchase a car. We all
understand that.
But when the consumer is making one of those big life
decisions the person should be able to say OK. Now I want this
company to have access to my credit report. So it becomes an
affirmative decision.
The problem with the current system is that companies
routinely get access to personal data, whether or not the
customer has any intent of doing business with the company. And
this also contributes to identity theft.
So if we change the default, give consumers the ability to
disclose the customer report, the credit report, prior to the
purchase, we think that would be good for the customer. It
would be good for the merchant and would reduce the levels of
identity theft.
Mr. Clay. Would that have had an impact on the Equifax?
Mr. Rotenberg. Absolutely. The problem with Equifax is the
data became widely available and consumers were asked after the
fact to race around and put credit freezes in place. And at
that point it is too late.
Mr. Clay. Yes, yes. And in recent testimony before the
Senate you underscored the implications that the massive
Equifax breach has for U.S. trade relations, citing the fact
that more than 15 million U.K. customers were impacted and the
fact that the data exposed by the breach is, as you put it, ``a
gold mine for identity thieves.'' Can you expand on that
concern?
Mr. Rotenberg. Well, this is the point that I raised in my
opening statement. Traditionally when we talked about privacy
law in Congress the focus was the impact on U.S. consumers. But
of course now we live in a global, Internet-connected
environment.
Many U.S. companies are doing business overseas, and those
governments are looking at U.S. privacy law and trying to
assess if we have adequate privacy protection for the records
of their citizens.
So when the Equifax breach occurred, it didn't just impact
American consumers. It impacted people in the U.K. and Canada
and elsewhere around the world. I think it is very much in the
long term interest of the U.S. economy to strengthen our
privacy laws because other countries are becoming increasingly
concerned about the weak privacy standards we have.
Mr. Clay. And you had mentioned that the E.U. was moving
forward--
Mr. Rotenberg. Yes, that is correct.
Mr. Clay. --with an initiative and we should probably look
at that also and take some of the good points of it I guess?
Mr. Rotenberg. Thank you.
Mr. Clay. Thank you.
I yield back.
Chairman Luetkemeyer. The gentleman yields back.
With that, we go to the gentleman from Pennsylvania, the
Vice Chairman of this committee, Mr. Rothfus, recognized for 5
minutes.
Mr. Rothfus. Thank you, Mr. Chairman.
Ms. Sponem, in your testimony you discussed how merchants
and other companies that are not banks or credit unions are a
source of vulnerability and cost.
You wrote the following, ``Financial institutions like
Summit Credit Union foot the bill for the fallout and
subsequent fraud that comes from the breach of personal
information from merchants and other companies' failure to
adequately protect and secure customer information.''
In your experience, are merchants and other non-financial
companies a major avenue for data breaches?
Ms. Sponem. Yes, I believe that they are a major avenue for
breaches. I believe that most breaches do come from those
sources.
Mr. Rothfus. And can you quantify again how much these
breaches cost your credit union annually?
Ms. Sponem. So in 2017 we spent over $1 million on
breaches. And that has increased year-over-year. So in 2013 it
was around $350,000. It increased 20 percent in 2014, and today
it is over $1 million.
Mr. Rothfus. Mr. Taylor, while I agree that cybersecurity
and breach prevention and notification should be national
concerns, I also acknowledge that small businesses may pose
less risk and have fewer resources available to address
potential risks.
What is the best way to tailor data security and breach
notification requirements to the characteristics of businesses
that vary in size and capacity?
Mr. Taylor. It is a great question, and I think the key is
that you have a flexible and scalable standard. And that is
something that a number of us on the panel have highlighted
today.
You need a standard that takes into account the size,
complexity, and scope of the business' operations so the
standard can apply to the smallest company in America to the
largest.
I think it is critical that everyone has at least some
obligation but then the amount of resources that you have and
the size of your organization should dictate the extent of the
expectations.
Mr. Rothfus. Do you know what NIST's role is in setting
cybersecurity standards?
Mr. Taylor. The NIST issued the cybersecurity framework
pursuant to an Executive Order.
Mr. Rothfus. Are entities required to use the NIST
framework?
Mr. Taylor. No.
Mr. Rothfus. What Federal agencies should enforce the law
and determine what compliance with the law in this area would
look like? Any opinion there?
Mr. Taylor. Yes, absolutely. I think you have to recognize
a couple points here. First, we do have existing standards
under the Gramm-Leach-Bliley Act and under HIPAA (Health
Insurance Portability and Accountability Act). And I think for
those areas you should continue to follow the prudential
regulation model.
For example, the financial regulators enforce over the
financial institutions. And then I think that when you are
looking for who else should enforce, I think you have to start
with the Federal Trade Commission, who has historically played
a very active and strong role in this space.
Mr. Rothfus. Mr. Cooper, if I can ask you, we all recognize
that Congress does not want to create a situation whereby
breached entities are forced to inundate consumers with
insignificant notifications to the point that the breached
entity is notifying wolf.
With that in mind, where should the responsibility and
authority reside in determining a direct risk threshold of
identity theft that would trigger a notification?
Mr. Cooper. Well, I think, again, we need to look at it
from the perspective of what is going to be helpful for the
consumer in responding to a breach that might have an effect on
them. I think they are most likely going to be responsive to
the entity that they know has their data.
So in Ms. Sponem's example, for instance, the restaurant
that a customer went to where their credit card was used,
making sure that entity is communicating with the customer I
think is crucial with some actionable information so that it is
not just a notice that there has been a breach but here are
things that you can do.
Mr. Rothfus. Mr. Taylor, if I could go back to you? In your
testimony you described the current patchwork of State
notification laws as a, quote, ``complex matrix of inconsistent
and sometimes duplicative and often contradictory
requirements.''
Clearly, there is a case to be made that a national
standard would be more appropriate and that it would
significantly reduce the compliance burden for firms.
If we were to establish a national breach notification
standard, what information would need to be included? What do
consumers need to know if their information has been improperly
accessed or stolen?
Mr. Taylor. I think there are a few key points that you
should focus on. First, a description of the incident, what
happened. What information was involved? What is the company
doing about it? And steps that the consumer could take to
protect herself from harm.
Mr. Rothfus. I yield back. Thank you.
Chairman Luetkemeyer. The gentleman's time has expired.
Then we go to the Ranking Member of the full committee, Ms.
Waters, from California, recognized for 5 minutes. Welcome.
Ms. Waters. Thank you, Mr. Luetkemeyer. I have an opening
statement that I will submit for the record, and I appreciate
you holding this hearing.
Mr. Rotenberg, Chairman Hensarling has said that in light
of the Equifax breach it should be obvious to all that our
committee will revisit the Data Security Act, legislation that
our committee took up nearly 2 years ago.
The law included sweeping language that would have pre-
empted State law, in which the Massachusetts attorney general
at a minority day hearing that Democrats called, indicated
would drastically undercut Massachusetts data security
regulations.
The New York attorney general's office agreed with this
perspective in their testimony before our committee. So in your
view, if the choice is between the status quo or Federal
legislation that pre-empts States' ability to take action to
protect consumers and bolster data security requirements, which
option would you prefer?
Mr. Rotenberg. Thank you, Congresswoman, for the question.
I am somewhat familiar with the Data Security Act, the 2015
bill, and I am also aware of the objection of many State
officials and consumer groups.
