[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]




 
                    LEGISLATIVE PROPOSALS TO REFORM

                     THE CURRENT DATA SECURITY AND

                 BREACH NOTIFICATION REGULATORY REGIME

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON FINANCIAL INSTITUTIONS
                          AND CONSUMER CREDIT

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 7, 2018

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 115-78
                             _________ 

                 U.S. GOVERNMENT PUBLISHING OFFICE
                   
 31-383 PDF              WASHINGTON : 2018                                
                           
                           

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    JEB HENSARLING, Texas, Chairman

PATRICK T. McHENRY, North Carolina,  MAXINE WATERS, California, Ranking 
    Vice Chairman                        Member
PETER T. KING, New York              CAROLYN B. MALONEY, New York
EDWARD R. ROYCE, California          NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma             BRAD SHERMAN, California
STEVAN PEARCE, New Mexico            GREGORY W. MEEKS, New York
BILL POSEY, Florida                  MICHAEL E. CAPUANO, Massachusetts
BLAINE LUETKEMEYER, Missouri         WM. LACY CLAY, Missouri
BILL HUIZENGA, Michigan              STEPHEN F. LYNCH, Massachusetts
SEAN P. DUFFY, Wisconsin             DAVID SCOTT, Georgia
STEVE STIVERS, Ohio                  AL GREEN, Texas
RANDY HULTGREN, Illinois             EMANUEL CLEAVER, Missouri
DENNIS A. ROSS, Florida              GWEN MOORE, Wisconsin
ROBERT PITTENGER, North Carolina     KEITH ELLISON, Minnesota
ANN WAGNER, Missouri                 ED PERLMUTTER, Colorado
ANDY BARR, Kentucky                  JAMES A. HIMES, Connecticut
KEITH J. ROTHFUS, Pennsylvania       BILL FOSTER, Illinois
LUKE MESSER, Indiana                 DANIEL T. KILDEE, Michigan
SCOTT TIPTON, Colorado               JOHN K. DELANEY, Maryland
ROGER WILLIAMS, Texas                KYRSTEN SINEMA, Arizona
BRUCE POLIQUIN, Maine                JOYCE BEATTY, Ohio
MIA LOVE, Utah                       DENNY HECK, Washington
FRENCH HILL, Arkansas                JUAN VARGAS, California
TOM EMMER, Minnesota                 JOSH GOTTHEIMER, New Jersey
LEE M. ZELDIN, New York              VICENTE GONZALEZ, Texas
DAVID A. TROTT, Michigan             CHARLIE CRIST, Florida
BARRY LOUDERMILK, Georgia            RUBEN KIHUEN, Nevada
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana

                     Shannon McGahn, Staff Director
       Subcommittee on Financial Institutions and Consumer Credit

                 BLAINE LUETKEMEYER, Missouri, Chairman

KEITH J. ROTHFUS, Pennsylvania,      WM. LACY CLAY, Missouri, Ranking 
    Vice Chairman                        Member
EDWARD R. ROYCE, California          CAROLYN B. MALONEY, New York
FRANK D. LUCAS, Oklahoma             GREGORY W. MEEKS, New York
BILL POSEY, Florida                  DAVID SCOTT, Georgia
DENNIS A. ROSS, Florida              NYDIA M. VELAZQUEZ, New York
ROBERT PITTENGER, North Carolina     AL GREEN, Texas
ANDY BARR, Kentucky                  KEITH ELLISON, Minnesota
SCOTT TIPTON, Colorado               MICHAEL E. CAPUANO, Massachusetts
ROGER WILLIAMS, Texas                DENNY HECK, Washington
MIA LOVE, Utah                       GWEN MOORE, Wisconsin
DAVID A. TROTT, Michigan             CHARLIE CRIST, Florida
BARRY LOUDERMILK, Georgia
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    March 7, 2018................................................     1
Appendix:
    March 7, 2018................................................    37

                               WITNESSES
                        Wednesday, March 7, 2018

Cable, Sara, Director, Data Privacy and Security, and Assistant 
  Attorney General, Office of the Attorney General, Commonwealth 
  of Massachusetts...............................................     3
Creighton, Francis, President and Chief Executive Officer, 
  Consumer Data Industry Association.............................     5
Kratovil, Jason, Vice President, Financial Services Roundtable...     9
Miller, John S., Vice President, Global Policy and Law, 
  Information Technology Industry Council........................     7

                                APPENDIX

Prepared statements:
    Cable, Sara..................................................    38
    Creighton, Francis...........................................   100
    Kratovil, Jason..............................................   126
    Miller, John S...............................................   151

              Additional Material Submitted for the Record

Luetkemeyer, Hon. Blaine:
    Written statement from American Bankers Association (ABA)....   167
    Written statement from Consumer Bankers Association (CBA)....   180
    Written statement from Center for Democracy & Technology 
      (CDT)......................................................   182
    Coalition letter dated March 7, 2018.........................   184
    Written statement from Credit Union National Association 
      (CUNA).....................................................   187
    Written statement from Independent Community Bankers of 
      America (ICBA).............................................   189
    Written statement from National Association of Convenience 
      Stores (NACS)..............................................   191
    Written statement from National Association of Federally-
      Insured Credit Unions (NAFCU)..............................   193
    Written statement from National Retail Federation (NRF)......   196
    Letter from Kathleen McGee, State of New York Office of the 
      Attorney General...........................................   227
    Letter from Rapid7...........................................   233
    Letter from Society of Independent Gasoline Marketers of 
      America (SIGMA)............................................   236
Green, Hon. Al:
    Written statement from American Council of Life Insurers 
      (ACLI).....................................................   238
    Financial trades letter dated February 28, 2018..............   241
    Written statement from Property Casualty Insurers Association 
      of America (PCI)...........................................   243
    Retailer coalition letter dated February 13, 2018............   246
Cable, Sara:
    Written responses to questions for the record submitted by 
      Representatives Waters and Ross............................   250
Creighton, Francis:
    Written responses to questions for the record submitted by 
      Representatives Waters and Ross............................   263
Kratovil, Jason:
    Written responses to questions for the record submitted by 
      Representatives Waters and Ross............................   275
Miller, John S.:
    Written responses to questions for the record submitted by 
      Representatives Waters and Ross............................   283


                    LEGISLATIVE PROPOSALS TO REFORM



                  THE CURRENT DATA SECURITY AND BREACH



                     NOTIFICATION REGULATORY REGIME

                              ----------                              


                        Wednesday, March 7, 2018

                     U.S. House of Representatives,
                     Subcommittee on Financial Institutions
                                       and Consumer Credit,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 2:01 p.m., in 
room 2128, Rayburn House Office Building, Hon. Blaine 
Luetkemeyer [chairman of the subcommittee] presiding.
    Present: Representatives Luetkemeyer, Rothfus, Lucas, Ross, 
Pittenger, Tipton, Williams, Love, Trott, Loudermilk, Kustoff, 
Tenney, Clay, Scott, Green, Heck, and Crist.
    Also present: Representative Hensarling.
    Chairman Luetkemeyer. The committee will come to order. 
Without objection, the Chair is authorized to declare recess of 
the committee at any time.
    This hearing is entitled, ``Legislative Proposals to Reform 
the Current Data Security and Breach Notification Regulatory 
Regime.'' Before we begin, I would like to thank the witnesses 
for appearing today. We appreciate your participation and look 
forward to the discussion.
    We have a great crowd today. We must have a very, very 
interesting subject. So, thank you all for being here.
    I now recognize myself for 5 minutes for purposes of doing 
an opening statement. Forty-eight States, the District of 
Columbia, Guam, Puerto Rico, and the Virgin Islands have all 
enacted differing laws requiring private companies to notify 
individuals of breaches of personal information. For each State 
with robust safeguards or requirements in place, there is 
another with protections that are simply insufficient, creating 
a labyrinth that causes compliance nightmares while leaving 
uncertainty or certainty as needed the most, consumer 
notification.
    And although these laws only cover certain sectors, the 
protections vary widely from State to State. It is important to 
ensure all consumers are afforded better protections and more 
prompt notifications. Look at my home State of Missouri, where 
our two largest cities straddle State borders. There is no 
reason why a consumer sitting in East Saint Louis, Illinois 
should have greater protections than one sitting less than 10 
minutes away in Saint Louis.
    One individual's personal information is no more or less 
valuable than another's. This is a national problem that 
requires an immediate national solution, which is why my 
legislation developed with the gentlelady from New York, Mrs. 
Maloney, is both timely and necessary. First and foremost, our 
legislation would create a national security standard for 
entities that access, maintain, store, or handle personal 
information, while providing flexibility based on an individual 
company's size, complexity, and sensitivity of the information 
it maintains.
    With a responsible Federal standard in place, companies 
will no longer have to spend valuable time tracking a maze of 
regulations. That time can be better spent actually securing 
the personal information of their customers and innovating to 
fight against cyber crime. The draft legislation also includes 
robust law enforcement and consumer notification regimes. A 
covered entity has the responsibility to conduct an immediate 
investigation and take responsible measures to restore the 
compromised system.
    If it is determined that the breach has or will cause 
identity theft, fraud, or economic loss, the breached entity 
must notify immediately law enforcement. On the consumer side, 
the bill requires immediate notification without unreasonable 
delay to any consumer who may be impacted by a breach of his or 
her personal information. This is a strict timeline that rivals 
even the most aggressive State laws. After all, it is the 
consumer that should be front and center in any conversation 
surrounding the protection of data.
    Today, we will also examine legislation introduced by the 
gentleman from North Carolina, Mr. McHenry. His PROTECT Act 
would establish a new regulatory regime for credit reporting 
agencies. Mr. McHenry's work on this legislation and on the 
broader issue of data security and the protection of consumer 
information has been an integral part of this debate, and we 
all appreciate his leadership.
    This isn't a question of if, but when there will be another 
data security breach and the personal information of too many 
consumers will be compromised. Congress will move a product 
across the finish line. The legislation we consider today aims 
to foster an environment where consumers are not just protected 
but empowered. This is a challenging issue, one that has been 
seriously debated in Congress for well over a decade, and the 
time to act has come.
    It is essential that the industry looks at the bigger 
picture here and realizes the immeasurable benefits data 
security safeguards and responsible notification process will 
have on their customers and businesses. While some of us may 
experience short-term pain, it will be far outweighed by the 
long-term gain of delivering meaningful results for the 
American people.
    I thank my friend from New York, Mrs. Maloney, for working 
with me on this discussion draft and the gentleman from North 
Carolina for his diligent work on his legislation as well.
    We have an excellent panel of witnesses today. I want to 
thank you for appearing. I look forward to your testimony. The 
Chair now recognizes the gentleman from Missouri, Mr. Clay, the 
Ranking Member of the subcommittee for 5 minutes for an opening 
statement.
    Mr. Clay. Thank you, Mr. Chairman. I certainly will not 
take the total 5 minutes. But I want to thank you for holding 
this hearing.
    Breaches are a growing problem and credit reporting agency 
Equifax just reported one of the largest breaches ever. On July 
29, 2017, Equifax detects their security breach. Bloomberg 
reported that regulatory filings showed that on August 1st, 
Chief Financial Officer John Gamble sold shares worth $946,000 
and Joseph Loughran, President of U.S. Information Solutions 
exercised options to dispose of stock worth $584,000. Rodolfo 
Ploder, President of Workforce Solutions, sold $250,000 worth 
of stock on August 2nd. None of the filings list the 
transactions as being part of a 10b5-1 scheduled trading plan.
    On September 7, 2018, Equifax officially announces the 
security breach to the public. The company directs consumers to 
a dedicated website to check if they are included in the 
breach. October 2, 2017, Equifax announces that forensic 
computer security company Mandiant has identified another 2.5 
million people whose personally identifiable information has 
been compromised, taking the number of victims from 143 million 
to 145.5 million. On March 1, 2018, Equifax reported that 
another 2.4 million Americans were impacted by their already 
enormous data breach. That brings the total to 147.9 million 
Americans.
    We can all agree that consumers in the United States face a 
data protection crisis. Currently, no Federal law requires 
credit reporting agencies to offer credit freezes. So, I look 
forward to this discussion and working with the Chairman and 
others on this legislation.
    I thank you, Mr. Chairman, and yield back.
    Chairman Luetkemeyer. The gentleman yields back.
    Today, we welcome the testimony of Ms. Sara Cable, Director 
for Data Privacy and Security and Assistant Attorney General of 
the Commonwealth of Massachusetts; Mr. Francis Creighton, 
President and CEO, Consumer Data Industry Association (CDIA); 
Mr. John Miller, Vice President, Global Policy and Law, 
Information Technology Industry Council (ITI); and Mr. Jason 
Kratovil, Vice President, Financial Services Roundtable (FSR).
    We certainly thank each of you for being here today and 
just a quick tutorial on those of you who haven't been here 
before on the microphone system, please turn it on when you get 
ready to speak. The green light will show and when you are 
getting ready to the 1-minute mark left to talk, you get five 
to speak, it will be yellow. And whenever you get that all done 
it is red, and about that time I start to raise my gavel. So, 
we will get along real well today. I am sure.
    With that, we want to start with Ms. Cable. Welcome, and 
you are recognized for 5 minutes.

