[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]





 
                  EXAMINING THE CURRENT DATA SECURITY

                        AND BREACH NOTIFICATION

                           REGULATORY REGIME

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON FINANCIAL INSTITUTIONS
                          AND CONSUMER CREDIT

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                           FEBRUARY 14, 2018

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 115-73
                           
                           
                           
                               _________ 

                  U.S. GOVERNMENT PUBLISHING OFFICE
                   
 31-346 PDF               WASHINGTON : 2018      
                          
                           
                           
                           

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    JEB HENSARLING, Texas, Chairman

PATRICK T. McHENRY, North Carolina,  MAXINE WATERS, California, Ranking 
    Vice Chairman                        Member
PETER T. KING, New York              CAROLYN B. MALONEY, New York
EDWARD R. ROYCE, California          NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma             BRAD SHERMAN, California
STEVAN PEARCE, New Mexico            GREGORY W. MEEKS, New York
BILL POSEY, Florida                  MICHAEL E. CAPUANO, Massachusetts
BLAINE LUETKEMEYER, Missouri         WM. LACY CLAY, Missouri
BILL HUIZENGA, Michigan              STEPHEN F. LYNCH, Massachusetts
SEAN P. DUFFY, Wisconsin             DAVID SCOTT, Georgia
STEVE STIVERS, Ohio                  AL GREEN, Texas
RANDY HULTGREN, Illinois             EMANUEL CLEAVER, Missouri
DENNIS A. ROSS, Florida              GWEN MOORE, Wisconsin
ROBERT PITTENGER, North Carolina     KEITH ELLISON, Minnesota
ANN WAGNER, Missouri                 ED PERLMUTTER, Colorado
ANDY BARR, Kentucky                  JAMES A. HIMES, Connecticut
KEITH J. ROTHFUS, Pennsylvania       BILL FOSTER, Illinois
LUKE MESSER, Indiana                 DANIEL T. KILDEE, Michigan
SCOTT TIPTON, Colorado               JOHN K. DELANEY, Maryland
ROGER WILLIAMS, Texas                KYRSTEN SINEMA, Arizona
BRUCE POLIQUIN, Maine                JOYCE BEATTY, Ohio
MIA LOVE, Utah                       DENNY HECK, Washington
FRENCH HILL, Arkansas                JUAN VARGAS, California
TOM EMMER, Minnesota                 JOSH GOTTHEIMER, New Jersey
LEE M. ZELDIN, New York              VICENTE GONZALEZ, Texas
DAVID A. TROTT, Michigan             CHARLIE CRIST, Florida
BARRY LOUDERMILK, Georgia            RUBEN KIHUEN, Nevada
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana

                     Shannon McGhan, Staff Director
       Subcommittee on Financial Institutions and Consumer Credit

                 BLAINE LUETKEMEYER, Missouri, Chairman

KEITH J. ROTHFUS, Pennsylvania,      WM. LACY CLAY, Missouri, Ranking 
    Vice Chairman                        Member
EDWARD R. ROYCE, California          CAROLYN B. MALONEY, New York
FRANK D. LUCAS, Oklahoma             GREGORY W. MEEKS, New York
BILL POSEY, Florida                  DAVID SCOTT, Georgia
DENNIS A. ROSS, Florida              NYDIA M. VELAZQUEZ, New York
ROBERT PITTENGER, North Carolina     AL GREEN, Texas
ANDY BARR, Kentucky                  KEITH ELLISON, Minnesota
SCOTT TIPTON, Colorado               MICHAEL E. CAPUANO, Massachusetts
ROGER WILLIAMS, Texas                DENNY HECK, Washington
MIA LOVE, Utah                       GWEN MOORE, Wisconsin
DAVID A. TROTT, Michigan             CHARLIE CRIST, Florida
BARRY LOUDERMILK, Georgia
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    February 14, 2018............................................     1
Appendix:
    February 14, 2018............................................    39

                               WITNESSES
                      Wednesday, February 14, 2018

Cooper, Aaron, Vice President, Global Policy, BSA - The Software 
  Alliance.......................................................     3
Rosenzweig, Paul, Senior Fellow, R Street Institute..............     9
Rotenberg, Marc, President, Electronic Privacy Information 
  Center, and Adjunct Professor, Georgetown University Law Center     8
Sponem, Kim, Chief Executive Officer and President, Summit Credit 
  Union, on behalf of the Credit Union National Association......     5
Taylor, Nathan D., Partner, Morrison & Foerster LLP..............     6

                                APPENDIX

Prepared statements:
    Cooper, Aaron................................................    40
    Rosenzweig, Paul.............................................    49
    Rotenberg, Marc..............................................    57
    Sponem, Kim..................................................    72
    Taylor, Nathan D.............................................    83

              Additional Material Submitted for the Record

Luetkemeyer, Hon. Blaine:
    Written statement for the record dated February 13, 2018.....    92
    Written statement from Independent Community Bankers of 
      America....................................................    96
    Written statement from the National Association of 
      Convenience Stores and The Society of Independent Gasoline 
      Marketers of America.......................................    98
    Written statement from the National Association of Insurance 
      Commissioners..............................................   107
    Written statement from the National Multifamily Housing 
      Council....................................................   122
Maloney, Hon. Carolyn:
    NationalJournal article entitled, ``Europe's New Data 
      Protections Expected to Spill Over into U.S.''.............   124
Waters, Hon. Maxine:
    Opening statement for the record.............................   128
Cooper, Aaron:
    Written responses to questions for the record submitted by 
      Representative Heck........................................   136
Rosenzweig, Paul:
    Written responses to questions for the record submitted by 
      Representative Heck........................................   139
Rotenberg, Marc:
    Written responses to questions for the record submitted by 
      Representative Heck........................................   141
Sponem, Kim:
    Written responses to questions for the record submitted by 
      Representative Heck........................................   145
Taylor, Nathan D.:
    Written responses to questions for the record submitted by 
      Representative Heck........................................   148


                  EXAMINING THE CURRENT DATA SECURITY

                        AND BREACH NOTIFICATION

                           REGULATORY REGIME

                              ----------                              


                      Wednesday, February 14, 2018

                     U.S. House of Representatives,
                     Subcommittee on Financial Institutions
                                       and Consumer Credit,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 10:01 a.m., in 
room 2128, Rayburn House Office Building, Hon. Blaine 
Luetkemeyer [chairman of the subcommittee] presiding.
    Present: Representatives Luetkemeyer, Rothfus, Lucas, Ross, 
Pittenger, Barr, Tipton, Williams, Love, Trott, Loudermilk, 
Kustoff, Tenney, Hensarling, Clay, Maloney, Scott, Green, Heck, 
and Crist.
    Also present: Representative Waters.
    Chairman Luetkemeyer. The committee will come to order. 
Without objection, the Chair is authorized to declare a recess 
of the committee at any time. This hearing is entitled 
``Examining the Current Data Security and Breach Notification 
Regulatory Regime.''
    Before we begin, I would like to thank the witnesses for 
appearing before the subcommittee. We appreciate your 
participation and look forward to today's discussion.
    And I recognize myself for 3 minutes for the purpose of 
delivering an opening statement.
    Every year, the number and severity of data breaches seems 
to increase and more and more Americans seem to become victims 
of fraud and identity theft. Consumers are left not only facing 
financial harm, but also the daunting task of restoring the 
integrity of their personal information.
    With constant technological advancements come more 
sophisticated threats to data security. Some of the largest 
financial institutions in the United States deal with hundreds 
if not thousands of cyberthreats on a daily basis.
    Those attacks aren't just from one-off hackers but 
sometimes highly organized criminal enterprises backed by 
foreign nation-states. The majority of entities that handle 
personally identifiable information work hard to protect it 
from fraudulent acquisition and use.
    As we consider reform of the current regulatory regime 
surrounding data security standards and notification 
requirements, we should bear in mind that in many instances it 
is both the entity and the consumer that has been the victim of 
the crime.
    While I recognize that companies work hard to guard against 
complex threats, it is sometimes the smallest and most 
avoidable errors that lead to the largest breaches. The company 
only has to be wrong once. The 2017 Equifax breach is a 
textbook example of the importance of good data security 
hygiene.
    This is a vastly complex issue that impacts nearly every 
business in this Nation. But our primary focus throughout this 
endeavor should be the consumer. Can we create a system that 
puts them first? How can we safeguard their data without 
overburdening the entities that they patronize? When is the 
right time to notify them that a breach may have occurred?
    Bottom line is that we, the American people, deserve better 
than the status quo. All entities that handle our personal 
information have some responsibility to maintain data security 
standards that protect our information and to keep us better 
informed of instances that could lead to theft, fraud, or 
economic loss. We have the right to this information so we can 
be empowered to protect ourselves.
    Today's hearing will provide the committee with an 
opportunity to hear from witnesses with diverse professional 
backgrounds and opinions on data security. I want to thank them 
for offering their perspectives today. I look forward to your 
testimony and to continued collaboration on this incredibly 
important issue.
    The Chair now recognizes the Ranking Member of the 
subcommittee, another gentleman from Missouri, Mr. Clay, for 5 
minutes for an opening statement.
    Mr. Clay. Thank you, Mr. Chair. At this time I will forego 
the opening statement and hopefully we can get to the 
witnesses. I yield back.
    Chairman Luetkemeyer. Mr. Rothfus?
    Mr. Rothfus. No.
    Chairman Luetkemeyer. We are done with opening statements. 
You guys are lucky this morning.
    With that, we welcome testimony of our witnesses, a number 
of you have names that are Luetkemeyer, a little difficult to 
pronounce, and I apologize if I get them wrong this morning.
    But Mr. Aaron Cooper, Vice President for Global Policy, BSA 
- The Software Alliance; Ms. Kim Sponem, President and CEO of 
Summit Credit Union on behalf of the Credit Union National 
Association; Mr. Nathan Taylor, Partner, Morrison & Foerster, 
LLP; Professor Mack Rotenberg--is that right, or Rotenberg?
    Mr. Rotenberg. Marc. Marc Rotenberg.
    Chairman Luetkemeyer. Marc. Marc Rotenberg, President, 
Electronic Privacy Information Center and Adjunct Professor, 
Georgetown University Law Center; and Mr. Paul Rosenzweig--
pretty close?
    Mr. Rosenzweig. Much better than most, sir.
    Chairman Luetkemeyer. OK. Obviously we are not right yet, 
that is the problem. But that is OK--appreciate your 
diligence--Senior Fellow, R Street Institute.
    Each of you will be recognized for 5 minutes to give an 
oral presentation of your testimony. Without objection, each of 
your written statements will be made part of the record.
    Just a little tutorial on the lighting system in front of 
you. Green means go. When you see a yellow one pop up there 
that means you have 1 minute to wrap up, and red means stop. I 
have a gavel up here that we will make that emphatically known 
if we need to.
    I would ask that you pull the microphones close to you. 
They do move. They are not stationary on the desk there. You 
can pull them toward you so we can hear you. Sometimes if you 
speak softly it is a little difficult in this large room to get 
the right acoustics.
    So with that, Mr. Cooper, you are recognized for 5 minutes.