I think it would be better not to pre-empt State laws that
currently provide strong protections to consumers. I think
there is a very real risk, in fact, that if you pass a national
standard that is weaker than what many of the States currently
provide, you will see an increase in the levels of identity
theft and financial fraud in the United States.
Because it is actually those State officials and the State
attorneys general on the front lines of this problem who are
dealing with State residents and businesses trying to come up
with the best legislative solutions.
So the practical consequence of capping that effort would
be to remove the most well-informed, the most effective, and
the most responsive policymakers from this field. I think it
would be a terrible mistake.
Now, I do think Congress has a role to play and has always
played an important role establishing a baseline standard when
it becomes aware of an emerging privacy issue. And most
certainly the protection of personal data is an emerging issue.
But I have no difficulty saying quite simply, a measure
that would pre-empt State law would leave many more American
consumers at risk of identity theft and financial fraud.
Ms. Waters. Thank you. And in some discussions that I have
had with some members here, they have said that this area that
we are dealing with cybersecurity issues, that you need
flexibility and you need to be able to continue to strengthen
your efforts to ensure that you have the kind of protections
that are necessary.
And that means that the States may be able to move faster,
may be able to initiate changes, upgrade, do all kinds of
things that perhaps the Congress of the United States could not
easily and readily do. Is that a concern?
Mr. Rotenberg. Well, I think that is the actual experience
in this field. I think there are some fields where there is no
question that Congress does need to establish a comprehensive
national standard.
But I think there are other fields, and privacy is most
certainly one, where the nature of the subject matter and the
expertise that exists at the States underscores the need for
our Federalist approach to coming up with innovative solutions.
It was actually Justice Brandeis, known for his famous
opinion on the right to privacy, who also described the States
as the laboratories of democracy. And we see that in the
protection of privacy. This is where the innovative legislation
comes from.
Ms. Waters. Well, my concern is that when you start to talk
about national standards and you are dealing with all of these
Members of Congress who come from different States and you have
to basically come up with an agreement, a consensus dealing
with all of the concerns, that the national standard is usually
a race to the bottom almost.
And that it does not recognize that some States, such as
have been identified as New York and Massachusetts, have good
standards, higher standards. And a national standard would
certainly not match that which some States already have and
could have.
So I thank you for being here today. I appreciate your
testimony. And I think that we should take into consideration
what you have said because pre-emption of State laws is a
serious effort that should be taken seriously and not done in
the interests of just trying to have something.
I yield back the balance of my time.
Chairman Luetkemeyer. The gentlelady's time has expired.
With that, we go to the gentleman from North Carolina, Mr.
Pittenger. You are recognized for 5 minutes.
Mr. Pittenger. Thank you, Mr. Chairman. Thank you for
leading this very important hearing and would like to again
thank all of our witnesses for being with us today. Your input
is so critical for each of us on this committee.
Clearly, data and cybersecurity need to be at the forefront
of the agenda for the U.S. Congress. Over the last several
years we have had big and small companies that have been
affected by related security breaches. And obviously the
Equifax is at the forefront of an issue that we have all sought
to consider and evaluate where we go forward.
I would like to ask at this point, Ms. Sponem, what is the
nature of the FTC's oversight of the credit bureaus' data
security operations? Would you expand on that some more?
Ms. Sponem. What is the oversight of the FTC with regard to
this issue?
Mr. Pittenger. To the credit bureaus' data security
operations.
Ms. Sponem. So we fall under the GLBA standards, and we
believe that we are required to follow those. And we believe
that they should as well.
Mr. Pittenger. Sure. How does the FTC's oversight of the
credit bureaus measure against the data security regulatory
frameworks in other sectors of the economy, such as retail,
hospitality, education, and such, what is your view of that?
Ms. Sponem. I don't know where the standard should fall
under, but I do believe that those standards should be fluid.
For example, with the standards that we followed 5 years ago,
if we were continuing to follow those same standards today we
would have been hacked by now.
So those standards need to continue to evolve over time and
they need the flexibility to be able to do that as people get
more sophisticated in being able to penetrate different
systems.
Mr. Pittenger. Sure.
Ms. Sponem. So where that falls under and on--what that
looks like I don't know. But I think it is really an important
piece to make sure that we have in place.
Mr. Pittenger. Yes, ma'am. Thank you.
Mr. Taylor, do you think it is important to empower law
enforcement to share information with the private sector in
respect to ongoing cyberthreats and attacks? If you could elude
on that some more?
Mr. Taylor. Yes, absolutely critical. If law enforcement is
aware of threats and if companies had that information they
could take steps to protect their systems, absolutely critical.
And I think from an industry perspective even following the
Cyber Information Sharing Act, I think there has been a cry
from the industry generally for more information, particularly
from the Federal Government on threats and vulnerabilities that
exist today.
Mr. Pittenger. Yes, sir. And so you would say that there
should be greater information sharing among themselves in the
industry in the private sector on ongoing cyberattacks?
Mr. Taylor. Yes. And I think it has developed historically
in a very sectoral approach. The financial services and retail
and technology they all have their information sharing and
analysis centers and try and share threats amongst themselves.
And it is something that is developing and growing over time.
Mr. Pittenger. Is there anything we should be doing on the
Federal level to encourage information sharing?
Mr. Taylor. Can you repeat?
Mr. Pittenger. Is there anything we should be doing on the
Federal level to encourage information sharing?
Mr. Taylor. Well, this Congress did pass the Cyber
Information Sharing Act, which ostensibly was for that very
purpose. And I think that we need a reminder to Federal law
enforcement to encourage them to share with the private sector
information about threats.
Mr. Pittenger. Yes, sir. Thank you.
Mr. Rosenzweig, who has the enforcement authority for the
various data security regulatory regimes? Is it the FTC, the
State attorney general, or banking regulators?
Mr. Rosenzweig. It is a patchwork, sir. And it very much is
sector-dependent. Right now the FTC has significant authority
over consumer-facing institutions. States' attorneys general
have authority within their respective jurisdictions under
Gramm-Leach-Bliley.
There is regulatory authority from the banking groups,
HIPAA as well. One of the things that we see, as Mr. Taylor
said, is a sectorally developed set of privacy and security
rules that has created some uncertainty as where you fit within
the matrix, pretty much.
Mr. Pittenger. Yes, sir. Thank you. Just very briefly then,
I would ask you how can we ensure that Americans' data privacy
and data security interests are best served by the national
data security breach notification standards?
Mr. Rosenzweig. Well, I would start by saying that I don't
think that data breach notification is cybersecurity. It is an
ancillary to it because it has the collateral effect of
embarrassing people. But it only comes after you have failed.
The right way, the primary way, would be to foster standard
setting at the NIST that we have been talking about already
today and propagate that throughout industry so that we get a
best practices level playing field that is a good standard
setting model.
Mr. Pittenger. Thank you.
My time has expired. I thank you very much.
Chairman Luetkemeyer. The gentleman's time has expired.
With that, we go to the gentlelady from New York. Mrs.
Maloney is recognized for 5 minutes.
Mrs. Maloney. Thank you, Mr. Chairman. I would like to
thank you and the Ranking Member for holding this important
hearing. And all of the panelists for your truly riveting
testimony that underscored the urgency of acting on the Federal
level to protect the information of consumers.
I would like to first ask Professor Rotenberg about the
importance of breach notification. I think we all agree that
when a company is breached and personal information is stolen,
consumers should be notified as quickly as possible.