                    STATEMENT OF SARA CABLE

    Ms. Cable. Thank you, Chairman Luetkemeyer, Ranking Member 
Clay, distinguished members of the subcommittee. I appreciate 
being here today.
    My name is Sara Cable. I am an Assistant Attorney General 
with the Massachusetts Attorney General's Office and I am the 
Director of Data Privacy and Security for its Consumer 
Protection Division. I am here today on behalf of my office to 
testify as to our concerns with the discussion draft bill, the 
Data Acquisition and Technology Accountability and Security 
Act.
    My comments today are informed by my office's over a 
decade's worth of experience in enforcing the Massachusetts 
data breach notice law and data security regulations, which are 
regarded as among the strongest in the country. This office 
works hard to use those laws to protect our consumers and we 
think that our consumers are better off as a result.
    We are encouraged that the subcommittee recognizes the 
critical necessity of data security and breach protections for 
consumers, and we share this goal. The constant drum beat of 
breaches over the last few years affecting some of the largest 
and most sophisticated companies has brought the issue of data 
insecurity to the forefront of the public's consciousness. It 
is clear that more must be done to protect consumers and 
preserve confidence in the marketplace.
    Now is not the time to dilute the tools regularly and 
successfully used by many States including Massachusetts to 
combat this crisis. The subcommittee's first priority should be 
on enhancing the existing protections consumers have under 
State law, not minimizing compliance cost for businesses that 
allow these breaches to occur.
    While we understand that Federal standardization is the 
thrust of the bill, Congress should not expose American 
consumers to increased risks as a result of a new, less 
stringent national standard. In our view, this bill would harm, 
not help, consumers. It would restrict, not protect or even 
preserve, the existing authority and role of the State AGs 
(attorneys general) and it would disregard, not respect, the 
important role of the States to enact protections they deem 
appropriate for their own consumers.
    I want to make my first point concerning the bill's 
consumer notice provisions. Our view is that the notification 
provision as drafted will leave consumers in a worse position 
than the status quo. If preventing consumer harm is the goal of 
a data breach notice regime which we think it is, quickly 
notifying consumers that their data has been compromised must 
be the first priority. This allows that consumer time to take 
steps to protect their identity before the hacker or an 
identity thief uses the breached information against them.
    The consumer notice standards in this bill, as found in 
section 4b-2, do not protect the consumers. They require notice 
only after the consumer has suffered harm. This is contrary to 
today's regime where consumers under most State laws are 
notified of breaches before the harm occurs. Notifying 
consumers of the breach after they are already harmed does 
little for the consumer and instead, it allows entities to pass 
the costs of its poor data security on to consumers and this is 
unacceptable in our view. Especially unfair because the bill 
does not clearly authorize any mechanism to remedy this harm, 
including by not giving clear authority to the State attorneys 
general to obtain restitution or consumer damages.
    My second point concerns the proposed enforcement 
mechanisms of the bill which make it harder for our office to 
protect our consumers. The State AGs are the cops on the beat. 
We have been on the frontlines of this problem for over a 
decade. We use our authority under our consumer protection laws 
and personal information protection acts to protect our 
consumers from breaches and hold companies accountable for 
failing to protect that data. This bill makes it harder for us 
to do our jobs.
    Among other problems that I have laid out in my written 
testimony, the bill does not require entities to notify State 
AGs of breaches impacting their State's residents. Under 
Massachusetts law and currently under the law of at least 24 
other States, State AGs get direct notice of breaches impacting 
their residents, and this notice is critical for us because it 
allows us to understand whether our consumers are impacted and 
gives us an informed and comprehensive view of the risks that 
are out there for consumers.
    Over the last decade, 21,000 data breaches have been 
reported to the Massachusetts Attorney General's Office. There 
were 3,800 reported last year and as currently drafted, we 
would get notified of none of these breaches. We also want to 
point out that the threshold for Federal notice of 5,000 
individuals affected we believe is too high and will fail to 
capture breaches that have a significant impact in a State.
    For example, in Massachusetts, less than 1 percent of the 
3,800 breaches last year met this criteria and indeed 93 
percent of the 3,800 breaches impacted fewer than 100 residents 
each. So, we think this bill would create a significant blind 
spot for Federal or State enforcement of poor security 
practices by businesses. Thank you.
    [The prepared statement of Ms. Cable can be found on page 
38 of the Appendix.]
    Chairman Luetkemeyer. OK. Thank you for your testimony.
    Mr. Creighton, you are recognized for 5 minutes.

                 STATEMENT OF FRANCIS CREIGHTON

    Mr. Creighton. Thank you.
    Before discussing the legislation before us today and how 
it would impact CDIA members and the credit reporting system in 
general, I would like to just give a brief context about how 
credit bureaus help the economy and how we are already 
regulated.
    Our credit reporting system today is the envy of the world. 
It is a main reason we have such a diverse range of lenders and 
products from which to choose. Without it, without access to a 
full consumer report, community banks, credit unions, insurance 
companies, and others won't know how a consumer has handled 
their obligations unless they already know the customer. 
Without credit reporting, smaller institutions would not be 
able to compete against the very largest banks for your 
business.
    Credit reports are a check on human bias and assumptions by 
providing facts that contribute to equitable treatment. CDIA 
members make possible an accountable and color-blind system. 
Without it, subjective judgments could replace the facts of 
creditworthiness. Credit reporting companies are also 
innovating to solve the problem of the un-banked, thin file, 
and credit-invisible consumers who have not had a chance to 
participate in the mainstream financial system, a goal shared 
by many on this committee.
    The Federal Fair Credit Reporting Act (FCRA) which governs 
credit reporting subjects credit reporting companies to a 
comprehensive regulatory and consumer protection regime. The 
FCRA protects privacy. It includes criminal penalties for 
people who abuse the system, mandates the accuracy and 
completeness of consumer reports and makes the process 
transparent for consumers. On data security, under the Gramm-
Leach-Bliley Act (GLBA), the nationwide consumer reporting 
agencies are subject to the FTC's (Federal Trade Commission's) 
Safeguards Rule as non-bank financial institutions. We are also 
regulated and face enforcement in current law by the States.
    Contractual obligations from our financial institution 
customers make sure we meet the requirements of the Federal 
Financial Institutions Examinations Council (FFIEC). At every 
level, this is a well regulated industry. The PROTECT Act, one 
of the bills before us today, would establish a new FFIEC data 
security regulator for our companies. We believe that any major 
change like this would be better informed by the outcome of the 
Equifax investigation, which is still ongoing by the FTC and 
the CFPB (Consumer Financial Protection Bureau).
    The PROTECT Act also establishes a uniform standard for 
credit freezes. We believe that this is in the best interest of 
consumers who share the same concerns whether they live in 
Missouri or Massachusetts. The patchwork quilt of State laws 
creates confusion. Every consumer should have the same right 
regardless of where they live. The last major provision of the 
PROTECT Act would be to eliminate the use of Social Security 
numbers in 2 years. We do not believe that this is a feasible 
proposal and we look forward to working with Mr. McHenry and 
this subcommittee on alternatives and marketplace innovations.
    We have obligations under the FCRA to ensure maximum 
possible accuracy, and the SSN is critical to meeting that 
legal obligation. We use SSNs for the same reasons that 
Government does. They are the only reliable and universal 
identifier. SSNs help ensure that information is matched with 
the correct file. There simply is no other identifier currently 
in existence that gives us the confidence required to meet our 
statutory obligations.
    We take our data security responsibility seriously, 
especially in light of the breach at Equifax. While the 
investigation there is not yet completed as I said, it has put 
a spotlight on our companies. We know that the most important 
thing is not how a company responds to a breach; it is 
preventing the breach in the first place. The Chairman's 
legislation establishes a national standard for both data 
security and for breach notification. The bill's provisions 
would allow a company's prudential regulator to enforce these 
rules, setting up the FTC as the regulator for those without 
one already, with enforcement by State attorneys general.
    Since credit bureaus are financial entities under GLBA, 
they would continue to be subject to the FTC's Safeguards Rule 
and to civil penalty authority for violations of the breach 
notification provision of the bill. The trigger for what 
constitutes a data breach is well defined, reasonable risk that 
the breach of data security has resulted in identity theft, 
fraud, or economic loss.
    We are pleased to note that for breaches over 5,000 
consumers, credit bureaus can be notified ahead of others, 
ensuring that we can prepare for the increased volume that a 
large breach generates. This legislation broadly conforms to 
the policy goals CDIA members have had for breach notification 
legislation and we are pleased to note the different interests 
who are working together to solve this problem. As the 
legislative process moves forward on both of these bills, we 
anticipate that there will be perfecting amendments to improve 
them, and we look forward to working with the bills' sponsors 
and other members of the committee on whether and how to reform 
our data security and breach notification regulatory regimes.
    I look forward to your questions. Thank you.
    [The prepared statement of Mr. Creighton can be found on 
page 100 of the Appendix.]
    Chairman Luetkemeyer. Thank you, Mr. Creighton.
    Mr. Miller, you are recognized for 5 minutes.