                    STATEMENT OF AARON COOPER

    Mr. Cooper. Thank you, Mr. Chairman. Good morning Chairman 
Luetkemeyer, Ranking Member Clay, and members of the 
subcommittee. My name is Aaron Cooper and I am Vice President 
for Global Policy at BSA - The Software Alliance.
    BSA is the leading advocate for the global software 
industry in the United States and around the world. Our members 
are at the forefront of cutting edge, cloud-enabled data 
services that have a significant impact on U.S. job creation 
and the global economy.
    Data security is crucial to our members and to their 
customers in every industry sector. I commend the subcommittee 
for holding this hearing on such an important topic, and I 
thank you for the opportunity to testify.
    BSA's support for data security and breach notification 
legislation dates back more than a decade. Persistent, high-
profile security incidents make the need for thoughtful 
legislation more important now than ever.
    Our economy today and economic growth and job creation in 
the foreseeable future is rooted in digital data. Every 
industry today is improved through the use of software to 
store, transfer, and analyze data.
    But the embrace of the digital economy cannot be taken for 
granted. If customers do not trust that their data will be kept 
secure, they will not use the technology. Our companies compete 
on privacy and security. Their customers rightfully demand it.
    Data breaches erode that trust in digital services and can 
have a significant cost on the economy.
    The security threats we face today are global, the 
adversaries increasingly sophisticated, and the motivations are 
far more complicated than in the past. Malicious actors use 
both internal and external threats to commit financially 
motivated crimes and other forms of espionage.
    In some cases, advanced persistent threats are conducted by 
well-resourced teams of specialists that are often linked to 
nation-state actors. Organizations that hold sensitive data 
need to incorporate high standards of risk management.
    This does not always require adopting excessively costly or 
cumbersome security measures. In fact, reasonable diligence can 
make a considerable dent in the problem. Experts suggest that 
more than 90 percent of data breaches could be preventable 
through basic cyber hygiene.
    Compromised or weak user credentials account for the vast 
majority of hacking-related breaches and patched software could 
prevent nearly 80 percent of security incidents.
    BSA is committed to being part of the solution and, along 
with our members, is leading on several important efforts. 
First, BSA recently released a new cybersecurity policy agenda 
which addresses the need to promote a secure software 
ecosystem, develop a 21st-century cyber workforce, and embrace 
emerging technologies.
    Second, BSA members have been leading advocates of security 
by design principles and secure development lifecycle 
approaches to developing software.
    Third, the industry has developed and deployed layered 
defenses from protection at the data and document level to the 
network and perimeter level.
    Fourth, use of cloud-based services offer an important 
option for data security. Just as a bank can better protect 
individual financial assets of its patrons, cloud service 
providers can provide a level of protection for their 
customers' digital assets beyond what many small and medium-
sized businesses can do on their own.
    It is important to remember that even when customer data is 
placed in a cloud infrastructure, security remains a shared 
responsibility. Cloud providers can help reduce the operational 
burden associated with securing data, but security is a 
process, not an end state.
    The cloud provider and customer both have responsibilities 
for managing the security of data.
    While the industry is taking important steps, only Congress 
can ensure that there is a uniform and effective Federal 
standard. In BSA's view, legislation should aim to achieve 
three goals.
    First, legislation should minimize the risk of data 
breaches. It should require companies that collect or maintain 
sensitive personal information to implement reasonable data 
security practices. The practices should be scoped in size to 
the complexity, sensitivity, and volume of personal information 
on a company's systems.
    Second, legislation should mitigate the impact of breaches 
that do occur. Legislation should ensure that consumers receive 
timely and meaningful notification based on a risk-based 
analysis.
    Third, legislation should create uniformity. We currently 
have a thicket of 48 different State data breach notification 
standards. The variation between the State laws is not trivial, 
and it is unhelpful in the wake of a breach of personal 
information to have a company working with a team of lawyers to 
understand what requirements must be met in each jurisdiction 
before notifying customers of the breach.
    In conclusion, there is a lot that Congress can do to 
improve the situation for both businesses and consumers. Well-
crafted legislation can facilitate rapid and robust responses 
to significant security incidents. And Federal guidance on data 
security will drive stronger security measures across the 
Internet ecosystem.
    BSA strongly supports these goals, and we look forward to 
working with the subcommittee to achieve them. Thank you, and I 
look forward to your questions.
    [The prepared statement of Mr. Cooper can be found on page 
40 of the Appendix]
    Chairman Luetkemeyer. Thank you, Mr. Cooper.
    Ms. Sponem, recognized for 5 minutes. Please turn your 
microphone on and pull it close. Thank you.

                     STATEMENT OF KIM SPONEM

    Ms. Sponem. Thanks. Chairman Luetkemeyer, Ranking Member 
Clay, members of the subcommittee, thank you for the 
opportunity to testify on this extremely important topic. My 
name is Kim Sponem and I am Chief Executive Officer and 
President at Summit Credit Union testifying on behalf of the 
Credit Union National Association.
    Summit Credit Union, headquartered in Madison, Wisconsin, 
is a State-chartered credit union founded in 1935. We have $3 
billion in assets and serve 175,000 members, which is quite 
small compared to regional and national banks.
    Like all credit unions, we are a not-for-profit 
institution, owned by the very members we serve. Summit Credit 
Union offers a full array of financial services to meet the 
needs of our members, including debit and credit cards.
    Unfortunately, data breaches occur far too often. Consumers 
and financial institutions are harmed by data breaches when 
entities and organizations, including merchants, fail to take 
necessary steps to protect consumer data.
    Community financial institutions foot the bill when 
companies fail to secure customer information when many do not 
need to store that information in the first place. Breaches 
cost Summit Credit Union over $1 million in 2017 alone, but 
more importantly, the negative impact on consumers is 
significant and sometimes devastating.
    Imagine you are making a purchase and your card is 
declined. You don't know why. There is a line behind you. You 
are embarrassed and concerned. You figure out a different way 
to pay or you walk away angry.
    You call your financial institution. There are fraudulent 
charges on your card. You now know why the purchase was 
declined because of fraud, but now you have the stress of 
wondering just what information did the fraudsters gain on you?
    Or are you using your debit card in another country to get 
currency? It is shut down. Now what do you do? You are worried 
someone is depleting your checking account. How long will it 
take to get that resolved? How will you get your money in 
another country? Panic sets in.
    Even worse, someone stole your identity and took out a loan 
in your name; now your credit is compromised. How do you get it 
back? It can take years and tens of thousands of dollars to 
rectify.
    Meanwhile, my credit union is working hard to get you 
another card at $3 to $5 per card, overnighting them when 
needed at our expense. We work with you to address the 
fraudulent charges that are on your card that we pay for.
    We look to increase our fraud monitoring systems that are 
expensive and labor-intensive. And most of all, we spend the 
much-needed time with our members to help them navigate the 
financial system.
    Once you have new cards then remembering to update your 
automatic payments is the next step. If you forget, you now are 
delinquent with that company.
    All fraud and fraud mediation is paid for by financial 
institutions. There is no incentive for companies that hold 
personal information to protect it. And that is just plain 
wrong.
    Under current law, credit unions and banks are subject to 
data security requirements, necessitating the development of 
procedures and systems to protect consumer information from 
theft, including notifying consumers in the event of a data 
breach.
    However, other entities that hold personal information are 
subject to no such standards. Any company that holds consumers' 
personal information necessarily or unnecessarily should be 
held to a national standard. Americans deserve a strong 
national data security standard that requires all businesses to 
protect and safeguard personal information.
    Companies that do not need to store personal information 
should either not store it or be subject to the standard. 
Companies should not be allowed to put consumers at undue risk.
    And communicating a data breach in a timely manner allows 
consumers and financial institutions the ability to try to 
reduce possible losses with early detection and awareness.
    The current system is not fair or sustainable. Consumers 
are protected from losses because financial institutions bear 
the responsibility for reimbursing them. Those that are 
negligent should bear the cost.
    Protecting data is expensive and it is labor-intensive. But 
a company that stores information needs to invest in these 
protections for consumers as a cost of doing business, or not 
store the information at all.
    In summary, it is our hope that this committee makes data 
security one of its top priorities in 2018. We ask that any 
legislation proposed would include these three priorities: One, 
a standard for all companies holding personal information; two, 
a requirement to communicate breaches in a timely manner; and 
three, a responsibility for negligent companies to bear the 
costs.
    We will work with you to protect consumer data and increase 
accountability. Companies may not want to invest in protecting 
data, but it is a matter of responsibility and duty that goes 
with holding that information.
    On behalf of Summit Credit Union and the National 
Association I would like to thank you for this opportunity to 
share my views. And I would be happy to answer any questions. 
Thank you.
    [The prepared statement of Ms. Sponem can be found on page 
72 of the Appendix]
    Chairman Luetkemeyer. Thank you, Ms. Sponem.
    Mr. Taylor is recognized for 5 minutes.

                   STATEMENT OF NATHAN TAYLOR

    Mr. Taylor. Mr. Chairman, Ranking Member Clay, and members 
of the subcommittee, my name is Nathan Taylor and I am a 
partner at the law firm of Morrison & Foerster. My practice is 
focused on helping financial institutions and other companies 
protect the security of their sensitive information and respond 
to security incidents that unfortunately but inevitably occur.
    My colleagues and I have represented companies in 
responding to a number of the largest and highest profile data 
breaches in American history.
    I am pleased to be here today to provide you with 
background on the State safeguards laws and the State security 
breach notification laws. At the outset, however, I want to 
stress that I share your concern about the critical need to 
protect American consumers and American businesses from the 
increasingly sophisticated cybersecurity threats that we face 
today.
    Cybersecurity impacts not only the security of our own 
sensitive personal information, but in the Internet-connected 
world in which we live, it impacts our very way of life.
    In my view, we need a national standard to address what is 
truly a national issue, and I also believe that a national 
standard would ultimately be good for both the American 
consumer and American businesses.
    For more than a decade I have tracked the State laws as 
they have developed in this area. When you review the current 
landscape of State laws, you find a complex matrix of 
inconsistent, sometimes duplicative and often contradictory 
requirements.
    With respect to State safeguards laws specifically, today 
only 15 States have laws in effect that impose general 
requirements on all companies to protect the security of 
sensitive personal information. Most of these safeguards laws 
impose only a high level obligation to take reasonable steps to 
protect sensitive information.
    Only a few include detailed security requirements, and 
those are often modeled on the Safeguards Rule issued by the 
Federal Trade Commission pursuant to the Gramm-Leach-Bliley Act 
(GLBA).
    In contrast, however, today, 35 States do not have 
generally applicable laws that require all companies to protect 
sensitive personal information.
    If you are an American, where you live should not impact 
whether there is a legal obligation to protect sensitive 
information about you. In my view, this point is not 
controversial. We need a national standard for security to 
ensure that all Americans are protected while also leveling the 
playing field for American businesses.
    With respect to breach notification, 48 States, as well as 
the District of Columbia, Guam, Puerto Rico, and the U.S. 
Virgin Islands have enacted breach notification laws. Although 
these laws ostensibly share the same purpose, they are far from 
uniform and vary significantly in terms of their requirements.
    For any given breach, the many differences among the laws 
impact whether a consumer receives a breach notice at all, 
what that notice says, when it is sent, and even how it is 
sent. In addition, the inconsistencies among these laws 
complicate the process for companies in providing notice to 
consumers.
    Even for companies who respond to an incident diligently, 
investigating a breach, restoring the security of systems, and 
providing notice to consumers takes time. It is a complex 
process that is made more difficult by the need to comply with 
52 different breach laws. A single nationwide standard for 
breach notification would address this issue.
    In closing, I note that Congress, including this committee, 
has considered the issue of data security for 15 years. In my 
view, the time for Congress to act is now. In considering 
legislation I would recommend that this committee be guided by 
four principles.
    First, a Federal bill should include strong yet flexible 
and scalable data protection standards for all companies.
    Second, a Federal bill should require notice to consumers 
of breaches that put them at risk of harm.
    Third, a Federal bill should include a safe harbor for 
compliance with the existing Federal data security standards.
    And finally, a Federal bill should pre-empt State laws to 
ensure that all Americans receive the same level of protection 
regardless of where they live.
    Thank you for the opportunity to speak with you today, and 
I am happy to answer any questions that you might have.
    [The prepared statement of Mr. Taylor can be found on page 
83 of the Appendix]
    Chairman Luetkemeyer. Thank you, Mr. Taylor.
    Professor Rotenberg, recognized for 5 minutes.

