[Senate Hearing 118-728]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 118-728

                      STRENGTHENING DATA SECURITY 
                          TO PROTECT CONSUMERS

=======================================================================

                                HEARING

                               BEFORE THE

                    SUBCOMMITTEE ON CONSUMER PROTECTION, 
                     PRODUCT SAFETY, AND DATA SECURITY

                                 OF THE

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                    ONE HUNDRED EIGHTEENTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 8, 2024

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation
                             
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]                             


                Available online: http://www.govinfo.gov
                
                                __________

                   U.S. GOVERNMENT PUBLISHING OFFICE                    
61-851 PDF                  WASHINGTON : 2025                  
          
-----------------------------------------------------------------------------------     
             
       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                    ONE HUNDRED EIGHTEENTH CONGRESS

                             FIRST SESSION

                   MARIA CANTWELL, Washington, Chair
AMY KLOBUCHAR, Minnesota             TED CRUZ, Texas, Ranking
BRIAN SCHATZ, Hawaii                 JOHN THUNE, South Dakota
EDWARD MARKEY, Massachusetts         ROGER WICKER, Mississippi
GARY PETERS, Michigan                DEB FISCHER, Nebraska
TAMMY BALDWIN, Wisconsin             JERRY MORAN, Kansas
TAMMY DUCKWORTH, Illinois            DAN SULLIVAN, Alaska
JON TESTER, Montana                  MARSHA BLACKBURN, Tennessee
KYRSTEN SINEMA, Arizona              TODD YOUNG, Indiana
JACKY ROSEN, Nevada                  TED BUDD, North Carolina
BEN RAY LUJAN, New Mexico            ERIC SCHMITT, Missouri
JOHN HICKENLOOPER, Colorado          J. D. VANCE, Ohio
RAPHAEL WARNOCK, Georgia             SHELLEY MOORE CAPITO, West 
PETER WELCH, Vermont                     Virginia
                                     CYNTHIA LUMMIS, Wyoming
                   Lila Harper Helms, Staff Director
                 Melissa Porter, Deputy Staff Director
                     Jonathan Hale, General Counsel
                 Brad Grantz, Republican Staff Director
           Nicole Christus, Republican Deputy Staff Director
                     Liam McKenna, General Counsel
                                 ------                                

         SUBCOMMITTEE ON CONSUMER PROTECTION, PRODUCT SAFETY, 
                           AND DATA SECURITY

JOHN HICKENLOOPER, Colorado, Chair   MARSHA BLACKBURN, Tennessee, 
AMY KLOBUCHAR, Minnesota                 Ranking
BRIAN SCHATZ, Hawaii                 DEB FISCHER, Nebraska
EDWARD MARKEY, Massachusetts         JERRY MORAN, Kansas
TAMMY BALDWIN, Wisconsin             DAN SULLIVAN, Alaska
TAMMY DUCKWORTH, Illinois            TODD YOUNG, Indiana
BEN RAY LUJAN, New Mexico            TED BUDD, North Carolina
PETER WELCH, Vermont                 CYNTHIA LUMMIS, Wyoming
                           
                           C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on May 8, 2024......................................     1
Statement of Senator Hickenlooper................................     1
Statement of Senator Blackburn...................................     3
Statement of Senator Welch.......................................    35
Statement of Senator Klobuchar...................................    37
Statement of Senator Budd........................................    41

                               Witnesses

James Everett Lee, Chief Operating Officer, Identity Theft 
  Resource Center (ITRC).........................................     4
    Prepared statement...........................................     6
Sam Kaplan, Senior Director and Assistant General Counsel, Public 
  Policy and Government Affairs, Palo Alto Networks..............    13
    Prepared statement...........................................    14
Prem Trivedi, Policy Director, New America's Open Technology 
  Institute......................................................    18
    Prepared statement...........................................    20
Jake Parker, Senior Director of Government Relations, Security 
  Industry Association...........................................    25
    Prepared statement...........................................    27