                    STATEMENT OF JOHN MILLER

    Mr. Miller. Chairman Luetkemeyer, Ranking Member Clay, and 
members of the subcommittee, on behalf of ITI and its member 
companies, thank you for the opportunity to testify today on 
the discussion draft of the Data Acquisition and Technology 
Accountability and Security Act.
    ITI is a global policy and advocacy organization 
representing over 60 of the world's leading information and 
communications technology companies from all corners of the 
sector, including hardware, software, Internet, networking, and 
services companies. Our members are not only technology 
solutions providers, but are also stewards of their own 
sensitive data. As such, we have interests as both covered 
entities and third parties in advancing Federal data security 
and data breach notification legislation that serves important 
consumer protection interests.
    Chairman Luetkemeyer and Congresswoman Maloney, I would 
like to begin my remarks by commending you for the transparent 
and inclusive process through which you and your staffs have 
worked to develop the discussion draft. We share your goal of 
developing a uniform consumer protective data security and 
breach regime and appreciate the openness with which you have 
considered our priority issues. Congress and the business 
community have worked for more than a dozen years to develop a 
regime that balances the concerns of all stakeholders, and this 
effort moves us closer to realizing that shared goal.
    We recognize that compromises must be made to move this 
effort forward and we do not wish the perfect to be the enemy 
of the good. In that spirit of compromise, ITI supports many of 
the provisions in the discussion draft but we also offer 
several recommendations aimed at further improving and 
clarifying the draft language. ITI developed principles that a 
data breach law must include to achieve much needed regulatory 
clarity and certainty. We are pleased the discussion draft 
reflects the majority of these principles by preempting the 
existing patchwork of State laws to reduce consumer confusion 
and ensure quicker and more consistent notifications, providing 
an exception for information that is rendered harmless via 
technology such as encryption; avoiding over-notification by 
appropriately limiting the definition of personal information 
to data that can be used to inflict concrete financial harms; 
acknowledging consumers are not well served by receiving 
notices from companies they do not recognize, but allowing 
companies and their third-party vendors to agree on 
notification responsibility by contract as appropriate; and 
recognizing criminal penalties are inappropriate for companies 
who are themselves victims of criminal hacks.
    Regarding the security provisions in the bill, ITI has long 
advocated for security approaches that are voluntary, grounded 
in sound risk management principles and international 
standards, foster innovation in cybersecurity and data 
protection, and are scalable for organizations of all sizes and 
sophistication. Flexibility is key, as a company must be able 
to protect the information it holds in a manner that is 
reasonable and appropriate to the nature of its business 
resources and the sensitivity of the data it handles.
    The security safeguards appear largely consistent with 
these key security principles, but we are concerned about the 
multilayered approach established by the bill which sets forth 
an enumerated list of sometimes prescriptive safeguards layered 
by a reasonable security standard. To help alleviate this 
concern, we recommend the inclusion of a heightened burden of 
proof for regulators, which would simply require a more 
thorough showing that a company who relied on and complied with 
the Government-directed safeguards and yet still suffered a 
breach nevertheless lacked reasonable security.
    In addition to this suggestion, my written testimony offers 
several additional recommendations to improve and clarify the 
proposed notification regime. I will briefly highlight a few of 
these recommendations here.
    First, the discussion draft requires notification be made 
immediately and without unreasonable delay. There are several 
reasons why immediate notification is not only infeasible but 
often inadvisable. Chief among them is that consumers will be 
subject to further harm by would-be thieves if the public is 
alerted to security vulnerabilities prior to their remediation. 
We recognize the urgency required in notification and recommend 
utilizing existing language from one of the existing State laws 
to more effectively balance these considerations.
    Second, the discussion draft requires third parties to 
notify covered entities if breached personal data has or may 
have occurred. Our companies deal with a large volume of 
security incidents daily, and while breaches are frequently 
suspected, preliminary investigations often reveal no breach 
occurred. Third parties cannot and should not be expected to 
notify based on a guess as to whether a breach may have 
happened. They must be afforded the same opportunity as covered 
entities to conduct an investigation to determine whether the 
security incident resulted in a compromise of data.
    Third, as the definitions are drafted, third parties will 
simultaneously be considered covered entities in most 
instances. This is problematic, because the discussion draft 
imposes different requirements on covered entities versus third 
parties. So, the overlapping definitions will subject third 
parties to divergent sets of requirements for the same 
activity. The definition of ``covered entity'' must be amended 
to focus on entities that own or license the data.
    Fourth, the discussion draft permits unlimited civil 
penalties arising from a single incident. Most data breaches 
are the result of criminal acts. Organizations can and should 
do their part to protect consumer data from unauthorized access 
and acquisition, but uncapped civil penalties are seemingly 
punitive in nature and not appropriate when an organization has 
been victimized by criminals or a nation state.
    Thank you again for the opportunity to share our 
perspective here today. I look forward to your questions.
    [The prepared statement of Mr. Miller can be found on page 
151 of the Appendix.]
    Chairman Luetkemeyer. Mr. Miller, thank you so much.
    Mr. Kratovil, you are recognized for 5 minutes. You have a 
very high bar to keep. Each one of these witnesses so far has 
stayed right at underneath their 5-minute allotment here.