                   STATEMENT OF MARC ROTENBERG

    Mr. Rotenberg. Mr. Chairman, Ranking Member Clay, and 
members of the committee, thank you for the opportunity to 
speak with you today. My name is Marc Rotenberg. I am President 
of the Electronic Privacy Information Center.
    We are a nonpartisan research organization established in 
1994 to focus public attention on emerging privacy issues. I 
have also taught privacy law at Georgetown for more than 25 
years and am the author of several books on privacy law.
    I have provided for the committee a detailed statement that 
I ask be entered into the hearing record. I would be happy to 
briefly summarize my comments, if that is OK? Thank you.
    Let me say at the outset that data breaches today pose an 
enormous challenge, not only to American families but also to 
our country. Previously, consumer privacy laws were enacted to 
safeguard consumers against the misuse of their personal data.
    But what we are increasingly aware of is that foreign 
adversaries are targeting the personal data stored by American 
firms here in the United States. And you see as a consequence 
when companies engage in lax security practices, they put their 
clients and their customers at risk, not only of the misuse of 
the data but also of identity theft and financial fraud from 
foreign actors.
    A related concern that I would like to bring to your 
attention is the growing divergence between U.S. privacy laws 
and privacy laws in Europe. As you may be aware, the European 
Union is moving in May of this year to establish a 
comprehensive approach to privacy protection known as the 
General Data Protection Regulation.
    That law is already having a big impact and I would say a 
positive impact on the practices of U.S. firms operating in 
Europe. But the increasingly critical question is whether the 
United States will update its privacy laws to address growing 
concerns about the protection of personal data held in the 
U.S., not only on U.S. consumers but also on the consumers in 
countries where we do business.
    So for both of these reasons, I think there is an enormous 
urgency in this committee moving forward for strong proposals 
for privacy protection. And I have outlined in my testimony 
several key principles that I hope you will consider, as well 
as brief comments on some of the bills that are pending in this 
committee and elsewhere in Congress.
    I want to comment on a few of the points that were made 
earlier and highlighting also statements that are in my 
prepared testimony. I think the key point is that you want to 
establish a Federal standard but it should be a Federal 
baseline standard.
    And this is the traditional approach to privacy protection 
in the United States. If you go back to the Video Privacy 
Protection Act or the wiretap statute or other consumer privacy 
laws, the approach to privacy protection has been one that 
recognizes, as the other witnesses have said, the need to 
ensure a Federal standard that provides baseline protection but 
also allows the States to regulate upwards and to respond to 
emerging privacy threats as they emerge.
    Just looking at the field of data breach notification and 
the experience in the State of California, what you will see is 
that as the State confronted new forms of data breach, first it 
was financial fraud and then it was medical records, the State 
was updating its laws to address the new challenges and to 
provide new and necessary coverage to ensure that consumers 
would be aware of the new types of data breach.
    This is entirely consistent with our Federalist form of 
Government that leaves to the States the authority to establish 
stronger privacy protections when necessary. So I would 
certainly agree with the other witnesses on the need for a 
national standard, but I would urge that that be a baseline 
standard.
    Some of the other key points in my testimony include the 
need for prompt breach notification. It simply takes too long 
today to tell people that their personal data has been 
compromised.
    In the credit reporting industry we think it is important 
to establish across the board data freezes so that consumers 
can make the determination affirmatively when to disclose their 
personal data to others rather than to have to wait until the 
breach occurs and then to take additional steps to safeguard 
personal data that has already been compromised.
    I would be pleased to address other points in my testimony, 
and thank you again for the opportunity to speak with you 
today.
    [The prepared statement of Mr. Rotenberg can be found on 
page 57 of the Appendix]
    Chairman Luetkemeyer. Thank you, Professor.
    Mr. Rosenzweig, recognized for 5 minutes.

