[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
LEGISLATIVE PROPOSALS TO REFORM
THE CURRENT DATA SECURITY AND
BREACH NOTIFICATION REGULATORY REGIME
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON FINANCIAL INSTITUTIONS
AND CONSUMER CREDIT
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
MARCH 7, 2018
__________
Printed for the use of the Committee on Financial Services
Serial No. 115-78
_________
U.S. GOVERNMENT PUBLISHING OFFICE
31-383 PDF WASHINGTON : 2018
HOUSE COMMITTEE ON FINANCIAL SERVICES
JEB HENSARLING, Texas, Chairman
PATRICK T. McHENRY, North Carolina, Vice Chairman
PETER T. KING, New York
EDWARD R. ROYCE, California
FRANK D. LUCAS, Oklahoma
STEVAN PEARCE, New Mexico
BILL POSEY, Florida
BLAINE LUETKEMEYER, Missouri
BILL HUIZENGA, Michigan
SEAN P. DUFFY, Wisconsin
STEVE STIVERS, Ohio
RANDY HULTGREN, Illinois
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANN WAGNER, Missouri
ANDY BARR, Kentucky
KEITH J. ROTHFUS, Pennsylvania
LUKE MESSER, Indiana
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
BRUCE POLIQUIN, Maine
MIA LOVE, Utah
FRENCH HILL, Arkansas
TOM EMMER, Minnesota
LEE M. ZELDIN, New York
DAVID A. TROTT, Michigan
BARRY LOUDERMILK, Georgia
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana

MAXINE WATERS, California, Ranking Member
CAROLYN B. MALONEY, New York
NYDIA M. VELAZQUEZ, New York
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
MICHAEL E. CAPUANO, Massachusetts
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
DAVID SCOTT, Georgia
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
GWEN MOORE, Wisconsin
KEITH ELLISON, Minnesota
ED PERLMUTTER, Colorado
JAMES A. HIMES, Connecticut
BILL FOSTER, Illinois
DANIEL T. KILDEE, Michigan
JOHN K. DELANEY, Maryland
KYRSTEN SINEMA, Arizona
JOYCE BEATTY, Ohio
DENNY HECK, Washington
JUAN VARGAS, California
JOSH GOTTHEIMER, New Jersey
VICENTE GONZALEZ, Texas
CHARLIE CRIST, Florida
RUBEN KIHUEN, Nevada
Shannon McGahn, Staff Director
Subcommittee on Financial Institutions and Consumer Credit
BLAINE LUETKEMEYER, Missouri, Chairman
KEITH J. ROTHFUS, Pennsylvania, Vice Chairman
EDWARD R. ROYCE, California
FRANK D. LUCAS, Oklahoma
BILL POSEY, Florida
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANDY BARR, Kentucky
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
MIA LOVE, Utah
DAVID A. TROTT, Michigan
BARRY LOUDERMILK, Georgia
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York

WM. LACY CLAY, Missouri, Ranking Member
CAROLYN B. MALONEY, New York
GREGORY W. MEEKS, New York
DAVID SCOTT, Georgia
NYDIA M. VELAZQUEZ, New York
AL GREEN, Texas
KEITH ELLISON, Minnesota
MICHAEL E. CAPUANO, Massachusetts
DENNY HECK, Washington
GWEN MOORE, Wisconsin
CHARLIE CRIST, Florida
C O N T E N T S
----------
Page
Hearing held on:
March 7, 2018................................................ 1
Appendix:
March 7, 2018................................................ 37
WITNESSES
Wednesday, March 7, 2018
Cable, Sara, Director, Data Privacy and Security, and Assistant
Attorney General, Office of the Attorney General, Commonwealth
of Massachusetts............................................... 3
Creighton, Francis, President and Chief Executive Officer,
Consumer Data Industry Association............................. 5
Kratovil, Jason, Vice President, Financial Services Roundtable... 9
Miller, John S., Vice President, Global Policy and Law,
Information Technology Industry Council........................ 7
APPENDIX
Prepared statements:
Cable, Sara.................................................. 38
Creighton, Francis........................................... 100
Kratovil, Jason.............................................. 126
Miller, John S............................................... 151
Additional Material Submitted for the Record
Luetkemeyer, Hon. Blaine:
Written statement from American Bankers Association (ABA).... 167
Written statement from Consumer Bankers Association (CBA).... 180
Written statement from Center for Democracy & Technology
(CDT)...................................................... 182
Coalition letter dated March 7, 2018......................... 184
Written statement from Credit Union National Association
(CUNA)..................................................... 187
Written statement from Independent Community Bankers of
America (ICBA)............................................. 189
Written statement from National Association of Convenience
Stores (NACS).............................................. 191
Written statement from National Association of Federally-
Insured Credit Unions (NAFCU).............................. 193
Written statement from National Retail Federation (NRF)...... 196
Letter from Kathleen McGee, State of New York Office of the
Attorney General........................................... 227
Letter from Rapid7........................................... 233
Letter from Society of Independent Gasoline Marketers of
America (SIGMA)............................................ 236
Green, Hon. Al:
Written statement from American Council of Life Insurers
(ACLI)..................................................... 238
Financial trades letter dated February 28, 2018.............. 241
Written statement from Property Casualty Insurers Association
of America (PCI)........................................... 243
Retailer coalition letter dated February 13, 2018............ 246
Cable, Sara:
Written responses to questions for the record submitted by
Representatives Waters and Ross............................ 250
Creighton, Francis:
Written responses to questions for the record submitted by
Representatives Waters and Ross............................ 263
Kratovil, Jason:
Written responses to questions for the record submitted by
Representatives Waters and Ross............................ 275
Miller, John S.:
Written responses to questions for the record submitted by
Representatives Waters and Ross............................ 283
LEGISLATIVE PROPOSALS TO REFORM
THE CURRENT DATA SECURITY AND BREACH
NOTIFICATION REGULATORY REGIME
----------
Wednesday, March 7, 2018
U.S. House of Representatives,
Subcommittee on Financial Institutions
and Consumer Credit,
Committee on Financial Services,
Washington, D.C.
The subcommittee met, pursuant to notice, at 2:01 p.m., in
room 2128, Rayburn House Office Building, Hon. Blaine
Luetkemeyer [chairman of the subcommittee] presiding.
Present: Representatives Luetkemeyer, Rothfus, Lucas, Ross,
Pittenger, Tipton, Williams, Love, Trott, Loudermilk, Kustoff,
Tenney, Clay, Scott, Green, Heck, and Crist.
Also present: Representative Hensarling.
Chairman Luetkemeyer. The committee will come to order.
Without objection, the Chair is authorized to declare recess of
the committee at any time.
This hearing is entitled, ``Legislative Proposals to Reform
the Current Data Security and Breach Notification Regulatory
Regime.'' Before we begin, I would like to thank the witnesses
for appearing today. We appreciate your participation and look
forward to the discussion.
We have a great crowd today. We must have a very, very
interesting subject. So, thank you all for being here.
I now recognize myself for 5 minutes for purposes of doing
an opening statement. Forty-eight States, the District of
Columbia, Guam, Puerto Rico, and the Virgin Islands have all
enacted differing laws requiring private companies to notify
individuals of breaches of personal information. For each State
with robust safeguards or requirements in place, there is
another with protections that are simply insufficient, creating
a labyrinth that causes compliance nightmares while leaving
uncertainty where certainty is needed the most: consumer
notification.
And although these laws only cover certain sectors, the
protections vary widely from State to State. It is important to
ensure all consumers are afforded better protections and more
prompt notifications. Look at my home State of Missouri, where
our two largest cities straddle State borders. There is no
reason why a consumer sitting in East Saint Louis, Illinois
should have greater protections than one sitting less than 10
minutes away in Saint Louis.
One individual's personal information is no more or less
valuable than another's. This is a national problem that
requires an immediate national solution, which is why my
legislation, developed with the gentlelady from New York, Mrs.
Maloney, is both timely and necessary. First and foremost, our
legislation would create a national security standard for
entities that access, maintain, store, or handle personal
information, while providing flexibility based on an individual
company's size, complexity, and sensitivity of the information
it maintains.
With a responsible Federal standard in place, companies
will no longer have to spend valuable time tracking a maze of
regulations. That time can be better spent actually securing
the personal information of their customers and innovating to
fight against cyber crime. The draft legislation also includes
robust law enforcement and consumer notification regimes. A
covered entity has the responsibility to conduct an immediate
investigation and take responsible measures to restore the
compromised system.
If it is determined that the breach has or will cause
identity theft, fraud, or economic loss, the breached entity
must immediately notify law enforcement. On the consumer side,
the bill requires immediate notification without unreasonable
delay to any consumer who may be impacted by a breach of his or
her personal information. This is a strict timeline that rivals
even the most aggressive State laws. After all, it is the
consumer that should be front and center in any conversation
surrounding the protection of data.
Today, we will also examine legislation introduced by the
gentleman from North Carolina, Mr. McHenry. His PROTECT Act
would establish a new regulatory regime for credit reporting
agencies. Mr. McHenry's work on this legislation and on the
broader issue of data security and the protection of consumer
information has been an integral part of this debate, and we
all appreciate his leadership.
This isn't a question of if, but when there will be another
data security breach and the personal information of too many
consumers will be compromised. Congress will move a product
across the finish line. The legislation we consider today aims
to foster an environment where consumers are not just protected
but empowered. This is a challenging issue, one that has been
seriously debated in Congress for well over a decade, and the
time to act has come.
It is essential that the industry looks at the bigger
picture here and realizes the immeasurable benefits that data
security safeguards and a responsible notification process will
have for their customers and businesses. While some of us may
experience short-term pain, it will be far outweighed by the
long-term gain of delivering meaningful results for the
American people.
I thank my friend from New York, Mrs. Maloney, for working
with me on this discussion draft and the gentleman from North
Carolina for his diligent work on his legislation as well.
We have an excellent panel of witnesses today. I want to
thank you for appearing. I look forward to your testimony. The
Chair now recognizes the gentleman from Missouri, Mr. Clay, the
Ranking Member of the subcommittee for 5 minutes for an opening
statement.
Mr. Clay. Thank you, Mr. Chairman. I certainly will not
take the total 5 minutes. But I want to thank you for holding
this hearing.
Breaches are a growing problem and credit reporting agency
Equifax just reported one of the largest breaches ever. On July
29, 2017, Equifax detects their security breach. Bloomberg
reported that regulatory filings showed that on August 1st,
Chief Financial Officer John Gamble sold shares worth $946,000
and Joseph Loughran, President of U.S. Information Solutions
exercised options to dispose of stock worth $584,000. Rodolfo
Ploder, President of Workforce Solutions, sold $250,000 worth
of stock on August 2nd. None of the filings list the
transactions as being part of a 10b5-1 scheduled trading plan.
On September 7, 2018, Equifax officially announces the
security breach to the public. The company directs consumers to
a dedicated website to check if they are included in the
breach. October 2, 2017, Equifax announces that forensic
computer security company Mandiant has identified another 2.5
million people whose personally identifiable information has
been compromised, taking the number of victims from 143 million
to 145.5 million. On March 1, 2018, Equifax reported that
another 2.4 million Americans were impacted by their already
enormous data breach. That brings the total to 147.9 million
Americans.