                   STATEMENT OF JASON KRATOVIL

    Mr. Kratovil. Mr. Chairman, Ranking Member Clay, and 
members of the subcommittee, on behalf of the leading banking 
and payments members of FSR, thank you for having me here today 
to discuss two proposals closely linked in their goals to 
improve cybersecurity and the protection of consumers' credit.
    For companies across the economy, data isn't just a nice 
thing to have. It is increasingly the engine of modern 
commerce. For the better part of 13 years, I have been involved 
in this committee's work on data security legislation. Back in 
2005 when I worked for the late Congressman Steve LaTourette, 
this committee passed his bipartisan legislation, marking the 
first time a Congressional committee directly tackled this 
issue.
    Back then, high-profile data breaches grabbed headlines 
much as they do today, but it was in many ways a simpler time. 
The ability to harness the power of data was confined to the 
Government or the largest, most sophisticated companies. 
Household budgeting relied on balancing a checkbook, not data 
aggregation platforms running advanced APIs, and the cloud was 
simply an object in the sky.
    While times have certainly changed, some principles remain 
the same. Over the last 13 years, the financial industry has 
consistently called for Congress to enact data security 
legislation that sets strong but flexible and scalable 
requirements for companies across the economy to protect data 
and to ensure consumers receive notice of a breach when they 
are at risk. The proliferation of sensitive consumer data 
across the economy has only heightened the need for Congress to 
act.
    Today, a business with only a few employees and modest 
resources can obtain the technology or develop an app to allow 
them to come into contact with millions of pieces of data. The 
implications of this from a consumer privacy and business 
ethics perspective are significant. The discussion for 
policymakers, however, must begin with security. That is why 
both the PROTECT Act offered by Congressman McHenry and Mr. 
Chairman, the discussion draft of data security and breach 
notice legislation you and Congresswoman Maloney have put 
forward are both so important and timely.
    The discussion draft of data security legislation is an 
excellent start and represents the best opportunity I have seen 
to actually get a bill through the House. I provide a more 
detailed review of both proposals in my written testimony, but 
would like to offer a few observations on the Chairman's 
discussion draft.
    First, your draft sets a high bar for data security. For 
the financial sector, this is critical. Underlying our advocacy 
for Federal legislation is the hope that with the right 
standard, the number of incidents can actually be reduced. 
Reaching the right threshold means spelling out a process and 
risk-based framework for companies to follow. Federal 
legislation should not expect the small mom-and-pop merchant to 
deploy the same cyber resources as their larger counterparts. 
Your draft sets the right standard while not unduly burdening 
firms that have little or no exposure to sensitive data.
    Second, we strongly believe notification to consumers must 
be tied to an assessment of risk as the discussion draft makes 
clear. By that, a breach of commonly available phonebook-type 
information or sensitive information that is encrypted should 
not trigger notice. Notice must be viewed by consumers as a 
call to action, based on an assessment that the nature of a 
breach has exposed them to a risk of financial fraud.
    Over-notification makes us desensitized. I guess most of us 
are guilty of throwing out yet another breach letter we 
received in the mail. With this draft, Congress has an 
opportunity to reframe the importance of breach notification, 
making receipt of a notice something we as consumers take 
seriously.
    Third, the United States has favored a sectoral approach to 
the regulation of data security and that approach should be 
preserved. By that, I mean new legislation should recognize 
that sectors including the financial industry have existing 
Federal obligations to secure data and notify consumers of a 
breach and not add duplicative responsibilities.
    Finally, we believe preemption of the patchwork of State 
laws is the right approach for Congress to take. Few issues 
better illustrate the need for a uniform Federal standard as 
data breach. That said, I would be very concerned if the 
measure before us only amounted to a weak data protection 
standard. However, as I mentioned, the discussion draft hits 
the right mark.
    In conclusion, with the lessons of history as our guide, it 
is clear that finding consensus is critical if we want to see 
data security legislation enacted. FSR has worked for many 
years to help bridge the policy divides that have caused the 
legislative process to stall in the past. As evidenced by this 
panel, more stakeholders are at the table today than ever 
before, ready to work with this committee and others in the 
interest of seeing a strong piece of consumer protection 
legislation signed into law.
    Thank you, Mr. Chairman. I look forward to your questions.
    [The prepared statement of Mr. Kratovil can be found on 
page 126 of the Appendix.]
    Chairman Luetkemeyer. Thank you, Mr. Kratovil, and I thank 
all of our witnesses. You guys did a great job and we certainly 
appreciate your thoughtful suggestions. And again, we are 
discussing a draft legislation with regards to what we are 
doing with our particular bill. And so, it is a work in 
progress and we appreciate your willingness to work with us on 
that. It is not perfect. We are going to try and get it better 
and hopefully, it would be something we can implement here down 
the road.
    So, with that in mind, I appreciate the statistics Ms. 
Cable gave us, 28,000 breaches in the last 10 years. We have a 
crisis on our hand, do we not? It would seem to me that this 
is--we have to do something different than what we have done in 
the past. So, I appreciate your comment. Also when you said 
data insecurity, that is a new word. I like the way you phrased 
that. It feels like after 28,000 breaches, we do probably have 
data insecurity rather than security at this point.
    So, with that, Mr. Creighton, I want to begin the 
questioning with you. There has been a lot of conversation 
around what this discussion draft might mean for credit 
bureaus. Can you tell us what if anything would change for your 
members if this bill was signed into law? And you have two 
bills here today that address a little bit in your world, so, 
if you don't mind.
    Mr. Creighton. Yes, sure. Your bill, the Data Breach 
Notification and Security Bill would--we are currently subject 
to the FTC's Safeguards Rule and our reading of the bill is 
that we would continue to be subject to the FTC's Safeguards 
Rule, but we would be subject to a new data breach notification 
standard at the Federal level, which currently doesn't exist.
    Right now, we comply with a series of State laws around the 
country--
    Chairman Luetkemeyer. That a better deal or a worse deal 
for you?
    Mr. Creighton. Well, I think it would be a greater deal for 
our consumers, for customers because we are trying to figure 
out what we should be complying with at any one moment. If 
there was one strong standard that we could live up to, 
consumers would benefit from that.
    Chairman Luetkemeyer. OK, very good.
    Mr. Creighton. On the PROTECT Act, the most--the biggest 
change would be the elimination of the use of Social Security 
numbers in 2 years. We would like to talk to the committee 
about that. That would not be something that we think we could 
work with, but we are interested in how we can innovate and how 
we can get other--find another universal identifier, but it 
would be a very difficult thing to do.
    We haven't solved that problem yet and Congress has been 
studying it for many years. The other thing is it would set a 
new data security regulator for the credit bureau industry that 
would be set by the Federal Financial Institutions Examination 
Council.
    Chairman Luetkemeyer. Very good. Thank you.
    Mr. Kratovil, as you know, financial institutions carry a 
lot of sensitive information for consumers. Some have charged 
that those institutions which are subject to the Gramm-Leach-
Bliley Act have no requirements when it comes to safeguards 
notification. Is that accurate?
    Mr. Kratovil. In a word, no.
    Chairman Luetkemeyer. I like the brevity of that answer, 
but I would like a little bit more explanation.
    Mr. Kratovil. Of course.
    Chairman Luetkemeyer. Thank you.
    Mr. Kratovil. In 1999, Congress passed GLBA. In 2000, the 
banking regulators and the FTC began implementing it. What they 
implemented were a series of interagency guidance and 
guidelines establishing information security practices and 
breach notification.
    Fundamentally, that guidance was issued as a core element 
of safety and soundness regulation. Banks are examined to 
ensure compliance with the guidance and compliance is demanded. 
And if compliance is not met, examiners have an extensive set 
of enforcement tools at their disposal which they can ensure 
any financial institution in violation is compliant.
    Chairman Luetkemeyer. So, I understand that there are all 
different levels for compliance with this. Are there not?
    Mr. Kratovil. Yes, sir.
    Chairman Luetkemeyer. I appreciate that. Thank you very 
much.
    Mr. Miller, one of the most discussed elements of the bill 
deals with requirements of third parties to notify in case of a 
breach. I think you discussed this a little bit in your opening 
statement. But can you give us your thoughts on how those 
requirements should be structured?
    Mr. Miller. Thank you for the question. Well, there are a 
couple of aspects of the third party requirements that I did 
point out in my testimony which could be improved.
    One of those is with respect to the overlapping 
requirements between third parties and covered entities. I 
think this could be tightened up by, I suggested, fixing some 
of the definitions and focusing both sets of definitions on 
what types of data is being handled or stored and using terms 
like that is actually very--it really creates a lot of 
confusion and, in particular, focusing the covered entity 
definition on companies that own or license data certainly 
seems better to us.
    With respect to the third party and the notifications 
themselves, the goal of the bill, we think, should be to 
provide, of course, meaningful notice to consumers. The 
entities with whom the consumers have a relationship, if we are 
really going to effectuate that goal, should be the ones 
providing that sort of notice. There are always going to be 
other parties involved in a breach, when we look at today's 
interconnected ecosystem, and the bill appropriately provides 
for those parties to work out the details of how those costs 
are shared.
    Chairman Luetkemeyer. Thank you for that. My time is up. I 
didn't get a chance to discuss this with you, but just to give 
you a heads up and hopefully some of the members of the 
committee will follow up on this. There are some European 
standards that are being promoted by some of the folks in 
Europe and I am not a big fan of letting Europe tell us how to 
do our business over here.
    So, I am concerned about that and I will hope that one of 
our members will follow up with some questions with regards to 
how you all view those sort of standards and if some of them 
are good, some of them are not so good, which ones we need to 
be thinking about.
    So, with that, I yield my time to--my time is up and I 
yield to Mr. Clay, the Ranking Member, for 5 minutes.
    Mr. Clay. Thank you, Mr. Chairman.
    Ms. Cable, according to Attorney General Healy, data 
security and breach notification legislation marked up by this 
committee last Congress would have drastically undercut your 
State's data security regulation. Would the concerns raised by 
AG Healy still apply to the discussion draft under 
consideration today, and can you explain specifically which 
Massachusetts safeguards would be undermined if the discussion 
draft were enacted in this current form?
    Ms. Cable. Thank you for the question. I will say the 
difference between this bill and prior bills that I think is 
positive is that it does have a data security minimum standard. 
In my written testimony, I have included some areas where that 
standard can be improved in a way that I think decreases 
compliance cost for businesses and protects consumers.
    Putting that aside, the way that this bill changes the 
status quo in a way that is worse for consumers is, as I 
mentioned, it doesn't put notice in their hands--it does not 
require notification to consumers until after they have been 
harmed. It also allows the entity to conduct a preliminary 
investigation as to the scope of the breach and allows them to 
take remedial steps to secure the information but puts no 
outward timeframe for that investigation.
    And we believe in our experience, we have certainly seen, 
this creates opportunities for abuse and further delay before 
consumers are notified. So, we think that that is a big 
departure from current law. That does not help consumers at 
all.
    Mr. Clay. And as the committee considers creating national 
data security and breach notification standards, can you 
comment on whether you believe it is critical that we preserve 
the ability of States to protect their residents from emerging 
threats to the privacy and security of their data?
    Ms. Cable. It is absolutely critical. Currently, and our 
office has been actively engaged with our State legislature on 
improvements and the additional tools that we can use to 
protect our consumers in light of Equifax, and we are not the 
only State. I think States have been extremely active after 
Equifax in taking a look at their security freeze legislation, 
their data breach notification legislation, they are doing 
their jobs. They are doing what States do best, which is being 
agile, being innovative, and coming up with protections that 
they think fit their consumers and their consumers' needs.
    This bill, the preemptive effect of this bill, we think is 
not in the consumers' interest. And one thing I want to point 
out about the preemption as it currently is drafted--it 
preempts any State law, quote, ``with respect to securing 
information from unauthorized access or acquisition.''
    It is not limited to securing statutorily defined personal 
information. There is a big gap between what constitutes 
information and what constitutes personal information. And in 
my written testimony, I included some examples of some existing 
State law that arguably this bill would preempt. That have 
nothing to do with data breach notification or data security.
    I think we are not for weaker Federal standards that 
preempt stronger State. To the extent there is preemption, we 
think it needs to be narrowly tailored to the precise matters 
that the bill is addressing, not spread on other areas.
    Mr. Clay. And, Mr. Chairman, I couldn't agree more with the 
witness. She is making the point as to why should we weaken 
current protections under State laws that have already been 
enacted instead of us erring on the side of trying to craft 
this bill in a way that is consistent with the strongest 
protections of what the States have enacted to this point.
    I think she makes a great point about that and hopefully 
going forward, we as a committee can find some common ground in 
that area. And that is just a comment to you. I haven't 
finished yet.
    But look, it makes sense that we actually err on the side 
of giving the strongest protection possible to the American 
consumer and don't weaken them because we are trying to come up 
with a national law. Don't make it weaker in order to appease 
one side or the other. Make it stronger. Anyway, my time is up. 
And I yield back.
    Chairman Luetkemeyer. I appreciate the gentleman's comments 
and I appreciate Ms. Cable's comments. In fact, the first 