                  STATEMENT OF PAUL ROSENZWEIG

    Mr. Rosenzweig. Thank you, Mr. Chairman, Ranking Member 
Clay, members of the committee. I thank you for the invitation 
to join you today. My name is Paul Rosenzweig. I am a Senior 
Fellow at the R Street Institute. We characterize ourselves as 
a pragmatic think tank, which I guess means that we think the 
free markets work except when they don't.
    There is good evidence that the free markets do not fully 
work in the cybersecurity arena and that the market does not 
adequately price in the costs of cybersecurity.
    Recent history is, of course, replete with examples of data 
breaches like the Equifax breach and the harm they have caused. 
I myself have been the subject of at least three breaches in 
the last couple of years, Equifax, Home Depot, and the OPM 
breach.
    And as the Verizon data breach annual report reflects, in 
2016, the last year for which we have some data, more than 
40,000 incidents and 2,000 confirmed breaches have occurred.
    So make no mistake. Cyberthreats are real and recent 
experience has shown that neither the private nor the public 
sector are fully equipped to cope with them.
    Given these threats, we should expect that the market would 
provide a solution. Why is that not enough? The answer I think 
lies in the conception of externalities, that is, the fact that 
activity between two economic actors may directly or 
unintentionally affect a third party.
    Cybersecurity has those types of negative externalities. 
The most important one is what we call a pricing problem. That 
is that private sector actors often do not internalize the 
costs of security failures in a way that leads them to take 
adequate protective steps. When software fails to prevent an 
intrusion or a service provider fails to interdict a malware 
attack, the costs are borne entirely by the end users.
    In this way, security for the broader Internet is a classic 
market externality. How then should Government respond to this 
problem?
    First and most importantly we should guard against what 
public choice theory calls rent-seeking. That is the idea that 
we should not foster the right result but rather the result 
that concerted lobbying efforts favor.
    Second, we must be careful of inflexible float to change 
mandates. The Government's hierarchical decisionmaking 
structure allows only slow progress in adapting to this 
phenomenon and operates far too slowly to catch up with the 
pace of cyber change, if you will.
    We make decisions at the speed of conversation. But change 
happens at the speed of light. Of course, whenever we have 
chosen to address a pricing problem through litigation there 
are also significant costs, most notably transaction costs. 
Operating the civil justice system is expensive and 
participating in that system even more so.
    Those costs which are unrelated to the merits of the 
failure or the litigation have a strong tendency to distort the 
market in ways that are often unanticipated.
    So then what is the right approach? My counsel to you would 
be first do no harm. In the end, if a regulatory approach is 
chosen at all, it should be flexible and scalable too and a 
standard-setting approach with a light administrative 
enforcement mechanism rather than a hard mandatory approach 
with a heavy civil sanction.
    Most importantly, we must develop a system that creates 
more certainty than it does uncertainty, and that requires two 
things: Guidance and reassurance. As to guidance, we need a 
model that relies on a flexible standard but also one that is 
clearly articulated.
    By contrast, for example, today much of the guidance from 
the FTC (Federal Trade Commission) to consumer enterprises on 
acceptable cybersecurity practices comes in the form of consent 
decrees that, taken together, articulate a very indefinite 
standard of reasonable behavior. That is a poor way to set 
standards.
    Second, no enterprise will invest resources in achieving 
standards without some assurance that doing so will benefit the 
enterprise. In reality, a major portion of that benefit will 
lie in the fiscal security of knowing that the enterprise has 
taken adequate steps to avoid liability. So we need either an 
implicit or an explicit form of safe harbor that encourages 
people to adopt the standards we develop.
    So what should our standard-setting system look like? Well, 
we have a good example in the NIST (National Institute of 
Standards and Technology) framework, a collaborative bottom-up 
approach that collects best practices and advocates for them as 
the best standard available.
    If we follow these precepts, if we focus on standard 
setting rather than rulemaking and guidelines rather than 
mandates, we will go a long way toward advancing cybersecurity 
and ameliorating the failures in the marketplace.
    I should caution that no solution we can devise will be 
perfect. This is truly an insoluble problem that cannot be 
eliminated altogether. But there are in fact better or worse 
answers, and I commend the subcommittee for its attention to 
the problem. And I look forward to answering your questions.
    [The prepared statement of Mr. Rosenzweig can be found on 
page 49 of the Appendix]
    Chairman Luetkemeyer. Thank you, Mr. Rosenzweig, appreciate 
your comments this morning. Although they were honest, you just 
said we couldn't solve the problem, so at least we can talk 
about it, huh? The Congress is really good at that. We can talk 
a lot, can't we?
    With that, I will recognize myself for 5 minutes and begin 
the questioning. Again, thank all of you for your comments. As 
many of you indicated we have almost daily breaches now, and 
the American public is clamoring for some sort of solution to 
some of these problems.
    And we are trying to put together a bill that hopefully 
will address some of the concerns and take into account some of 
the suggestions that you have given us this morning. And we 
certainly appreciate your input.
    Let me start out with Mr. Rosenzweig with regards to one of 
the issues I think that is key to this whole situation is the 
pre-emption of State law, all of you mentioned this very thing.
    To me it looks like we have two choices. One you pre-empt 
State law and be able to protect the consumer data. Or the 
other is you allow the hodgepodge of laws to continue and the 
consumers beware. Where would you come down on this?
    Mr. Rosenzweig. Well, rather than characterizing them as a 
hodgepodge, I would say that federalism and competition is one 
of the ways that a market can function. The other way is to 
impose uniformity across the entire Nation. That has the 
economic advantage of eliminating redundancies and conflicts 
and reducing costs.
    What I would say is the worst answer or the worst of both 
possible worlds is to partially pre-empt State law, to set a 
baseline standard that does away with federalism in the first 
instance but doesn't eliminate the uncertainty of 
multiplicitous laws in the second instance. You don't gain any 
of the benefit and you cost a lot--
    Chairman Luetkemeyer. Would you believe we had an across-
the-board exemption that allowed for a Federal standard that 
would provide a better safeguard for data for people, though?
    Mr. Rosenzweig. I think as an economic matter, if you are 
going to--
    Chairman Luetkemeyer. I am not talking about economics. I 
am talking about the ability of people to protect their data.
    Mr. Rosenzweig. There would be more consistency and 
therefore more likelihood of full compliance. The inconsistency 
of the rules is part of what generates some of the uncertainty. 
So yes, sir.
    Chairman Luetkemeyer. OK, thank you. You make a good 
attorney. Let me go with the question with regards to 
notification. I know everybody has a different idea of this. 
You talk to the companies they want, and we have seen examples 
of this, anywhere from 2 weeks to 1 year before people were 
notified.
    The American public deserved better than that, and because 
of those, in my mind, lousy ways of trying to work and manage 
their breach, they have lost the trust of the American people. 
So I don't know how we can get it back unless you go to a zero, 
immediate notification.
    This is what we need to go to, and I think the American 
public is going to clamor for this, and my thought process is 
that while the breach is going on you know what is going on and 
you are ascertaining exactly how much information and what 
information was lost, whose information was compromised.
    You can already know, OK, we have a breach. Now we have to 
start setting up some sort of a notification process.
    And I think you can do two tracks on this so that whenever 
you finally do realize that you have a compromise situation 
where you have to be notifying people, you can do that on an 
immediate basis. Anybody like to comment on that, see where you 
are on that?
    Mr. Rotenberg. Well Mr. Chairman, I agree with you. I 
think, in fact, our recent experience with Equifax demonstrates 
the need for prompt breach notification. The company was aware 
in March 2017 that they had a problem with a key security 
protocol that they failed to update.
    Yet it wasn't until August, 4 months later, that they 
actually took steps to begin to notify the public of the 
potential that their data had been breached.
    And of course as long as that software was not updated the 
breach was ongoing. So the breach is necessary not only to 
provide information to consumers so that they can act, but also 
to ensure that the company is being diligent when it uncovers a 
problem.
    Chairman Luetkemeyer. Very good. Anybody else like to 
comment on that?
    Ms. Sponem?
    Ms. Sponem. We had a situation in Madison where there was a 
local processor that processed credit cards for various 
restaurants. And they had been breached and did not notify 
anyone. It took them weeks and into over a month to start to 
work on the patches that they needed to do in order to shut 
that down.
    So meanwhile, the hacker, every single time someone used 
their credit card at one of those restaurants, they were just 
getting new credit card information. We had customers who had 
to get their credit card reissued four times during that 
period.
    Chairman Luetkemeyer. I would like to make one quick 
comment. I know that yesterday in the National Journal there 
was an article with regards to Europe beginning to come on, and 
I think Professor you made this comment with regards to new 
data rules coming out.
    In their data rules they are looking at a 72-hour window 
within which to disclose this, although it doesn't say in here 
whether you actually ascertain exactly the kind of information 
that has been breached and you know that there is actually some 
people's information had been compromised. I think that is a 
key component of this.
    But just a quick, would everybody agree that immediate 
notification has to be there or some other timeframe?
    Mr. Cooper? I am running out of time.
    Mr. Cooper. Mr. Chairman, I think it is really important 
that there be prompt notification, and I think that the 
response from companies needs to be strong and immediate. But 
we also need to look at what is going to be best for consumers.
    And one of the concerns about having an artificial deadline 
about when notification has to happen is that the initial 
information is not always the accurate information. And it is 
more important that the information be accurate than that it be 
fast.
    Chairman Luetkemeyer. Very good.
    Mr. Cooper. And I think that with the FTC and State 
attorneys general being able to make that determination--
    Chairman Luetkemeyer. Very good. My time is up. I have to 
set a good example here. You will all be able to come to--
hopefully my guys have been listening over here and we are 
going to get some good questions on this, because this is a key 
component to be able to go forward here.
    With that, Mr. Clay from Missouri is recognized for--the 
Ranking Member is recognized for 5 minutes.
    Mr. Clay. Thank you, Mr. Chairman.
    And Professor Rotenberg, you have written previously that 
without comprehensive legislation the data breach problem will 
only get worse. As part of such legislation, what type of 
personal information should be explicitly covered?
    Mr. Rotenberg. Mr. Clay, this is a critical question, not 
only because personal data such as home address and Social 
Security number and financial records and educational records 
are readily understood as personal data, but also increasingly 
in an era of Big Data we have a lot of information that is 
deidentified but can be reconstructed as personal data.
    So when we talk about personal data in the 21st century, we 
need to understand that it is information that appears as 
personal data and is familiar or could be made personally 
identifiable. So as a starting point for privacy legislation, 
we think it is important that there be a broad scope and that 
this particular problem be well-understood.
    Mr. Clay. And should a harm threshold be used to trigger 
notification of a breach or should all breaches be disclosed?
    Mr. Rotenberg. Well, this is a critical question. The 
problem with a harm threshold is that it is oftentimes left to 
the company to make a determination about whether they think 
the consumer has been harmed. And in our view the better 
approach says to the company if a breach has occurred, notify 
the consumer and then let the consumer determine the scope of 
the harm.
    Oftentimes companies don't have the full picture of what 
the consequence will be if customer data is breached. And that 
is why we think that the harm standard is too high. It results 
in too little notification.
    Mr. Clay. Thank you for that. In your testimony you 
mentioned that credit rating agencies should have an automatic 
credit freeze. Could you expound on that and tell me how would 
a consumer unfreeze that credit then?
    Mr. Rotenberg. Right. Well, I think this is just common 
sense. As we also say, the credit reporting industry is vital 
to the American economy and consumers need the ability to 
obtain credit, to get a home loan or purchase a car. We all 
understand that.
    But when the consumer is making one of those big life 
decisions the person should be able to say OK. Now I want this 
company to have access to my credit report. So it becomes an 
affirmative decision.
    The problem with the current system is that companies 
routinely get access to personal data, whether or not the 
customer has any intent of doing business with the company. And 
this also contributes to identity theft.
    So if we change the default, give consumers the ability to 
disclose the customer report, the credit report, prior to the 
purchase, we think that would be good for the customer. It 
would be good for the merchant and would reduce the levels of 
identity theft.
    Mr. Clay. Would that have had an impact on the Equifax?
    Mr. Rotenberg. Absolutely. The problem with Equifax is the 
data became widely available and consumers were asked after the 
fact to race around and put credit freezes in place. And at 
that point it is too late.
    Mr. Clay. Yes, yes. And in recent testimony before the 
Senate you underscored the implications that the massive 
Equifax breach has for U.S. trade relations, citing the fact 
that more than 15 million U.K. customers were impacted and the 
fact that the data exposed by the breach is, as you put it, ``a 
gold mine for identity thieves.'' Can you expand on that 
concern?
    Mr. Rotenberg. Well, this is the point that I raised in my 
opening statement. Traditionally when we talked about privacy 
law in Congress the focus was the impact on U.S. consumers. But 
of course now we live in a global, Internet-connected 
environment.
    Many U.S. companies are doing business overseas, and those 
governments are looking at U.S. privacy law and trying to 
assess if we have adequate privacy protection for the records 
of their citizens.
    So when the Equifax breach occurred, it didn't just impact 
American consumers. It impacted people in the U.K. and Canada 
and elsewhere around the world. I think it is very much in the 
long term interest of the U.S. economy to strengthen our 
privacy laws because other countries are becoming increasingly 
concerned about the weak privacy standards we have.
    Mr. Clay. And you had mentioned that the E.U. was moving 
forward--
    Mr. Rotenberg. Yes, that is correct.
    Mr. Clay. --with an initiative and we should probably look 
at that also and take some of the good points of it I guess?
    Mr. Rotenberg. Thank you.
    Mr. Clay. Thank you.
    I yield back.
    Chairman Luetkemeyer. The gentleman yields back.
    With that, we go to the gentleman from Pennsylvania, the 
Vice Chairman of this committee, Mr. Rothfus, recognized for 5 
minutes.
    Mr. Rothfus. Thank you, Mr. Chairman.
    Ms. Sponem, in your testimony you discussed how merchants 
and other companies that are not banks or credit unions are a 
source of vulnerability and cost.
    You wrote the following, ``Financial institutions like 
Summit Credit Union foot the bill for the fallout and 
subsequent fraud that comes from the breach of personal 
information from merchants and other companies' failure to 
adequately protect and secure customer information.''
    In your experience, are merchants and other non-financial 
companies a major avenue for data breaches?
    Ms. Sponem. Yes, I believe that they are a major avenue for 
breaches. I believe that most breaches do come from those 
sources.
    Mr. Rothfus. And can you quantify again how much these 
breaches cost your credit union annually?
    Ms. Sponem. So in 2017 we spent over $1 million on 
breaches. And that has increased year-over-year. So in 2013 it 