We can all agree that consumers in the United States face a
data protection crisis. Currently, no Federal law requires
credit reporting agencies to offer credit freezes. So, I look
forward to this discussion and working with the Chairman and
others on this legislation.
I thank you, Mr. Chairman, and yield back.
Chairman Luetkemeyer. The gentleman yields back.
Today, we welcome the testimony of Ms. Sara Cable, Director
for Data Privacy and Security and Assistant Attorney General of
the Commonwealth of Massachusetts; Mr. Francis Creighton,
President and CEO, Consumer Data Industry Association (CDIA);
Mr. John Miller, Vice President, Global Policy and Law,
Information Technology Industry Council (ITI); and Mr. Jason
Kratovil, Vice President, Financial Services Roundtable (FSR).
We certainly thank each of you for being here today, and
just a quick tutorial for those of you who haven't been here
before on the microphone system: please turn it on when you get
ready to speak. The green light will show, and when you are
getting to the 1-minute mark left to talk (you get 5 minutes
to speak), it will be yellow. And whenever you get that all done
it is red, and about that time I start to raise my gavel. So,
we will get along real well today, I am sure.
With that, we want to start with Ms. Cable. Welcome, and
you are recognized for 5 minutes.
STATEMENT OF SARA CABLE
Ms. Cable. Thank you, Chairman Luetkemeyer, Ranking Member
Clay, distinguished members of the subcommittee. I appreciate
being here today.
My name is Sara Cable. I am an Assistant Attorney General
with the Massachusetts Attorney General's Office and I am the
Director of Data Privacy and Security for its Consumer
Protection Division. I am here today on behalf of my office to
testify as to our concerns with the discussion draft bill, the
Data Acquisition and Technology Accountability and Security
Act.
My comments today are informed by my office's over a
decade's worth of experience in enforcing the Massachusetts
data breach notice law and data security regulations, which are
regarded as among the strongest in the country. This office
works hard to use those laws to protect our consumers and we
think that our consumers are better off as a result.
We are encouraged that the subcommittee recognizes the
critical necessity of data security and breach protections for
consumers, and we share this goal. The constant drum beat of
breaches over the last few years affecting some of the largest
and most sophisticated companies has brought the issue of data
insecurity to the forefront of the public's consciousness. It
is clear that more must be done to protect consumers and
preserve confidence in the marketplace.
Now is not the time to dilute the tools regularly and
successfully used by many States including Massachusetts to
combat this crisis. The subcommittee's first priority should be
on enhancing the existing protections consumers have under
State law, not minimizing compliance cost for businesses that
allow these breaches to occur.
While we understand that Federal standardization is the
thrust of the bill, Congress should not expose American
consumers to increased risks as a result of a new, less
stringent national standard. In our view, this bill would harm,
not help, consumers. It would restrict, not protect or even
preserve, the existing authority and role of the State AGs
(attorneys general) and it would disregard, not respect, the
important role of the States to enact protections they deem
appropriate for their own consumers.
I want to make my first point concerning the bill's
consumer notice provisions. Our view is that the notification
provision as drafted will leave consumers in a worse position
than the status quo. If preventing consumer harm is the goal of
a data breach notice regime, which we think it is, quickly
notifying consumers that their data has been compromised must
be the first priority. This allows that consumer time to take
steps to protect their identity before the hacker or an
identity thief uses the breached information against them.
The consumer notice standards in this bill, as found in
section 4b-2, do not protect the consumers. They require notice
only after the consumer has suffered harm. This is contrary to
today's regime where consumers under most State laws are
notified of breaches before the harm occurs. Notifying
consumers of the breach after they are already harmed does
little for the consumer and instead, it allows entities to pass
the costs of its poor data security on to consumers and this is
unacceptable in our view. It is especially unfair because the bill
does not clearly authorize any mechanism to remedy this harm,
including by not giving clear authority to the State attorneys
general to obtain restitution or consumer damages.
My second point concerns the proposed enforcement
mechanisms of the bill which make it harder for our office to
protect our consumers. The State AGs are the cops on the beat.
We have been on the frontlines of this problem for over a
decade. We use our authority under our consumer protection laws
and personal information protection acts to protect our
consumers from breaches and hold companies accountable for
failing to protect that data. This bill makes it harder for us
to do our jobs.
Among other problems that I have laid out in my written
testimony, the bill does not require entities to notify State
AGs of breaches impacting their State's residents. Under
Massachusetts law and currently under the law of at least 24
other States, State AGs get direct notice of breaches impacting
their residents, and this notice is critical for us because it
allows us to understand whether our consumers are impacted and
gives us an informed and comprehensive view of the risks that
are out there for consumers.
Over the last decade, 21,000 data breaches have been
reported to the Massachusetts Attorney General's Office. There
were 3,800 reported last year and as currently drafted, we
would get notified of none of these breaches. We also want to
point out that the threshold for Federal notice of 5,000
individuals affected we believe is too high and will fail to
capture breaches that have a significant impact in a State.
For example, in Massachusetts, less than 1 percent of the
3,800 breaches last year met this criterion, and indeed 93
percent of the 3,800 breaches impacted fewer than 100 residents
each. So, we think this bill would create a significant blind
spot for Federal or State enforcement of poor security
practices by businesses. Thank you.
[The prepared statement of Ms. Cable can be found on page
38 of the Appendix.]
Chairman Luetkemeyer. OK. Thank you for your testimony.
Mr. Creighton, you are recognized for 5 minutes.
STATEMENT OF FRANCIS CREIGHTON
Mr. Creighton. Thank you.
Before discussing the legislation before us today and how
it would impact CDIA members and the credit reporting system in
general, I would like to just give a brief context about how
credit bureaus help the economy and how we are already
regulated.
Our credit reporting system today is the envy of the world.
It is a main reason we have such a diverse range of lenders and
products from which to choose. Without it, without access to a
full consumer report, community banks, credit unions, insurance
companies, and others won't know how a consumer has handled
their obligations unless they already know the customer.
Without credit reporting, smaller institutions would not be
able to compete against the very largest banks for your
business.
Credit reports are a check on human bias and assumptions by
providing facts that contribute to equitable treatment. CDIA
members make possible an accountable and color-blind system.
Without it, subjective judgments could replace the facts of
creditworthiness. Credit reporting companies are also
innovating to solve the problem of the un-banked, thin file,
and credit-invisible consumers who have not had a chance to
participate in the mainstream financial system, a goal shared
by many on this committee.
The Federal Fair Credit Reporting Act (FCRA), which governs
credit reporting, subjects credit reporting companies to a
comprehensive regulatory and consumer protection regime. The
FCRA protects privacy. It includes criminal penalties for
people who abuse the system, mandates the accuracy and
completeness of consumer reports and makes the process
transparent for consumers. On data security, under the Gramm-
Leach-Bliley Act (GLBA), the nationwide consumer reporting
agencies are subject to the FTC's (Federal Trade Commission's)
Safeguards Rule as non-bank financial institutions. We are also
regulated and face enforcement in current law by the States.
Contractual obligations from our financial institution
customers make sure we meet the requirements of the Federal
Financial Institutions Examinations Council (FFIEC). At every
level, this is a well regulated industry. The PROTECT Act, one
of the bills before us today, would establish a new FFIEC data
security regulator for our companies. We believe that any major
change like this would be better informed by the outcome of the
Equifax investigation, which is still ongoing by the FTC and
the CFPB (Consumer Financial Protection Bureau).
The PROTECT Act also establishes a uniform standard for
credit freezes. We believe that this is in the best interest of
consumers who share the same concerns whether they live in
Missouri or Massachusetts. The patchwork quilt of State laws
creates confusion. Every consumer should have the same right
regardless of where they live. The last major provision of the
PROTECT Act would be to eliminate the use of Social Security
numbers in 2 years. We do not believe that this is a feasible
proposal and we look forward to working with Mr. McHenry and
this subcommittee on alternatives and marketplace innovations.
We have obligations under the FCRA to ensure maximum
possible accuracy, and the SSN is critical to meeting that
legal obligation. We use SSNs for the same reasons that
Government does. They are the only reliable and universal
identifier. SSNs help ensure that information is matched with
the correct file. There simply is no other identifier currently
in existence that gives us the confidence required to meet our
statutory obligations.
We take our data security responsibility seriously,
especially in light of the breach at Equifax. While the
investigation there is not yet completed as I said, it has put
a spotlight on our companies. We know that the most important
thing is not how a company responds to a breach; it is
preventing the breach in the first place. The Chairman's
legislation establishes a national standard for both data
security and for breach notification. The bill's provisions
would allow a company's prudential regulator to enforce these
rules, setting up the FTC as the regulator for those without
one already, with enforcement by State attorneys general.
Since credit bureaus are financial entities under GLBA,
they would continue to be subject to the FTC's Safeguards Rule
and to civil penalty authority for violations of the breach
notification provision of the bill. The trigger for what
constitutes a data breach is well defined: a reasonable risk that
the breach of data security has resulted in identity theft,
fraud, or economic loss.
We are pleased to note that for breaches over 5,000
consumers, credit bureaus can be notified ahead of others,
ensuring that we can prepare for the increased volume that a
large breach generates. This legislation broadly conforms to
the policy goals CDIA members have had for breach notification
legislation and we are pleased to note the different interests
who are working together to solve this problem. As the
legislative process moves forward on both of these bills, we
anticipate that there will be perfecting amendments to improve
them, and we look forward to working with the bills' sponsors
and other members of the committee on whether and how to reform
our data security and breach notification regulatory regimes.
I look forward to your questions. Thank you.
[The prepared statement of Mr. Creighton can be found on
page 100 of the Appendix.]
Chairman Luetkemeyer. Thank you, Mr. Creighton.
Mr. Miller, you are recognized for 5 minutes.
STATEMENT OF JOHN MILLER
Mr. Miller. Chairman Luetkemeyer, Ranking Member Clay, and
members of the subcommittee, on behalf of ITI and its member
companies, thank you for the opportunity to testify today on
the discussion draft of the Data Acquisition and Technology
Accountability and Security Act.
ITI is a global policy and advocacy organization
representing over 60 of the world's leading information and
communications technology companies from all corners of the
sector, including hardware, software, Internet, networking, and
services companies. Our members are not only technology
solutions providers, but are also stewards of their own
sensitive data. As such, we have interests as both covered
entities and third parties in advancing Federal data security
and data breach notification legislation that serves important
consumer protection interests.
Chairman Luetkemeyer and Congresswoman Maloney, I would
like to begin my remarks by commending you for the transparent
and inclusive process through which you and your staffs have
worked to develop the discussion draft. We share your goal of
developing a uniform consumer protective data security and
breach regime and appreciate the openness with which you have
considered our priority issues. Congress and the business
community have worked for more than a dozen years to develop a
regime that balances the concerns of all stakeholders, and this
effort moves us closer to realizing that shared goal.