                                Appendix

Letter dated May 7, 2024 to Hon. Maria Cantwell, Hon. Ted Cruz, 
  Hon. John Hickenlooper and Hon. Marsha Blackburn from Main 
  Street Privacy Coalition (MSPC)................................    47
Letter dated May 8, 2024 to Hon. Maria Cantwell and Hon. Ted Cruz 
  from Karen R. Harned, Executive Director, Citizens for Legal 
  Reform.........................................................    51
Letter dated May 9, 2024 to Hon. John Hickenlooper and Hon. 
  Marsha Blackburn from Jordan Crenshaw, Senior Vice President, 
  U.S. Chamber of Commerce.......................................    53
Response to written questions submitted to James E. Lee by:
    Hon. Maria Cantwell..........................................    57
    Hon. Ben Ray Lujan...........................................    59
Response to written questions submitted to Sam Kaplan by:
    Hon. Maria Cantwell..........................................    60
    Hon. Ben Ray Lujan...........................................    62
Response to written questions submitted to Prem Trivedi by:
    Hon. Maria Cantwell..........................................    63
    Hon. Ben Ray Lujan...........................................    64

 
                      STRENGTHENING DATA SECURITY 
                          TO PROTECT CONSUMERS

                              ----------                              


                         WEDNESDAY, MAY 8, 2024

                               U.S. Senate,
      Subcommittee on Consumer Protection, Product 
                         Safety, and Data Security,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:30 p.m., in 
room SR-253, Russell Senate Office Building. Hon. John 
Hickenlooper, Chairman of the Subcommittee, presiding.
    Present: Senators Hickenlooper [presiding], Klobuchar, 
Schatz, Markey, Baldwin, Duckworth, Lujan, Welch, Blackburn, 
Fischer, Moran, Sullivan, Young, Budd, and Lummis.

         OPENING STATEMENT OF HON. JOHN HICKENLOOPER, 
                   U.S. SENATOR FROM COLORADO

    Senator Hickenlooper. Welcome to Subcommittee on Consumer 
Protection, Product Safety, and Data Security. We'll come to 
order. I apologize for a little bit of the wait, and we'll--
Senator Blackburn will be here quickly. She's en route.
    We're at a pivotal moment in the age of technologies that 
rely on increasing amounts of consumer data. Obviously, if 
artificial intelligence has gotten the lion's share of 
publicity, but that's nowhere near the limit. Businesses 
collect or process data ranging from personally identifiable 
information, name, address; likeness, they say, in college 
these days; obviously sensitive data, physical locations, 
browsing history.
    The threats to consumers' data that companies face is 
complex and in almost every way daunting. As companies collect 
more data, they become more attractive targets for data 
breaches. And by that, I mean criminal activity. Each breach 
costs companies nearly $4.2 million per incident, and consumers 
shoulder the financial burden and the reputational harm of each 
incident.
    How many more consumers need to be victims of identity 
theft for us to take action? How much longer should we allow 
personal data to be sold on the dark web for profit? When will 
cybercriminals be stopped, or at least deterred from preying on 