But before they can be notified about a breach, someone has
to discover it. Usually it is the company, but sometimes it is
discovered by a third party that the company has hired as a
vendor who discovers the breach first.
Now, a number of vendors, independent tech companies that
have huge platforms, are opposed to this. And personally I
think a third party should notify as quickly as possible.
But my first question is if a third party that a company
has hired discovers a data breach at the company, do you think
the third party should have an obligation to notify the company
of the breach?
Mr. Rotenberg. Well, thank you, Congresswoman, for the
question. And the simple answer is yes. We need more breach
notification. We need companies to be made aware of when they
have problems securing the data they collect.
And I thought a lot about how best to describe the problem
and this question in particular. Imagine, for example, that you
made your home available to a friend. And the person goes into
your house and the first couple days they are there a pipe
bursts and you have water pouring all into your house.
Now, let me ask you the question. Do you think they should
contact you right away when the pipe bursts and the water is
pouring over your house?
Or should they wait a few days or a couple of weeks or
maybe to when you get back home and you are looking around and
you are saying, gee, what happened here? Oh, well, the pipe
burst. Maybe someone should deal with it.
Data breach is actually very much like a pipe bursting. You
have lost control over the information that you have a
responsibility to protect. And if you don't act quickly and if
you don't notify somebody who has the ability to fix the
problem, it simply gets worse.
And as I tried to explain at the outset, the people who are
targeting personal data in the United States today are much
more sophisticated than the people 10 years ago or even 5 years
ago. These are foreign adversaries. They are trying to uncover
national vulnerabilities that they can exploit.
I think we need breach notification that is almost
immediate but practicable. Seventy-two hours, which the
Europeans chose, I think is probably a good target.
Mrs. Maloney. I thank you for that excellent reply. And in
fact, this article that actually the Chairman loaned to me
talks about the European Union in May they are enforcing their
72-hour reporting time, which in a sense will enforce it in
America, too, with those companies such as Boeing and GM and
Chevron and Microsoft, to mention a few, that are international
companies. They are going to obviously have to start responding
to what the European standard is.
So Europe's data rules are headed to the United States. It
used to be, as the financial capital of the world, the United
States would set the standard. Now we are rushing to catch up
with what the rest of the world is doing in a very important
area.
I must say that after Equifax I would say probably half of
the people on this panel were breached. And myself included.
And it took them 40 days to disclose that 145 million Americans
had lost their security.
And I agree with you that the 30 to 60 days that companies
in America are demanding is just too long. I think we should
move to the European standard and actually it is being forced
on our people now through the law that is going to start being
enforced in May from the European Union.
I ask unanimous consent to place in the record this
important article that shows the fierce urgency of acting now
to move forward on it.
Chairman Luetkemeyer. Without objection.
Mrs. Maloney. I will say I talked to the Ranking Member and
he is going to join me with some questions that I would like to
get everybody in writing because we don't have much time. We
have 5 minutes. And I spoke to the Chairman and he said if he
approves will join us, which would be great, on getting
everybody on record on some of these things.
I can't even be left alone in a hearing. It is going off.
Anyway, so I would like to ask Nathan Taylor, you mentioned in
your testimony that some States sometimes have data breach
notification laws that are inconsistent and directly conflict
with each other.
I will give you an example. You noted that some States
require companies to tell consumers as much information as
possible, while others say you can't. So we need a uniform.
My time is expired. I look forward to sending each of you a
thank you note for your excellent testimony and some other
additional information that we can see if everybody is onboard
on certain changes that we as a Nation should move forward on.
Thank you so very much. I yield back.
Chairman Luetkemeyer. The gentlelady's time has expired.
With that, we go to the gentleman from Colorado, Mr.
Tipton, recognized for 5 minutes.
Mr. Tipton. Thank you, Mr. Chairman and thank the panel for
taking the time to be able to be here.
Mr. Cooper, I would like to follow up a little on my
colleague Mr. Rothfus' question in regards to some consumer
confidence. Obviously if we don't have confidence in the data
being able to get out into other hands, we undermine the entire
process in the eyes of the consumer.
You had cited one instance to be able to help restore some
of that consumer confidence by just notifying the people that a
breach had occurred. Are there other measures that we should
take as well?
Mr. Cooper. Yes. So I think one of the best aspects of both
the proposal for legislation in this area and even this hearing
is raising the visibility of the importance that anybody who is
a steward of data is responsible for making sure that they take
reasonable steps in order to keep that data secure.
It is important for what Ms. Sponem's credit union does. It
is important for what our members do, because 90 percent or so
of data breaches can be prevented just by having good cyber
hygiene.
And if more companies are adopting a NIST style framework
in order to make sure that they are protecting their data, that
they are making sure that passwords are protected, that
credentials are protected, will resolve a lot of the data
security incidents that we see.
Mr. Tipton. Thank you. And maybe as a little follow up on
that, and Ms. Sponem and Mr. Taylor you might want to weigh in
on this as well when we are talking about who is responsible.
Can you explain the way in which institutions, which third
parties, retailers, who is responsible for the costs of a
breach?
Ms. Sponem. Yes, so today the financial institution is
responsible for any entity that is breached that impacts our
members negatively. So if it impacts their credit card or that
depletes their debit card checking account, we reimburse our
members for those fraudulent charges.
In the case of loan fraud, we also do all of the
reimbursing of any fraud that takes place from a fraudulent
loan. We have increased our costs from trying to identify more
fraudulent loans as that has been on a large increase over the
last year.
And so things that we might do is make sure that the Social
Security number issuance matches date of birth. We will check
I.P. addresses on the loan apps to make sure that the I.P.
address is from the same State.
We looked up people on social media to make sure that the
details match. We check driver's license numbers on the DMV
website. So we have gone to great lengths now in 2017 to
protect that information, to protect our members from
fraudulent loans being made.
And I believe that those entities that are negligent in
protecting consumers' data ought to be held responsible for the
costs of those data breaches.
Mr. Tipton. Mr. Taylor?
Mr. Taylor. Yes. Statutes today don't define liability.
This is a heavily litigated issue, whether it be among
companies for a company's fraud losses or a consumer's losses.
That is something that is pursued in courts today to define the
liability.
Mr. Tipton. OK. So ultimately right now liability is
landing literally with the banks, with the retailers and we
need to have that apply to a little bit more on a broad base?
Would that be fair to say?
Mr. Taylor. I think liability is an extremely controversial
issue. My personal view from my practice is I would tend to
lean toward leaving it to the private sector to work it out
amongst themselves and define and allocate risk.
Mr. Tipton. Great. Go ahead.
Ms. Sponem. I believe that companies who do not take the
added steps in protecting consumer data ought to pay for it. I
don't know why we would want the banking industry to be at the
risk of all of these different entities that are not protecting
consumers' data.
And oftentimes ending up in identity theft, which is a much
greater problem for consumers.
Mr. Tipton. Do you have any ideas on really how much we
should be spending? A broad-based question, obviously, in terms
of cybersecurity. Much of the resources should be allocated for
cybersecurity in businesses?
Mr. Cooper. If I may? I would say that it really depends on
the type of business that we are talking about. A local
restaurant probably has a different amount of resources that it
should be putting into its cybersecurity than a web hosting
company or a financial institution or a large multinational
company that collects and maintains a lot more data.
So I think one of the keys in having a data security set of
rules is that they be flexible and scalable depending on the
type of company that we are talking about.