comment that you made, we are in the process of fixing that as 
we speak. I think we were aware of that, but we appreciate you 
bringing that point to us.
    Again, we want to make sure that we do this in the right 
way and, to the gentleman's concerns, this is the reason for 
the draft, is to come up with better ways of doing things. And 
we want to hopefully get that done here. Some of the States 
have some standards that are not able to be adhered to by 
everybody, so we want to make sure this is something that 
everybody can live with.
    So, we may back off the top standard a little bit to make 
sure it works, but we are going to try and get this all done. 
So, again, thank you very much.
    With that, we will go to the gentleman who is the Vice 
Chair of the committee, Mr. Rothfus. He is from Pennsylvania. 
You are recognized for 5 minutes.
    Mr. Rothfus. Thank you, Mr. Chairman.
    And Mr. Miller, when we look back at the Equifax breach, 
one of the major questions that stands out is why it took so 
long to notify the public. Millions of Americans had their 
personal data compromised and Equifax knew this, but they were 
not able to take steps to protect themselves some time after 
the breach occurred because they were unaware.
    At the same time, I understand a firm that has been 
breached goes public before any vulnerabilities can be patched, 
bad actors can continue to exploit gaps in the firm's cyber 
defenses. What is the best way to strike a balance between 
prompt notification and thorough corrective action?
    Mr. Miller. Thank you very much for the question. I think 
you point out how it is a bit of a paradox. We, of course, want 
to provide notification as quickly as possible when there is a 
breach. By the same token, there are a lot of breaches, 
unfortunately. I think the Chairman mentioned a couple of times 
already, there is a crisis of sorts. And not all of those 
breaches are going to actually result in a breach of consumer 
data.
    Organizations have to have the opportunity to conduct an 
investigation to understand both the scope of the breach and 
also, in particular, to patch a vulnerability before actually 
providing notice, particularly public notice to consumers.
    So, that is one of the reasons that we advocate against any 
types of very strict timelines and certainly against an 
immediate notification, but rather one that is without undue or 
unreasonable delay, or something like that. Thank you.
    Mr. Rothfus. Well, the Chairman raised the issue of the 
European situation with their general data protection 
regulation and the requirement of a notification within 72 
hours. Have you had a chance to take a look at that?
    And also Mr. Kratovil, I am just curious what you are 
thinking on what the Europeans have done. If Mr. Miller, you 
could comment, then maybe Mr. Kratovil?
    Mr. Miller. Sure, happy to. I have taken a look at the GDPR 
and that legislation. And I think it points to the importance 
of really being clear about which notification we are talking 
about.
    There actually is not a 72-hour notification provision in 
the GDPR with respect to consumer notifications, that there is 
again an--without undue delay standard there. There is a 72-
hour notification obligation where feasible to regulatory 
authorities. So, again, those are different types of 
notifications, of course. Thank you.
    Mr. Rothfus. Mr. Kratovil?
    Mr. Kratovil. Congressman, I would align myself with Mr. 
Miller. I completely agree with what he said. No two breaches 
are the same. If we have learned anything, it is that fact 
alone, and it does take companies time to get their arms around 
the breach and to stop the bleeding as it were.
    And also to figure out, as Mr. Miller said, did the breach 
result in something that is actually of harm to consumers? If 
what was breached was fully encrypted data that is unusable by 
the person who exfiltrated it from the system and consumers 
aren't at risk, does that trigger notice? Should that trigger 
notice? We would argue that it doesn't.
    In terms of timing, immediate is arguably an unprecedented 
concept in terms of speed and certainly among the States. As 
Mr. Miller said, most rely on some variations on the theme of 
promptly and without unreasonable delay and we would suggest 
that that is probably the best way to strike a balance in 
Federal legislation.
    Mr. Rothfus. In your testimony, you wrote, ``Congress needs 
to act to require firms of all shapes and sizes that handle 
sensitive information to protect the data.'' Why do you believe 
it is important that firms of all types that handle sensitive 
data comply?
    Mr. Kratovil. Thank you for that question. And what I was 
getting at, I mentioned in my opening statement, you can be a 
very small business and with modest resources, you can get 
access to the technology to allow you to be processing millions 
and millions of pieces of consumer data.
    It is very difficult to say that just based on the size of 
a company alone should determine how or what data security 
protection you should have on businesses. That is why the 
approach in the discussion draft that builds in a flexible and 
scalable framework that looks at a variety of considerations so 
that a company can look at itself and make the appropriate 
decisions based on the type of data that they hold, for 
example, and how sensitive that data is, as to what cyber 
protections they need to have in place.
    Mr. Rothfus. And how would the bill appropriately tailor 
data security obligations for firms of different sizes and 
different industries without compromising our collective 
security?
    Mr. Kratovil. Yes. It is a great question and you can look 
even to our law Gramm-Leach-Bliley for some reference and there 
are parallels with what is in the discussion draft. And as I 
mentioned, the bill lays out right up front a number of 
considerations that a firm should take into consideration, such 
as the size and complexity of the firm, the sensitivity and the 
type of data it holds, the cost of available products and 
security.
    Again, getting to the idea that you want a small firm that 
really isn't touching personal information or sensitive 
financial information should not have the same data security 
obligations as any of my members of large, nationwide 
companies.
    Mr. Rothfus. My time has expired. I yield back.
    Chairman Luetkemeyer. The gentleman's time has expired.
    With that, we go to the gentleman from Texas, Mr. Green is 
recognized. Oh, Mr. Scott. I am sorry.
    OK. The distinguished gentleman from Georgia is recognized 
for 5 minutes.
    Mr. Scott. Chairman Luetkemeyer, first of all, I want to 
thank you and Ranking Member Clay for having this very 
important hearing. Data security is very, very important. It is 
on the minds of all the American people. And we can do a whole 
lot better. We better get to work on it very quickly.
    And, of course, I represent Georgia, the home of the most 
unfortunately drastic cyber-attack with a very good company, 
Equifax, that we are working to get that straight as well.
    But, Mr. Chairman, I would like to just address my remarks 
to one of the pieces of legislation we have before the 
committee on data security and that is my good friend 
Congressman McHenry's PROTECT Act, House Resolution 4028.
    I just want to trump that and I have had a few moments of 
being able to talk to Representative McHenry about my concerns 
on this. And that is that in his bill, I found that one of the 
problems is that it only requires enhanced cybersecurity 
supervision for larger consumer reporting agencies.
    I think it is very important to realize that Americans have 
lost faith in all of their credit reporting agencies, so only 
applying these new standards in his bill to just the largest 
agencies would mean we would have some agencies that would meet 
enhanced security standards while others would not.
    I wanted to just point that out and see if we cannot build 
upon that. But more importantly, I want to talk about this 
organization that we refer to as the FFIEC. And that 
organization is the Federal Financial Institution Examination 
Council.
    And that is where we will be passing this hot potato to. It 
is the interagency council for financial regulators. But I 
think that this isn't enough. I really think Americans really 
would want us to go a bit farther.
    Everyone should be reminded that most Americans don't have 
a choice about whether credit reporting agencies like Equifax 
collects information on you. The American people, their data 
are the products of these companies.
    This world of the credit reporting agencies and how this 
industry works has been a total mystery to everyone up to this 
point. And after learning about what is happening, some of the 
people--American people feel quite a bit helpless and 
frustrated about it.
    Let me just ask you and this panel, with that said, I don't 
think that the Gramm-Leach-Bliley standards in Mr. McHenry's 
bill go far enough. And I think we should hold the credit 
reporting agencies to a higher standard than we have.
    We had the worst data breach in American history, 145, 146 
million American families lost very valuable data. And so, I 
was wondering if you all agree with me on this. Ms. Cable, 
would you respond to that?
    Ms. Cable. Absolutely, thank you for the question. I 
absolutely agree. In our experience, again, over 10 years, 
21,000 data breaches. Equifax is by far the worst. Both in 
terms of size and scope, the sensitivity of the data and what 
Equifax is.
    It is in the very business of protecting this precise data. 
And as the full committee learned a few months ago, our office 
has viewed Equifax through the law. Putting aside the PROTECT 
Act and looking at the Federal data security proposed 
legislation, I will note that it does appear to tie the hands 
of the State against a future breach by an entity such as 
Equifax. It is a little unclear, but comparing this bill, if it 
were to go forward, against the status quo, an entity like 
Equifax would frankly receive a windfall in terms of having one 
less source of regulators over it and that would be the States.
    We don't think that is appropriate at all. We think there 
is no justification whatsoever, especially in light of Equifax 
for that to be the case.
    Mr. Scott. I thank you, Ms. Cable. My time is up. Mr. 
Chairman, I just make note that I look forward to working with 
Mr. McHenry on this and see if we can apply it to all of the 
agencies. I think he will be agreeable to that.
    Chairman Luetkemeyer. Thank you for your thoughtful work 
here. Thank you, Mr. Scott. His time has expired.
    With that we go to the gentleman from North Carolina, Mr. 
Pittenger is recognized for 5 minutes.
    Mr. Pittenger. Thank you, Mr. Chairman for holding this 
important hearing today. I would like to thank all of you for 
being here. It has been very revealing for me. Data security is 
an essential part of any company. It is a critical part of 
ensuring that consumers' data is protected, that all customers' 
information is obviously kept safe. I would like to thank, as a 
result, Mr. McHenry, Mr. Luetkemeyer, Mrs. Maloney for their 
efforts and the hard work, all this important legislation.
    The ever-present threat of data breach has many Americans 
sick and tired of, frankly, their Social Security numbers being 
breached and being identified. And I would like to address 
first Mr. Miller, and then Mr. Creighton. What can we do about 
our Social Security numbers being compromised?
    Mr. Miller. Thank you for the question, Congressman 
Pittenger. Well, I know that the PROTECT Act discusses Social 
Security numbers and the potential for phasing out Social 
Security numbers. I think if you talk to most security experts, 
they will tell you that that is a laudable goal, moving away 
from static universal identifiers.
    The question, of course, as your question implies, is how 
do we get there? There are all types of innovative technologies 
and progress being made around different types of 
authentication using biometrics, et cetera.
    I can't sit here today and tell you I have the answer on 
what the alternative is for protecting or even not using Social 
Security numbers so much, but I do know that we need to keep 
looking for other solutions to what Social Security numbers are 
currently serving in terms of their purpose.
    Mr. Pittenger. Mr. Creighton, would you like to weigh in on 
this?
    Mr. Creighton. Yes, sir. The Social Security number is 
really used as an identifier, not as an authenticator. And that 
is an important difference. You would be surprised at how many 
people in this country share the same name and even share the 
same date of birth.
    And the Social Security number gives us the ability to 
match the right information with the right file, for example, a 
father and a son who share the same name and maybe even the 
same address.
    We believe it is very important that the Social Security 
number stay out there for identification purposes only. Now, if 
that was all that was necessary for you to go out and to get a 
loan, there would be a much greater incidence of new identity 
fraud or new account fraud in financial institutions because 
the Social Security number has been compromised so many times 
that they are out there, right?
    The OPM (U.S. Office of Personnel Management) hack, which I 
was subject to and I am sure others on this committee were, is 
one example of many other examples where the Social Security 
number has already been compromised.
    The wide-scale usage of Social Security numbers didn't 
happen overnight. It really was something that is a decades-
long process that started with the Executive Branch and 
eventually moved into the private sector.
    But now it is there. And the question that I think we need 
to answer is, if we are going to replace it what do we replace 
it with? We still need something that is going to identify 
people.
    Mr. Pittenger. And?
    Mr. Creighton. I don't have the answer for that.
    Mr. Pittenger. OK.
    Mr. Creighton. And I wish I did. Believe me because--
    Mr. Pittenger. I thought it was just going to burst out.
    Mr. Creighton. Oh no, I wish. But I personally have been 
breached so many times. It makes you crazy.
    Mr. Pittenger. Sure. I have too--
    Mr. Creighton. I understand that, but there is nothing 
right now that it could be replaced with, unfortunately.
    Mr. Pittenger. We will wait for that magic moment.
    Mr. Creighton. Yes, sir. Me too.
    Mr. Pittenger. Mr. Kratovil, kindly tell me the role again, 
just clarify, of law enforcement and what they play in 
determining the notification timing after a breach has 
occurred?
    Mr. Kratovil. Sure, thanks for that question Congressman. 
Financial institutions work very, very closely with two primary 
law enforcement bodies, that would be the Secret Service and 
the FBI.
    They very often maintain very close working relationships 
with field offices, so that in the event of a cyber incident it 
can be a mutual effort to help ascertain what has happened, get 
a handle on the breach. The main purpose of involving law 
enforcement is to see if they have the capacity in the course 
of investigating a breach to identify who has done the hacking 
and maybe even go after them and get them.
    And thinking about it in the context of the timing question 
that we have talked about for notification, it is very 
important to let that process happen. Our members take 
engagement with law enforcement very, very seriously. And I 
know having them involved in an investigation is critical.
    Mr. Pittenger. Mr. Creighton, would you like to weigh in?
    Mr. Creighton. Yes and in fact, in some cases, law 
enforcement actually requests that the breached entity not 
disclose until they can finish their investigation, and that is 
something that the law should probably accommodate as well.
    Mr. Pittenger. Thank you. My time has expired.
    Chairman Luetkemeyer. The gentleman's time is about to 
expire. With that we go to the gentleman from Washington, Mr. 
Heck is recognized for 5 minutes.