We recognize that compromises must be made to move this
effort forward and we do not wish the perfect to be the enemy
of the good. In that spirit of compromise, ITI supports many of
the provisions in the discussion draft but we also offer
several recommendations aimed at further improving and
clarifying the draft language. ITI developed principles that a
data breach law must include to achieve much needed regulatory
clarity and certainty. We are pleased the discussion draft
reflects the majority of these principles by preempting the
existing patchwork of State laws to reduce consumer confusion
and ensure quicker and more consistent notifications; providing
an exception for information that is rendered harmless via
technology such as encryption; avoiding over-notification by
appropriately limiting the definition of personal information
to data that can be used to inflict concrete financial harms;
acknowledging consumers are not well served by receiving
notices from companies they do not recognize, but allowing
companies and their third-party vendors to agree on
notification responsibility by contract as appropriate; and
recognizing criminal penalties are inappropriate for companies
who are themselves victims of criminal hacks.
Regarding the security provisions in the bill, ITI has long
advocated for security approaches that are voluntary, grounded
in sound risk management principles and international
standards, foster innovation in cybersecurity and data
protection, and are scalable for organizations of all sizes and
sophistication. Flexibility is key, as a company must be able
to protect the information it holds in a manner that is
reasonable and appropriate to the nature of its business
resources and the sensitivity of the data it handles.
The security safeguards appear largely consistent with
these key security principles, but we are concerned about the
multilayered approach established by the bill which sets forth
an enumerated list of sometimes prescriptive safeguards layered
by a reasonable security standard. To help alleviate this
concern, we recommend the inclusion of a heightened burden of
proof for regulators, which would simply require a more
thorough showing that a company who relied on and complied with
the Government-directed safeguards and yet still suffered a
breach nevertheless lacked reasonable security.
In addition to this suggestion, my written testimony offers
several additional recommendations to improve and clarify the
proposed notification regime. I will briefly highlight a few of
these recommendations here.
First, the discussion draft requires notification be made
immediately and without unreasonable delay. There are several
reasons why immediate notification is not only infeasible but
often inadvisable. Chief among them is that consumers will be
subject to further harm by would-be thieves if the public is
alerted to security vulnerabilities prior to their remediation.
We recognize the urgency required in notification and recommend
utilizing existing language from one of the existing State laws
to more effectively balance these considerations.
Second, the discussion draft requires third parties to
notify covered entities if a breach of personal data has or may
have occurred. Our companies deal with a large volume of
security incidents daily, and while breaches are frequently
suspected, preliminary investigations often reveal no breach
occurred. Third parties cannot and should not be expected to
notify based on a guess as to whether a breach may have
happened. They must be afforded the same opportunity as covered
entities to conduct an investigation to determine whether the
security incident resulted in a compromise of data.
Third, as the definitions are drafted, third parties will
simultaneously be considered covered entities in most
instances. This is problematic, because the discussion draft
imposes different requirements on covered entities versus third
parties. So, the overlapping definitions will subject third
parties to divergent sets of requirements for the same
activity. The definition of ``covered entity'' must be amended
to focus on entities that own or license the data.
Fourth, the discussion draft permits unlimited civil
penalties arising from a single incident. Most data breaches
are the result of criminal acts. Organizations can and should
do their part to protect consumer data from unauthorized access
and acquisition, but uncapped civil penalties are seemingly
punitive in nature and not appropriate when an organization has
been victimized by criminals or a nation state.
Thank you again for the opportunity to share our
perspective here today. I look forward to your questions.
[The prepared statement of Mr. Miller can be found on page
151 of the Appendix.]
Chairman Luetkemeyer. Mr. Miller, thank you so much.
Mr. Kratovil, you are recognized for 5 minutes. You have a
very high bar to keep. Each one of these witnesses so far has
stayed right at or underneath their 5-minute allotment here.
STATEMENT OF JASON KRATOVIL
Mr. Kratovil. Mr. Chairman, Ranking Member Clay, and
members of the subcommittee, on behalf of the leading banking
and payments members of FSR, thank you for having me here today
to discuss two proposals closely linked in their goals to
improve cybersecurity and the protection of consumers' credit.
For companies across the economy, data isn't just a nice
thing to have. It is increasingly the engine of modern
commerce. For the better part of 13 years, I have been involved
in this committee's work on data security legislation. Back in
2005 when I worked for the late Congressman Steve LaTourette,
this committee passed his bipartisan legislation, marking the
first time a Congressional committee directly tackled this
issue.
Back then, high-profile data breaches grabbed headlines
much as they do today, but it was in many ways a simpler time.
The ability to harness the power of data was confined to the
Government or the largest, most sophisticated companies.
Household budgeting relied on balancing a checkbook, not data
aggregation platforms running advanced APIs, and the cloud was
simply an object in the sky.
While times have certainly changed, some principles remain
the same. Over the last 13 years, the financial industry has
consistently called for Congress to enact data security
legislation that sets strong but flexible and scalable
requirements for companies across the economy to protect data
and to ensure consumers receive notice of a breach when they
are at risk. The proliferation of sensitive consumer data
across the economy has only heightened the need for Congress to
act.
Today, a business with only a few employees and modest
resources can obtain the technology or develop an app to allow
them to come into contact with millions of pieces of data. The
implications of this from a consumer privacy and business
ethics perspective are significant. The discussion for
policymakers, however, must begin with security. That is why
both the PROTECT Act offered by Congressman McHenry and, Mr.
Chairman, the discussion draft of data security and breach
notice legislation you and Congresswoman Maloney have put
forward are so important and timely.
The discussion draft of data security legislation is an
excellent start and represents the best opportunity I have seen
to actually get a bill through the House. I provide a more
detailed review of both proposals in my written testimony, but
would like to offer a few observations on the Chairman's
discussion draft.
First, your draft sets a high bar for data security. For
the financial sector, this is critical. Underlying our advocacy
for Federal legislation is the hope that with the right
standard, the number of incidents can actually be reduced.
Reaching the right threshold means spelling out a process and
risk-based framework for companies to follow. Federal
legislation should not expect the small mom-and-pop merchant to
deploy the same cyber resources as their larger counterparts.
Your draft sets the right standard while not unduly burdening
firms that have little or no exposure to sensitive data.
Second, we strongly believe notification to consumers must
be tied to an assessment of risk as the discussion draft makes
clear. By that, a breach of commonly available phonebook-type
information or sensitive information that is encrypted should
not trigger notice. Notice must be viewed by consumers as a
call to action, based on an assessment that the nature of a
breach has exposed them to a risk of financial fraud.
Over-notification makes us desensitized. I guess most of us
are guilty of throwing out yet another breach letter we
received in the mail. With this draft, Congress has an
opportunity to reframe the importance of breach notification,
making receipt of a notice something we as consumers take
seriously.
Third, the United States has favored a sectoral approach to
the regulation of data security and that approach should be
preserved. By that, I mean new legislation should recognize
that sectors including the financial industry have existing
Federal obligations to secure data and notify consumers of a
breach and not add duplicative responsibilities.
Finally, we believe preemption of the patchwork of State
laws is the right approach for Congress to take. Few issues
better illustrate the need for a uniform Federal standard than
data breach. That said, I would be very concerned if the
measure before us only amounted to a weak data protection
standard. However, as I mentioned, the discussion draft hits
the right mark.
In conclusion, with the lessons of history as our guide, it
is clear that finding consensus is critical if we want to see
data security legislation enacted. FSR has worked for many
years to help bridge the policy divides that have caused the
legislative process to stall in the past. As evidenced by this
panel, more stakeholders are at the table today than ever
before, ready to work with this committee and others in the
interest of seeing a strong piece of consumer protection
legislation signed into law.
Thank you, Mr. Chairman. I look forward to your questions.
[The prepared statement of Mr. Kratovil can be found on
page 126 of the Appendix.]
Chairman Luetkemeyer. Thank you, Mr. Kratovil, and I thank
all of our witnesses. You guys did a great job and we certainly
appreciate your thoughtful suggestions. And again, we are
discussing a draft legislation with regards to what we are
doing with our particular bill. And so, it is a work in
progress and we appreciate your willingness to work with us on
that. It is not perfect. We are going to try and get it better
and hopefully, it would be something we can implement here down
the road.
So, with that in mind, I appreciate the statistics Ms.
Cable gave us, 28,000 breaches in the last 10 years. We have a
crisis on our hand, do we not? It would seem to me that this
is--we have to do something different than what we have done in
the past. So, I appreciate your comment. Also when you said
data insecurity, that is a new word. I like the way you phrased
that. It feels like after 28,000 breaches, we do probably have
data insecurity rather than security at this point.
So, with that, Mr. Creighton, I want to begin the
questioning with you. There has been a lot of conversation
around what this discussion draft might mean for credit
bureaus. Can you tell us what if anything would change for your
members if this bill was signed into law? And you have two
bills here today that address a little bit in your world, so,
if you don't mind.
Mr. Creighton. Yes, sure. Your bill, the Data Breach
Notification and Security Bill would--we are currently subject
to the FTC's Safeguards Rule and our reading of the bill is
that we would continue to be subject to the FTC's Safeguards
Rule, but we would be subject to a new data breach notification
standard at the Federal level, which currently doesn't exist.
Right now, we comply with a series of State laws around the
country--
Chairman Luetkemeyer. Is that a better deal or a worse deal
for you?
Mr. Creighton. Well, I think it would be a greater deal for
our consumers, for customers because we are trying to figure
out what we should be complying with at any one moment. If
there was one strong standard that we could live up to,
consumers would benefit from that.
Chairman Luetkemeyer. OK, very good.
Mr. Creighton. On the PROTECT Act, the most--the biggest
change would be the elimination of the use of Social Security
numbers in 2 years. We would like to talk to the committee
about that. That would not be something that we think we could
work with, but we are interested in how we can innovate and how
we can get other--find another universal identifier, but it
would be a very difficult thing to do.
We haven't solved that problem yet and Congress has been
studying it for many years. The other thing is it would set a
new data security regulator for the credit bureau industry that
would be set by the Federal Financial Institutions Examination
Council.
Chairman Luetkemeyer. Very good. Thank you.
Mr. Kratovil, as you know, financial institutions carry a
lot of sensitive information for consumers. Some have charged
that those institutions which are subject to the Gramm-Leach-
Bliley Act have no requirements when it comes to safeguards
notification. Is that accurate?
Mr. Kratovil. In a word, no.
Chairman Luetkemeyer. I like the brevity of that answer,
but I would like a little bit more explanation.
Mr. Kratovil. Of course.
Chairman Luetkemeyer. Thank you.
Mr. Kratovil. In 1999, Congress passed GLBA. In 2000, the
banking regulators and the FTC began implementing it. What they
implemented were a series of interagency guidance and
guidelines establishing information security practices and
breach notification.
Fundamentally, that guidance was issued as a core element
of safety and soundness regulation. Banks are examined to
ensure compliance with the guidance and compliance is demanded.
And if compliance is not met, examiners have an extensive set
of enforcement tools at their disposal with which they can ensure
any financial institution in violation becomes compliant.
Chairman Luetkemeyer. So, I understand that there are all
different levels for compliance with this. Are there not?