Mr. Tipton. Great. Thank you.
I yield back, Mr. Chairman.
Chairman Luetkemeyer. The gentleman yields back.
With that, we go to the distinguished gentleman from
Georgia. Mr. Scott is recognized for 5 minutes.
Mr. Scott. Thank you, Mr. Chairman. Panel, a very good
discussion, really very enlightening, but I tell you, I am very
worried. I am worried about the future of our Nation. It seems
that we are in a cyber data breach world war. And I think we
need to look at it that way.
And United States of America is the number one target.
But I am worried about our inability to adequately respond
to this. First of all, you take the fact of Equifax, 145
million people with all of their vital information out in the
open, breached upon, and what happens? We first put the
consumer protection agency out front doing an intensive
investigation and then all of a sudden we draw that
investigation back.
There is nothing. I don't know of anybody right now, any
Federal agency, that is investigating that breach, especially
from a standpoint of even all the information that we had. They
waited 2 months before they even notified anybody.
They didn't wait that long when three of their top
executives sold their stock once they found out what the breach
was and made millions of dollars. No investigation.
You know, I want to ask you, do you think 6 weeks to notify
the public of a breach was fair to the American people? Anybody
here think that was fair? I don't think so. Everybody is
shaking their head that it--do you think that the CFPB should
have backed away from this investigation?
Where do you think that the feelings of the American people
are resting now? Well, let me ask you this. Under Gramm-Leach-
Bliley, do you think that part of the problem may be that there
is no delay in notification requirement that is even explicit
within Gramm-Leach-Bliley?
Do you think that that may be a part of the problem, Mr.
Rosenzweig? Or you, Mr. Cooper? Do we have anything adequate to
respond to this?
Mr. Rosenzweig. Well, thank you for the question, Mr.
Scott. As most of the members of the panel have suggested, the
absence of any timeframe requirement for notification it does
lead to uncertainty within the marketplace.
I think perhaps unlike some of the other panelists and
perhaps some like Mr. Rotenberg in particular, I don't think
that a fixed timeframe is necessarily the best answer. I think
that sometimes delay is both necessary to ascertain the facts.
And sometimes delay is necessary as part of the investigative
process underneath the law enforcement interests.
That is not to say that the Equifax delay is an appropriate
delay. I don't want to be heard to say that, but for me at
least I would prefer a non-determinative, more flexible
standard of notification requirement.
Mr. Scott. Well, let me ask you, Mr. Cooper, you said in
your testimony that data security is a shared responsibility.
What did you mean by that?
Mr. Cooper. When a company is collecting and using data,
and it might be using another company to help store it or
process it, provide customer relations management tools, H.R.
tools, there is a need to protect the infrastructure. There is
also a need to protect the passwords and credentials that are
being used to access that information.
And it is different companies that have different
responsibilities as part of that security system. It is--
Mr. Scott. Now, let me ask you maybe it seems like right
now from my observation we have a hodgepodge of different
regulations, different agencies. Wouldn't it be good for us to
start trying to figure out how we can zero in and harmonize and
get at this in a targeted way to protect the American people's
information?
Mr. Cooper. I think having the Federal Trade Commission
have the lead responsibility to make sure that reasonable
security measures are being taken and that notice is given to
consumers when there is a breach in a reasonable amount of time
will help make sure that there is timely notification because
there is the Federal Trade Commission there to say if you have
not provided notice when you should have in a reasonable amount
of time, the FTC has enforcement authority.
Mr. Scott. Thank you, Mr. Chairman.
Chairman Luetkemeyer. The gentleman's time has expired.
With that, we go to the gentleman from Texas. Mr. Williams,
recognized for 5 minutes.
Mr. Williams. Thank you, Mr. Chairman and also Ranking
Member Clay. I want to thank you for holding today's hearing.
As we have seen in the past year cybersecurity breaches and the
loss of personal identifiable information unfortunately
continues to affect hundreds of millions of Americans. The
Equifax breach being the largest example.
Now, bad actors are not stopping, in fact, quite the
opposite. Organizations around the country continue to be under
constant threat from cyber thieves seeking to steal personal
data. Our constituents expect us to, where appropriate,
consider solutions which successfully defend their information
and let them know in the event it has been compromised.
Thank you to the witnesses. It has been good testimony
today before us this morning as this committee continues to
work to find the answer in the space of consumer information
safety and breach notification. And your expert testimony is
welcomed.
Ms. Sponem, thank you for being here today to provide the
perspective of credit unions in the data security debate. I am
a small business owner back in Texas, have been for 46 years
and a steadfast defender of Main Street. I am glad to hear from
you.
And as you point out in your testimony, data breaches are
becoming all too common. We have talked about that. And the
cost to institutions like yours have to bear, to fix problems
that weren't any fault of your own, begin to add up.
So we have talked a little bit about this, but expand on
it. What kind of standards should merchants be held to? And
will those standards effectively reduce the cost your
institution must pay to assist members who are affected by
merchant data breaches?
Ms. Sponem. I believe that merchants and other businesses
that hold consumer information should have the proper controls
in place as well. It is the making sure that your patches are
done in a timely manner, that you have the proper people in
place to monitor those controls and to make sure that you are
doing what you need to do to protect that data.
I think that that is at what level of standards? I think
that that is something that others will need to decide, but
given the type of information that someone holds about
consumers I think does, as Mr. Cooper mentioned, does indicate
to what level they need to be protecting that data.
Mr. Williams. OK. Thank you.
Mr. Taylor, in your testimony you recognized the harm that
data breaches cause the American consumer. There exists today
various State laws regarding the protection of consumer
personal information and breach notification in the event that
information is compromised.
You are in support of a nationwide breach notification
standard, so I ask this. Why is a nationwide Federal breach
notification standard the correct policy rather than letting
the States govern themselves?
Mr. Taylor. Well, I think it ultimately comes down to--and
the Chairman in his opening statement said we can't forget
about the consumer. And that is a point that I agree with. This
is fundamentally about equal treatment for all Americans,
regardless.
A lot of my family lives in Idaho Falls, Idaho. I live in
Virginia. Our Social Security numbers are equally sensitive
regardless of where we live and the expectation should be the
same for companies regardless of where the company operates to
protect all of our Socials.
Mr. Williams. I have another question for you. In your
testimony you discuss the steps a company takes in determining
the scope of breach. You say that while it would be simple to
confirm the facts of what happened, in actuality it takes
detailed review before a company can figure out what happened
and how to address the breach.
One potential consideration that needs to be made when
codifying a breach notification standard is the fact that, as
you point out, when the breach becomes public a company becomes
a target for other attackers.
So how long would a company be given to secure their
systems before being required to make a public notification?
And is there a risk that notification could happen too quickly
and invite new attacks?
Mr. Taylor. There is absolutely a risk. And speaking from
my experience alone; one, there is a fundamental point that I
would like to highlight, which is all breaches are not created
equal. They are really fact-specific.
And so going down the road of picking times, whether it be
days or hours, is really challenging because the breaches
aren't alike. And it does take time, of course depending on the
facts, to both investigate, restore the security of systems and
that should be critical.
And our expectation should be that a company should
expeditiously investigate and take steps to protect their
systems. That is mission critical in my mind.
Mr. Williams. OK. Thank you very much.
And I yield my time back, Mr. Chairman.