    Mr. Heck. Thank you, Mr. Chairman.
    Last night I had the pleasure of watching my wife's--whose 
birthday is today--beloved alma mater, Gonzaga University, put 
the hurt on BYU, apologies to Congresswoman Love for the WCC 
championship.
    This will be our 19th straight State trip to the dance 
under Coach Few who is the winningest active coach in the NCAA. 
And many years ago the big schools started coming after him 
because of his success. They try to lure him away with a 
contract a multiple, far away from the little Jesuit University 
in Spokane, Washington. And he kept saying, ``No, no, no, no.'' 
And he has said, ``No, no, no, no'' ever since.
    And eventually they stopped asking. And then reporters 
started asking, why did you say no all those years? And his 
response was, ``Why mess with success?'' And that wisdom 
reminds me of a provision that is included in this draft bill 
and that is the carve-out for State insurance regulators.
    I want to thank the Chair for that. I fought very hard for 
that last year when we were in the midst of that and extend my 
gratitude to Mrs. Maloney as well. I think it is a recognition 
that for those of us who have as a goal protecting consumers, 
acknowledge that State insurance commissioners oftentimes are 
doing this very well.
    I know they are in my State. My goal is protecting 
consumers and my insurance commissioner is doing that. But that 
is not to say, of course, that we don't have significant cyber 
threats in this area.
    And so, Sara, I want to direct this to you if I may, Ms. 
Cable. We are having a hearing on data security. So, if you 
could suggest to insurance regulators anything that they might 
do to strengthen their cybersecurity rules, what comes to your 
mind?
    Ms. Cable. That is a big question. I think I will answer 
if--
    Mr. Heck. It is a great lead-up, though.
    Ms. Cable. It is. It is. I will answer it by saying this is 
not unique to insurance companies but institutions in general 
and to comment on a comment made earlier that most breaches are 
criminal in nature, that has not been our experience. And I 
think there are other statistics to back this up, but by far 
most breaches we see are a result of human error because humans 
are humans.
    And sometimes companies have fantastic policies and 
employees just don't follow them. Oftentimes, however, 
companies do not have good policies or they have a policy on 
paper that doesn't actually get implemented.
    And even criminal breaches, we see in the case with 
Equifax, they result because of a failure to do even basic--
take even basic security precautions such as patching a 
software the company knows to be vulnerable.
    And so, I think the advice to a regulator would be looking 
to enhance or enact minimum data security standards, is they 
are critically important because there is an awful lot of room 
for improvement.
    And I think the standards established in Massachusetts 
which are similar to the Gramm-Leach-Bliley standards, somewhat 
similar to those proposed in this bill, although again there 
are some improvements that we have put forth in our testimony 
that we think are critical because it is impossible to stop all 
breaches, but it is definitely possible to stop a lot of them.
    Insurance companies handle tremendously sensitive 
information. Sometimes a company has agents all over the place 
that they have a hard time getting their arms around in terms 
of making sure that those agents have secure systems, their 
computers are secure and what not. So, I do think that data 
security for insurance companies is critically important. The 
States have been active in this. We had a resolution against 
Nationwide Insurance a year or so ago.
    So, I encourage State insurance commissioners to consider 
minimum security standards. I think it is critically important.
    Mr. Heck. So, in the short period of time I have left, and 
prefacing this question with the disclosure I am not a lawyer. 
I note that there is a use of terms like a reasonable risk, 
economic loss, and unreasonable delay within the notification 
section of this bill.
    As it relates to Equifax, I guess I would be curious, Ms. 
Cable, if you think 40 days was unreasonable. And does 
unreasonable delay have any legal meaning?
    Ms. Cable. Thank you for the question. I see my time to 
answer--we have sued Equifax so I would like to not speak to 
the specifics on the facts that the timing of the notification 
is a claim in our case.
    But speaking more broadly, Massachusetts has one of those 
State laws that requires notice, I believe the words are as 
soon as practicable and without unreasonable delay. It doesn't 
ascribe an outer limit or initial limit for notice.
    And I think that is for good reason. Every breach is 
different. The circumstances are different. There are times 
that an entity is not in a position, I have never seen an 
entity in a position to provide immediate notice. However, I 
have seen entities in a position to provide notice that delay 
it for their own purposes. And you can imagine the list of 
purposes that might be there. Words such as unreasonable, 
lawyers have a good time with those words.
    Ultimately, it would be up to a judge based on the facts 
and circumstances. So, I think those words are useful, that 
they provide a flexibility that is not a bad thing for 
consumers and provides entities the flexibility they need.
    Mr. Heck. Thank you.
    Chairman Luetkemeyer. The gentleman's time has expired.
    With that, we go to the gentleman from Colorado, Mr. Tipton 
is recognized for 5 minutes.
    Mr. Tipton. Thank you, Mr. Chairman.
    I appreciate the panel being here. I appreciate Congressman 
Heck's story, which we had a Colorado team that was just 
winning a championship there as well. But I think you brought 
up an important point and I think Ms. Cable had pointed to it 
just a little earlier, brought up Massachusetts, brought up 
your State regulators in regards to the insurance industry.
    And Mr. Kratovil or maybe Mr. Miller, maybe you would like 
to speak to some of the variances that we do see between 
different States and maybe speak to why it is important that 
you spoke to it in terms of some of your testimony, to be able 
to have some of that harmonization.
    Mr. Kratovil. Sure. I will start and hand it to my--
gentleman, Mr. Miller. I will give you some, at least one 
example on the security side and one example on the 
notification side and variances within State laws.
    On the one hand, not too many States have data security 
laws. Of course, Massachusetts has been a leader in that and 
certainly has arguably the strongest State law on the books 
right now. As Ms. Cable mentioned, there are many parallels to 
the Gramm-Leach-Bliley standards for financial institutions in 
her State's law.
    But then you look at other States, for example, that have a 
data security law that is perhaps just one line, you should 
have reasonable measures in place to secure data. Those are two 
ends of the spectrum when you think about data security.
    On notice, thinking about the question of timing, I know 
that is an important topic that the committee is considering. 
As Ms. Cable noted, her State has what is a variation of a 
standard that is used by the majority of States, which is 
something promptly without unreasonable delay.
    Some States have chosen to take and set date-specific 
timelines, say 30 days I think is what the majority of States 
that have chosen to pick a date have decided to use. So, again, 
it speaks to the importance of Congress acting here as to 
smooth out, set the right standard, an appropriately high 
standard for everyone in the country, because it shouldn't 
matter where you live as to whether or not your data is kept 
secure.
    Mr. Miller. Thank you. I agree very much with everything 
Mr. Kratovil said. Again, just to reiterate the security point, 
I think it has been pointed out a couple of different times 
that there are some States such as Massachusetts that do have 
high security standards in their State laws.
    But there are many other States, 30-something, that don't 
address data security standards at all, so it depends on your 
perspective, I suppose, when you look at the discussion draft. 
I would like to take the perspective that the discussion draft 
is appropriately trying to raise all those 30-something boats 
up to some type of meaningful, reasonable level for security.
    And then on the notification front, again I agree that, in 
particular, when we are talking about how companies function 
and have customers in an economy all across the country and the 
world--their customers are everywhere.
    It doesn't make a lot of sense that they are going to have 
varying requirements with respect to whether it was 
unreasonable or undue delay, or 30 days or 45 days. So, 
harmonizing a standard in that regard is really going to 
improve the purpose of the bill, which is to help consumers.
    Mr. Tipton. Right.
    Mr. Kratovil, maybe you could speak to the point in regards 
to startups and the private sector, private sector businesses. 
What incentives are in place for them to be able to set 
cybersecurity regimes within those businesses to make sure that 
we do have the ability for notification?
    Mr. Kratovil. I think increasingly privacy and security is 
being baked in from the moment the coders sit down and start 
writing the code to make their new technologies feasible. 
Privacy by design, security by design are starting to become 
the de facto standard by which entrepreneurs and technologists 
are building applications. And certainly, from our perspective, 
FSR's members tend to be on the leading edge of wanting to 
partner with and collaborate with those technology providers, 
and when that is the case, certainly our members are going to 
expect that their technology partners are living up to the 
absolute highest data security requirements.
    Mr. Tipton. And does that speak to the point where we don't 
want to have one specific regimen in place to be able to allow 
that innovation in the private sector for some of the different 
ideas that can then be shared with others?
    Mr. Kratovil. Yes. You are absolutely right. Innovation in 
both cyber and payment security, just as examples, is happening 
at a tremendous rate. And that is why I keep pointing back to 
the need, for whatever Congress does in this space to be 
flexible and scalable. A framework, a process and risk-based 
framework, that allows that innovation to continue. If you 
mandate technologies, you just drive everybody to try to comply 
with what standard you have baked into the law. That would 
probably not be in the best interest of innovation.
    Mr. Tipton. Thank you.
    And, Mr. Chairman, I appreciate your and Mrs. Maloney and 
Mr. McHenry's work on a very complex and tough issue that is 
going to continue to perplex in some areas, but we will be able 
to make some move forward with this legislation.
    Thank you, and I yield back.
    Chairman Luetkemeyer. Thank you for your comments. The 
gentleman's time has expired.
    With that, we go to the gentleman from Texas, Mr. Green, 
recognized for 5 minutes.
    Mr. Green. Thank you, Mr. Chairman. I thank the Ranking 
Member as well. Thank you, the witnesses, for appearing today.
    Mr. Chairman, I ask unanimous consent to introduce some 21 
letters into the record. These are letters from the American 
Bankers Association to the Financial Services Roundtable, to 
the National Association of Realtors, to the U.S. Travel 
Association, not naming them all. There are many more. With 
unanimous consent, I ask that they would be introduced.
    Chairman Luetkemeyer. Without objection.
    Mr. Green. Thank you. And, Mr. Chairman, the Ranking Member 
breached or broached if you will an area that I would like to 
go into. And in so doing, I would like to lay this predicate. 
There is an industry perspective on this.
    And it appears that the retailers, and I am reading now 
from the briefing book, have cautioned against replacing State 
standards with the weaker Federal standard. There is also an 
indication from the intelligence shared that consumer advocates 
of the opinion that a national data breach notification 
standard should not come at the expense of weakening the 
strongest standards already afforded in other States.
    So, my question is to you, in your opinion is the 
discussion draft a floor or a ceiling? And each of you can 
respond if you like. Well, why don't we start here with a show 
of hands first. If you think it is a floor, would you kindly 
raise your hand.
    And if you don't understand what a floor is, you can raise 
your hand and then I will say more. Or if you think it is a 
ceiling, raise your hand. OK. It seems we have unanimous 
consent that it is a ceiling.
    If you would, let us start with Ms. Cable, why, in your 
opinion, is a ceiling appropriate or inappropriate?
    Ms. Cable. Well, our position, perhaps not surprisingly, is 
a ceiling is inappropriate particularly in this realm. This is 
fundamentally drafted as a consumer protection measure. And for 
a variety of reasons set forth today and I suspect in the 
letters that were just submitted for the record, there are a 
variety of ways this bill offers weaker protections than 
currently are available to consumers under State law.
    And in light of Equifax, there appears no reason from our 
perspective to do so by then preempting States from enacting 
stronger protections or enforcing the existing strong 
protections that they have.
    It is really just locking consumers into a weaker set of 
protections for the foreseeable future at a time when breaches, 
risks continue to multiply. So, we are not in favor of a 
ceiling of protections.
    Mr. Green. And your name is Cable not Gable.
    Ms. Cable. Cable, yes.
    Mr. Green. Thank you.
    Let us move on to Mr. Miller. Mr. Miller, I believe you 
would contend that it is appropriate to have a ceiling, is that 
correct?
    Mr. Miller. I guess I would--yes?
    Mr. Green. Mr. Miller, I am going to have to ask that you 
not equivocate if you would.
    Mr. Miller. OK.
    Mr. Green. Are you a ceiling guy or are you a floor guy?
    Mr. Miller. Well, I think the bill tries to be both a floor 
and a ceiling--
    Mr. Green. Mr. Miller, Mr. Miller. I know. But the bill has 
to be a ceiling or a floor. It really does. So, this may be a 
time for you to pick sides.
    Mr. Miller. I think we want to have a common notification 
standard, and I think--
    Mr. Green. Let me ask another question, Mr. Miller. Let me 
go on to another question. Do you think that there should be 
some language somewhere indicating that if there is a breach, 
you cannot sell your stock if you are one of the executives? 
You can't sell your stock before you announce the breach. 
Should there be such language?
    Mr. Miller. I am not sure if that language should be in 
this bill or not, but it seems like a secure--
    Mr. Green. But, no, no, but Mr. Miller--
    Mr. Miller. --that sounds security--
    Mr. Green. If you will note, I said some place.
    Mr. Miller. OK.
    Mr. Green. OK, some appropriate place because this is what 
happened.
    Mr. Miller. Right.
    Mr. Green. And if you think that there should be some 
language, we know that security laws can deal with it, but 
should there be some language that specifically says if there 
is a breach you can't sell your stock before you announce the 
breach?
    Mr. Miller. That seems like reasonable guidance.
    Mr. Green. Raise your hand if you think that there should 
be such language. Yes, raise your hand please. That is all 
right. OK. Everybody. So, I see that we have one person who did 
not.
    Sir, would you explain why you don't think so?
    Mr. Creighton. Selling stock based on material nonpublic 
information is illegal. And this is under investigation. And if 
they were aware of a breach and they sold their shares based on 
that that is something that the SEC and other Federal--
    Mr. Green. I understand there are agencies and entities 
that will look into it, but given that it happened and we can 