Mr. Kratovil. Yes, sir.
Chairman Luetkemeyer. I appreciate that. Thank you very
much.
Mr. Miller, one of the most discussed elements of the bill
deals with requirements of third parties to notify in case of a
breach. I think you discussed this a little bit in your opening
statement. But can you give us your thoughts on how those
requirements should be structured?
Mr. Miller. Thank you for the question. Well, there are a
couple of aspects of the third party requirements that I did
point out in my testimony which could be improved.
One of those is with respect to the overlapping
requirements between third parties and covered entities. I
think this could be tightened up by, I suggested, fixing some
of the definitions and focusing both sets of definitions on
what types of data is being handled or stored and using terms
like that is actually very--it really creates a lot of
confusion and, in particular, focusing the covered entity
definition on companies that own or license data certainly
seems better to us.
With respect to the third party and the notifications
themselves, the goal of the bill, we think, should be to
provide, of course, meaningful notice to consumers. The
entities with whom the consumers have a relationship, if we are
really going to effectuate that goal, should be the ones
providing that sort of notice. There are always going to be
other parties involved in a breach, when we look at today's
interconnected ecosystem, and the bill appropriately provides
for those parties to work out the details of how those costs
are shared.
Chairman Luetkemeyer. Thank you for that. My time is up. I
didn't get a chance to discuss this with you, but just to give
you a heads up and hopefully some of the members of the
committee will follow up on this. There are some European
standards that are being promoted by some of the folks in
Europe and I am not a big fan of letting Europe tell us how to
do our business over here.
So, I am concerned about that and I will hope that one of
our members will follow up with some questions with regards to
how you all view those sort of standards and if some of them
are good, some of them are not so good, which ones we need to
be thinking about.
So, with that, I yield my time to--my time is up and I
yield to Mr. Clay, the Ranking Member, for 5 minutes.
Mr. Clay. Thank you, Mr. Chairman.
Ms. Cable, according to Attorney General Healy, data
security and breach notification legislation marked up by this
committee last Congress would have drastically undercut your
State's data security regulation. Would the concerns raised by
AG Healy still apply to the discussion draft under
consideration today, and can you explain specifically which
Massachusetts safeguards would be undermined if the discussion
draft were enacted in this current form?
Ms. Cable. Thank you for the question. I will say the
difference between this bill and prior bills that I think is
positive is that it does have a data security minimum standard.
In my written testimony, I have included some areas where that
standard can be improved in a way that I think decreases
compliance cost for businesses and protects consumers.
Putting that aside, the way that this bill changes the
status quo in a way that is worse for consumers is, as I
mentioned, it doesn't put notice in their hands; it
does not require notification to consumers until after they
have been harmed. It also allows the entity to conduct a
preliminary investigation as to the scope of the breach and
allows them to take remedial steps to secure the information
but puts no outward timeframe for that investigation.
And we believe in our experience, we have certainly seen,
this creates opportunities for abuse and further delay before
consumers are notified. So, we think that that is a big
departure from current law. That does not help consumers at
all.
Mr. Clay. And as the committee considers creating national
data security and breach notification standards, can you
comment on whether you believe it is critical that we preserve
the ability of States to protect their residents from emerging
threats to the privacy and security of their data?
Ms. Cable. It is absolutely critical. Currently, and our
office has been actively engaged with our State legislature on
improvements and the additional tools that we can use to
protect our consumers in light of Equifax, and we are not the
only State. I think States have been extremely active after
Equifax in taking a look at their security freeze legislation,
their data breach notification legislation, they are doing
their jobs. They are doing what States do best, which is being
agile, being innovative, and coming up with protections that
they think fit their consumers and their consumers' needs.
This bill, the preemptive effect of this bill, we think is
not in the consumers' interest. And one thing I want to point
out about the preemption as it currently is drafted--it
preempts any State law, quote, ``with respect to securing
information from unauthorized access or acquisition.''
It is not limited to securing statutorily defined personal
information. There is a big gap between what constitutes
information and what constitutes personal information. And in
my written testimony, I included some examples of some existing
State law that arguably this bill would preempt, that have
nothing to do with data breach notification or data security.
I think we are not for weaker Federal standards that
preempt stronger State law. To the extent there is preemption, we
think it needs to be narrowly tailored to the precise matters
that the bill is addressing, not spread on other areas.
Mr. Clay. And, Mr. Chairman, I couldn't agree more with the
witness. She is making the point as to why should we weaken
current protections under State laws that have already been
enacted instead of us erring on the side of trying to craft
this bill in a way that is consistent with the strongest
protections of what the States have enacted to this point.
I think she makes a great point about that and hopefully
going forward, we as a committee can find some common ground in
that area. And that is just a comment to you. I haven't
finished yet.
But look, it makes sense that we actually err on the side
of giving the strongest protection possible to the American
consumer and don't weaken them because we are trying to come up
with a national law. Don't make it weaker in order to appease
one side or the other. Make it stronger. Anyway, my time is up.
And I yield back.
Chairman Luetkemeyer. I appreciate the gentleman's comments
and I appreciate Ms. Cable's comments. In fact, the first
comment that you made, we are in the process of fixing that as
we speak. I think we were aware of that, but we appreciate you
bringing that point to us.
Again, we want to make sure that we do this in the right
way and, to the gentleman's concerns, this is the reason for
the draft, is to come up with better ways of doing things. And
we want to hopefully get that done here. Some of the States
have some standards that are not able to be adhered to by
everybody, so we want to make sure this is something that
everybody can live with.
So, we may back off the top standard a little bit to make
sure it works, but we are going to try and get this all done.
So, again, thank you very much.
With that, we will go to the gentleman who is the Vice
Chair of the committee, Mr. Rothfus. He is from Pennsylvania.
You are recognized for 5 minutes.
Mr. Rothfus. Thank you, Mr. Chairman.
And Mr. Miller, when we look back at the Equifax breach,
one of the major questions that stands out is why it took so
long to notify the public. Millions of Americans had their
personal data compromised and Equifax knew this, but they were
not able to take steps to protect themselves some time after
the breach occurred because they were unaware.
At the same time, I understand that if a firm that has been
breached goes public before any vulnerabilities can be patched,
bad actors can continue to exploit gaps in the firm's cyber
defenses. What is the best way to strike a balance between
prompt notification and thorough corrective action?
Mr. Miller. Thank you very much for the question. I think
you point out how it is a bit of a paradox. We, of course, want
to provide notification as quickly as possible when there is a
breach. By the same token, there are a lot of breaches,
unfortunately. I think the Chairman mentioned a couple of times
already, there is a crisis of sorts. And not all of those
breaches are going to actually result in a breach of consumer
data.
Organizations have to have the opportunity to conduct an
investigation to understand both the scope of the breach and
also, in particular, to patch a vulnerability before actually
providing notice, particularly public notice to consumers.
So, that is one of the reasons that we advocate against any
types of very strict timelines and certainly against an
immediate notification, but rather one that is without undue or
unreasonable delay, or something like that. Thank you.
Mr. Rothfus. Well, the Chairman raised the issue of the
European situation with their general data protection
regulation and the requirement of a notification within 72
hours. Have you had a chance to take a look at that?
And also Mr. Kratovil, I am just curious what you are
thinking on what the Europeans have done. If Mr. Miller, you
could comment, then maybe Mr. Kratovil?
Mr. Miller. Sure, happy to. I have taken a look at the GDPR
and that legislation. And I think it points to the importance
of really being clear about which notification we are talking
about.
There actually is not a 72-hour notification provision in
the GDPR with respect to consumer notifications, that there is
again an--without undue delay standard there. There is a 72-
hour notification obligation where feasible to regulatory
authorities. So, again, those are different types of
notifications, of course. Thank you.
Mr. Rothfus. Mr. Kratovil?
Mr. Kratovil. Congressman, I would align myself with Mr.
Miller. I completely agree with what he said. No two breaches
are the same. If we have learned anything, it is that fact
alone, and it does take companies time to get their arms around
the breach and to stop the bleeding as it were.
And also to figure out, as Mr. Miller said, did the breach
result in something that is actually of harm to consumers? If
what was breached was fully encrypted data that is unusable by
the person who exfiltrated it from the system and consumers
aren't at risk, does that trigger notice? Should that trigger
notice? We would argue that it doesn't.
In terms of timing, immediate is arguably an unprecedented
concept in terms of speed and certainly among the States. As
Mr. Miller said, most rely on some variations on the theme of
promptly and without unreasonable delay and we would suggest
that that is probably the best way to strike a balance in
Federal legislation.
Mr. Rothfus. In your testimony, you wrote, ``Congress needs
to act to require firms of all shapes and sizes that handle
sensitive information to protect the data.'' Why do you believe
it is important that firms of all types that handle sensitive
data comply?
Mr. Kratovil. Thank you for that question. And what I was
getting at, I mentioned in my opening statement, you can be a
very small business and with modest resources, you can get
access to the technology to allow you to be processing millions
and millions of pieces of consumer data.
It is very difficult to say that just based on the size of
a company alone should determine how or what data security
protection you should have on businesses. That is why the
approach in the discussion draft that builds in a flexible and
scalable framework that looks at a variety of considerations so
that a company can look at itself and make the appropriate
decisions based on the type of data that they hold, for
example, and how sensitive that data is, as to what cyber
protections they need to have in place.
Mr. Rothfus. And how would the bill appropriately tailor
data security obligations for firms of different sizes and
different industries without compromising our collective
security?
Mr. Kratovil. Yes. It is a great question and you can look
even to our law Gramm-Leach-Bliley for some reference and there
are parallels with what is in the discussion draft. And as I
mentioned, the bill lays out right up front a number of
considerations that a firm should take into consideration, such
as the size and complexity of the firm, the sensitivity and the
type of data it holds, the cost of available products and
security.
Again, getting to the idea that you want a small firm that
really isn't touching personal information or sensitive
financial information should not have the same data security
obligations as any of my members of large, nationwide
companies.
Mr. Rothfus. My time has expired. I yield back.
Chairman Luetkemeyer. The gentleman's time has expired.
With that, we go to the gentleman from Texas, Mr. Green is
recognized. Oh, Mr. Scott. I am sorry.
OK. The distinguished gentleman from Georgia is recognized
for 5 minutes.
Mr. Scott. Chairman Luetkemeyer, first of all, I want to
thank you and Ranking Member Clay for having this very
important hearing. Data security is very, very important. It is
on the minds of all the American people. And we can do a whole
lot better. We better get to work on it very quickly.
And, of course, I represent Georgia, the home of the most
unfortunately drastic cyber-attack with a very good company,
Equifax, that we are working to get that straight as well.
But, Mr. Chairman, I would like to just address my remarks
to one of the pieces of legislation we have before the
committee on data security and that is my good friend
Congressman McHenry's PROTECT Act, House Resolution 4028.
I just want to trump that and I have had a few moments of
being able to talk to Representative McHenry about my concerns
on this. And that is that in his bill, I found that one of the
problems is that it only requires enhanced cybersecurity
supervision for larger consumer reporting agencies.