Mr. Rothfus [presiding]. The Chair now recognizes the
gentleman from Texas, Mr. Green, for 5 minutes.
Mr. Green. Thank you, Mr. Chairman.
I thank the witnesses for appearing as well, and am
concerned about the liability aspect of this that my colleague
across the aisle raised earlier.
We seem to believe that there should not be a standard with
reference to a timeline for reporting a breach, but we don't
seem to think that there should be some sort of liability if
that timeline is too long. If you wait until people are
suffering such that they could not take some sort of action to
help correct.
Now, I think that businesses ought to be able to work out
their problems, but what do you do when they don't? What do you
do when they have millions of people at risk and their
shareholders, some of whom happen to be in some pretty
significant positions, my friend Mr. Scott mentioned it, they
go ahead and sell their stock before they announce the breach.
Now, if you think that it is appropriate for Equifax to
have shareholders in significant positions, let us call them
executives, to allow them to sell their stocks--probably can't
stop them--but for them to sell their stocks before the breach
is announced, if you think that is appropriate raise your hand,
please?
Let the record reflect that no one has indicated that this
is appropriate. So when this occurs should there be some sort
of liability? Do you think that people ought to be allowed to
do this with impunity? Do you think that the poor guy who may
not be able to afford a lawyer is going to be able to stop
this?
Do you think that class actions are going to be the
solution when we have a class of people right here in Congress
who are fighting class actions, don't want lawyers to be able
to bring class actions against these mal actors?
So what is the solution? To debate it and do nothing? Why
wouldn't there be some liability imposed if you knew or should
have known that your security measures were inadequate and
somebody is suffering as a result?
So let us start with Mr. Rosenzweig.
Mr. Rosenzweig. Well, Mr. Green, thank you for the
question. I would like to divide the answer. I don't know the
facts of the Equifax case. They are still under investigation,
but assuming the facts--
Mr. Green. Well, let us not talk about the--
Mr. Rosenzweig. --that you proposed--
Mr. Green. Well, let us do this. Let us take them off the
table.
Mr. Rosenzweig. Right.
Mr. Green. And we will have our own fictitious entity.
Mr. Rosenzweig. I would say that insider trading is already
a crime. And if you trade on insider information that is an
investigation that is appropriate for the SEC and securities
enforcement authorities.
I think that that is different from a generalized breach
notification law. And there I think that I agree with Mr.
Taylor, that the standard is or ought to be a flexible one that
reflects expeditiousness at the most earliest reasonably
practical time. The law is filled with flexible standards like
that, the tort liability standard, for the reasonable man sort
of thing.
I do tend to think that firm--
Mr. Green. Excuse me. Let me intercede--
Mr. Rosenzweig. Sure.
Mr. Green. But what should be done when the flexibility
that you speak of is abused?
Mr. Rosenzweig. Either an administrative enforcement action
or possibly litigation. Those are the two possible--
Mr. Green. Well, who pays for the litigation?
Mr. Rosenzweig. Presumably the people who are litigating.
Mr. Green. Would that be the consumer?
Mr. Rosenzweig. We don't have a loser pays law here in the
United States, so yes.
Mr. Green. It would be the consumer. Why wouldn't Congress
intercede and establish some standard that deals with this
notion of flexibility? Let us assume that you are right.
Different circumstances require different timeframes. But what
happens when that is abused?
Mr. Rosenzweig. Well, that would be a matter for
administrative enforcement presumably through the FTC or in the
case of Equifax through the banking regulatory authorities.
Mr. Green. And I assume that Mr. Taylor you would like to
weigh in on this as well?
Mr. Taylor. Yes. Throughout this hearing liability has come
up in a couple of contexts. And what we have been talking
about, two completely separate issues. And the point that you
were raising, Congressman, is a good one.
If we are going to have a strong standard, we should hold
companies accountable to that standard. And in your bill you
can provide penalties that you believe are appropriate for
failure to comply with the standard.
There is a separate liability issue that we have talked
about in other contexts today, which is the liability between
companies who when one company has a breach there can be
impacts, for example, to a credit union for reissuing cards.
Those are two separate things.
But on the former, I completely agree with you that we
should hold companies accountable. If we are going to have a
Federal standard we should expect that they comply. And if they
don't there should be penalties.
Mr. Rothfus. The time of the gentleman has expired.
Mr. Green. Thank you.
Thank you, Mr. Chairman.
Mr. Rothfus. The Chair now recognizes the gentlelady from
Utah, Mrs. Love, for 5 minutes.
Mrs. Love. Thank you so much. A few months ago, one of our
cybersecurity experts here at the Congressional Research
Center, Chris Jaikaran, testified before the Senate Banking
Committee about data security. He outlines a process by which
organizations typically respond to a breach, and I would like
to unpack that a little bit and get your thoughts on various
aspects.
Mr. Jaikaran said that there will be a delay between the
discovery of an attack and public notification of that attack
because the analysis of what has transpired would need to be
conducted.
This analysis will inform the entity of how they were
breached and what data systems were compromised is what he
said. Now, I understand that clearly an organization needs to
know what happened before they can accurately notify people who
were affected by the breach.
But can we say that this is obviously a theme that I think
both sides of the aisle are incredibly concerned about. We hear
it over and over and it is asked in so many different ways I
can't even imagine your heads must be spinning. But can we say
that there should be general parameters on the timing of
notification?
Mr. Cooper, I knew you wanted to say something earlier. You
pushed your button, so I am going to let you go ahead and
answer that question.
Mr. Cooper. Thank you. Yes, so I think that the complexity
of the breach is going to affect when notification can happen
in an accurate way. And I think accuracy is really important.
I think that it is important that the Federal Trade
Commission, and perhaps State attorneys general, are able to
enforce a reasonableness standard in terms of the time when
notification is provided so that we can figure out the
parameters of what is reasonable and make sure that companies
are held to that standard of reasonableness with no enforcement
isn't a real standard.
A standard that allows enforcement and penalties when it is
not met will help make sure that there are not delays that are
unnecessary.
Mrs. Love. OK. So there are some serious questions, for
example, about the lack of notification regarding the Equifax
breach. I would like to get your thoughts, Mr. Taylor, on that
because I think one of the analogies that was expressed about
pipe breaking in your home, to me the difference is when
information is released and what type of information is
released.
And I would tend to think that there would be some sort of
information saying, you know what? There is a pipe that broke.
We don't know how. We will give you further information later
about that. But there is a problem and we need to notify of
that problem.
So I guess I would like to just get your thoughts about
regarding the notification, for example, and the lag of
notification, because that is the serious concern here.
Mr. Taylor. I appreciate your concern. And while I can't
speak to Equifax specifically, I think what the fundamental
issue here is, when does the clock start ticking. And I walked
through this in detail in my written testimony.
When does a company, quote, ``discover a breach.'' Is that
the first awareness of a fact that later with the benefit of
hindsight is concluded to have been related to the breach? Or
is it the moment that the company determines something is
wrong? We have an issue here.
And my point is there should be an expectation that a
company expeditiously investigates to figure out what happened
and restore the security of their systems and that is, in my
mind, when the clock should start ticking, once those steps
have been done.
Mrs. Love. OK. So when a breach occurs, should there be a
specific timeframe for notification established in law? Is
there something that we should do to make sure that there is
some sort of a timeframe?
Mr. Taylor. If by timeframe you mean something like days or
hours, I would say no. I think you should go with a standard
that is as expeditiously as possible or as reasonably as
possible. I think you need a flexible standard because all
breaches are not created equal.