put people on notice, is it so redundant that it would be 
harmful? Is it so superfluous to the extent that it makes no 
sense? It just seems that it is OK to tell people if you do 
this, there is a penalty.
    Mr. Creighton. It is already illegal. And I wouldn't have 
any objection to it, but it is already illegal.
    Mr. Green. OK. Thank you, Mr. Chairman.
    Chairman Luetkemeyer. The gentleman's time has expired.
    With that, we go to another gentleman from Texas, Mr. 
Williams, recognized for 5 minutes.
    Mr. Williams. Thank you, Mr. Chairman.
    And thank you to the witnesses today that are here. As this 
committee continues to work to protect American businesses and 
consumers that are under a constant threat from cyber thieves, 
as we have seen in the past year, cybersecurity breaches and a 
loss of personal identifiable information have unfortunately 
affected hundreds of millions of Americans.
    Mr. Kratovil, in your testimony you state that this 
legislation strikes the appropriate balance by setting a high 
bar for data protection while providing numerous considerations 
to ensure a small business that processes or maintains little 
or no personal information is not burdened with the same 
expectations as a large entity.
    As a small business owner myself for over 47 years and a 
steadfast defender of Main Street, I appreciate what you have 
to say about that. My question is, what importance does 
scalability play in ensuring a level playing field for entities 
of all sizes and how does this affect consumer protection?
    Mr. Kratovil. Thank you for that question, Congressman. It 
is one of the critical aspects that we believe should be 
included in any Federal legislation in this space. Scalability, 
flexibility--taking into consideration the size and complexity 
of a business--all has to be weighed in evaluating which 
cybersecurity resources a company should be deploying.
    If you were an FSR member, I think there are going to be--
there certainly are regulatory expectations that you are 
investing heavily in cyber defenses. I know just a handful of 
our members have invested over $1.5 billion a year in 
cybersecurity defenses.
    Juxtapose that against small businesses, perhaps such as 
your own. When you look at your business, perhaps you are not 
even--your employees aren't even coming into contact with 
sensitive financial information that would be covered under 
this legislation.
    It probably goes without saying then, you should not be 
employing the same cybersecurity resources as a national bank, 
for example.
    Mr. Williams. OK. Another question for you. In your 
testimony you state that legislation should recognize both the 
danger of alerting hackers to vulnerabilities before they have 
been remediated and risking potential further harm to 
customers, and then the risk of confusing or alarming consumers 
unnecessarily if companies are forced to notify prematurely. 
So, why is that important?
    Mr. Kratovil. The idea there, is that oftentimes, when a 
company discovers that they have been hacked, it is often the 
case that the hackers are still in their systems. That is why 
in the legislation it makes clear that hopefully law 
enforcement is going to be able to be involved in a situation 
like that and law enforcement may have an opportunity to trace 
where the hack is coming from. Maybe even to identify who is 
doing the hacking, in which case you definitely want to be able 
to allow that process to happen.
    Mr. Williams. OK.
    Mr. Creighton, the Senate has proposed limiting the amount 
and type of data that can be reported about consumers to credit 
bureaus. My question is, what effect would these types of 
restrictions have on the accuracy of consumer lending 
decisions? And how would they affect credit availability, 
particularly for vulnerable populations?
    Mr. Creighton. Thank you for that question. When we collect 
data, we are trying to collect data that is going to matter for 
a future lending or other decision. Those kinds of data are 
what kind of accounts do you have? What is your credit limit? 
How much credit are you using? Do you pay on time? Those kinds 
of questions.
    We are trying to continue to gather more information from 
other kinds of data furnishers--home renting companies, 
apartment companies, that kind of thing, cell phone companies, 
others so that we can expand the number of people who have thin 
files.
    Because if you have a thin file right now, and you go to 
get a loan, they will look and they say, ``Well, we don't know 
enough information about you to know whether you are a good 
risk or not.''
    So, we want to get more of that information because if we 
have more of that kind of information, we are going to do a 
better job of giving lenders what they need so that they can 
bring people into the regulated financial system, which is what 
we are all after.
    Mr. Williams. Good. Another question to you. In your 
testimony you stated that credit reporting agencies face only 
enforcement and not supervisory and examinations by the FTC. 
So, why do you believe that empowering the FFIEC to choose the 
correct overseer is the proper fix for this regulatory gap?
    Mr. Creighton. Yes. Thank you for that question. In the 
time since I submitted my testimony, what I have learned from 
my companies is that actually the Consumer Financial Protection 
Bureau has asserted its authority under UDAP (unfair or 
deceptive acts or practices) and other provisions to begin 
examination of credit reporting agencies on cybersecurity.
    While the GLBA specifically says that cybersecurity is 
carved out under UDAP authority, the CFPB has asserted its 
authority and is now examining at least two of our companies.
    Mr. Williams. OK. Thank you for being here. And I yield 
back my remainder of my time back.
    Chairman Luetkemeyer. The gentleman yields back his time.
    With that, we go to the gentleman from Georgia, Mr. 
Loudermilk is recognized for 5 minutes.
    Mr. Loudermilk. Well, thank you, Mr. Chairman. I appreciate 
the panel being here today.
    Mr. Kratovil, as I understand it, the Gramm-Leach-Bliley 
Act may not explicitly require financial institutions to comply 
with mandatory Federal data security and breach notification 
requirements, but these requirements are essentially mandatory 
in practice. Can you explain how that happens?
    Mr. Kratovil. Yes. Thank you for that question. And yes, 
sir, I agree with you. They are mandatory. There is nothing 
about Gramm-Leach-Bliley's security requirements or notice 
requirements that are treated as optional.
    As I mentioned earlier to the Chairman, fundamentally, 
these are safety and soundness standards. They are treated as 
such for examination purposes. Examiners view compliance with 
both the security requirements and notice obligations as 
affirmative duties under safety and soundness regulations, and 
the examiners themselves have a variety of enforcement tools at 
their disposal should they find a firm is not living up to 
either of those obligations.
    Mr. Loudermilk. OK, I appreciate that. I had my staff ask 
the Congressional Research Service and they advised the same 
thing, and so, I just want to make sure that we had a good 
understanding of that and I appreciate that.
    Mr. Miller, I want to talk about the third party liability 
issue. I understand both sides of this debate. And on the one 
hand, understand the--and I appreciate the argument that the 
company that is breached should be responsible for the 
notification, but on the other hand, are we subjecting the 
consumers to even more or greater risk by transferring more 
data into an entity that was just breached? I am trying to find 
a good medium there. Can you comment on that?
    Mr. Miller. I just want to make sure I understand your 
question, you are talking about transferees of more data to 
third party because of this breach--
    Mr. Loudermilk. Well, in a third party situation where 
there was a breach but the third party may not have the contact 
information. And if we require them to actually make the 
notification, are we not risking the consumer by even sending 
more data to that third party?
    Mr. Miller. Absolutely, particularly if the third party is 
the one who was breached. Probably there are questions 
regarding security, so sending a bunch of additional 
information to them seems questionable.
    Mr. Loudermilk. Yes. And I feel like there is some 
liability there, but then we have that issue, and I don't know 
if anybody else would like to comment on that if you have 
feelings, it is just one of those, that they are issues we are 
struggling with at this point, of how do we resolve that if 
they were, the third party was actually the factor that caused 
the breach.
    Mr. Miller. If I could just comment a little bit further on 
the third party, it is true that third parties, again, if we 
look at business arrangements and particularly of large 
companies across a variety of industries, they are using third 
parties for a variety of different purposes. Some of those 
third parties are small companies, some of those third parties 
are large companies and providing all different types of 
services.
    There was one very notorious breach a few years ago where a 
major company was breached through a third-party HVAC vendor 
for instance.
    Mr. Loudermilk. Right.
    Mr. Miller. So, the most sensible way it seems to deal with 
the apportionment of liability in these types of scenarios is 
through a contractual arrangement between the parties who are 
free to contract with different parties if they would like to 
choose different entities with which to work and requiring 
strong security practices is certainly something I would advise 
any party to do.
    Mr. Loudermilk. OK. I appreciate that. This is one of the 
issues that I have been struggling with because I understand 
that there is some liability there but also do you provide more 
information to the entity that was just breached.
    And dealing with the information, I will throw this out to 
anyone in the panel in the last few seconds we have, are we 
collecting and maintaining too much data, because we know the 
more data you have the more data we require through the 
Government to be maintained, the more risky it is when you 
don't have to protect what you don't have.
    Anyone want to comment on are we collecting and maintaining 
too much data?
    Ms. Cable. I think your point is well stated. If you don't 
have it you have automatically reduced the risks to your 
company.
    I can't speak to, I know that it is extremely valuable to 
businesses and it provides benefits for consumers for those 
businesses to have that data. However, we do see a lot of 
companies collecting data that is very sensitive for consumers 
without having a present need for it or holding on to data for 
years and years and years when they are not using it. So, I do 
think that is part of the concern, good practice, data 
management practices would reduce the amount of data that you 
are not using that you don't have.
    Mr. Loudermilk. Well, I appreciate that and I think that 
would expand also to our Government as well.
    Mr. Creighton. Very briefly I was just going to make that 
same point. This is a problem across the economy in both public 
and private sectors.
    Mr. Loudermilk. Thank you, Mr. Chairman.
    Chairman Luetkemeyer. The gentleman's time has expired.
    With that we go to the gentlelady from Utah, Mrs. Love is 
recognized for 5 minutes.
    Mrs. Love. Thank you.
    Do the standards for credit bureaus differ from the 
standards for other sectors of the economy? If so how, why, and 
I want to get into the European cybersecurity initiatives just 
to follow up from the Chairman's questions.
    Mr. Creighton. Sure, the National Credit Reporting Agencies 
are subject to the FTC's Safeguards Rule, which is the rule 
that applies to, under the Gramm-Leach-Bliley Act, to non-bank 
financial entities. So, there is no data security standard for 
most companies in the country, but financial institutions have 
standards. So, if you are a bank you are covered by your 
prudential regulator but if you don't have a prudential 
regulator like the OCC or the Federal Reserve, then you are 
subject to the FTC's Safeguards Rule. And the credit bureaus 
are one kind of company that is subject to that.
    Mrs. Love. OK. So, I guess this is an opinion for everyone. 
I am interested in the European standards, how do you view 
these standards? Do you think that these standards are going to 
be influential? I just wanted to follow up because I think 
that, I agree with the Chairman, I would hate to have somebody 
else dictate what we do. So, I just wanted to know what your 
thoughts were on that.
    And anyone can answer. I am just--
    Mr. Creighton. I will kick it off because I will be very 
brief. Generally speaking, our reading is that for credit 
bureaus specifically there would not be much impact from it 
because we are collecting as credit bureaus very narrow parts 
of the larger information environment. Again, as I said, we are 
collecting the ``do you have credit, how much credit, with 
whom, do you pay on time?'' And those sorts of--that sort of 
information is part of an ongoing business relationship that 
you have with your lender.
    So, if you have a credit card account, that credit card 
company is reporting that information up and that would 
continue even under GDPR. The larger data broker issue would 
come into--is more implicated by that and that is not a part of 
the environment that I generally work in.
    Mrs. Love. OK.
    Mr. Miller. Thanks for the question. With respect to the 
GDPR there are a few different requirements particular to 
breach.
    As I mentioned previously, there is a ``without undue 
delay'' standard for consumers and with respect to 
notifications to regulatory authorities there is ``where 
feasible, but not later than 72 hours'' language.
    I would additionally say this, to speak to the Chairman's 
question that he teed up at the outset, it is premature to be 
looking to the GDPR as a best practice for anything, in my 
opinion, to the extent that it hasn't been implemented yet. It 
is going to be implemented this May. There are a lot of 
questions regarding how certain provisions are going to be 
implemented, particularly around data breach. So, I would say--
I wouldn't worry too much yet about that particular issue.
    There are also a variety of cybersecurity standards in 
Europe that are being proposed that I would also be happy to 
get into, but--
    Mrs. Love. Is it important to keep an eye on that and to 
look on how that affects?
    Mr. Miller. It is definitely important because, again, all 
of our companies are global companies doing business globally, 
so they are going to have to comply with that if they are doing 
business in Europe, or doing business with European citizens. 
So, it is important.
    I am just commenting on, not looking to something that 
hasn't yet been implemented, to see if it can be implemented as 
designed, as a model. I think it is premature to do that.
    Mrs. Love. Do you have any concerns with the present model? 
I know you are concerned about because you don't know how it is 
going to be, what the reaction is going to be or what the 
results are going to be, but do you have concerns with the way 
that it is set up and what the standards are currently?
    Mr. Miller. Well, again, as the number of--I think all the 
witnesses have said at one point or another today having a very 
tight timeline for any notification such as 72 hours is very 
problematic just because, again, as we can point to lots and 
lots of high-profile breaches, you can look at some Government 
breaches like OPM, it takes months sometimes to even realize 
there has been a breach and then to figure out what exactly is 
going on.
    So, a 72-hour provision in many instances is going to be 
impossible to comply with.
    Mrs. Love. Do they have that in their standard, they have a 
72-hour--
    Mr. Miller. Yes, the 72 hour for notification to regulators 
but not for notification to citizens.
    Mrs. Love. OK. Do you have anything that--you mentioned, 