was around $350,000. It increased 20 percent in 2014, and today 
it is over $1 million.
    Mr. Rothfus. Mr. Taylor, while I agree that cybersecurity 
and breach prevention and notification should be national 
concerns, I also acknowledge that small businesses may pose 
less risk and have fewer resources available to address 
potential risks.
    What is the best way to tailor data security and breach 
notification requirements to the characteristics of businesses 
that vary in size and capacity?
    Mr. Taylor. It is a great question, and I think the key is 
that you have a flexible and scalable standard. And that is 
something that a number of us on the panel have highlighted 
today.
    You need a standard that takes into account the size, 
complexity, and scope of the business' operations so the 
standard can apply to the smallest company in America to the 
largest.
    I think it is critical that everyone has at least some 
obligation but then the amount of resources that you have and 
the size of your organization should dictate the extent of the 
expectations.
    Mr. Rothfus. Do you know what NIST's role is in setting 
cybersecurity standards?
    Mr. Taylor. The NIST issued the cybersecurity framework 
pursuant to an Executive Order.
    Mr. Rothfus. Are entities required to use the NIST 
framework?
    Mr. Taylor. No.
    Mr. Rothfus. What Federal agencies should enforce the law 
and determine what compliance with the law in this area would 
look like? Any opinion there?
    Mr. Taylor. Yes, absolutely. I think you have to recognize 
a couple points here. First, we do have existing standards 
under the Gramm-Leach-Bliley Act and under HIPAA (Health 
Insurance Portability and Accountability Act). And I think for 
those areas you should continue to follow the prudential 
regulation model.
    For example, the financial regulators enforce over the 
financial institutions. And then I think that when you are 
looking for who else should enforce, I think you have to start 
with the Federal Trade Commission, who has historically played 
a very active and strong role in this space.
    Mr. Rothfus. Mr. Cooper, if I can ask you, we all recognize 
that Congress does not want to create a situation whereby 
breached entities are forced to inundate consumers with 
insignificant notifications to the point that the breached 
entity is notifying wolf.
    With that in mind, where should the responsibility and 
authority reside in determining a direct risk threshold of 
identity theft that would trigger a notification?
    Mr. Cooper. Well, I think, again, we need to look at it 
from the perspective of what is going to be helpful for the 
consumer in responding to a breach that might have an effect on 
them. I think they are most likely going to be responsive to 
the entity that they know has their data.
    So in Ms. Sponem's example, for instance, the restaurant 
that a customer went to where their credit card was used, 
making sure that entity is communicating with the customer I 
think is crucial with some actionable information so that it is 
not just a notice that there has been a breach but here are 
things that you can do.
    Mr. Rothfus. Mr. Taylor, if I could go back to you? In your 
testimony you described the current patchwork of State 
notification laws as a, quote, ``complex matrix of inconsistent 
and sometimes duplicative and often contradictory 
requirements.''
    Clearly, there is a case to be made that a national 
standard would be more appropriate and that it would 
significantly reduce the compliance burden for firms.
    If we were to establish a national breach notification 
standard, what information would need to be included? What do 
consumers need to know if their information has been improperly 
accessed or stolen?
    Mr. Taylor. I think there are a few key points that you 
should focus on. First, a description of the incident, what 
happened. What information was involved? What is the company 
doing about it? And steps that the consumer could take to 
protect herself from harm.
    Mr. Rothfus. I yield back. Thank you.
    Chairman Luetkemeyer. The gentleman's time has expired.
    Then we go to the Ranking Member of the full committee, Ms. 
Waters, from California, recognized for 5 minutes. Welcome.
    Ms. Waters. Thank you, Mr. Luetkemeyer. I have an opening 
statement that I will submit for the record, and I appreciate 
you holding this hearing.
    Mr. Rotenberg, Chairman Hensarling has said that in light 
of the Equifax breach it should be obvious to all that our 
committee will revisit the Data Security Act, legislation that 
our committee took up nearly 2 years ago.
    The law included sweeping language that would have pre-
empted State law, in which the Massachusetts attorney general 
at a minority day hearing that Democrats called, indicated 
would drastically undercut Massachusetts data security 
regulations.
    The New York attorney general's office agreed with this 
perspective in their testimony before our committee. So in your 
view, if the choice is between the status quo or Federal 
legislation that pre-empts States' ability to take action to 
protect consumers and bolster data security requirements, which 
option would you prefer?
    Mr. Rotenberg. Thank you, Congresswoman, for the question. 
I am somewhat familiar with the Data Security Act, the 2015 
bill, and I am also aware of the objection of many State 
officials and consumer groups.
    I think it would be better not to pre-empt State laws that 
currently provide strong protections to consumers. I think 
there is a very real risk, in fact, that if you pass a national 
standard that is weaker than what many of the States currently 
provide, you will see an increase in the levels of identity 
theft and financial fraud in the United States.
    Because it is actually those State officials and the State 
attorneys general on the front lines of this problem who are 
dealing with State residents and businesses trying to come up 
with the best legislative solutions.
    So the practical consequence of capping that effort would 
be to remove the most well-informed, the most effective, and 
the most responsive policymakers from this field. I think it 
would be a terrible mistake.
    Now, I do think Congress has a role to play and has always 
played an important role establishing a baseline standard when 
it becomes aware of an emerging privacy issue. And most 
certainly the protection of personal data is an emerging issue.
    But I have no difficulty saying quite simply, a measure 
that would pre-empt State law would leave many more American 
consumers at risk of identity theft and financial fraud.
    Ms. Waters. Thank you. And in some discussions that I have 
had with some members here, they have said that this area that 
we are dealing with cybersecurity issues, that you need 
flexibility and you need to be able to continue to strengthen 
your efforts to ensure that you have the kind of protections 
that are necessary.
    And that means that the States may be able to move faster, 
may be able to initiate changes, upgrade, do all kinds of 
things that perhaps the Congress of the United States could not 
easily and readily do. Is that a concern?
    Mr. Rotenberg. Well, I think that is the actual experience 
in this field. I think there are some fields where there is no 
question that Congress does need to establish a comprehensive 
national standard.
    But I think there are other fields, and privacy is most 
certainly one, where the nature of the subject matter and the 
expertise that exists at the States underscores the need for 
our Federalist approach to coming up with innovative solutions.
    It was actually Justice Brandeis, known for his famous 
opinion on the right to privacy, who also described the States 
as the laboratories of democracy. And we see that in the 
protection of privacy. This is where the innovative legislation 
comes from.
    Ms. Waters. Well, my concern is that when you start to talk 
about national standards and you are dealing with all of these 
Members of Congress who come from different States and you have 
to basically come up with an agreement, a consensus dealing 
with all of the concerns, that the national standard is usually 
a race to the bottom almost.
    And that it does not recognize that some States, such as 
have been identified as New York and Massachusetts, have good 
standards, higher standards. And a national standard would 
certainly not match that which some States already have and 
could have.
    So I thank you for being here today. I appreciate your 
testimony. And I think that we should take into consideration 
what you have said because pre-emption of State laws is a 
serious effort that should be taken seriously and not done in 
the interests of just trying to have something.
    I yield back the balance of my time.
    Chairman Luetkemeyer. The gentlelady's time has expired.
    With that, we go to the gentleman from North Carolina, Mr. 
Pittenger. You are recognized for 5 minutes.
    Mr. Pittenger. Thank you, Mr. Chairman. Thank you for 
leading this very important hearing and would like to again 
thank all of our witnesses for being with us today. Your input 
is so critical for each of us on this committee.
    Clearly, data and cybersecurity need to be at the forefront 
of the agenda for the U.S. Congress. Over the last several 
years we have had big and small companies that have been 
affected by related security breaches. And obviously the 
Equifax is at the forefront of an issue that we have all sought 
to consider and evaluate where we go forward.
    I would like to ask at this point, Ms. Sponem, what is the 
nature of the FTC's oversight of the credit bureaus' data 
security operations? Would you expand on that some more?
    Ms. Sponem. What is the oversight of the FTC with regard to 
this issue?
    Mr. Pittenger. To the credit bureaus' data security 
operations.
    Ms. Sponem. So we fall under the GLBA standards, and we 
believe that we are required to follow those. And we believe 
that they should as well.
    Mr. Pittenger. Sure. How does the FTC's oversight of the 
credit bureaus measure against the data security regulatory 
frameworks in other sectors of the economy, such as retail, 
hospitality, education, and such, what is your view of that?
    Ms. Sponem. I don't know where the standard should fall 
under, but I do believe that those standards should be fluid. 
For example, with the standards that we followed 5 years ago, 
if we were continuing to follow those same standards today we 
would have been hacked by now.
    So those standards need to continue to evolve over time and 
they need the flexibility to be able to do that as people get 
more sophisticated in being able to penetrate different 
systems.
    Mr. Pittenger. Sure.
    Ms. Sponem. So where that falls under and on--what that 
looks like I don't know. But I think it is really an important 
piece to make sure that we have in place.
    Mr. Pittenger. Yes, ma'am. Thank you.
    Mr. Taylor, do you think it is important to empower law 
enforcement to share information with the private sector in 
respect to ongoing cyberthreats and attacks? If you could elude 
on that some more?
    Mr. Taylor. Yes, absolutely critical. If law enforcement is 
aware of threats and if companies had that information they 
could take steps to protect their systems, absolutely critical.
    And I think from an industry perspective even following the 
Cyber Information Sharing Act, I think there has been a cry 
from the industry generally for more information, particularly 
from the Federal Government on threats and vulnerabilities that 
exist today.
    Mr. Pittenger. Yes, sir. And so you would say that there 
should be greater information sharing among themselves in the 
industry in the private sector on ongoing cyberattacks?
    Mr. Taylor. Yes. And I think it has developed historically 
in a very sectoral approach. The financial services and retail 
and technology they all have their information sharing and 
analysis centers and try and share threats amongst themselves. 
And it is something that is developing and growing over time.
    Mr. Pittenger. Is there anything we should be doing on the 
Federal level to encourage information sharing?
    Mr. Taylor. Can you repeat?
    Mr. Pittenger. Is there anything we should be doing on the 
Federal level to encourage information sharing?
    Mr. Taylor. Well, this Congress did pass the Cyber 
Information Sharing Act, which ostensibly was for that very 
purpose. And I think that we need a reminder to Federal law 
enforcement to encourage them to share with the private sector 
information about threats.
    Mr. Pittenger. Yes, sir. Thank you.
    Mr. Rosenzweig, who has the enforcement authority for the 
various data security regulatory regimes? Is it the FTC, the 
State attorney general, or banking regulators?
    Mr. Rosenzweig. It is a patchwork, sir. And it very much is 
sector-dependent. Right now the FTC has significant authority 
over consumer-facing institutions. States' attorneys general 
have authority within their respective jurisdictions under 
Gramm-Leach-Bliley.
    There is regulatory authority from the banking groups, 
HIPAA as well. One of the things that we see, as Mr. Taylor 
said, is a sectorally developed set of privacy and security 
rules that has created some uncertainty as where you fit within 
the matrix, pretty much.
    Mr. Pittenger. Yes, sir. Thank you. Just very briefly then, 
I would ask you how can we ensure that Americans' data privacy 
and data security interests are best served by the national 
data security breach notification standards?
    Mr. Rosenzweig. Well, I would start by saying that I don't 
think that data breach notification is cybersecurity. It is an 
ancillary to it because it has the collateral effect of 
embarrassing people. But it only comes after you have failed.
    The right way, the primary way, would be to foster standard 
setting at the NIST that we have been talking about already 
today and propagate that throughout industry so that we get a 
best practices level playing field that is a good standard 
setting model.
    Mr. Pittenger. Thank you.
    My time has expired. I thank you very much.
    Chairman Luetkemeyer. The gentleman's time has expired.
    With that, we go to the gentlelady from New York. Mrs. 
Maloney is recognized for 5 minutes.
    Mrs. Maloney. Thank you, Mr. Chairman. I would like to 
thank you and the Ranking Member for holding this important 
hearing. And all of the panelists for your truly riveting 
testimony that underscored the urgency of acting on the Federal 
level to protect the information of consumers.
    I would like to first ask Professor Rotenberg about the 
importance of breach notification. I think we all agree that 
when a company is breached and personal information is stolen, 
consumers should be notified as quickly as possible.
    But before they can be notified about a breach, someone has 
to discover it. Usually it is the company, but sometimes it is 
discovered by a third party that the company has hired as a 
vendor who discovers the breach first.
    Now, a number of vendors, independent tech companies that 
have huge platforms, are opposed to this. And personally I 
think a third party should notify as quickly as possible.
    But my first question is if a third party that a company 
has hired discovers a data breach at the company, do you think 
the third party should have an obligation to notify the company 
of the breach?
    Mr. Rotenberg. Well, thank you, Congresswoman, for the 
question. And the simple answer is yes. We need more breach 
notification. We need companies to be made aware of when they 
have problems securing the data they collect.
    And I thought a lot about how best to describe the problem 
and this question in particular. Imagine, for example, that you 
made your home available to a friend. And the person goes into 
your house and the first couple days they are there a pipe 
bursts and you have water pouring all into your house.
    Now, let me ask you the question. Do you think they should 
contact you right away when the pipe bursts and the water is 
pouring over your house?
    Or should they wait a few days or a couple of weeks or 
maybe to when you get back home and you are looking around and 
you are saying, gee, what happened here? Oh, well, the pipe 
burst. Maybe someone should deal with it.
    Data breach is actually very much like a pipe bursting. You 
have lost control over the information that you have a 
responsibility to protect. And if you don't act quickly and if 
you don't notify somebody who has the ability to fix the 
problem, it simply gets worse.
    And as I tried to explain at the outset, the people who are 
targeting personal data in the United States today are much 
more sophisticated than the people 10 years ago or even 5 years 
ago. These are foreign adversaries. They are trying to uncover 
national vulnerabilities that they can exploit.
    I think we need breach notification that is almost 
immediate but practicable. Seventy-two hours, which the 
Europeans chose, I think is probably a good target.
    Mrs. Maloney. I thank you for that excellent reply. And in 
fact, this article that actually the Chairman loaned to me 
talks about the European Union in May they are enforcing their 
72-hour reporting time, which in a sense will enforce it in 
America, too, with those companies such as Boeing and GM and 
Chevron and Microsoft, to mention a few, that are international 
companies. They are going to obviously have to start responding 
to what the European standard is.
    So Europe's data rules are headed to the United States. It 
used to be, as the financial capital of the world, the United 
States would set the standard. Now we are rushing to catch up 
with what the rest of the world is doing in a very important 