They are very different.
Mrs. Love. Is it realistic to require that any company
notify customers within a set number of days or whatever
circumstance? Is there some sort of reasonable standard that
should be out there?
Mr. Taylor. I think, again, it really depends. It depends
on the facts. A company needs to know whose data was lost in
order to be able to notify the right consumer. You don't want
to notify the wrong consumer and unduly alarm them. So it--
Mrs. Love. So I have just a few seconds, but I just want to
say that we are here on behalf--I believe--I keep saying this.
The branch of Government that is closest to people is the House
of Representatives. And we will not be doing our job if we are
not looking out for the people whose intellectual property has
been breached and released.
So our job is to protect the people. It will always be
that. And so I think it is our responsibility to make sure that
there is something that we can protect people when their
information is out--has been breached. So with that, thank you.
Mr. Rothfus. The time of the gentlelady is expired.
The Chair now recognizes the gentleman from Washington, Mr.
Heck, for 5 minutes.
Mr. Heck. Thank you, Mr. Chairman.
So I want to get at this issue of what do we do about data
breaches, and I want to think outside the box a little bit. I
am reflecting back on the Equifax breach, and part of which I
found incredibly galling, namely that the company essentially
threw one person under the bus.
I don't know if that was motivated by a liability
limitation, but I thought it was exceedingly poor form. But it
was also galling, frankly, because it suggested that something
that was so mission critical was dependent on one single
individual, which seems to be a systems issue.
But I got to thinking about the gold standard that we have
all around us in even more tragic circumstances. Not that this
one wasn't tragic--and that would be the National
Transportation Safety Board, which is charged to go in after
accidents of trains or planes and do the investigation.
Why did this happen and what can we do to prevent it in the
future? And there is also a chemical safety board for chemical
spills, oil platforms, and the like. That is their sole job. Go
in and look at why this thing happened and what can be done to
prevent it in the future.
So I got to thinking. A computer network safety board, an
entity, a Federal Government entity whose sole job would be to
determine how did this come about and what is it that needs to
happen in order to prevent it going forward?
So just going down the line there, I am interested in your
reaction to that idea.
Mr. Rosenzweig. Which end are you starting at?
Mr. Heck. Yours, sir, because you were nodding the whole
time I was talking.
Mr. Rosenzweig. Well, no. I mean--it is actually an idea
that I have been toying with myself. I would say that the only
problem that I see with it, serious, is that cybersecurity is
really two components. There is the systems approach portion of
management of the company protocols in place, awareness of the
issue, risk assessments, that sort of thing.
And then there is the technical piece of--did you fail to
patch? Was the intrusion detection system inadequate, that sort
of thing.
So as you went forward, we would want to do both and the
problem, which is very much mirrored in the NTSB, is that the
form of those, the human system part is a lot harder to
evaluate with precision than the latter.
The NTSB can say part A failed, but they can't say that the
company didn't inspect frequently enough because frequently
enough is a flexible standard that--
Mr. Heck. But--
Mr. Rosenzweig. --but I like the idea generically.
Mr. Heck. But we have human error on the transportation
front, too.
Mr. Rosenzweig. Right.
Mr. Heck. And I am not understanding why you think the
analogy breaks down?
Mr. Rosenzweig. I don't think the analogy breaks down. It
is just the way you phrased the question at least made me think
that you were thinking only of the technical side of the
problem.
Mr. Heck. No. No.
Mr. Rosenzweig. OK. Then so long as we are willing to
accept that human error is human error and can't be--
Mr. Heck. Sure.
Mr. Rosenzweig. --eradicated from any human system, I--
Mr. Heck. Right.
Mr. Rosenzweig. --I would follow you down this road.
Mr. Heck. Good.
Mr. Rotenberg. Well, sir, I am going to give you a
different answer. I don't think we need another entity
responsible for computer security. I think the problem right
now is that there is overlapping authority that needs to be
clarified.
Both the FTC and the Consumer Finance Protection Bureau
have responsibility for security standards. But it is not a
mandatory standard and that is part of the problem. I suggest
in my testimony that that authority which currently exists
should be strengthened.
I also want to mention, and I mentioned this in the
testimony, I was very concerned when I read the news reports
that the acting director of the CFPB, Mr. Mulvaney, has
apparently decided to discontinue the investigation of Equifax
when his agency already had the authority to pursue the matter.
Now, why this is of particular concern is not simply about
compensating the individuals for whatever harm they have
suffered. But it is now almost 6 months since one of the
greatest data breaches in U.S. history has occurred and we
still don't know who is responsible.
That is actually a remarkable fact. It is as if we went
through 9/11 and didn't know who was on those planes. I
remember that day. And I almost can't believe that at this
moment in time we still don't know who is responsible for the
Equifax attack.
So I would say that rather than create a new authority we
should make sure that current authorities should do their job.
And the last thing that a current authority should do is drop
an investigation that it already has the authority to pursue.
Mr. Heck. I am virtually out of time. Sorry to the rest of
the panelists. I am sure that you have something meaningful to
add as well.
Mr. Rothfus. The gentleman's time expired.
The Chair now recognizes the gentleman from Georgia, Mr.
Loudermilk, for 5 minutes.
Mr. Loudermilk. Thank you, Mr. Chairman, and I appreciate
the panel being here. After spending nearly 30 years in the IT
industry, and a lot of it in data security, this is a critical
balance that we have to strive for here because, as I have
heard stated in here several times, it is very difficult.
And Congress cannot respond in the appropriate timeframe
for stringent regulatory or stringent regulations for something
that moves as fast as technology.
It is impossible for us to keep up with it. And having a
hard set Federal standard that meets everything would be like
the EPA trying to regulate the security exchanges. It just
isn't going to fit in every situation.
So our struggle is how do we ultimately protect the
consumer? And as we have seen time and time again, we have to
continue to review regulations, especially when you are dealing
with financial services.
If you over-regulate what happens is the businesses then
are more concerned with meeting the legal standard of the
regulation instead of actually doing what is best for the
consumer.
But yet you have to have some type of guideline. And that
is where I think our struggle is here. Where is that balance?
How do we get to that balance?
And it is, as Mr. Taylor said several times, no breaches
are the same. They are very unique based on the platform, the
diversity of systems, the type of industry, or even the source
of the breach.
And that is what we are struggling with a lot now is who is
liable? And in the current system it is not always those that
caused the data to be breached that are ultimately liable for
the consumers and the cost that they are facing.
So I think for me it is looking for what is that stringent
guideline or standard that can be flexible. And I think that is
what I am hearing from a lot of the panelists here is the
flexibility but one that is stringent enough that can go across
the multiple platforms.
Because what we are looking at now is totally something
different than what our founders ever envisioned. Through
federalism you had States that had banks. Through history, the
State of Georgia, when I was in the State legislature, we
regulated banks.
Well, they regulate very few banks now because the Federal
Government is doing it because they cross so many platforms and
money is not transferred by Wells Fargo wagons anymore. It is
transferred instantaneously through data networks, which brings
in more people with more liability and more chances for this to
be disclosed.
One of the issues that I have spoken about quite often
coming from this background is basically a principle we had
when I was in the military dealing with intelligence data, was
you don't have to secure what you don't have. In other words,
don't keep a bunch of stuff.