I think it is very important to realize that Americans have
lost faith in all of their credit reporting agencies, so only
applying these new standards in his bill to just the largest
agencies would mean we would have some agencies that would meet
enhanced security standards while others would not.
I wanted to just point that out and see if we cannot build
upon that. But more importantly, I want to talk about this
organization that we refer to as the FFIEC. And that
organization is the Federal Financial Institutions Examination
Council.
And that is where we will be passing this hot potato to. It
is the interagency council for financial regulators. But I
think that this isn't enough. I really think Americans really
would want us to go a bit farther.
Everyone should be reminded that most Americans don't have
a choice about whether credit reporting agencies like Equifax
collects information on you. The American people, their data
are the products of these companies.
This world of the credit reporting agencies and how this
industry works has been a total mystery to everyone up to this
point. And after learning about what is happening, some of the
people--American people feel quite a bit helpless and
frustrated about it.
Let me just ask you and this panel, with that said, I don't
think that the Gramm-Leach-Bliley standards in Mr. McHenry's
bill go far enough. And I think we should hold the credit
reporting agencies to a higher standard than we have.
We had the worst data breach in American history, 145, 146
million American families lost very valuable data. And so, I
was wondering if you all agree with me on this. Ms. Cable,
would you respond to that?
Ms. Cable. Absolutely, thank you for the question. I
absolutely agree. In our experience, again, over 10 years,
21,000 data breaches. Equifax is by far the worst. Both in
terms of size and scope, the sensitivity of the data and what
Equifax is.
It is in the very business of protecting this precise data.
And as the full committee learned a few months ago, our office
has viewed Equifax through the law. Putting aside the PROTECT
Act and looking at the Federal data security proposed
legislation, I will note that it does appear to tie the hands
of the State against a future breach by an entity such as
Equifax. It is a little unclear, but comparing this bill, if it
were to go forward, against the status quo, an entity like
Equifax would frankly receive a windfall in terms of having one
less source of regulators over it and that would be the States.
We don't think that is appropriate at all. We think there
is no justification whatsoever, especially in light of Equifax
for that to be the case.
Mr. Scott. I thank you, Ms. Cable. My time is up. Mr.
Chairman, I just make note that I look forward to working with
Mr. McHenry on this and see if we can apply it to all of the
agencies. I think he will be agreeable to that.
Chairman Luetkemeyer. Thank you for your thoughtful work
here. Thank you, Mr. Scott. His time has expired.
With that we go to the gentleman from North Carolina, Mr.
Pittenger is recognized for 5 minutes.
Mr. Pittenger. Thank you, Mr. Chairman for holding this
important hearing today. I would like to thank all of you for
being here. It has been very revealing for me. Data security is
an essential part of any company. It is a critical part of
ensuring that consumers' data is protected, that all customers'
information is obviously kept safe. I would like to thank, as a
result, Mr. McHenry, Mr. Luetkemeyer, Mrs. Maloney for their
efforts and the hard work, all this important legislation.
The ever-present threat of data breach has many
Americans sick and tired of, frankly, their Social Security
numbers being breached and being identified. And I would like
to address first Mr. Miller, and then Mr. Creighton. What can
we do about our Social Security numbers being compromised?
Mr. Miller. Thank you for the question, Congressman
Pittenger. Well, I know that the PROTECT Act discusses Social
Security numbers and the potential for phasing out Social
Security numbers. I think if you talk to most security experts,
they will tell you that that is a laudable goal, moving away
from static universal identifiers.
The question, of course, as your question implies, is how
do we get there? There are all types of innovative technologies
and progress being made around different types of
authentication using biometrics, et cetera.
I can't sit here today and tell you I have the answer on
what the alternative is for protecting or even not using Social
Security numbers so much, but I do know that we need to keep
looking for other solutions to what Social Security numbers are
currently serving in terms of their purpose.
Mr. Pittenger. Mr. Creighton, would you like to weigh in on
this?
Mr. Creighton. Yes, Sir. The Social Security number is
really used as an identifier, not as an authenticator. And that
is an important difference. You would be surprised at how many
people in this country share the same name and even share the
same date of birth.
And the Social Security number gives us the ability to
match the right information with the right file, for example, a
father and a son who share the same name and maybe even the
same address.
We believe it is very important that the Social Security
number stay out there for identification purposes only. Now, if
that was all that was necessary for you to go out and to get a
loan, there would be a much greater incidence of new identity
fraud or new account fraud in financial institutions because
the Social Security number has been compromised so many times
that they are out there, right?
The OPM (U.S. Office of Personnel Management) hack, which I
was subject to and I am sure others on this committee were, is
one example of many other examples where the Social Security
number has already been compromised.
The wide-scale usage of Social Security numbers didn't
happen overnight. It really was something that is a decades-
long process that started with the Executive Branch and
eventually moved into the private sector.
But now it is there. And the question that I think we need
to answer is, if we are going to replace it what do we replace
it with? We still need something that is going to identify
people.
Mr. Pittenger. And?
Mr. Creighton. I don't have the answer for that.
Mr. Pittenger. OK.
Mr. Creighton. And I wish I did. Believe me because--
Mr. Pittenger. I thought it was just going to burst out.
Mr. Creighton. Oh no, I wish. But I personally have been
breached so many times. It makes you crazy.
Mr. Pittenger. Sure. I have too--
Mr. Creighton. I understand that, but there is nothing
right now that it could be replaced with, unfortunately.
Mr. Pittenger. We will wait for that magic moment.
Mr. Creighton. Yes, sir. Me too.
Mr. Pittenger. Mr. Kratovil, kindly tell me the role again,
just clarify, of law enforcement and what role they play in
determining the notification timing after a breach has
occurred?
Mr. Kratovil. Sure, thanks for that question Congressman.
Financial institutions work very, very closely with two primary
law enforcement bodies, that would be the Secret Service and
the FBI.
They very often maintain very close working relationships
with field offices, so that in the event of a cyber incident it
can be a mutual effort to help ascertain what has happened, get
a handle on the breach. The main purpose of involving law
enforcement is to see if they have the capacity in the course
of investigating a breach to identify who has done the hacking
and maybe even go after them and get them.
And thinking about it in the context of the timing question
that we have talked about for notification, it is very
important to let that process happen. Our members take
engagement with law enforcement very, very seriously. And I
know having them involved in an investigation is critical.
Mr. Pittenger. Mr. Creighton, would you like to weigh in?
Mr. Creighton. Yes and in fact, in some cases, law
enforcement actually requests that the breached entity not
disclose until they can finish their investigation, and that is
something that the law should probably accommodate as well.
Mr. Pittenger. Thank you. My time has expired.
Chairman Luetkemeyer. The gentleman's time is about to
expire. With that we go to the gentleman from Washington, Mr.
Heck is recognized for 5 minutes.
Mr. Heck. Thank you, Mr. Chairman.
Last night I had the pleasure of watching my wife's--whose
birthday is today--beloved alma mater, Gonzaga University, put
the hurt on BYU, apologies to Congresswoman Love for the WCC
championship.
This will be our 19th straight State trip to the dance
under Coach Few who is the winningest active coach in the NCAA.
And many years ago the big schools started coming after him
because of his success. They try to lure him away with a
contract a multiple, far away from the little Jesuit University
in Spokane, Washington. And he kept saying, ``No, no, no, no.''
And he has said, ``No, no, no, no'' ever since.
And eventually they stopped asking. And then reporters
started asking, why did you say no all those years? And his
response was, ``Why mess with success?'' And that wisdom
reminds me of a provision that is included in this draft bill
and that is the carve-out for State insurance regulators.
I want to thank the Chair for that. I fought very hard for
that last year when we were in the midst of that and extend my
gratitude to Mrs. Maloney as well. I think it is a recognition
that for those of us who have as a goal protecting consumers,
acknowledge that State insurance commissioners oftentimes are
doing this very well.
I know they are in my State. My goal is protecting
consumers and my insurance commissioner is doing that. But that
is not to say, of course, that we don't have significant cyber
threats in this area.
And so, Sara, I want to direct this to you if I may, Ms.
Cable. We are having a hearing on data security. So, if you
could suggest to insurance regulators anything that they might
do to strengthen their cybersecurity rules, what comes to your
mind?
Ms. Cable. That is a big question. I think I will answer
if--
Mr. Heck. It is a great lead-up, though.
Ms. Cable. It is. It is. I will answer it by saying this is
not unique to insurance companies but to institutions in general,
and to comment on a comment made earlier that most breaches are
criminal in nature, that has not been our experience. And I
think there are other statistics to back this up, but by far
most breaches we see are a result of human error, because humans
are humans.
And sometimes companies have fantastic policies and
employees just don't follow them. Oftentimes, however,
companies do not have good policies or they have a policy on
paper that doesn't actually get implemented.
And even criminal breaches, as we see in the case with
Equifax, result from a failure to take even basic security
precautions, such as patching software the company knows to be
vulnerable.
And so, I think the advice to a regulator looking to enhance
or enact minimum data security standards is that they are
critically important, because there is an awful lot of room
for improvement.
And I think the standards established in Massachusetts
which are similar to the Gramm-Leach-Bliley standards, somewhat
similar to those proposed in this bill, although again there
are some improvements that we have put forth in our testimony
that we think are critical because it is impossible to stop all
breaches, but it is definitely possible to stop a lot of them.
Insurance companies handle tremendously sensitive
information. Sometimes a company has agents all over the place
that they have a hard time getting their arms around in terms
of making sure that those agents have secure systems, their
computers are secure and what not. So, I do think that data
security for insurance companies is critically important. The
States have been active in this. We had a resolution against
Nationwide Insurance a year or so ago.
So, I encourage State insurance commissioners to consider
minimum security standards. I think it is critically important.
Mr. Heck. So, in the short period of time I have left, and
prefacing this question with the disclosure I am not a lawyer.
I note that there is a use of terms like a reasonable risk,
economic loss, and unreasonable delay within the notification
section of this bill.
As it relates to Equifax, I guess I would be curious, Ms.
Cable, if you think 40 days was unreasonable. And does
unreasonable delay have any legal meaning?
Ms. Cable. Thank you for the question. I see my time to
answer--we have sued Equifax, so I would like not to speak to
the specifics of the facts, as the timing of the notification
is a claim in our case.
But speaking more broadly, Massachusetts has one of those
State laws that requires notice, I believe the words are as
soon as practicable and without unreasonable delay. It doesn't
ascribe an outer limit or initial limit for notice.
And I think that is for good reason. Every breach is
different. The circumstances are different. There are times
that an entity is not in a position, I have never seen an
entity in a position to provide immediate notice. However, I
have seen entities in a position to provide notice that delay
it for their own purposes. And you can imagine the list of
purposes that might be there. Words such as unreasonable,
lawyers have a good time with those words.
Ultimately, it would be up to a judge based on the facts
and circumstances. So, I think those words are useful, that
they provide a flexibility that is not a bad thing for
consumers and provides entities the flexibility they need.
Mr. Heck. Thank you.
Chairman Luetkemeyer. The gentleman's time has expired.
With that, we go to the gentleman from Colorado, Mr. Tipton
is recognized for 5 minutes.