area.
    I must say that after Equifax I would say probably half of 
the people on this panel were breached. And myself included. 
And it took them 40 days to disclose that 145 million Americans 
had lost their security.
    And I agree with you that the 30 to 60 days that companies 
in America are demanding is just too long. I think we should 
move to the European standard and actually it is being forced 
on our people now through the law that is going to start being 
enforced in May from the European Union.
    I ask unanimous consent to place in the record this 
important article that shows the fierce urgency of acting now 
to move forward on it.
    Chairman Luetkemeyer. Without objection.
    Mrs. Maloney. I will say I talked to the Ranking Member and 
he is going to join me with some questions that I would like to 
get everybody in writing because we don't have much time. We 
have 5 minutes. And I spoke to the Chairman and he said if he 
approves will join us, which would be great, on getting 
everybody on record on some of these things.
    I can't even be left alone in a hearing. It is going off. 
Anyway, so I would like to ask Nathan Taylor, you mentioned in 
your testimony that some States sometimes have data breach 
notification laws that are inconsistent and directly conflict 
with each other.
    I will give you an example. You noted that some States 
require companies to tell consumers as much information as 
possible, while others say you can't. So we need a uniform.
    My time is expired. I look forward to sending each of you a 
thank you note for your excellent testimony and some other 
additional information that we can see if everybody is onboard 
on certain changes that we as a Nation should move forward on.
    Thank you so very much. I yield back.
    Chairman Luetkemeyer. The gentlelady's time has expired.
    With that, we go to the gentleman from Colorado, Mr. 
Tipton, recognized for 5 minutes.
    Mr. Tipton. Thank you, Mr. Chairman and thank the panel for 
taking the time to be able to be here.
    Mr. Cooper, I would like to follow up a little on my 
colleague Mr. Rothfus' question in regards to some consumer 
confidence. Obviously if we don't have confidence in the data 
being able to get out into other hands, we undermine the entire 
process in the eyes of the consumer.
    You had cited one instance to be able to help restore some 
of that consumer confidence by just notifying the people that a 
breach had occurred. Are there other measures that we should 
take as well?
    Mr. Cooper. Yes. So I think one of the best aspects of both 
the proposal for legislation in this area and even this hearing 
is raising the visibility of the importance that anybody who is 
a steward of data is responsible for making sure that they take 
reasonable steps in order to keep that data secure.
    It is important for what Ms. Sponem's credit union does. It 
is important for what our members do, because 90 percent or so 
of data breaches can be prevented just by having good cyber 
hygiene.
    And if more companies are adopting a NIST style framework 
in order to make sure that they are protecting their data, that 
they are making sure that passwords are protected, that 
credentials are protected, will resolve a lot of the data 
security incidents that we see.
    Mr. Tipton. Thank you. And maybe as a little follow up on 
that, and Ms. Sponem and Mr. Taylor you might want to weigh in 
on this as well when we are talking about who is responsible. 
Can you explain the way in which institutions, which third 
parties, retailers, who is responsible for the costs of a 
breach?
    Ms. Sponem. Yes, so today the financial institution is 
responsible for any entity that is breached that impacts our 
members negatively. So if it impacts their credit card or that 
depletes their debit card checking account, we reimburse our 
members for those fraudulent charges.
    In the case of loan fraud, we also do all of the 
reimbursing of any fraud that takes place from a fraudulent 
loan. We have increased our costs from trying to identify more 
fraudulent loans as that has been on a large increase over the 
last year.
    And so things that we might do is make sure that the Social 
Security number issuance matches date of birth. We will check 
I.P. addresses on the loan apps to make sure that the I.P. 
address is from the same State.
    We looked up people on social media to make sure that the 
details match. We check driver's license numbers on the DMV 
website. So we have gone to great lengths now in 2017 to 
protect that information, to protect our members from 
fraudulent loans being made.
    And I believe that those entities that are negligent in 
protecting consumers' data ought to be held responsible for the 
costs of those data breaches.
    Mr. Tipton. Mr. Taylor?
    Mr. Taylor. Yes. Statutes today don't define liability. 
This is a heavily litigated issue, whether it be among 
companies for a company's fraud losses or a consumer's losses. 
That is something that is pursued in courts today to define the 
liability.
    Mr. Tipton. OK. So ultimately right now liability is 
landing literally with the banks, with the retailers and we 
need to have that apply to a little bit more on a broad base? 
Would that be fair to say?
    Mr. Taylor. I think liability is an extremely controversial 
issue. My personal view from my practice is I would tend to 
lean toward leaving it to the private sector to work it out 
amongst themselves and define and allocate risk.
    Mr. Tipton. Great. Go ahead.
    Ms. Sponem. I believe that companies who do not take the 
added steps in protecting consumer data ought to pay for it. I 
don't know why we would want the banking industry to be at the 
risk of all of these different entities that are not protecting 
consumers' data.
    And oftentimes ending up in identity theft, which is a much 
greater problem for consumers.
    Mr. Tipton. Do you have any ideas on really how much we 
should be spending? A broad-based question, obviously, in terms 
of cybersecurity. Much of the resources should be allocated for 
cybersecurity in businesses?
    Mr. Cooper. If I may? I would say that it really depends on 
the type of business that we are talking about. A local 
restaurant probably has a different amount of resources that it 
should be putting into its cybersecurity than a web hosting 
company or a financial institution or a large multinational 
company that collects and maintains a lot more data.
    So I think one of the keys in having a data security set of 
rules is that they be flexible and scalable depending on the 
type of company that we are talking about.
    Mr. Tipton. Great. Thank you.
    I yield back, Mr. Chairman.
    Chairman Luetkemeyer. The gentleman yields back.
    With that, we go to the distinguished gentleman from 
Georgia. Mr. Scott is recognized for 5 minutes.
    Mr. Scott. Thank you, Mr. Chairman. Panel, a very good 
discussion, really very enlightening, but I tell you, I am very 
worried. I am worried about the future of our Nation. It seems 
that we are in a cyber data breach world war. And I think we 
need to look at it that way.
    And United States of America is the number one target.
    But I am worried about our inability to adequately respond 
to this. First of all, you take the fact of Equifax, 145 
million people with all of their vital information out in the 
open, breached upon, and what happens? We first put the 
consumer protection agency out front doing an intensive 
investigation and then all of a sudden we draw that 
investigation back.
    There is nothing. I don't know of anybody right now, any 
Federal agency, that is investigating that breach, especially 
from a standpoint of even all the information that we had. They 
waited 2 months before they even notified anybody.
    They didn't wait that long when three of their top 
executives sold their stock once they found out what the breach 
was and made millions of dollars. No investigation.
    You know, I want to ask you, do you think 6 weeks to notify 
the public of a breach was fair to the American people? Anybody 
here think that was fair? I don't think so. Everybody is 
shaking their head that it--do you think that the CFPB should 
have backed away from this investigation?
    Where do you think that the feelings of the American people 
are resting now? Well, let me ask you this. Under Gramm-Leach-
Bliley, do you think that part of the problem may be that there 
is no delay in notification requirement that is even explicit 
within Gramm-Leach-Bliley?
    Do you think that that may be a part of the problem, Mr. 
Rosenzweig? Or you, Mr. Cooper? Do we have anything adequate to 
respond to this?
    Mr. Rosenzweig. Well, thank you for the question, Mr. 
Scott. As most of the members of the panel have suggested, the 
absence of any timeframe requirement for notification does lead 
to uncertainty within the marketplace.
    I think perhaps unlike some of the other panelists and 
perhaps some like Mr. Rotenberg in particular, I don't think 
that a fixed timeframe is necessarily the best answer. I think 
that sometimes delay is both necessary to ascertain the facts. 
And sometimes delay is necessary as part of the investigative 
process underneath the law enforcement interests.
    That is not to say that the Equifax delay is an appropriate 
delay. I don't want to be heard to say that, but for me at 
least I would prefer a non-determinative, more flexible 
standard of notification requirement.
    Mr. Scott. Well, let me ask you, Mr. Cooper, you said in 
your testimony that data security is a shared responsibility. 
What did you mean by that?
    Mr. Cooper. When a company is collecting and using data, 
and it might be using another company to help store it or 
process it, provide customer relations management tools, H.R. 
tools, there is a need to protect the infrastructure. There is 
also a need to protect the passwords and credentials that are 
being used to access that information.
    And it is different companies that have different 
responsibilities as part of that security system. It is--
    Mr. Scott. Now, let me ask you maybe it seems like right 
now from my observation we have a hodgepodge of different 
regulations, different agencies. Wouldn't it be good for us to 
start trying to figure out how we can zero in and harmonize and 
get at this in a targeted way to protect the American people's 
information?
    Mr. Cooper. I think having the Federal Trade Commission 
have the lead responsibility to make sure that reasonable 
security measures are being taken and that notice is given to 
consumers when there is a breach in a reasonable amount of time 
will help make sure that there is timely notification because 
there is the Federal Trade Commission there to say if you have 
not provided notice when you should have in a reasonable amount 
of time, the FTC has enforcement authority.
    Mr. Scott. Thank you, Mr. Chairman.
    Chairman Luetkemeyer. The gentleman's time has expired.
    With that, we go to the gentleman from Texas. Mr. Williams, 
recognized for 5 minutes.
    Mr. Williams. Thank you, Mr. Chairman and also Ranking 
Member Clay. I want to thank you for holding today's hearing. 
As we have seen in the past year cybersecurity breaches and the 
loss of personal identifiable information unfortunately 
continues to affect hundreds of millions of Americans. The 
Equifax breach being the largest example.
    Now, bad actors are not stopping, in fact, quite the 
opposite. Organizations around the country continue to be under 
constant threat from cyber thieves seeking to steal personal 
data. Our constituents expect us to, where appropriate, 
consider solutions which successfully defend their information 
and let them know in the event it has been compromised.
    Thank you to the witnesses. It has been good testimony 
today before us this morning as this committee continues to 
work to find the answer in the space of consumer information 
safety and breach notification. And your expert testimony is 
welcomed.
    Ms. Sponem, thank you for being here today to provide the 
perspective of credit unions in the data security debate. I am 
a small business owner back in Texas, have been for 46 years 
and a steadfast defender of Main Street. I am glad to hear from 
you.
    And as you point out in your testimony, data breaches are 
becoming all too common. We have talked about that. And the 
cost to institutions like yours have to bear, to fix problems 
that weren't any fault of your own, begin to add up.
    So we have talked a little bit about this, but expand on 
it. What kind of standards should merchants be held to? And 
will those standards effectively reduce the cost your 
institution must pay to assist members who are affected by 
merchant data breaches?
    Ms. Sponem. I believe that merchants and other businesses 
that hold consumer information should have the proper controls 
in place as well. It is the making sure that your patches are 
done in a timely manner, that you have the proper people in 
place to monitor those controls and to make sure that you are 
doing what you need to do to protect that data.
    I think that that is at what level of standards? I think 
that that is something that others will need to decide, but 
given the type of information that someone holds about 
consumers I think does, as Mr. Cooper mentioned, does indicate 
to what level they need to be protecting that data.
    Mr. Williams. OK. Thank you.
    Mr. Taylor, in your testimony you recognized the harm that 
data breaches cause the American consumer. There exists today 
various State laws regarding the protection of consumer 
personal information and breach notification in the event that 
information is compromised.
    You are in support of a nationwide breach notification 
standard, so I ask this. Why is a nationwide Federal breach 
notification standard the correct policy rather than letting 
the States govern themselves?
    Mr. Taylor. Well, I think it ultimately comes down to--and 
the Chairman in his opening statement said we can't forget 
about the consumer. And that is a point that I agree with. This 
is fundamentally about equal treatment for all Americans, 
regardless.
    A lot of my family lives in Idaho Falls, Idaho. I live in 
Virginia. Our Social Security numbers are equally sensitive 
regardless of where we live and the expectation should be the 
same for companies regardless of where the company operates to 
protect all of our Socials.
    Mr. Williams. I have another question for you. In your 
testimony you discuss the steps a company takes in determining 
the scope of breach. You say that while it would be simple to 
confirm the facts of what happened, in actuality it takes 
detailed review before a company can figure out what happened 
and how to address the breach.
    One potential consideration that needs to be made when 
codifying a breach notification standard is the fact that, as 
you point out, when the breach becomes public a company becomes 
a target for other attackers.
    So how long would a company be given to secure their 
systems before being required to make a public notification? 
And is there a risk that notification could happen too quickly 
and invite new attacks?
    Mr. Taylor. There is absolutely a risk. And speaking from 
my experience alone; one, there is a fundamental point that I 
would like to highlight, which is all breaches are not created 
equal. They are really fact-specific.
    And so going down the road of picking times, whether it be 
days or hours, is really challenging because the breaches 
aren't alike. And it does take time, of course depending on the 
facts, to both investigate, restore the security of systems and 
that should be critical.
    And our expectation should be that a company should 
expeditiously investigate and take steps to protect their 
systems. That is mission critical in my mind.
    Mr. Williams. OK. Thank you very much.
    And I yield my time back, Mr. Chairman.
    Mr. Rothfus [presiding]. The Chair now recognizes the 
gentleman from Texas, Mr. Green, for 5 minutes.
    Mr. Green. Thank you, Mr. Chairman.
    I thank the witnesses for appearing as well, and am 
concerned about the liability aspect of this that my colleague 
across the aisle raised earlier.
    We seem to believe that there should not be a standard with 
reference to a timeline for reporting a breach, but we don't 
seem to think that there should be some sort of liability if 
that timeline is too long. If you wait until people are 
suffering such that they could not take some sort of action to 
help correct.
    Now, I think that businesses ought to be able to work out 
their problems, but what do you do when they don't? What do you 
do when they have millions of people at risk and their 
shareholders, some of whom happen to be in some pretty 
significant positions, my friend Mr. Scott mentioned it, they 
go ahead and sell their stock before they announce the breach.
    Now, if you think that it is appropriate for Equifax to 
have shareholders in significant positions, let us call them 
executives, to allow them to sell their stocks--probably can't 
stop them--but for them to sell their stocks before the breach 
is announced, if you think that is appropriate raise your hand, 
please?
    Let the record reflect that no one has indicated that this 
is appropriate. So when this occurs should there be some sort 
of liability? Do you think that people ought to be allowed to 
do this with impunity? Do you think that the poor guy who may 
not be able to afford a lawyer is going to be able to stop 
this?
    Do you think that class actions are going to be the 
solution when we have a class of people right here in Congress 
who are fighting class actions, don't want lawyers to be able 
to bring class actions against these mal actors?