And one of my concerns that we have is in the Government we
require so much data to either be reported to the Government or
to be held by companies that really you don't need to keep in
an archive that makes us more vulnerable.
Mr. Cooper, with the different standards across the
different States, and I understand this, very difficult for
businesses, even small businesses. My business we worked in
multiple States.
It is very difficult for businesses to know which, really
what standard each State has. When it comes to personally
identifiable information, do we have multiple definitions of
that through States?
Mr. Cooper. Yes. Different States have different
definitions of what type of personal information triggers a
notification requirement. Perhaps more importantly, there are
only a dozen or so States that have data security rules in the
first place.
And I think you put your finger on exactly what the
difficulty or the art is in what you are trying to do here,
which is how to establish a flexible security standard where
that flexibility also scales up as time goes on, because as you
point out, the types of threats that we are going to face 10
years from now are different than the ones that we face today.
And a flexible standard should make sure that the
requirements also ratchet up as we are aware of those threats.
Mr. Loudermilk. Well, let me add another aspect into that,
because one of the things we don't hear a lot about right now
is are we aggressively going after the bad guys? Are we
pursuing that aspect?
OK, there is the prevention aspect, but one of the ways of
preventing is also prosecuting. Are we putting enough effort
into actually going after the criminals who are creating these
problems?
Mr. Cooper. So I think it is a really important point to
highlight that in these data breaches they are always criminal
acts. And making sure that law enforcement does have not just
the direction that these are priorities, but also the resources
and the institutional knowledge to be able to do the forensics
that is required in order to catch them.
It is very difficult, and there are different kinds of
breaches and we need to recognize that there are breaches that
are from sophisticated actors, some nation-state-linked, some
not. There are also much less sophisticated activities that
still have a significant impact on all the companies that we
are talking about in every industry sector because every
industry is relying on data in some way.
Mr. Rothfus. The time of the gentleman has expired.
The Chair now recognizes the gentleman from Tennessee, Mr.
Kustoff, for 5 minutes.
Mr. Kustoff. Thank you, Mr. Chairman. And I do thank the
witnesses for appearing today at this very important hearing.
Mr. Rosenzweig, if I can, we have talked about these
disturbing cyberattacks that we have seen throughout the last
several years. We have talked about Equifax this morning, which
affected almost 145 million Americans.
And of course their data has likely been sold on the dark
web to somebody.
With Equifax and with other breaches, with Target, with the
Office of Personnel Management, information being sold
throughout the Internet, it is clear that indeed our financial
institutions are clearly vulnerable to attacks.
And as much as we look to do to prevent them, these
perpetrators still look for weaknesses and firewalls and other
data protection mechanisms.
We have talked today about a national standard or a Federal
standard. In your opinion, if Congress years ago had already
enacted such a standard as you and some of the other witnesses
have talked about today, do you think that these breaches still
would have occurred?
And if the answer is no, can you talk about how it should
be structured or could be structured?
Mr. Rosenzweig. I think the answer is yes, the breaches
still would have occurred. Maybe not the exact same sets of
breaches, but data breach notification law is an after-the-fact
amelioration of the harm that has already occurred. The
existence of data breach notification laws in 48 States and
throughout Europe and throughout the world has not stopped the
prevalence of cybersecurity breaches.
What is necessary or what is appropriate to try and
implement to limit or reduce the amount of cybersecurity
breaches since, of course, they can't be eliminated altogether,
is some form of primary standard setting that requires and
addresses and advocates for people to raise their game, to
bring up the nature of what they are doing so that they are
more secure overall.
That includes deploying firewalls and intrusion detection
systems. That includes process management systems so that
corporations have an awareness of and do risk assessments on
their companies.
Those sorts of steps are the primary way of fixing the
cybersecurity. Data breach notification is about privacy and it
is about ameliorating the harm after it has occurred. But it is
not a primary way of achieving cybersecurity. It is derivative.
Mr. Kustoff. Thank you very much.
Ms. Sponem, as we look at banks and credit unions, I am
interested in how our financial institutions identify and
address cyberattacks when they occur. And as the President of
the Summit Credit Union can you discuss the systems that your
institution has in place to detect a data breach or other
credit unions? What systems they would have in place to detect
a credit breach?
Ms. Sponem. We have at Summit Credit Union and other
financial institutions, we have data intrusion tests done on
our systems all the time. And so we test our systems. We hire
people to try to hack into our systems and so that we can fix
any type of vulnerabilities that we might have.
In terms of how do we detect a breach by another entity
that might be impacting our members, sometimes that comes from
our members themselves, who report a fraudulent charge. And we
start to connect the dots and say, this is interesting. It
comes from similar places. Sometimes it is identified by
places.
Sometimes it is identified that way. Sometimes we get lists
from Visa. Sometimes we read about it in the newspaper.
Companies do not tend to be forthright, especially merchants,
with data breaches, and that leads also to this big time delay
in us being able to notify people.
Do we really want consumers to have to worry about looking
at their information all the time in order to protect
themselves from that? Probably not. If we can get a heads-up
from a company that their systems have been compromised, that
is a good indication for consumers to be able to say, oh, OK.
Now I am going to look at this a little bit more closely.
We look at that from all different sources and it is not
the same. And from a loan fraudulent activity perspective, that
we try to protect our members in many different ways by trying
to cross-reference different lists and looking up things to
make sure that information is consistent so that we are not
issuing fraudulent loans.
Mr. Kustoff. Thank you. My time has expired. Thank you.
Mr. Rothfus. Time of the gentleman is expired.
The Chair now recognizes the gentlelady from New York, Ms.
Tenney, for 5 minutes.
Ms. Tenney. Thank you, Mr. Chairman, and thank you panel
for this really important meeting. Obviously this is a huge
issue. A really unusual thing happened in my district recently.
We had actually a bank robbery where somebody walked into the
bank in a traditional way and reminded me of the old movie,
Woody Allen movie, Take the Money and Run. He went into the
bank with his soap gun.
But this is interesting that now this is occurring in cyber
spaces, so just like watching a sports event from the comfort
of your living room, you can now rob a bank and heist millions
and billions of dollars just by cyber.
And so I think what my biggest concern is, and obviously I
wanted to start with Mr. Rosenzweig about, my concern--a number
of years ago I attended a seminar before--it was right about
the time New York State--and I am a member from New York State,
when the Department of Financial Services was being put
together.
And the discussion was now our institutions, our banking
and financial institutions or credit unions are going to be
asked to hand over their private information which they so
carefully secure, their information about their customers,
obviously their lifeline, to the State of New York. And the
concern over the protection and the ability of the taxpayers to
protect this data.
And so that is my concern is that I think we know banks and
institutions, and we have heard, obviously Ms. Sponem and
others talking about how important it is to protect theirs. But
how at risk are we when we hand our data over to the State of
New York, for example, and how do we prevent against them being
hacked?
We know that Congress and our institutions are hacked
numerous times on a daily basis. Now the taxpayers, how do we
get around the cost in being able to protect that and still
have a regulatory regime in place and the balance there? I
don't know if you have an opinion on that?
Mr. Rosenzweig. That is a great question. Neither the
Federal Government nor the State governments are immune from
this problem. South Carolina had a very large breach of their
driver's license system a few years ago. I am aware of breaches
in California and Illinois as well.
I don't know of any in New York particularly, but I imagine
they must have happened. And obviously the OPM breach was far
more significant for me personally than the Equifax breach
because I lost my fingerprints.