our data?
    These data breaches hope--hurt small businesses, large 
corporations, and everything in between.
    In 2023 alone, there were 3,205 data breaches in the U.S. 
That's what we know of, that were reported.
    353,000 individuals were severely impacted.
    Ten percent of publicly traded companies reported a data 
breach, impacting, in total, 143 million individuals.
    These data breaches could have devastating effects. 
Nationwide, wireless carriers' data breach exposed the data of 
70 million customers.
    A large health insurer--this was recently widely reported--
saw their system grind to a halt, which delayed important 
health care payments and exposed critical health data.
    This is why we need strong requirements for how companies 
collect and protect our data by conducting routine risk 
assessments and establishing strong internal and external 
safeguards for data.
    We need a strong national privacy standard that includes 
data minimization and data security. Obviously, data 
minimization establishes specific categories to--to turn off 
the spigot, as it were--to turn off the spigot of data so the 
companies collect--that the companies collect from consumers, 
so the companies aren't just collecting everything they can.
    Data security establishes clear requirements for how 
companies should safeguard the data that they do collect, so 
breaches are less common.
    We need to give consumers meaningful control over how their 
data is used. This will restore consumers' confidence in the 
technology that powers our economy. And I think states clearly 
are not waiting for the Federal Government to act. Already, 16 
states, including Colorado, have passed or are in the process 
of passing their own state privacy laws. Other states are 
talking about it.
    There are lessons we can learn from these state laws. For 
example, Colorado's law has a temporary right to cure for 
businesses to comply or adapt to privacy requirements.
    There are also areas where the Federal Government has to 
step in to issue rules and apply enforcement, consistent 
definitions for key terms like sensitive data, or to issue 
nationwide rules.
    The draft American Privacy Rights Act is an important 
bipartisan compromise framework for Congress to buildupon. I 
commend Chair Cantwell and Chair McMorris Rodgers in the House 
for their efforts to bring this proposal forward.
    We're committed here to listening to all perspectives on 
data minimization and data security. Minimization and security 
are obviously interconnected, interrelated. Together, they 
represent the foundation of a strong data privacy framework 
upon which we can build.
    We have an opportunity right now and an obligation right 
now to build meaningful bipartisan consensus around these 
complex issues. That's why I look forward to the hearing today 
with each of our witnesses. I'd like to welcome each of our 
witnesses who are joining us today: James Lee, Chief Operating 
Officer from Identity Theft Resource Center; Sam Kaplan, who's 
the Assistant General Counsel of Palo Alto Networks; Prem 
Trivedi, Policy Director for New America's Open Technology 
Institute; and Jake Parker, Senior Director of Security 
Industry Association.
    I now recognize our Ranking Member, our Vice Chair, Senator 
Blackburn, for her opening remarks.