Mr. Tipton. Thank you, Mr. Chairman.
I appreciate the panel being here. I appreciate Congressman
Heck's story, which we had a Colorado team that was just
winning a championship there as well. But I think you brought
up an important point and I think Ms. Cable had pointed to it
just a little earlier, brought up Massachusetts, brought up
your State regulators in regards to the insurance industry.
And Mr. Kratovil or maybe Mr. Miller, maybe you would like
to speak to some of the variances that we do see between
different States and maybe speak to why it is important that
you spoke to it in terms of some of your testimony, to be able
to have some of that harmonization.
Mr. Kratovil. Sure. I will start and hand it to my--
gentleman, Mr. Miller. I will give you some, at least one
example on the security side and one example on the
notification side and variances within State laws.
On the one hand, not too many States have data security
laws. Of course, Massachusetts has been a leader in that and
certainly has arguably the strongest State law on the books
right now. As Ms. Cable mentioned, there are many parallels to
the Gramm-Leach-Bliley standards for financial institutions in
her State's law.
But then you look at other States, for example, that have a
data security law that is perhaps just one line: you should
have reasonable measures in place to secure data. Those are two
ends of the spectrum when you think about data security.
On notice, thinking about the question of timing, I know
that is an important topic that the committee is considering.
As Ms. Cable noted, her State has what is a variation of a
standard that is used by the majority of States, which is
something promptly without unreasonable delay.
Some States have chosen to take and set date-specific
timelines, say 30 days I think is what the majority of States
that have chosen to pick a date have decided to use. So, again,
it speaks to the importance of Congress acting here to
smooth out, to set the right standard, an appropriately high
standard for everyone in the country, because it shouldn't
matter where you live as to whether or not your data is kept
secure.
Mr. Miller. Thank you. I agree very much with everything
Mr. Kratovil said. Again, just to reiterate the security point,
I think it has been pointed out a couple of different times
that there are some States such as Massachusetts that do have
high security standards in their State laws.
But there are many other States, 30-something, that don't
address data security standards at all, so it depends on your
perspective, I suppose, when you look at the discussion draft.
I would like to take the perspective that the discussion draft
is appropriately trying to raise all those 30-something boats
up to some type of meaningful, reasonable level for security.
And then on the notification front, again I agree that, in
particular, when we are talking about how companies function
and have customers in an economy all across the country and the
world--their customers are everywhere.
It doesn't make a lot of sense that they are going to have
varying requirements with respect to whether it was
unreasonable or undue delay, or 30 days or 45 days. So,
harmonizing a standard in that regard is really going to
improve the purpose of the bill, which is to help consumers.
Mr. Tipton. Right.
Mr. Kratovil, maybe you could speak to the point in regards
to startups and the private sector, private sector businesses.
What incentives are in place for them to be able to set
cybersecurity regimes within those businesses to make sure that
we do have the ability for notification?
Mr. Kratovil. I think increasingly privacy and security are
being baked in from the moment the coders sit down and start
writing the code to make their new technologies feasible.
Privacy by design, security by design are starting to become
the de facto standard by which entrepreneurs and technologists
are building applications. And certainly, from our perspective,
FSR's members tend to be on the leading edge of wanting to
partner with and collaborate with those technology providers,
and when that is the case, certainly our members are going to
expect that their technology partners are living up to the
absolute highest data security requirements.
Mr. Tipton. And does that speak to the point where we don't
want to have one specific regimen in place to be able to allow
that innovation in the private sector for some of the different
ideas that can then be shared with others?
Mr. Kratovil. Yes. You are absolutely right. Innovation in
both cyber and payment security, just as examples, is happening
at a tremendous rate. And that is why I keep pointing back to
the need, for whatever Congress does in this space to be
flexible and scalable. A framework, a process and risk-based
framework, that allows that innovation to continue. If you
mandate technologies, you just drive everybody to try to comply
with what standard you have baked into the law. That would
probably not be in the best interest of innovation.
Mr. Tipton. Thank you.
And, Mr. Chairman, I appreciate your and Mrs. Maloney and
Mr. McHenry's work on a very complex and tough issue that is
going to continue to perplex in some areas, but we will be able
to make some move forward with this legislation.
Thank you, and I yield back.
Chairman Luetkemeyer. Thank you for your comments. The
gentleman's time has expired.
With that, we go to the gentleman from Texas, Mr. Green,
recognized for 5 minutes.
Mr. Green. Thank you, Mr. Chairman. I thank the Ranking
Member as well. Thank you, the witnesses, for appearing today.
Mr. Chairman, I ask unanimous consent to introduce some 21
letters into the record. These are letters from the American
Bankers Association to the Financial Services Roundtable, to
the National Association of Realtors, to the U.S. Travel
Association, not naming them all. There are many more. With
unanimous consent, I ask that they would be introduced.
Chairman Luetkemeyer. Without objection.
Mr. Green. Thank you. And, Mr. Chairman, the Ranking Member
breached or broached if you will an area that I would like to
go into. And in so doing, I would like to lay this predicate.
There is an industry perspective on this.
And it appears that the retailers, and I am reading now
from the briefing book, have cautioned against replacing State
standards with the weaker Federal standard. There is also an
indication from the intelligence shared that consumer advocates
are of the opinion that a national data breach notification
standard should not come at the expense of weakening the
strongest standards already afforded in other States.
So, my question is to you, in your opinion is the
discussion draft a floor or a ceiling? And each of you can
respond if you like. Well, why don't we start here with a show
of hands first. If you think it is a floor, would you kindly
raise your hand.
And if you don't understand what a floor is, you can raise
your hand and then I will say more. Or if you think it is a
ceiling, raise your hand. OK. It seems we have unanimous
consent that it is a ceiling.
If you would, let us start with Ms. Cable, why, in your
opinion, is a ceiling appropriate or inappropriate?
Ms. Cable. Well, our position, perhaps not surprisingly, is
a ceiling is inappropriate particularly in this realm. This is
fundamentally drafted as a consumer protection measure. And for
a variety of reasons set forth today and I suspect in the
letters that were just submitted for the record, there are a
variety of ways this bill offers weaker protections than
currently are available to consumers under State law.
And in light of Equifax, there appears no reason from our
perspective to do so by then preempting States from enacting
stronger protections or enforcing the existing strong
protections that they have.
It is really just locking consumers into a weaker set of
protections for the foreseeable future at a time when breaches,
risks continue to multiply. So, we are not in favor of a
ceiling of protections.
Mr. Green. And your name is Cable not Gable.
Ms. Cable. Cable, yes.
Mr. Green. Thank you.
Let us move on to Mr. Miller. Mr. Miller, I believe you
would contend that it is appropriate to have a ceiling, is that
correct?
Mr. Miller. I guess I would--yes?
Mr. Green. Mr. Miller, I am going to have to ask that you
not equivocate if you would.
Mr. Miller. OK.
Mr. Green. Are you a ceiling guy or are you a floor guy?
Mr. Miller. Well, I think the bill tries to be both a floor
and a ceiling--
Mr. Green. Mr. Miller, Mr. Miller. I know. But the bill has
to be a ceiling or a floor. It really does. So, this may be a
time for you to pick sides.
Mr. Miller. I think we want to have a common notification
standard, and I think--
Mr. Green. Let me ask another question, Mr. Miller. Let me
go on to another question. Do you think that there should be
some language somewhere indicating that if there is a breach,
you cannot sell your stock if you are one of the executives?
You can't sell your stock before you announce the breach.
Should there be such language?
Mr. Miller. I am not sure if that language should be in
this bill or not, but it seems like a secure--
Mr. Green. But, no, no, but Mr. Miller--
Mr. Miller. --that sounds security--
Mr. Green. If you will note, I said some place.
Mr. Miller. OK.
Mr. Green. OK, some appropriate place because this is what
happened.
Mr. Miller. Right.
Mr. Green. And if you think that there should be some
language, we know that securities laws can deal with it, but
should there be some language that specifically says if there
is a breach you can't sell your stock before you announce the
breach?
Mr. Miller. That seems like reasonable guidance.
Mr. Green. Raise your hand if you think that there should
be such language. Yes, raise your hand please. That is all
right. OK. Everybody. So, I see that we have one person who did
not.
Sir, would you explain why you don't think so?
Mr. Creighton. Selling stock based on material nonpublic
information is illegal. And this is under investigation. And if
they were aware of a breach and they sold their shares based on
that that is something that the SEC and other Federal--
Mr. Green. I understand there are agencies and entities
that will look into it, but given that it happened and we can
put people on notice, is it so redundant that it would be
harmful? Is it so superfluous to the extent that it makes no
sense? It just seems that it is OK to tell people if you do
this, there is a penalty.
Mr. Creighton. It is already illegal. And I wouldn't have
any objection to it, but it is already illegal.
Mr. Green. OK. Thank you, Mr. Chairman.
Chairman Luetkemeyer. The gentleman's time has expired.
With that, we go to another gentleman from Texas, Mr.
Williams, recognized for 5 minutes.
Mr. Williams. Thank you, Mr. Chairman.
And thank you to the witnesses today that are here. As this
committee continues to work to protect American businesses and
consumers that are under a constant threat from cyber thieves,
as we have seen in the past year, cybersecurity breaches and a
loss of personally identifiable information have unfortunately
affected hundreds of millions of Americans.
Mr. Kratovil, in your testimony you state that this
legislation strikes the appropriate balance by setting a high
bar for data protection while providing numerous considerations
to ensure a small business that processes or maintains little
or no personal information is not burdened with the same
expectations as a large entity.
As a small business owner myself for over 47 years and a
steadfast defender of Main Street, I appreciate what you have
to say about that. My question is, what importance does
scalability play in ensuring a level playing field for entities
of all sizes and how does this affect consumer protection?
Mr. Kratovil. Thank you for that question, Congressman. It
is one of the critical aspects that we believe should be
included in any Federal legislation in this space. Scalability,
flexibility--taking into consideration the size and complexity
of a business--all have to be weighed in evaluating which
cybersecurity resources a company should be deploying.
If you were an FSR member, I think there are going to be--
there certainly are regulatory expectations that you are
investing heavily in cyber defenses. I know just a handful of
our members have invested over $1.5 billion a year in
cybersecurity defenses.
Juxtapose that against small businesses, perhaps such as
your own. When you look at your business, perhaps you are not
even--your employees aren't even coming into contact with
sensitive financial information that would be covered under
this legislation.
It probably goes without saying then, you should not be
employing the same cybersecurity resources as a national bank,
for example.
Mr. Williams. OK. Another question for you. In your
testimony you state that legislation should recognize both the
danger of alerting hackers to vulnerabilities before they have
been remediated and risking potential further harm to
customers, and then the risk of confusing or alarming consumers
unnecessarily if companies are forced to notify prematurely.
So, why is that important?
Mr. Kratovil. The idea there, is that oftentimes, when a
company discovers that they have been hacked, it is often the
case that the hackers are still in their systems. That is why
in the legislation it makes clear that hopefully law
enforcement is going to be able to be involved in a situation
like that and law enforcement may have an opportunity to trace
where the hack is coming from. Maybe even to identify who is
doing the hacking, in which case you definitely want to be able
to allow that process to happen.