you look like you had something that you wanted to add.
    Mr. Kratovil. I would just agree on what Mr. Miller, the 
point he made about it might be a little too early to make any 
judgment calls on GDPR. I know many of FSR's members are global 
in nature, and so, it is already, there is already a tremendous 
amount of discussion as to how do we come into compliance with 
this and make that system work.
    Mrs. Love. Thank you.
    Thank you, Mr. Chairman. I yield back.
    Chairman Luetkemeyer. The gentlelady's time has expired.
    With that we go to the gentlelady from New York, Ms. Tenney 
is recognized for 5 minutes.
    Ms. Tenney. Thank you, Mr. Chairman.
    And thank you, panel, for this discussion. As we know, 
obviously, cybersecurity, cyber attacks are becoming the new 
way to rob a bank, to rob a store, to rob citizens from their 
living room.
    Last year, the New York City Attorney General reported 16 
percent, or that cybersecurity invasions are up 60 percent, and 
more and more of New York's personal records, in fact, have 
been tripled since last year. Obviously the Equifax breach was 
huge for us with eight million people in New York State being 
exposed in the Equifax breach out of about 19 million.
    Actually, this past January, our own New York State 
Education Department was also breached. These things are 
certainly of concern. I want to just give a little shout-out to 
a local college in my community. Utica College has teamed up 
with the cybersecurity department in our county to try to 
prevent against these attacks and identify potential risks and 
weaknesses in our data system.
    But my question involves, first, I would just like to find 
out to what extent will a national standard provide for better 
security than something on the local or State level?
    Obviously, I am just curious if you could comment, maybe 
Mr. Kratovil, you could mention it first?
    Mr. Kratovil. Sure. Thank you very much for the question.
    If it is done correctly and by that I mean if it is an 
appropriately strong standard, as we have talked about a lot, 
it takes into consideration a variety of factors to not overly 
burden small businesses, we believe that is the absolute best 
way for Congress to act to ensure that no matter where you live 
in the country, that your data is protected with a strong 
standard. That is really the core for the financial industry.
    Ms. Tenney. Great. And I think it is great that we are 
tackling this issue but I am a small business owner, and so, 
for us, obviously our customers and their security is of 
paramount interest to us like smaller banking institutions and 
other types of retailers.
    So, how can we make this in a way that is cost effective so 
that the smaller players which often can't afford the 
compliance costs of a national standard, how do we come up with 
something that is affordable to them because what often happens 
is you come up with a national standard and then these people 
will get left on the wayside and then you end up with the 
collapse of the small business community because they just 
can't--this is a perpetual problem in State government. I know 
when I was in State government, we just put these big one-size-
fits-all regulations and then we ended up with the loss of a 
small business community, which is really important to our 
area.
    Mr. Kratovil. Yes, that is a very important point and I am 
glad you raised it. And the discussion draft actually gets 
right to the heart of the cost question, because securing data 
is not a cheap proposition. And 3.A.2.c reads the cost of 
available tools to improve security and reduce vulnerabilities.
    Ms. Tenney. Is there enough flexibility in this standard 
that would allow groups, different retail groups or different 
sectors, to get together in a way that they could provide for 
their own security and to manage the costs? Is that something 
that has been contemplated and anyone on the panel can comment 
on that quickly if you have a question, without violating any 
kind of Federal standard.
    I know there is a lot of--obviously we are dealing with 
Social Security numbers and sensitive information which is--
which is in there. Anyone have a comment on that? There is no 
way to make that so that they are able to do, to be able to 
collaborate or come up with a retail institution?
    Mr. Creighton. I am probably not the best person to talk 
but the establishment of sector-specific ISACs (information 
sharing analysis centers)--
    Ms. Tenney. Right, OK.
    Mr. Creighton. --is really the best way for companies to be 
able to share information, build relationships with Government 
and to prepare for breaches and then respond to them. And 
there--we have them in financial services, energy, lots of 
different entities.
    Mr. Miller. Yes. There are several dozen ISACs in the 
country.
    Ms. Tenney. Right.
    Mr. Miller. Financial services ISAC includes thousands and 
thousands of financial institutions in the country. Retail ISAC 
was stood up in the last few years. Again, to Mr. Creighton's 
point, to be able to share that threat information and help 
each other defend against cyber attacks.
    Ms. Tenney. Right. And I think that should be helpful. 
Obviously it is sensitive information.
    One of the big concerns I have is just a little bit outside 
of this space, is that we have--the State governments typically 
don't have the ability and the resources to provide really 
adequate security and data. Do you think that that is something 
that could be done--so we have a national standard, what about 
the State government's requiring some of these data be turned 
over in the regulator process, for example, the banking 
institutions, insurance institutions, and other retailers?
    Mr. Kratovil. Well, we have many of those same concerns at 
the Federal level because the bank regulators do expect 
tremendous amounts of very sensitive and proprietary 
information, for example, about financial institutions' 
cybersecurity programs to be turned over as part of the 
examination process.
    Ms. Tenney. I am running out of time, but one quick thing, 
for example, Congress gets hit almost every day and the 
Government institutions are probably the most vulnerable. Would 
you agree or disagree?
    Mr. Kratovil. Yes, ma'am, I would agree with that.
    Ms. Tenney. Thank you so much. I appreciate your testimony. 
Thanks.
    Chairman Luetkemeyer. The gentlelady's time has expired.
    With that we will go to the gentleman from Michigan, Mr. 
Trott is recognized for 5 minutes.
    Mr. Trott. Thank you, Chairman.
    I want to thank the panel for joining us this afternoon. 
And one of my concerns when we work on data security and 
standards is a desire, on the part of some, to set up 
``gotcha'' moments. And if you look at the Equifax breach, 
terrible set of facts but it provides good 30-second soundbites 
for people here in D.C. to attack Equifax and they deserve some 
of it, that is for certain.
    But one of my concerns and I would be interested in, Mr. 
Miller, your thoughts on whether either bill that we are 
looking at, are the standards reasonable? And I know section 3 
of the Chairman's bill says, ``reasonably designed to protect 
individuals.''
    If you start with the premise that no business or database 
including the Government is beyond being hacked. When I was in 
business we used to hire brilliant high school students to 
figure out a way to hack into our firewall and our databases. 
And they always seem to figure out a way to do it, and we spend 
a lot of money on trying to protect our data.
    But do you feel like there is enough flexibility such that 
some of these businesses aren't being set up to fail?
    Mr. Miller. Thank you for the question. I think for the 
most part, there is a significant amount of flexibility in the 
security standards in the bill and that is appropriate. As 
others on the panel have said, it is really important that we 
aren't too prescriptive in our standards and require the same 
level of specific security standard for a large multinational 
corporation or the Department of Defense, as we do for a small 
or medium-sized business or a startup. There are a whole bunch 
of reasons for that.
    In particular, one of the good things about the list of 
safeguards in the bill, is that they are consistent with a lot 
of risk management-based principles, and while we certainly 
advocate for risk-based approaches, I think it is important 
that we also, when we talk about data security, we often talk 
about the protect function and that piece of the puzzle, and 
that is really important.
    But there is the reality that breaches are going to happen 
so you need to be focusing also on how you respond and how you 
recover from that breach, and that is the bill.
    The one thing in the safeguard section that does seem to 
not really account for that sort of flexibility to us is the 
requirement to have, essentially, to designate a security 
official who is in charge of the safeguards.
    Again, if you have a two-person startup it is questionable 
whether you need to have the same type of mechanism, a 
designated security official at a two-person company or at a 
major bank, for instance. And that is the one thing I would say 
about that.
    Mr. Trott. Yes the two-person startup, the designated 
person might also be cleaning the coffee pot out at night, too. 
So, that is a problem.
    One question, this area is constantly evolving, so what 
kind of flexibility should we build into any solution to deal 
with the changes that are inevitable with respect to the 
technology and how consumers are using the Internet and other 
places where they are putting their confidential information?
    Any thoughts would be helpful, because there is no question 
that today's safeguard is going to be updated tomorrow when 
they figure out some other new and better way to hack into it.
    Mr. Miller. Well, I completely agree with that. We want to 
have technology-neutral requirements. The point was made 
earlier about innovation and the fact that there are new 
security measures and tools being developed all the time. And 
it is obviously something that we need to do, because the 
attackers are also innovating and coming up with new 
techniques.
    There are plenty of examples that we probably don't have 
time for now. But, there are security technologies that were 
state-of-the-art 10 years ago that simply aren't state-of-the-
art today. If you bake those into a statute and say you must 
use technology X eventually that is going to be an obsolete 
statute.
    Mr. Trott. No question.
    Mr. Creighton, you I think mentioned the CFPB a few minutes 
ago, can you just briefly comment on how the decisions by the 
CFPB and the FTC and other banking regulators have conflicted 
in this area? And maybe this was covered earlier by someone--I 
got delayed getting here--and, do you think that UDAP authority 
that the CFPB utilized is even appropriate?
    Mr. Creighton. Well, in GLBA, in Dodd-Frank the data 
security was specifically carved out of the CFPB's authority. 
And we would suggest that Congress would probably want to 
revisit that as the McHenry bill does, as the PROTECT Act does. 
But the CFPB does and always has maintained UDAP authority and 
they are in the process now of asserting that authority and 
getting in there, and, if they are in there, they are in there. 
We are not in the business of criticizing our regulators.
    Mr. Trott. Yes. OK. I will do that for you, so no worries.
    But I think I am about out of time so I yield back. Thank 
you again for your time, gentlemen.
    Chairman Luetkemeyer. The gentleman yields back.
    We are without any further folks in the queue. So, with 
that we will wrap up the hearing.
    Just some closing comments. We were discussing today the 
ability to protect consumers' data. We also need to be able to 
allow them not only to be protected, we also need it to be 
accessible by them. And when we do that it makes it very 
difficult to have both at the same time. This is where you 
can't lock it up and you have to be accessible to it but that 
makes it vulnerable, so how can we protect the data? That is 
the trick.
    One of the questions that we were working here throughout 
the discussion was with an immediate notification. I knew 
coming in this was going to be a discussion point and I left it 
there intentionally to get everybody started, and I appreciate 
the discussion we had. But I am a little disappointed because 
in the bill it says, the draft bill, that you don't notify 
until you recognize that you had a breach, until you make sure 
that an individual person's information has been breached, who 
that person is, and where that person is something that could 
cause--that information could cause a loss.
    Therefore you are not notifying immediately when a breach 
occurs, you are notifying exactly whenever you determine that 
there is a reasonable expectation that the data that was 
breached was for an individual that could suffer a loss. And so 
I am a little disappointed with the comments that were made.
    Obviously, everybody wants to have as much time as they can 
to resolve the situation, but I can tell you that this is a 
touch-point for a lot of my constituents, your customers. They 
want to be able to protect their data as quickly as possible. I 
can tell you that when we put in there reasonable or 
expeditious or something that somebody could drive a truck 
through, they are not going to be happy, because they want to 
be able to have confidence that their information is going to 
be protected and they will have access to it and be able to 
protect it themselves if necessary and as quickly as possible.
    So, we want to work with you on that language to try and 
make sure this works, and we thank you for your thoughtful 
suggestions along all the lines.
    Ms. Cable has made some great suggestions. We realize you 
have a strong standard and we appreciate that.
    We have to find a balance somewhere in all of this where we 
can be, as Mr. Kratovil continuously said, flexible, scalable, 
and have some balance to what we do so it can be something that 
everybody all along, the scale here can actually use this 
information and do something that we think is productive.
    I have been tasked with putting this bill together by 
leadership because of the thousands of breaches that have 
occurred.
    Ms. Cable's testimony indicated 28,000 over the last 10 
years, it was 1,700 last year; something has to be done. We 
are, I think, close to a crisis situation here, and quite 
frankly we are one major breach away from this new legislation 
being fast-tracked, quite frankly. So, I think that everybody 
here today appreciated the large audience that we had.
    I think that we are all going to continue to work together 
to get this bill to a point where it is a good bill or 
something that we can address as many of the concerns that we 
can get to. Or it is going to be a very difficult bill to get 
everybody to yes. We want to get everybody to neutral if 
possible and a yes. We are going to continue to work with 
everybody and we appreciate your suggestions, but again, I want 
to emphasize we are one breach away from this being a bill that 
is going to be dropped and we are going to run it, because our 
constituents are going to demand it and we are going to be in 
the cross-hairs.
    So, with that thank you so much for your time today. Thank 
you for your testimony and I appreciate your participation. I 
have some final comments. Here we go.
    The Chair notes that some Members may have additional 
questions for this panel, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 5 legislative days for Members to submit written questions 
to these witnesses and to place their responses in the record. 
Also, without objection, Members will have 5 legislative days 
to submit extraneous materials to the Chair for inclusion in 
the record.
    [Whereupon, at 3:53 p.m., the committee was adjourned.]

                            A P P E N D I X



                             March 7, 2018
                             
                             