              STATEMENT OF HON. MARSHA BLACKBURN, 
                  U.S. SENATOR FROM TENNESSEE

    Senator Blackburn. Thank you so much, Mr. Chairman, and 
welcome to each of you. And apologies for people kind of coming 
and going. We had a 230 vote that ended up getting called.
    But I am so pleased. I know Chair Cantwell and Ranking 
Member Cruz are on the floor right now, but I am appreciative 
that Chair Cantwell has brought privacy back into focus.
    And I've worked for over a decade for Congress to take an 
action in this area. And when Senator Welch and I were each on 
the House Energy and Commerce Committee, in 2012, we brought 
forward the Data Security and Breach Notification bill. It was 
the first of the privacy and data security bills, and it was 
bipartisan.
    It would take steps to protect the security of data there 
from businesses. It would have required consumer data breach 
notifications, and allowed the FTC and state attorneys general 
to hold companies accountable for violations of the law. So 
that is where we were in 2012.
    And as we now know, this issue, since it hasn't been 
addressed, and it hasn't been resolved, it is growing more and 
more urgent every single day for an action to be taken.
    The need for the swift adoption of smart and effective data 
privacy and security legislation is pressing for several 
reasons.
    First, China and other bad actors are not slowing down. Now 
FBI Director Christopher Wray was before us at a judiciary 
committee meeting, and he said something pretty significant. He 
said, ``If you are an American adult, it is more likely than 
not that China has stolen your personal data.'' And he also 
said, ``China's vast hacking program is the world's largest, 
and they have stolen more Americans' personal and business data 
than every other country combined.''
    We need to be paying attention to this. This threat is 
especially magnified as China seeks to become the world leader 
in artificial intelligence by the time we get to 2030. China 
plans for AI to power its vast surveillance state, and data 
collection and retention is at the heart of their strategy. At 
the same time, as AI technology becomes increasingly 
intertwined in our daily lives here in the U.S., consumers have 
valid questions about how their data is going to be used to 
train these large language models and AI applications.
    I hope today that we will discuss why we need Federal 
privacy and security legislation to combat these threats.
    Second, Congress is past the point where we risk ceding our 
authority to both states and other countries. As we all know, 
state governments are quickly enacting privacy laws, creating a 
patchwork of regulatory headaches for our businesses. Fifteen 
such laws exist, including Tennessee and Colorado.
    And the Europeans have also beaten us to the punch. Several 
years ago, they did GDPR. They are now using GDPR as the 
foundation for regulating AI.
    Yet, we can use the EU as something of a cautionary tale 
about the need to make our regulation smart and effective. I 
visited the EU to work on this issue last year, and I heard 
stories from one of their data protection authorities about how 
they've been asked to resolve disputes over bank accounts after 
a couple divorced, or to resolve a dispute between neighbors 
about the location of an antenna.
    So let's be smart, let's not make these same mistakes, and 
let's not overreach. We know our friends, the Europeans, always 
have a heavier-handed approach, which makes it even more 
imperative that we act in a thoughtful manner.
    More, without congressional action, the FTC will proceed 
ahead with its Commercial Surveillance and Data Security 
rulemaking, which it launched in 2022 without congressional 
authority and directive. Congress should be setting these 
rules, not unelected bureaucrats.
    Finally, while this hearing will likely feature much 
discussion on concepts like data minimization and other data 
security practices, we must not forget about the cybersecurity 
threats posed by new and emerging technologies.
    One area of great interest to Tennessee are quantum 
technologies. Through methods like harvest now, decrypt later, 
once bad actors steal encrypted data today, nothing can stop 
them from decrypting your data tomorrow with quantum 
technology.
    That is why this committee must move quickly to examine 
this technology and reauthorize the National Quantum Initiative 
Act.
    I would love to work on this with our Chairwoman and the 
team here at the Committee. Tennessee is a leader in financial 
innovation in technologies like quantum computing, and the Oak 
Ridge National Lab is at the forefront of basic and applied 
science research. When I speak with people in the state, they 
ask me how we can best tackle privacy and data security issues, 
while also continuing to allow innovation to flourish.
    This committee must be thoughtful in our approach, but also 
mindful of the realities the congressional calendar imposes.
    I look forward to our discussion today, and I so appreciate 
the testimony from each of you.
    Thank you, Mr. Chairman.
    Senator Hickenlooper. Great. Now we'll hear the opening 
remarks from each of our witnesses. The term ``witness'' gives 
a false sense of, I don't know, insecurity, perhaps, these 
days. Anyway.
    We'll start with James Lee, who's Chief Operating Officer, 
Identity Theft Resource Center.