Mr. Williams. OK.
Mr. Creighton, the Senate has proposed limiting the amount
and type of data that can be reported about consumers to credit
bureaus. My question is, what effect would these types of
restrictions have on the accuracy of consumer lending
decisions? And how would they affect credit availability,
particularly for vulnerable populations?
Mr. Creighton. Thank you for that question. When we collect
data, we are trying to collect data that is going to matter for
a future lending or other decision. Those kinds of data are
what kind of accounts do you have? What is your credit limit?
How much credit are you using? Do you pay on time? Those kinds
of questions.
We are trying to continue to gather more information from
other kinds of data furnishers--home renting companies,
apartment companies, that kind of thing, cell phone companies,
others so that we can expand the number of people who have thin
files.
Because if you have a thin file right now, and you go to
get a loan, they will look and they say, ``Well, we don't know
enough information about you to know whether you are a good
risk or not.''
So, we want to get more of that information because if we
have more of that kind of information, we are going to do a
better job of giving lenders what they need so that they can
bring people into the regulated financial system, which is what
we are all after.
Mr. Williams. Good. Another question to you. In your
testimony you stated that credit reporting agencies face only
enforcement and not supervision and examination by the FTC.
So, why do you believe that empowering the FFIEC to choose the
correct overseer is the proper fix for this regulatory gap?
Mr. Creighton. Yes. Thank you for that question. In the
time since I submitted my testimony, what I have learned from
my companies is that actually the Consumer Financial Protection
Bureau has asserted its authority under UDAP (unfair or
deceptive acts or practices) and other provisions to begin
examination of credit reporting agencies on cybersecurity.
While the GLBA specifically says that cybersecurity is
carved out under UDAP authority, the CFPB has asserted its
authority and is now examining at least two of our companies.
Mr. Williams. OK. Thank you for being here. And I yield
back my remainder of my time back.
Chairman Luetkemeyer. The gentleman yields back his time.
With that, we go to the gentleman from Georgia, Mr.
Loudermilk is recognized for 5 minutes.
Mr. Loudermilk. Well, thank you, Mr. Chairman. I appreciate
the panel being here today.
Mr. Kratovil, as I understand it, the Gramm-Leach-Bliley
Act may not explicitly require financial institutions to comply
with mandatory Federal data security and breach notification
requirements, but these requirements are essentially mandatory
in practice. Can you explain how that happens?
Mr. Kratovil. Yes. Thank you for that question. And yes,
sir, I agree with you. They are mandatory. There is nothing
about Gramm-Leach-Bliley's security requirements or notice
requirements that are treated as optional.
As I mentioned earlier to the Chairman, fundamentally,
these are safety and soundness standards. They are treated as
such for examination purposes. Examiners view compliance with
both the security requirements and notice obligations as
affirmative duties under safety and soundness regulations, and
the examiners themselves have a variety of enforcement tools at
their disposal should they find a firm is not living up to
either of those obligations.
Mr. Loudermilk. OK, I appreciate that. I had my staff ask
the Congressional Research Service and they advised the same
thing, and so, I just want to make sure that we had a good
understanding of that, and I appreciate that.
Mr. Miller, I want to talk about the third party liability
issue. I understand both sides of this debate. And on the one
hand, understand the--and I appreciate the argument that the
company that is breached should be responsible for the
notification, but on the other hand, are we subjecting the
consumers to even more or greater risk by transferring more
data into an entity that was just breached? I am trying to find
a good medium there. Can you comment on that?
Mr. Miller. I just want to make sure I understand your
question, you are talking about transferees of more data to
third party because of this breach--
Mr. Loudermilk. Well, in a third party situation where
there was a breach but the third party may not have the contact
information. And if we require them to actually make the
notification, are we not risking the consumer by even sending
more data to that third party?
Mr. Miller. Absolutely, particularly if the third party is
the one who was breached. Probably there are questions
regarding security, so sending a bunch of additional
information to them seems questionable.
Mr. Loudermilk. Yes. And I feel like there is some
liability there, but then we have that issue, and I don't know
if anybody else would like to comment on that if you have
feelings. It is just one of those issues we are
struggling with at this point: how do we resolve that if
the third party was actually the factor that caused
the breach?
Mr. Miller. If I could just comment a little bit further on
the third party, it is true that third parties, again, if we
look at business arrangements and particularly of large
companies across a variety of industries, they are using third
parties for a variety of different purposes. Some of those
third parties are small companies, some of those third parties
are large companies and providing all different types of
services.
There was one very notorious breach a few years ago where a
major company was breached through a third-party HVAC vendor
for instance.
Mr. Loudermilk. Right.
Mr. Miller. So, the most sensible way it seems to deal with
the apportionment of liability in these types of scenarios is
through a contractual arrangement between the parties who are
free to contract with different parties if they would like to
choose different entities with which to work and requiring
strong security practices is certainly something I would advise
any party to do.
Mr. Loudermilk. OK. I appreciate that. This is one of the
issues that I have been struggling with because I understand
that there is some liability there but also do you provide more
information to the entity that was just breached.
And dealing with the information, I will throw this out to
anyone in the panel in the last few seconds we have, are we
collecting and maintaining too much data, because we know the
more data you have the more data we require through the
Government to be maintained, the more risky it is when you
don't have to protect what you don't have.
Anyone want to comment on are we collecting and maintaining
too much data?
Ms. Cable. I think your point is well stated. If you don't
have it you have automatically reduced the risks to your
company.
I can't speak to, I know that it is extremely valuable to
businesses and it provides benefits for consumers for those
businesses to have that data. However, we do see a lot of
companies collecting data that is very sensitive for consumers
without having a present need for it or holding on to data for
years and years and years when they are not using it. So, I do
think that is part of the concern, good practice, data
management practices would reduce the amount of data that you
are not using that you don't have.
Mr. Loudermilk. Well, I appreciate that and I think that
would expand also to our Government as well.
Mr. Creighton. Very briefly I was just going to make that
same point. This is a problem across the economy in both public
and private sectors.
Mr. Loudermilk. Thank you, Mr. Chairman.
Chairman Luetkemeyer. The gentleman's time has expired.
With that we go to the gentlelady from Utah, Mrs. Love is
recognized for 5 minutes.
Mrs. Love. Thank you.
Do the standards for credit bureaus differ from the
standards for other sectors of the economy? If so how, why, and
I want to get into the European cybersecurity initiatives just
to follow up from the Chairman's questions.
Mr. Creighton. Sure, the National Credit Reporting Agencies
are subject to the FTC's Safeguards Rule, which is the rule
that applies to, under the Gramm-Leach-Bliley Act, to non-bank
financial entities. So, there is no data security standard for
most companies in the country, but financial institutions have
standards. So, if you are a bank you are covered by your
prudential regulator but if you don't have a prudential
regulator like the OCC or the Federal Reserve, then you are
subject to the FTC's Safeguards Rule. And the credit bureaus
are one kind of company that is subject to that.
Mrs. Love. OK. So, I guess this is an opinion for everyone.
I am interested in the European standards, how do you view
these standards? Do you think that these standards are going to
be influential? I just wanted to follow up because I think
that, I agree with the Chairman, I would hate to have somebody
else dictate what we do. So, I just wanted to know what your
thoughts were on that.
And anyone can answer. I am just--
Mr. Creighton. I will kick it off because I will be very
brief. Generally speaking, our reading is that for credit
bureaus specifically there would not be much impact from it
because we are collecting as credit bureaus very narrow parts
of the larger information environment. Again, as I said, we are
collecting the ``do you have credit, how much credit, with
whom, do you pay on time?'' And those sorts of--that sort of
information is part of an ongoing business relationship that
you have with your lender.
So, if you have a credit card account, that credit card
company is reporting that information up and that would
continue even under GDPR. The larger data broker issue would
come into--is more implicated by that and that is not a part of
the environment that I generally work in.
Mrs. Love. OK.
Mr. Miller. Thanks for the question. With respect to the
GDPR there are a few different requirements particular to
breach.
As I mentioned previously, there is a ``without undue
delay'' standard for consumers and with respect to
notifications to regulatory authorities there is ``where
feasible, but not later than 72 hours'' language.
I would additionally say this, to speak to the Chairman's
question that he teed up at the outset, it is premature to be
looking to the GDPR as a best practice for anything, in my
opinion, to the extent that it hasn't been implemented yet. It
is going to be implemented this May. There are a lot of
questions regarding how certain provisions are going to be
implemented, particularly around data breach. So, I would say--
I wouldn't worry too much yet about that particular issue.
There are also a variety of cybersecurity standards in
Europe that are being proposed that I would also be happy to
get into, but--
Mrs. Love. Is it important to keep an eye on that and to
look on how that affects?
Mr. Miller. It is definitely important because, again, all
of our companies are global companies doing business globally,
so they are going to have to comply with that if they are doing
business in Europe, or doing business with European citizens.
So, it is important.
I am just commenting on, not looking to something that
hasn't yet been implemented, to see if it can be implemented as
designed, as a model. I think it is premature to do that.
Mrs. Love. Do you have any concerns with the present model?
I know you are concerned about because you don't know how it is
going to be, what the reaction is going to be or what the
results are going to be, but do you have concerns with the way
that it is set up and what the standards are currently?
Mr. Miller. Well, again, as the number of--I think all the
witnesses have said at one point or another today having a very
tight timeline for any notification such as 72 hours is very
problematic just because, again, as we can point to lots and
lots of high-profile breaches, you can look at some Government
breaches like OPM, it takes months sometimes to even realize
there has been a breach and then to figure out what exactly is
going on.
So, a 72-hour provision in many instances is going to be
impossible to comply with.
Mrs. Love. Do they have that in their standard, they have a
72-hour--
Mr. Miller. Yes, the 72 hour for notification to regulators
but not for notification to citizens.
Mrs. Love. OK. Do you have anything that--you mentioned,
you look like you had something that you wanted to add.
Mr. Kratovil. I would just agree with Mr. Miller on the
point he made that it might be a little too early to make any
judgment calls on GDPR. I know many of FSR's members are global
in nature, and so there is already a tremendous
amount of discussion as to how do we come into compliance with
this and make that system work.
Mrs. Love. Thank you.
Thank you, Mr. Chairman. I yield back.
Chairman Luetkemeyer. The gentlelady's time has expired.
With that we go to the gentlelady from New York, Ms. Tenney
is recognized for 5 minutes.
Ms. Tenney. Thank you, Mr. Chairman.
And thank you, panel, for this discussion. As we know,
obviously, cybersecurity, cyber attacks are becoming the new
way to rob a bank, to rob a store, to rob citizens from their
living room.
Last year, the New York City Attorney General reported 16
percent, or that cybersecurity invasions are up 60 percent, and
more and more of New York's personal records, in fact, have
been tripled since last year. Obviously the Equifax breach was
huge for us with eight million people in New York State being
exposed in the Equifax breach out of about 19 million.
Actually, this past January, our own New York State
Education Department was also breached. These things are
certainly of concern. I want to just give a little shout-out to
a local college in my community. Utica College has teamed up
with the cybersecurity department in our county to try to
prevent against these attacks and identify potential risks and
weaknesses in our data system.