    So what is the solution? To debate it and do nothing? Why 
wouldn't there be some liability imposed if you knew or should 
have known that your security measures were inadequate and 
somebody is suffering as a result?
    So let us start with Mr. Rosenzweig.
    Mr. Rosenzweig. Well, Mr. Green, thank you for the 
question. I would like to divide the answer. I don't know the 
facts of the Equifax case. They are still under investigation, 
but assuming the facts--
    Mr. Green. Well, let us not talk about the--
    Mr. Rosenzweig. --that you proposed--
    Mr. Green. Well, let us do this. Let us take them off the 
table.
    Mr. Rosenzweig. Right.
    Mr. Green. And we will have our own fictitious entity.
    Mr. Rosenzweig. I would say that insider trading is already 
a crime. And if you trade on insider information that is an 
investigation that is appropriate for the SEC and securities 
enforcement authorities.
    I think that that is different from a generalized breach 
notification law. And there I think that I agree with Mr. 
Taylor, that the standard is or ought to be a flexible one that 
reflects expeditiousness at the earliest reasonably practical 
time. The law is filled with flexible standards like that, the 
tort liability standard, for the reasonable man sort of thing.
    I do tend to think that firm--
    Mr. Green. Excuse me. Let me intercede--
    Mr. Rosenzweig. Sure.
    Mr. Green. But what should be done when the flexibility 
that you speak of is abused?
    Mr. Rosenzweig. Either an administrative enforcement action 
or possibly litigation. Those are the two possible--
    Mr. Green. Well, who pays for the litigation?
    Mr. Rosenzweig. Presumably the people who are litigating.
    Mr. Green. Would that be the consumer?
    Mr. Rosenzweig. We don't have a loser pays law here in the 
United States, so yes.
    Mr. Green. It would be the consumer. Why wouldn't Congress 
intercede and establish some standard that deals with this 
notion of flexibility? Let us assume that you are right. 
Different circumstances require different timeframes. But what 
happens when that is abused?
    Mr. Rosenzweig. Well, that would be a matter for 
administrative enforcement presumably through the FTC or in the 
case of Equifax through the banking regulatory authorities.
    Mr. Green. And I assume that Mr. Taylor you would like to 
weigh in on this as well?
    Mr. Taylor. Yes. Throughout this hearing liability has come 
up in a couple of contexts. And what we have been talking 
about, two completely separate issues. And the point that you 
were raising, Congressman, is a good one.
    If we are going to have a strong standard, we should hold 
companies accountable to that standard. And in your bill you 
can provide penalties that you believe are appropriate for 
failure to comply with the standard.
    There is a separate liability issue that we have talked 
about in other contexts today, which is the liability between 
companies who when one company has a breach there can be 
impacts, for example, to a credit union for reissuing cards. 
Those are two separate things.
    But on the former, I completely agree with you that we 
should hold companies accountable. If we are going to have a 
Federal standard we should expect that they comply. And if they 
don't there should be penalties.
    Mr. Rothfus. The time of the gentleman has expired.
    Mr. Green. Thank you.
    Thank you, Mr. Chairman.
    Mr. Rothfus. The Chair now recognizes the gentlelady from 
Utah, Mrs. Love, for 5 minutes.
    Mrs. Love. Thank you so much. A few months ago, one of our 
cybersecurity experts here at the Congressional Research 
Center, Chris Jaikaran, testified before the Senate Banking 
Committee about data security. He outlines a process by which 
organizations typically respond to a breach, and I would like 
to unpack that a little bit and get your thoughts on various 
aspects.
    Mr. Jaikaran said that there will be a delay between the 
discovery of an attack and public notification of that attack 
because the analysis of what has transpired would need to be 
conducted.
    This analysis will inform the entity of how they were 
breached and what data systems were compromised is what he 
said. Now, I understand that clearly an organization needs to 
know what happened before they can accurately notify people who 
were affected by the breach.
    But can we say that this is obviously a theme that I think 
both sides of the aisle are incredibly concerned about. We hear 
it over and over and it is asked in so many different ways I 
can't even imagine your heads must be spinning. But can we say 
that there should be general parameters on the timing of 
notification?
    Mr. Cooper, I knew you wanted to say something earlier. You 
pushed your button, so I am going to let you go ahead and 
answer that question.
    Mr. Cooper. Thank you. Yes, so I think that the complexity 
of the breach is going to affect when notification can happen 
in an accurate way. And I think accuracy is really important.
    I think that it is important that the Federal Trade 
Commission, and perhaps State attorneys general, are able to 
enforce a reasonableness standard in terms of the time when 
notification is provided so that we can figure out the 
parameters of what is reasonable and make sure that companies 
are held to that standard of reasonableness; a standard with no 
enforcement isn't a real standard.
    A standard that allows enforcement and penalties when it is 
not met will help make sure that there are not delays that are 
unnecessary.
    Mrs. Love. OK. So there are some serious questions, for 
example, about the lack of notification regarding the Equifax 
breach. I would like to get your thoughts, Mr. Taylor, on that 
because I think one of the analogies that was expressed about 
pipe breaking in your home, to me the difference is when 
information is released and what type of information is 
released.
    And I would tend to think that there would be some sort of 
information saying, you know what? There is a pipe that broke. 
We don't know how. We will give you further information later 
about that. But there is a problem and we need to notify of 
that problem.
    So I guess I would like to just get your thoughts about 
regarding the notification, for example, and the lag of 
notification, because that is the serious concern here.
    Mr. Taylor. I appreciate your concern. And while I can't 
speak to Equifax specifically, I think what the fundamental 
issue here is, when does the clock start ticking. And I walked 
through this in detail in my written testimony.
    When does a company, quote, ``discover a breach.'' Is that 
the first awareness of a fact that later with the benefit of 
hindsight is concluded to have been related to the breach? Or 
is it the moment that the company determines something is 
wrong? We have an issue here.
    And my point is there should be an expectation that a 
company expeditiously investigates to figure out what happened 
and restore the security of their systems and that is, in my 
mind, when the clock should start ticking, once those steps 
have been done.
    Mrs. Love. OK. So when a breach occurs, should there be a 
specific timeframe for notification established in law? Is 
there something that we should do to make sure that there is 
some sort of a timeframe?
    Mr. Taylor. If by timeframe you mean something like days or 
hours, I would say no. I think you should go with a standard 
that is as expeditiously as possible or as reasonably as 
possible. I think you need a flexible standard because all 
breaches are not created equal.
    They are very different.
    Mrs. Love. Is it realistic to require that any company 
notify customers within a set number of days or whatever 
circumstance? Is there some sort of reasonable standard that 
should be out there?
    Mr. Taylor. I think, again, it really depends. It depends 
on the facts. A company needs to know whose data was lost in 
order to be able to notify the right consumer. You don't want 
to notify the wrong consumer and unduly alarm them. So it--
    Mrs. Love. So I have just a few seconds, but I just want to 
say that we are here on behalf--I believe--I keep saying this. 
The branch of Government that is closest to people is the House 
of Representatives. And we will not be doing our job if we are 
not looking out for the people whose intellectual property has 
been breached and released.
    So our job is to protect the people. It will always be 
that. And so I think it is our responsibility to make sure that 
there is something that we can protect people when their 
information is out--has been breached. So with that, thank you.
    Mr. Rothfus. The time of the gentlelady is expired.
    The Chair now recognizes the gentleman from Washington, Mr. 
Heck, for 5 minutes.
    Mr. Heck. Thank you, Mr. Chairman.
    So I want to get at this issue of what do we do about data 
breaches, and I want to think outside the box a little bit. I 
am reflecting back on the Equifax breach, and part of which I 
found incredibly galling, namely that the company essentially 
threw one person under the bus.
    I don't know if that was motivated by a liability 
limitation, but I thought it was exceedingly poor form. But it 
was also galling, frankly, because it suggested that something 
that was so mission critical was dependent on one single 
individual, which seems to be a systems issue.
    But I got to thinking about the gold standard that we have 
all around us in even more tragic circumstances. Not that this 
one wasn't tragic--and that would be the National 
Transportation Safety Board, which is charged to go in after 
accidents of trains or planes and do the investigation.
    Why did this happen and what can we do to prevent it in the 
future? And there is also a chemical safety board for chemical 
spills, oil platforms, and the like. That is their sole job. Go 
in and look at why this thing happened and what can be done to 
prevent it in the future.
    So I got to thinking. A computer network safety board, an 
entity, a Federal Government entity whose sole job would be to 
determine how did this come about and what is it that needs to 
happen in order to prevent it going forward?
    So just going down the line there, I am interested in your 
reaction to that idea.
    Mr. Rosenzweig. Which end are you starting at?
    Mr. Heck. Yours, sir, because you were nodding the whole 
time I was talking.
    Mr. Rosenzweig. Well, no. I mean--it is actually an idea 
that I have been toying with myself. I would say that the only 
problem that I see with it, serious, is that cybersecurity is 
really two components. There is the systems approach portion of 
management of the company protocols in place, awareness of the 
issue, risk assessments, that sort of thing.
    And then there is the technical piece of--did you fail to 
patch? Was the intrusion detection system inadequate, that sort 
of thing.
    So as you went forward, we would want to do both and the 
problem, which is very much mirrored in the NTSB, is that the 
form of those, the human system part is a lot harder to 
evaluate with precision than the latter.
    The NTSB can say part A failed, but they can't say that the 
company didn't inspect frequently enough because frequently 
enough is a flexible standard that--
    Mr. Heck. But--
    Mr. Rosenzweig. --but I like the idea generically.
    Mr. Heck. But we have human error on the transportation 
front, too.
    Mr. Rosenzweig. Right.
    Mr. Heck. And I am not understanding why you think the 
analogy breaks down?
    Mr. Rosenzweig. I don't think the analogy breaks down. It 
is just the way you phrased the question at least made me think 
that you were thinking only of the technical side of the 
problem.
    Mr. Heck. No. No.
    Mr. Rosenzweig. OK. Then so long as we are willing to 
accept that human error is human error and can't be--
    Mr. Heck. Sure.
    Mr. Rosenzweig. --eradicated from any human system, I--
    Mr. Heck. Right.
    Mr. Rosenzweig. --I would follow you down this road.
    Mr. Heck. Good.
    Mr. Rotenberg. Well, sir, I am going to give you a 
different answer. I don't think we need another entity 
responsible for computer security. I think the problem right 
now is that there is overlapping authority that needs to be 
clarified.
    Both the FTC and the Consumer Finance Protection Bureau 
have responsibility for security standards. But it is not a 
mandatory standard and that is part of the problem. I suggest 
in my testimony that that authority which currently exists 
should be strengthened.
    I also want to mention, and I mentioned this in the 
testimony, I was very concerned when I read the news reports 
that the acting director of the CFPB, Mr. Mulvaney, has 
apparently decided to discontinue the investigation of Equifax 
when his agency already had the authority to pursue the matter.
    Now, why this is of particular concern is not simply about 
compensating the individuals for whatever harm they have 
suffered. But it is now almost 6 months since one of the 
greatest data breaches in U.S. history has occurred and we 
still don't know who is responsible.
    That is actually a remarkable fact. It is as if we went 
through 9/11 and didn't know who was on those planes. I 
remember that day. And I almost can't believe that at this 
moment in time we still don't know who is responsible for the 
Equifax attack.
    So I would say that rather than create a new authority we 
should make sure that current authorities should do their job. 
And the last thing that a current authority should do is drop 
an investigation that it already has the authority to pursue.
    Mr. Heck. I am virtually out of time. Sorry to the rest of 
the panelists. I am sure that you have something meaningful to 
add as well.
    Mr. Rothfus. The gentleman's time expired.
    The Chair now recognizes the gentleman from Georgia, Mr. 
Loudermilk, for 5 minutes.
    Mr. Loudermilk. Thank you, Mr. Chairman and I appreciate 
the panel being here after spending nearly 30 years in the IT 
industry and a lot in data security, this is a critical balance 
that we have to strive here because as I have heard in here 
stated several times, it is very difficult.
    And Congress cannot respond in the appropriate timeframe 
for stringent regulatory or stringent regulations for something 
that moves as fast as technology.
    It is impossible for us to keep up with it. And having a 
hard set Federal standard that meets everything would be like 
the EPA trying to regulate the security exchanges. It just 
isn't going to fit in every situation.
    So our struggle is how do we ultimately protect the 
consumer? And as we have seen time and time again, we have to 
continue to review regulations, especially when you are dealing 
with financial services.
    If you over-regulate what happens is the businesses then 
are more concerned with meeting the legal standard of the 
regulation instead of actually doing what is best for the 
consumer.
    But yet you have to have some type of guideline. And that 
is where I think our struggle is here. Where is that balance? 
How do we get to that balance?
    And it is, as Mr. Taylor said several times, no breaches 
are the same. They are very unique based on the platform, the 
diversity of systems, the type of industry, or even the source 
of the breach.
    And that is what we are struggling with a lot now is who is 
liable? And in the current system it is not always those that 
caused the data to be breached that are ultimately liable for 
the consumers and the cost that they are facing.
    So I think for me it is looking for what is that stringent 
guideline or standard that can be flexible. And I think that is 
what I am hearing from a lot of the panelists here is the 
flexibility but one that is stringent enough that can go across 
the multiple platforms.
    Because what we are looking at now is totally something 
different than what our founders ever envisioned. Through 
federalism you have States had banks. Through history the State 
of Georgia, when I was in the State legislature, we regulated 
banks.
    Well, they regulate very few banks now because the Federal 
Government is doing it because they cross so many platforms and 
money is not transferred by Wells Fargo wagons anymore. It is 
transferred instantaneously through data networks, which brings 
in more people who with more liability and more chances for 
this to be disclosed.
    One of the issues that I have spoken about quite often 
coming from this background is basically a principle we had 
when I was in the military dealing with intelligence data, was 
you don't have to secure what you don't have. In other words, 
don't keep a bunch of stuff.
    And one of my concerns that we have is in the Government we 
require so much data to either be reported to the Government or 
to be held by companies that really you don't need to keep in 
an archive that makes us more vulnerable.
    Mr. Cooper, with the different standards across the 
different States, and I understand this, very difficult for 
businesses, even small businesses. My business we worked in 
multiple States.
    It is very difficult for businesses to know which, really 
what standard each State has. When it comes to personal 
identifiable information, do we have multiple definitions of 
that through States?
    Mr. Cooper. Yes. Different States have different 
definitions of what type of personal information triggers a 
notification requirement. Perhaps more importantly, there are 
only a dozen or so States that have data security rules in the 
first place.
    And I think you put your finger on exactly what the 
difficulty or the art is in what you are trying to do here, 
which is how to establish a flexible security standard where 