   STATEMENT OF JAMES EVERETT LEE, CHIEF OPERATING OFFICER, 
             IDENTITY THEFT RESOURCE CENTER (ITRC)

    Mr. Lee. Thank you, Mr. Chairman, Ranking Member Blackburn.
    I am James Lee. I am the Chief Operating Officer of the 
Identity Theft Resource Center. I'll refer you to our full 
written remarks to find out more about the ITRC, but just so 
everybody knows, the core of our business is to provide free 
assistance to victims of identity crimes. And we also do 
research and analysis on identity crime trends, which we make 
available to both the public and private sector.
    So a lot has happened since we were in this room back in 
2021 to talk about this very same subject. We've seen bad 
actors shift their focus. We've seen them expand their reach, 
and we've seen them accelerate their innovation attempts.
    We may, in fact, be at the very beginning of what is a 
golden age of identity crime. It's fueled by stolen personal 
data, made highly effective and efficient by AI, with 
individuals and many businesses all but helpless to defend 
themselves.
    So why do I say that? I'm going to give you some scope of 
the problem.
    So data breaches are the fuel for identity crimes--all 
identity crimes--and a fair portion of cyberattacks, thanks to 
stolen login and passwords. In 2023, the total number of data 
compromises was 3,205, as the Chairman pointed out.
    That impacted an estimated 353 million people, because some 
people were hit more than once. That's a 78 percent increase 
from the year before. That's a 72 percent increase from the 
previous high, which happened the last time we had this 
hearing.
    From a financial standpoint, more than two-thirds of the 
people who contact the ITRC are losing more than $500. Within 
that subset, 30 percent of them are losing more than $10,000. 
And we are now routinely hearing from people who are losing six 
and seven figures in financial losses due to identity scams.
    The most troubling trend, though, is the number of people 
who have decided that their only way out is self-harm. Sixteen 
percent of the people who contacted us in 2023 said they 
contemplated taking their own life. For the decades before 
that, that number had never been higher than two to four 
percent. And now 16 percent, doubled in one year, and we do not 
see it slowing down.
    And also, unlike past years, we now hear routinely from 
grieving families who are still being attacked by the identity 
criminals who are trying to keep the scam going.
    We don't advocate one way or the other for legislation or 
regulation for the most part, but we do provide objective 
information. So with that in mind, we're still at the same 
place we were last time.
    The best way to help identity crime victims is to prevent 
victimization in the first place. And an important part of 
preventing identity crimes is through uniform minimum standards 
for data protection and use. Minimum technical and non-
technical standards are essential in our world that's driven by 
software and fueled by data.
    Compliance with comprehensive, but not necessarily 
prescriptive, minimum standards can reduce the risk of 
exploitation. Minimum standards are more than just metrics, 
though, which is what we tend to think of a lot of times.
    They are practices like data minimization, which is a 
concept that is predicated on a very simple truth. If you do 
not have the data, you cannot lose it. And if it's secure, it 
cannot be misused. Until we get to quantum computing. And 
that's a different discussion.
    Routine risk assessments also help ensure information 
systems are secured in a manner equal to the risk--that's very 
important--equal to the risk that an organization faces.
    You add two other complementary concepts, privacy by design 
and security by default. And you have all the tools needed to 
keep privacy and security at the forefront of a company's 
culture and in every stage of a product's life.
    To be effective in reducing identity crimes, uniform 
standards also need strong enforcement. Defenders must 
continually measure their progress and constantly adjust to the 
new tasks, and you do that through audits.
    There's also the need for strong enforcement actions when 
it comes to data breach notices, which are increasingly 
ineffective, even if a notice is issued.
    Let me give you two examples.
    In the first three months of this year, 32 percent--32 
percent of data breach notices had some information about what 
caused the data breach if it was linked to a cyberattack.
    Reverse that number, and that tells you how many didn't 
include information about what happened. That number was 100 
percent of data breach notices, until the fourth quarter of 
2021.
    The average number of new data breach notices in the U.S. 
is nine per day. In the European Union, one of the things they 
do get right, 335 every day.
    We are missing data breach notices. And there are plenty of 
examples to prove that.
    Let me leave you with one final thought. If we adopt data 
minimization, and we should, and if we give consumers more 
access and control over their personal information, that is a 
vital part of data protection. They can significantly reduce 
the amount of personal information at risk of a data breach and 
misuse by criminals.
    But, because you knew there was going to be one. But, 
personal information used responsibly and transparently is 
important for proving a person is who they claim to be in a 
variety of transactions, from opening a bank account to 
applying for a government benefit, et cetera.
    But they also effectively prevent someone from becoming a 
victim of identity fraud because of stolen personal 
information. Restricting the use of personal information for 
identity verification and fraud prevention as part of consumer 
control or data minimization could have the unintended effect 
of actually aiding identity criminals and negatively impacting 
communities that are already disproportionately affected by 
identity crimes.
    So thank you for your time and attention. I look forward to 
answering your questions.
    [The prepared statement of Mr. Lee follows:]