There is no way to guarantee the security of State and
Federal databases any more than there is a way of guaranteeing
the security of bank breaches.
I think that the answer is much the same as with private
entities. That State and local institutions and Federal
institutions need to be mandated and forced to up their game so
that they give at least the best that they can give us.
Ms. Tenney. Thank you. I do worry because obviously Equifax
was a major factor. It hurt our community and these major
breaches.
I am just concerned that we go from the private
institution, which obviously has as their most important asset
is their customer, to have to give that information up to a
Government entity just for regulatory purposes. And we know
that governments are not always so reliable.
I might ask Ms. Sponem if you could just tell us a little
bit about your viewpoint on dealing with a credit union
situation? How we protect it? And especially you have
identified in your testimony small credit unions and the risk
that you have taken and how you feel about turning your data
over dealing with your data when it comes to protecting your
customers?
Ms. Sponem. So we are very careful about who we turn our
information over to because we also know that, and why the
hearing is taking place, is that other entities are not
protecting data in the same way that we protect data.
And so we do not like to turn over any information that is
personal information about our members unless we absolutely
have to do that.
Ms. Tenney. Thank you. One last thing, and just if we could
go to I would say Mr. Rosenzweig or whoever might have an
opinion, what can we do to minimize this risk and exposure on
the private sector in terms of what could we put in place in
terms of a formation of a bill or a regulatory regime that
would help us protect the customer but also protect the asset
in the event that we do have to turn data over? I don't know if
you--
Mr. Rosenzweig. I would give you two quick points,
minimization of data. A couple of people have said that. You
can't be breached for that which you don't collect. And the
second, which is a word that we haven't said at all in this
hearing is resiliency, which is plan for the failure.
It will happen and what we really don't have is a lot of
good recovery systems.
Ms. Tenney. I appreciate that because I know you pointed
out the obvious to me and it is great to have to deal with a
data breach later, but it is already the damage has been done
and the horse is already out of the barn.
So I do appreciate that. I think preventing it is to me,
and again, I thank you for your comments. I love that we--let
us not give the information out.
So in that case it is not going to be a secure--and I still
have many of my constituents who refuse to even have a bank
account. They are still hiding it in the mattress because they
are so afraid of data security.
But thank you so much for the panel and for the Chairman. I
yield back. Thank you.
Mr. Rothfus. The gentlelady yields back.
The Chair now recognizes the gentleman from Kentucky, Mr.
Barr, for 5 minutes.
Mr. Barr. Thank you, Mr. Chairman.
Thank you to our witnesses for your testimony today. I will
start with Ms. Sponem. Thank--
Ms. Sponem. Sponem.
Mr. Barr. Sponem. Thank you. I have heard from many of my
credit unions that I represent in central Kentucky about the
data breach problem. And can you just tell us once again what
the average cost is to replace a debit or credit card?
Ms. Sponem. So anywhere between $3 and $5 per card, but
that is actually the least expensive part of a data breach.
Mr. Barr. Because of the fraud monitoring that you have to
engage with, addressing your member calls, and actually helping
them navigate ramifications of the breach?
Ms. Sponem. That is correct. So yes, so the actual talking
with our members, talking through the breach with them, what
they need to do to rectify the situation to make them whole,
but also the actual fraudulent charges themselves fall on the
financial institution.
Mr. Barr. Right.
Ms. Sponem. And so as we talk about the standards for other
companies, really what is the incentive for companies to not
protect their data or to protect their data if we are going to
pay for all of--
Mr. Barr. When you take all--
Ms. Sponem. --their breaches when we take all of it.
Mr. Barr. When you take on all the responsibilities.
Ms. Sponem. That is correct.
Mr. Barr. And yet financial institutions like credit unions
and community banks, you are subject to the Gramm-Leach-Bliley
standards, standards that don't apply to other sectors of the
economy. Is that correct?
Ms. Sponem. We are absolutely held to those standards along
with reporting of any type of breaches.
Mr. Barr. So your testimony resonates with me because, as I
said before, so many credit unions and community banks in the
6th District of Kentucky have told me that of all of the
regulatory pressures that they face and the compliance costs
that they deal with, this is one of their very top priorities
in terms of additional cost and ultimately who bears that cost.
Ms. Sponem. We bear all of the costs of data breaches, of
if there is a fraudulent loan, any type of fraudulent activity,
including wire transfers. We hold all of that responsibility.
Mr. Barr. But then beyond that, who ultimately--where is
that cost passed along to?
Ms. Sponem. Well, because we are owned by our members, we,
it is really our members' money that we are spending in these
fraudulent situations. And that is $1 million in 2017 that
could have gone to other things that would have benefited our
members.
Mr. Barr. So consumers, the members of the credit union or
a customer of a community bank, they are the ones ultimately
that pay for this in the form of higher fees or more expensive
financial services?
Ms. Sponem. They absolutely do, yes.
Mr. Barr. Now, let us move on to--that is the problem. Let
us move on to the solution a little bit and the proposed
Federal legislation to Mr. Taylor and also Mr. Cooper, if you
would?
There seems to be some tension in the recommendations a
little bit in terms of the desire to create some certainty and
some clarity in terms of what standards merchant community or
whoever has to comply with. But there is also testimony here
today about the need for flexible, scalable standards and
technology-neutral standards. We don't want to create a box so
that we suppress innovation.
Can you all help us, as we craft this legislation,
reconcile that tension? Yes, we want flexibility, yes, we want
scalability. We want technology-neutral. I take that
recommendation seriously, but how can we at the same time
provide for the merchant community that is responsible for
adhering to those standards some clarity and legal certainty?
Mr. Cooper. I think we want it to be outcome-focused. I
think the goal of a Federal standard on security should be what
steps depending on the size of the entity, the type of personal
information they have and the amount of personal information
they have, what steps will be appropriate?
And if we have the Federal Trade Commission and State
attorneys general all enforcing the same law and the same
standard we will get that consistency where it still allows for
it to be scaled up or down depending on the type of entity or
the emergence of new kinds of threats.
Mr. Taylor. I would reiterate the point that you made
earlier about the Gramm-Leach-Bliley Act and look at that as a
model. And it does include notification standards, by the way.
I think earlier someone said that it didn't, but it does.
But the GLBA model is, in fact, one that focuses on the
process. It is technology-neutral. You need to think about
risk. You need to adopt safeguards that address those risks.
Mr. Barr. And final question, Mr. Rosenzweig, should
legislation deny a private right of action? Would a private
right of action undermine consistent enforcement and what
should be the interface between litigation versus a regulatory
compliance defense or a standard compliance defense?
Mr. Rosenzweig. I am a little agnostic on that. I tend to
favor an administrative enforcement mechanism rather than the
randomness of class action and litigation.
Mr. Barr. Anybody else on that?
Mr. Rothfus. The gentleman's time has expired.
I would like to thank our witnesses for their testimony
today. Without objection, all members will have 5 legislative
days within which to submit additional written questions for
the witnesses to the Chair, which will be forwarded to the
witnesses for their response.
I ask our witnesses to please respond as promptly as you
are able.
Without objection, all members will have 5 legislative days
within which to submit extraneous materials to the Chair for
inclusion in the record. The hearing is adjourned.
[Whereupon, at 11:59 a.m., the subcommittee was adjourned.]
A P P E N D I X
February 14, 2018
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]