that flexibility also scales up as time goes on, because as you 
point out, the types of threats that we are going to face 10 
years from now are different than the ones that we face today.
    And a flexible standard should make sure that the 
requirements also ratchet up as we are aware of those threats.
    Mr. Loudermilk. Well, let me add another aspect into that, 
because one of the things we don't hear a lot about right now 
is are we aggressively going after the bad guys? Are we 
pursuing that aspect?
    OK, there is the prevention aspect, but one of the ways of 
preventing is also prosecuting. Are we putting enough effort 
into actually going after the criminals who are creating these 
problems?
    Mr. Cooper. So I think it is a really important point to 
highlight that in these data breaches they are always criminal 
acts. And making sure that law enforcement does have not just 
the direction that these are priorities, but also the resources 
and the institutional knowledge to be able to do the forensics 
that is required in order to catch them.
    It is very difficult, and there are different kinds of 
breaches and we need to recognize that there are breaches that 
are from sophisticated actors, some nation-state-linked, some 
not. There are also much less sophisticated activities that 
still have a significant impact on all the companies that we 
are talking about in every industry sector because every 
industry is relying on data in some way.
    Mr. Rothfus. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Tennessee, Mr. 
Kustoff, for 5 minutes.
    Mr. Kustoff. Thank you, Mr. Chairman. And I do thank the 
witnesses for appearing today at this very important hearing.
    Mr. Rosenzweig, if I can, we have talked about these 
disturbing cyberattacks that we have seen throughout the last 
several years. We have talked about Equifax this morning, which 
affected almost 145 million Americans.
    And of course their data has likely been sold on the dark 
web to somebody.
    With Equifax and with other breaches, with Target, with the 
Office of Personnel Management, information being sold 
throughout the Internet, it is clear that indeed our financial 
institutions are clearly vulnerable to attacks.
    And as much as we look to do to prevent them, these 
perpetrators still look for weaknesses and firewalls and other 
data protection mechanisms.
    We have talked today about a national standard or a Federal 
standard. In your opinion, if Congress years ago had already 
enacted such a standard as you and some of the other witnesses 
have talked about today, do you think that these breaches still 
would have occurred?
    And if the answer is no, can you talk about how it should 
be structured or could be structured?
    Mr. Rosenzweig. I think the answer is yes, the breaches 
still would have occurred. Maybe not the exact same sets of 
breaches, but data breach notification law is an after-the-fact 
amelioration of the harm that has already occurred. The 
existence of data breach notification laws in 48 States and 
throughout Europe and throughout the world has not stopped the 
prevalence of cybersecurity breaches.
    What is necessary or what is appropriate to try and 
implement to limit or reduce the amount of cybersecurity 
breaches since, of course, they can't be eliminated altogether, 
is some form of primary standard setting that requires and 
addresses and advocates for people to raise their game, to 
bring up the nature of what they are doing so that they are 
more secure overall.
    That includes deploying firewalls and intrusion detection 
systems. That includes process management systems so that 
corporations have an awareness of and do risk assessments on 
their companies.
    Those sorts of steps are the primary way of fixing the 
cybersecurity data breach notification is about privacy and it 
is about ameliorating the harm after it has occurred. But it is 
not a primary way of achieving cybersecurity. It is derivative.
    Mr. Kustoff. Thank you very much.
    Ms. Sponem, as we look at banks and credit unions, I am 
interested in how our financial institutions identify and 
address cyberattacks when they occur. And as the President of 
the Summit Credit Union can you discuss the systems that your 
institution has in place to detect a data breach or other 
credit unions? What systems they would have in place to detect 
a credit breach?
    Ms. Sponem. We have at Summit Credit Union and other 
financial institutions, we have data intrusion tests done on 
our systems all the time. And so we test our systems. We hire 
people to try to hack into our systems and so that we can fix 
any type of vulnerabilities that we might have.
    In terms of how do we detect a breach by another entity 
that might be impacting our members, sometimes that comes from 
our members themselves, who report a fraudulent charge. And we 
start to connect the dots and say, this is interesting. It 
comes from similar places. Sometimes it is identified by 
places.
    Sometimes it is identified that way. Sometimes we get lists 
from Visa. Sometimes we read about it into the newspaper. 
Companies do not tend to be forthright and especially merchants 
with data breaches, and that leads also to this big time delay 
in us being able to notify people.
    Do we really want consumers to have to worry about looking 
at their information all the time in order to protect 
themselves from that? Probably not. If we can get a heads-up 
from a company that their systems have been compromised, that 
is a good indication for consumers to be able to say, oh, OK. 
Now I am going to look at this a little bit more closely.
    We look at that from all different sources and it is not 
the same. And from a loan fraudulent activity perspective, that 
we try to protect our members in many different ways by trying 
to cross-reference different lists and looking up things to 
make sure that information is consistent so that we are not 
issuing fraudulent loans.
    Mr. Kustoff. Thank you. My time has expired. Thank you.
    Mr. Rothfus. Time of the gentleman is expired.
    The Chair now recognizes the gentlelady from New York, Ms. 
Tenney, for 5 minutes.
    Ms. Tenney. Thank you, Mr. Chairman, and thank you panel 
for this really important meeting. Obviously this is a huge 
issue. A really unusual thing happened in my district recently. 
We had actually a bank robbery where somebody walked into the 
bank in a traditional way and reminded me of the old movie, 
Woody Allen movie, Take the Money and Run. He went into the 
bank with his soap gun.
    But this is interesting that now this is occurring in cyber 
spaces, so just like watching a sports event from the comfort 
of your living room, you can now rob a bank and heist millions 
and billions of dollars just by cyber.
    And so I think what my biggest concern is, and obviously I 
wanted to start with Mr. Rosenzweig about, my concern--a number 
of years ago I attended a seminar before--it was right about 
the time New York State--and I am a member from New York State, 
when the Department of Financial Services was being put 
together.
    And the discussion was now our institutions, our banking 
and financial institutions or credit unions are going to be 
asked to hand over their private information which they so 
carefully secure, their information about their customers, 
obviously their lifeline, to the State of New York. And the 
concern over the protection and the ability of the taxpayers to 
protect this data.
    And so that is my concern is that I think we know banks and 
institutions, and we have heard, obviously Ms. Sponem and 
others talking about how important it is to protect theirs. But 
how at risk are we when we hand our data over to the State of 
New York, for example, and how do we prevent against them being 
hacked?
    We know that Congress and our institutions are hacked 
numerous times on a daily basis. Now the taxpayers, how do we 
get around the cost in being able to protect that and still 
have a regulatory regime in place and the balance there? I 
don't know if you have an opinion on that?
    Mr. Rosenzweig. That is a great question. Neither the 
Federal Government nor the State governments are immune from 
this problem. South Carolina had a very large breach of their 
driver's license system a few years ago. I am aware of breaches 
in California and Illinois as well.
    I don't know of any in New York particularly, but I imagine 
they must have happened. And obviously the OPM breach was far 
more significant for me personally than the Equifax breach 
because I lost my fingerprints.
    There is no way to guarantee the security of State and 
Federal databases any more than there is a way of guaranteeing 
the security of bank breaches.
    I think that the answer is much the same as with private 
entities. That State and local institutions and Federal 
institutions need to be mandated and forced to up their game so 
that they give at least the best that they can give us.
    Ms. Tenney. Thank you. I do worry because obviously Equifax 
was a major factor. It hurt our community and these major 
breaches.
    I am just concerned that we go from the private 
institution, which obviously has as their most important asset 
is their customer, to have to give that information up to a 
Government entity just for regulatory purposes. And we know 
that governments are not always so reliable.
    I might ask Ms. Sponem if you could just tell us a little 
bit about your viewpoint on dealing with a credit union 
situation? How we protect it? And especially you have 
identified in your testimony small credit unions and the risk 
that you have taken and how you feel about turning your data 
over dealing with your data when it comes to protecting your 
customers?
    Ms. Sponem. So we are very careful about who we turn our 
information over to because we also know that, and why the 
hearing is taking place, is that other entities are not 
protecting data in the same way that we protect data.
    And so we do not like to turn over any information that is 
personal information about our members unless we absolutely 
have to do that.
    Ms. Tenney. Thank you. One last thing, and just if we could 
go to I would say Mr. Rosenzweig or whoever might have an 
opinion, what can we do to minimize this risk and exposure on 
the private sector in terms of what could we put in place in 
terms of a formation of a bill or a regulatory regime that 
would help us protect the customer but also protect the asset 
in the event that we do have to turn data over? I don't know if 
you--
    Mr. Rosenzweig. I would give you two quick points, 
minimization of data. A couple of people have said that. You 
can't be breached for that which you don't collect. And the 
second, which is a word that we haven't said at all in this 
hearing is resiliency, which is plan for the failure.
    It will happen and what we really don't have is a lot of 
good recovery systems.
    Ms. Tenney. I appreciate that because I know you pointed 
out the obvious to me and it is great to have to deal with a 
data breach later, but it is already the damage has been done 
and the horse is already out of the barn.
    So I do appreciate that. I think preventing it is to me, 
and again, I thank you for your comments. I love that we--let 
us not give the information out.
    So in that case it is not going to be a secure--and I still 
have many of my constituents who refuse to even have a bank 
account. They are still hiding it in the mattress because they 
are so afraid of data security.
    But thank you so much for the panel and for the Chairman. I 
yield back. Thank you.
    Mr. Rothfus. The gentlelady yields back.
    The Chair now recognizes the gentleman from Kentucky, Mr. 
Barr, for 5 minutes.
    Mr. Barr. Thank you, Mr. Chairman.
    Thank you to our witnesses for your testimony today. I will 
start with Ms. Sponem. Thank--
    Ms. Sponem. Sponem.
    Mr. Barr. Sponem. Thank you. I have heard from many of my 
credit unions that I represent in central Kentucky about the 
data breach problem. And can you just tell us once again what 
the average cost is to replace a debit or credit card?
    Ms. Sponem. So anywhere between $3 and $5 per card, but 
that is actually the least expensive part of a data breach.
    Mr. Barr. Because of the fraud monitoring that you have to 
engage with, addressing your member calls, and actually helping 
them navigate ramifications of the breach?
    Ms. Sponem. That is correct. So yes, so the actual talking 
with our members, talking through the breach with them, what 
they need to do to rectify the situation to make them whole, 
but also the actual fraudulent charges themselves fall on the 
financial institution.
    Mr. Barr. Right.
    Ms. Sponem. And so as we talk about the standards for other 
companies, really what is the incentive for companies to not 
protect their data or to protect their data if we are going to 
pay for all of--
    Mr. Barr. When you take all--
    Ms. Sponem. --their breaches when we take all of it.
    Mr. Barr. When you take on all the responsibilities.
    Ms. Sponem. That is correct.
    Mr. Barr. And yet financial institutions like credit unions 
and community banks, you are subject to the Gramm-Leach-Bliley 
standards, standards that don't apply to other sectors of the 
economy. Is that correct?
    Ms. Sponem. We are absolutely held to those standards along 
with reporting of any type of breaches.
    Mr. Barr. So your testimony resonates with me because, as I 
said before, so many credit unions and community banks in the 
6th District of Kentucky have told me that of all of the 
regulatory pressures that they face and the compliance costs 
that they deal with, this is one of their very top priorities 
in terms of additional cost and ultimately who bears that cost.
    Ms. Sponem. We bear all of the costs of data breaches, of 
if there is a fraudulent loan, any type of fraudulent activity, 
including wire transfers. We hold all of that responsibility.
    Mr. Barr. But then beyond that, who ultimately--where is 
that cost passed along to?
    Ms. Sponem. Well, because we are owned by our members, we, 
it is really our members' money that we are spending in these 
fraudulent situations. And that is $1 million in 2017 that 
could have gone to other things that would have benefited our 
members.
    Mr. Barr. So consumers, the members of the credit union or 
a customer of a community bank, they are the ones ultimately 
that pay for this in the form of higher fees or more expensive 
financial services?
    Ms. Sponem. They absolutely do, yes.
    Mr. Barr. Now, let us move on to--that is the problem. Let 
us move on to the solution a little bit and the proposed 
Federal legislation to Mr. Taylor and also Mr. Cooper, if you 
would?
    There seems to be some tension in the recommendations a 
little bit in terms of the desire to create some certainty and 
some clarity in terms of what standards merchant community or 
whoever has to comply with. But there is also testimony here 
today about the need for flexible, scalable standards and 
technology-neutral standards. We don't want to create a box so 
that we suppress innovation.
    Can you all help us, as we craft this legislation, 
reconcile that tension? Yes, we want flexibility, yes, we want 
scalability. We want technology-neutral. I take that 
recommendation seriously, but how can we at the same time 
provide for the merchant community that is responsible for 
adhering to those standards some clarity and legal certainty?
    Mr. Cooper. I think we want it to be outcome-focused. I 
think the goal of a Federal standard on security should be what 
steps depending on the size of the entity, the type of personal 
information they have and the amount of personal information 
they have, what steps will be appropriate?
    And if we have the Federal Trade Commission and State 
attorneys general all enforcing the same law and the same 
standard we will get that consistency where it still allows for 
it to be scaled up or down depending on the type of entity or 
the emergence of new kinds of threats.
    Mr. Taylor. I would reiterate the point that you made 
earlier about the Gramm-Leach-Bliley Act and look at that as a 
model. And it does include notification standards, by the way. 
I think earlier someone said that it didn't, but it does.
    But the GLBA model is, in fact, one that focuses on the 
process. It is technology-neutral. You need to think about 
risk. You need to adopt safeguards that address those risks.
    Mr. Barr. And final question, Mr. Rosenzweig, should 
legislation deny a private right of action? Would a private 
right of action undermine consistent enforcement and what 
should be the interface between litigation versus a regulatory 
compliance defense or a standard compliance defense?
    Mr. Rosenzweig. I am a little agnostic on that. I tend to 
favor an administrative enforcement mechanism rather than the 
randomness of class action and litigation.
    Mr. Barr. Anybody else on that?
    Mr. Rothfus. The gentleman's time has expired.
    I would like to thank our witnesses for their testimony 
today. Without objection, all members will have 5 legislative 
days within which to submit additional written questions for 
the witnesses to the Chair, which will be forwarded to the 
witnesses for their response.
    I ask our witnesses to please respond as promptly as you 
are able.
    Without objection, all members will have 5 legislative days 
within which to submit extraneous materials to the Chair for 
inclusion of the record. The hearing is adjourned.
    [Whereupon, at 11:59 a.m., the subcommittee was adjourned.]

                            A P P E N D I X



                           February 14, 2018
                           
                           
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]