   Prepared Statement of James Everett Lee, Chief Operating Officer, 
                 Identity Theft Resource Center (ITRC)
Introduction
    Good afternoon, Chair Hickenlooper, Ranking Member Blackburn and 
members of the Subcommittee. Thank you for the honor of speaking with 
you today. My name is James Everett Lee and I am the Chief Operating 
Officer of the non-profit Identity Theft Resource Center (ITRC) based 
in San Diego, California.
    For 25 years the ITRC has offered free assistance to victims of 
identity crimes. In that time, our contact center staffed by trauma-
informed advisors has helped hundreds of thousands of victims recover 
their identities that have been stolen, misused, or otherwise 
compromised.
    Through our website and outreach programs, we have helped millions 
of individuals avoid becoming identity crime victims by teaching them 
how to protect their information. We also provide information about the 
latest scams that involve the theft or misuse of personal information.
    Since 2005, the ITRC has compiled the largest repository of 
publicly reported data breaches and other forms of identity data 
compromises. What started with a single notice and a handful of data 
points nearly 20 years years ago has grown into a database of more than 
20,000 data breaches with as many as 96 data points per event that is 
updated daily.
    The ITRC publishes an annual data breach report and quarterly 
updates that analyze the trends reflected in the data breach notices 
mandated by state law and Federal regulations. We make this information 
available for free to consumers in the form of a searchable database as 
well as a free alert service that informs them when an organization 
they enroll with the ITRC posts a data breach notice. A more robust 
version of the data and services are available to businesses, 
government agencies, and institutions for a nominal fee.
    Today I'll touch on our findings related to the current trends in 
identity crimes based on first-hand reports from the new victims who 
reported more than 13,000 incidents to the ITRC in 2023. I will also 
touch on the impacts of identity crimes and cyberattacks on general 
consumers and small businesses. This information comes from our annual 
research reports which are attached to these remarks.
    I will also reference two additional ITRC reports from 2023 that 
provide some context to the topic for today's hearing: Research of 
first impression on the impact of identity crimes in Black communities; 
and, a discussion paper on the challenges to verifying a person is who 
they claim to be in a time when key points of personal information has 
been compromised for most adults in the never-ending series of data 
breaches. These, too, are attached for your reference.
    Finally, for the Subcommittee's awareness, the ITRC is a 501(c)3 
non-profit funded primarily through grants from the U.S. Department of 
Justice, Office of Victims of Crime (DOJ-OVC) as well as private 
contributions, corporate sponsorships, and donations. We work closely 
with key Federal agencies on issues that involve identity crime victims 
including the Federal Trade Commission (FTC), the Internal Revenue 
Service (IRS), the Department of Treasury (Treasury), the Federal 
Reserve, the Pandemic Response Accountability Committee (PRAC), and the 
Department of Homeland Security (DHS). We provide data breach 
information to many of these same agencies. We also offer online, Live 
Chat access to ITRC Advisors to state and local law enforcement 
agencies and other non-profit organizations under a DOJ grant. A full 
list of our financial supporters and partner organizations is available 
on our website.
The Golden Age of Identity Crime
    A lot has transpired since the last time the ITRC was part of a 
full committee hearing on a similar topic in October 2021. On that day 
we coincidently published a quarterly data breach report that showed we 
had already passed the total number of compromises recorded in 2020 and 
were only 238 data events away from tying the all-time record set in 
2017. In fact, we did set a record for publicly reported data breaches 
later in 2021--1,860.
    We were still struggling at that time to understand the scope and 
scale of the identity fraud committed during the pandemic when identity 
criminals were able to use information stolen in data breaches to 
impersonate unwitting victims. That information was, and still is, used 
to open bank accounts, obtain loans, and trick innocent, trusting 
people into willingly sharing personal information with someone they 
thought they knew--often on a social media platform or as part of a 
romance scam.
    Given the ITRC's role as a victim advocacy organization, we offered 
a singular prescription: To reduce the number of identity crime 
victims--and crimes--reduce the number of data breaches linked to 
cyberattacks. To do that, we discussed three needs:

   The need for better cybersecurity and data protection 
        standards and practices

   The need for better enforcement of cybersecurity and data 
        protection regulations

   The need to fix the data breach notice system

    Fast forward to today and the needs are still the same. What has 
changed is the urgency required to address those needs along with the 
opportunity to devalue personal information stolen by identity 
criminals.
    Since 2021, we've seen bad actors shift tactics, expand their 
reach, and accelerate the pace of innovation. The results of these 
actions are the highest number of data breaches we've ever seen, often 
with devasting financial and emotional impacts on the individuals 
caught in the crossfire between professional identity criminals and the 
business or data source they target.
    Add to the mix the introduction of generative artificial 
intelligence, and you have a recipe for a prolonged period of identity 
crime--fueled by stolen personal data, made highly effective and 
efficient by AI, with individuals and many businesses all but helpless 
to defend themselves. What we now have is all the ingredients for a 
Golden Age of Identity Crime.
Today's Trends
    Today's trend lines support the classic definition of a Golden Age: 
great wealth, growth, innovation, and a kind of stability that supports 
long-term achievement.
    Beginning with data breaches--the fuel for virtually all identity 
crimes and a fair portion of cyberattacks. The number of data 
compromises reported in the United States surpassed two significant 
milestones in 2023: The highest number of data events reported in a 
single year and exceeding 2,000 (and ultimately 3,000) events in a 
single year.
    The total number of data compromises reached 3,205, impacting an 
estimated 353 million victims, including those affected by multiple 
compromises. The 2023 compromises represent a 78-percentage point 
increase over the previous year and a 72-percentage point hike from the 
previous all-time high number of compromises set in 2021.