But my question involves, first, I would just like to find
out to what extent will a national standard provide for better
security than something on the local or State level?
Obviously, I am just curious if you could comment, maybe
Mr. Kratovil, you could mention it first?
Mr. Kratovil. Sure. Thank you very much for the question.
If it is done correctly and by that I mean if it is an
appropriately strong standard, as we have talked about a lot,
it takes into consideration a variety of factors to not overly
burden small businesses, we believe that is the absolute best
way for Congress to act to ensure that no matter where you live
in the country, that your data is protected with a strong
standard. That is really the core for the financial industry.
Ms. Tenney. Great. And I think it is great that we are
tackling this issue but I am a small business owner, and so,
for us, obviously our customers and their security is of
paramount interest to us like smaller banking institutions and
other types of retailers.
So, how can we make this in a way that is cost effective so
that the smaller players which often can't afford the
compliance costs of a national standard, how do we come up with
something that is affordable to them because what often happens
is you come up with a national standard and then these people
will get left on the wayside and then you end up with the
collapse of the small business community because they just
can't--this is a perpetual problem in State government. I know
when I was in State government, we just put these big one-size-
fits-all regulations and then we ended up with the loss of a
small business community, which is really important to our
area.
Mr. Kratovil. Yes, that is a very important point and I am
glad you raised it. And the discussion draft actually gets
right to the heart of the cost question, because securing data
is not a cheap proposition. And 3.A.2.c reads, ``the cost of
available tools to improve security and reduce vulnerabilities.''
Ms. Tenney. Is there enough flexibility in this standard
that would allow groups, different retail groups or different
sectors, to get together in a way that they could provide for
their own security and to manage the costs? Is that something
that has been contemplated and anyone on the panel can comment
on that quickly if you have a question, without violating any
kind of Federal standard.
I know there is a lot of--obviously we are dealing with
Social Security numbers and sensitive information which is--
which is in there. Anyone have a comment on that? There is no
way to make that so that they are able to do, to be able to
collaborate or come up with a retail institution?
Mr. Creighton. I am probably not the best person to talk
but the establishment of sector-specific ISACs (information
sharing and analysis centers)--
Ms. Tenney. Right, OK.
Mr. Creighton. --is really the best way for companies to be
able to share information, build relationships with Government
and to prepare for breaches and then respond to them. And
there--we have them in financial services, energy, lots of
different entities.
Mr. Miller. Yes. There are several dozen ISACs in the
country.
Ms. Tenney. Right.
Mr. Miller. The Financial Services ISAC includes thousands and
thousands of financial institutions in the country. The Retail ISAC
was stood up in the last few years. Again, to Mr. Creighton's
point, to be able to share that threat information and help
each other defend against cyber attacks.
Ms. Tenney. Right. And I think that should be helpful.
Obviously it is sensitive information.
One of the big concerns I have is just a little bit outside
of this space, is that we have--the State governments typically
don't have the ability and the resources to provide really
adequate security and data. Do you think that that is something
that could be done--so we have a national standard, what about
the State government's requiring some of these data be turned
over in the regulator process, for example, the banking
institutions, insurance institutions, and other retailers?
Mr. Kratovil. Well, we have many of those same concerns at
the Federal level because the bank regulators do expect
tremendous amounts of very sensitive and proprietary
information, for example, about financial institutions'
cybersecurity programs to be turned over as part of the
examination process.
Ms. Tenney. I am running out of time, but one quick thing,
for example, Congress gets hit almost every day and the
Government institutions are probably the most vulnerable. Would
you agree or disagree?
Mr. Kratovil. Yes, ma'am, I would agree with that.
Ms. Tenney. Thank you so much. I appreciate your testimony.
Thanks.
Chairman Luetkemeyer. The gentlelady's time has expired.
With that we will go to the gentleman from Michigan, Mr.
Trott is recognized for 5 minutes.
Mr. Trott. Thank you, Chairman.
I want to thank the panel for joining us this afternoon.
And one of my concerns when we work on data security and
standards is a desire, on the part of some, to set up
``gotcha'' moments. And if you look at the Equifax breach,
terrible set of facts but it provides good 30-second soundbites
for people here in D.C. to attack Equifax and they deserve some
of it, that is for certain.
But one of my concerns and I would be interested in, Mr.
Miller, your thoughts on whether either bill that we are
looking at, are the standards reasonable? And I know section 3
of the Chairman's bill says, ``reasonably designed to protect
individuals.''
If you start with the premise that no business or database
including the Government is beyond being hacked. When I was in
business we used to hire brilliant high school students to
figure out a way to hack into our firewall and our databases.
And they always seem to figure out a way to do it, and we spend
a lot of money on trying to protect our data.
But do you feel like there is enough flexibility such that
some of these businesses aren't being set up to fail?
Mr. Miller. Thank you for the question. I think for the
most part, there is a significant amount of flexibility in the
security standards in the bill and that is appropriate. As
others on the panel have said, it is really important that we
aren't too prescriptive in our standards and require the same
level of specific security standard for a large multinational
corporation or the Department of Defense, as we do for a small
or medium-sized business or a startup. There are a whole bunch
of reasons for that.
In particular, one of the good things about the list of
safeguards in the bill, is that they are consistent with a lot
of risk management-based principles, and while we certainly
advocate for risk-based approaches, I think it is important
that we also, when we talk about data security, we often talk
about the protect function and that piece of the puzzle, and
that is really important.
But there is the reality that breaches are going to happen
so you need to be focusing also on how you respond and how you
recover from that breach, and that is the bill.
The one thing in the safeguard section that does seem to
not really account for that sort of flexibility to us is the
requirement to have, essentially, to designate a security
official who is in charge of the safeguards.
Again, if you have a two-person startup it is questionable
whether you need to have the same type of mechanism, a
designated security official at a two-person company or at a
major bank, for instance. And that is the one thing I would say
about that.
Mr. Trott. Yes the two-person startup, the designated
person might also be cleaning the coffee pot out at night, too.
So, that is a problem.
One question, this area is constantly evolving, so what
kind of flexibility should we build into any solution to deal
with the changes that are inevitable with respect to the
technology and how consumers are using the Internet and other
places where they are putting their confidential information?
Any thoughts would be helpful, because there is no question
that today's safeguard is going to be updated tomorrow when
they figure out some other new and better way to hack into it.
Mr. Miller. Well, I completely agree with that. We want to
have technology-neutral requirements. The point was made
earlier about innovation and the fact that there are new
security measures and tools being developed all the time. And
it is obviously something that we need to do, because the
attackers are also innovating and coming up with new
techniques.
There are plenty of examples that we probably don't have
time for now. But, there are security technologies that were
state-of-the-art 10 years ago that simply aren't state-of-the-
art today. If you bake those into a statute and say you must
use technology X eventually that is going to be an obsolete
statute.
Mr. Trott. No question.
Mr. Creighton, you I think mentioned the CFPB a few minutes
ago, can you just briefly comment on how the decisions by the
CFPB and the FTC and other banking regulators have conflicted
in this area? And maybe this was covered earlier by someone--I
got delayed getting here--and, do you think that UDAP authority
that the CFPB utilized is even appropriate?
Mr. Creighton. Well, in GLBA, in Dodd-Frank the data
security was specifically carved out of the CFPB's authority.
And we would suggest that Congress would probably want to
revisit that as the McHenry bill does, as the PROTECT Act does.
But the CFPB does and always has maintained UDAP authority and
they are in the process now of asserting that authority and
getting in there, and, if they are in there, they are in there.
We are not in the business of criticizing our regulators.
Mr. Trott. Yes. OK. I will do that for you, so no worries.
But I think I am about out of time so I yield back. Thank
you again for your time, gentlemen.
Chairman Luetkemeyer. The gentleman yields back.
We are without any further folks in the queue. So, with
that we will wrap up the hearing.
Just some closing comments. We were discussing today the
ability to protect consumers' data. We also need to be able to
allow them not only to be protected, we also need it to be
accessible by them. And when we do that it makes it very
difficult to have both at the same time. This is where you
can't lock it up and you have to be accessible to it but that
makes it vulnerable, so how can we protect the data? That is
the trick.
One of the questions that we were working here throughout
the discussion was with an immediate notification. I knew
coming in this was going to be a discussion point and I left it
there intentionally to get everybody started, and I appreciate
the discussion we had. But I am a little disappointed because
in the bill it says, the draft bill, that you don't notify
until you recognize that you had a breach, until you make sure
that an individual person's information has been breached, who
that person is, and where that person is something that could
cause--that information could cause a loss.
Therefore you are not notifying immediately when a breach
occurs, you are notifying exactly whenever you determine that
there is a reasonable expectation that the data that was
breached was for an individual that could suffer a loss. And so
I am a little disappointed with the comments that were made.
Obviously, everybody wants to have as much time as they can
to resolve the situation, but I can tell you that this is a
touch-point for a lot of my constituents, your customers. They
want to be able to protect their data as quickly as possible. I
can tell you that when we put in there reasonable or
expeditious or something that somebody could drive a truck
through, they are not going to be happy, because they want to
be able to have confidence that their information is going to
be protected and they will have access to it and be able to
protect it themselves if necessary and as quickly as possible.
So, we want to work with you on that language to try and
make sure this works, and we thank you for your thoughtful
suggestions along all the lines.
Ms. Cable has made some great suggestions. We realize you
have a strong standard and we appreciate that.
We have to find a balance somewhere in all of this where we
can be, as Mr. Kratovil continuously said, flexible, scalable,
and have some balance to what we do so it can be something that
everybody all along, the scale here can actually use this
information and do something that we think is productive.
I have been tasked with putting this bill together by
leadership because of the thousands of breaches that have
occurred.
Ms. Cable's testimony indicated 28,000 over the last 10
years, it was 1,700 last year; something has to be done. We
are, I think, close to a crisis situation here, and quite
frankly we are one major breach away from this new legislation
being fast-tracked, quite frankly. So, I think that everybody
here today appreciated the large audience that we had.
I think that we are all going to continue to work together
to get this bill to a point where it is a good bill or
something that we can address as many of the concerns that we
can get to. Or it is going to be a very difficult bill to get
everybody to yes. We want to get everybody to neutral if
possible and a yes. We are going to continue to work with
everybody and we appreciate your suggestions, but again, I want
to emphasize we are one breach away from this being a bill that
is going to be dropped and we are going to run it, because our
constituents are going to demand it and we are going to be in
the cross-hairs.
So, with that thank you so much for your time today. Thank
you for your testimony and I appreciate your participation. I
have some final comments. Here we go.
The Chair notes that some Members may have additional
questions for this panel, which they may wish to submit in
writing. Without objection, the hearing record will remain open
for 5 legislative days for Members to submit written questions
to these witnesses and to place their responses in the record.
Also, without objection, Members will have 5 legislative days
to submit extraneous materials to the Chair for inclusion in
the record.
[Whereupon, at 3:53 p.m., the committee was adjourned.]
A P P E N D I X
March 7, 2018
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]