    As of May 6, 2024, we have recorded 1,178 data breaches impacting 
an estimated 64 million people in 2024. Historically, Q1 is the lowest 
point in each year in terms of data breach notices, so we are already 
on a path for another record-setting year.
    The steady downward drift in terms of the estimated number of 
individual victims may appear to be a positive trend, but is in fact an 
illusion. The number of victims impacted in 2023 represents a 16-
percentage point reduction from 2022 when more than half of the total 
annual victim count was related to three breaches announced late in the 
previous year. By any measure, there are simply too many victims.
    A single or series of small events can also rapidly reverse a 
downward victim trend. Through Q1 2024, the number of victims reported 
by compromised organizations dropped 81 percent (81 percent) from the 
last Quarter of 2023. However, a series of breaches in April this year 
has already more than doubled the victim count for the year.
    That number does not include the ransomware-related breach at 
United Healthcare's Change subsidiary which will significantly increase 
the number of victims. Based on company comments, the number of victims 
could exceed one-third of U.S. residents given United Healthcare's 
market share. To date, United Healthcare has not offered a specific 
victim estimate.
    United Healthcare aside, the decline in the number of individual 
victims is largely attributed to the fact that organized cyber and 
identity criminals do not need to acquire personal and business 
information on the scale they once did. The kinds of attacks that lead 
to data breaches today are more targeted in terms of the organization 
that is attacked, the information sought, and the goal of the attack 
(financial or intelligence). The result is more attacks against a 
broader set of businesses, but a smaller footprint in terms of 
individual victims in any single attack. For example, in Q1 2024 
attacks increased in 15 of 17 industries year over year, but the 
overall victim count decreased.


    The trend of fewer individuals being impacted is somewhat offset by 
the fact individuals were likely to be the victim of multiple data 
breaches in 2023. Breach victims are also more likely to be the victims 
of identity misuse.


    In fact, there is a general victim impact trend where more 
individuals are reporting multiple instances of identity misuse as part 
of a single event in addition to being victimized multiple times. In 
2021, 29 percent of victims who contacted the ITRC reported being the 
victim of previous identity misuse. By 2023 that number was 41 percent. 
The number is even higher among the general population who do not 
contact the ITRC for help--69 percent (69 percent):


    From a financial standpoint, in 2021 only nine percent (9 percent) 
of victims of identity crimes lost more than $10,000, with 35 percent 
of victims losing less than $500. Today, nearly two-thirds of victims 
report losing more than $500 with 30 percent (30 percent) reporting 
losses of $10,000 or more. For the first time in the ITRC's 25-year 
history, we now routinely receive reports of six and seven-figure 
losses due to identity-related scams.
    The most troubling trend, though, is the dramatic rise in the 
number of individuals who contemplate self-harm as a result of being 
the victim of an identity crime. When we discussed the wide range of 
identity crime impacts during the 2021 committee hearing, the number of 
victims who contemplated suicide had jumped from a 20-year norm of two 
to four percent (2-4 percent) to eight percent (8 percent) during the 
pandemic.
    Today that number stands at 16 percent (16 percent) with no sign of 
slowing. And, unlike past years, we now regularly receive phone calls 
from grieving family members whose loved one took their own life--and 
are still being attacked by the same identity criminals seeking to keep 
the scam alive. From fake go-fund-me campaigns to raise money for 
funeral expenses to continuing to post from the deceased person's 
social media account to draw other people into the scam, victims are 
losing their life savings and their lives at the hands of identity 
criminals. Here's an example. [https://www.thedailybeast.com/feds-say-
sick-celebrity-romance-scam-led-to-retired-teachers-suicide]
    All of these impacts bring us back to the topic at hand: Can we 
reduce the number of identity crimes and crime victims with better 
cybersecurity and data protections?
    The short answer is yes.
    First, let me make it clear that the ITRC does not advocate for or 
against any particular legislation or regulation. We do, however, 
provide objective information on the underlying issues prompting a 
proposed or active policy. With that in mind, the ITRC continues to 
believe that the best way to help identity crime victims is to prevent 
victimization in the first place.
    And, the best way to prevent victimization is to prevent the loss 
of personal information in data breaches in conjunction with making 
stolen personal information less valuable to criminals. To do that we 
still believe we need:

   Minimum cybersecurity and data protection standards, 
        including regular risk assessments

   Enforcement of cybersecurity and data protection laws and 
        regulations backed by audits

   A new way of addressing data breach notices

    And I'll add a fourth item: Protect the appropriate uses of 
information and enhance anti-fraud and identity verification with the 
responsible use of biometrics to devalue stolen personal information.
    Let me take these one by one:

    Having uniform minimum standards for data security and protection 
that can be routinely measured is the price of entry to a world where 
software is part of every aspect of our lives. Our cars are computers 
on wheels. Our phones aren't just used for talking. The toothbrush I 
just bought is software-driven and I paid for it with a credit card 
that has a chip in it.
    We've seen the tragic results of poor software in the aviation 
industry, and we know the risks if a rogue actor or Nation/State 
exploits critical infrastructure.
    It's not just software that runs things that benefits from minimum 
standards and data protection practices. So can the information that 
makes up each and every person's identity today.
    In 2019, the ITRC did not track a single data breach attributed to 
a Zero Day\1\ftware flaw. By 2021, there were 4; in 2022 there were 8. 
In 2023 there were more than 100 data breaches caused by a bad actor 
exploiting a software bug the developer or security professionals did 
not know existed. Once considered rare, advanced tech like AI is making 
Zero Day attacks easy to plan and execute.
---------------------------------------------------------------------------
    \1\ A Zero Day software vulnerability is one that is discovered 
after software has been released into production. The term is commonly 
associated with cyberattacks.
---------------------------------------------------------------------------
    Once a software flaw is known, it can take months to apply a patch 
to enterprise software used to operate every aspect of businesses. The 
larger the company, the longer it takes to patch a known flaw, all the 
while hoping a bad actor does not discover an unpatched bug.
    The ITRC and other security researchers have all identified a steep 
rise in data breaches from unpatched software. If the worst-case 
scenario does occur and a flaw is exploited, security teams likely 
won't know about the attack until it's been underway for an average of 
204 days, according to IBM. It will still take another 73 days to 
contain the attack.
    With the advent of AI, defenders have the tools to help find bugs 
and resolve attacks faster. But technology is agnostic--users are not. 
Bad actors also have tools to help find and exploit the inevitable bugs 
that make their way into production versions of software. Just last 
month (April 2024), the University of Illinois announced a discovery 
that allows generative AI to develop malware to take advantage of a 
software flaw just by reading the public alert used to notify software 
users of the vulnerability.
    Minimum standards may also help reduce the number of so-called 
Supply Chain Attacks against third-party organizations that store or 
have access to the data of customers or partners. These smaller 
organizations tend to have fewer security resources and protections, 
but access to personal information from large and/or multiple entities.
    From an identity criminal's perspective, a supply chain is Nirvana. 
Why risk getting caught or expend the time and energy to attack a 
large, well-defended organization when you can attack a vendor with 
fewer protections and the data of hundreds of organizations?
    In the most recent ITRC data breach report from January 2024, we 
noted a steady increase in Supply Chain attacks over time.
    Since 2020, the number of organizations impacted has surged by 
nearly 300 percent (300 percent)


    The chart illustrating the growth in Supply Chain Attacks includes 
organizations impacted by one of the largest third-party vendor attacks 
ever--a 2023 attack against the company that offers the MOVEit file 
transfer software and service. Cybercriminals exploited previously 
unknown flaws in software and cloud versions of MOVEit used by 
businesses, governments, schools, hospitals and other organizations 
around the world to securely share documents and information.
    In Q1 2024, the number of organizations impacted by Supply Chain 
Attacks more than tripled compared to the same period in 2023. Fifty 
(50) new attacks in the Quarter impacted 243 organizations compared to 
73 entities in Q1 in the previous year.
    The United Healthcare/Change data breach will most likely turn out 
to be the largest Supply Chain attack we've ever seen just due to the 
sheer number of organizations in the Change supply chain and the number 
of individuals served by them.
    These are examples of what happens when we do not have uniform, 
minimum standard for collecting, processing, and storing personal 
information. The recent discussion draft of the proposed American 
Privacy Rights Act (APRA) includes concepts already in place around the 
world and in some state laws and regulations. In particular, data 
minimization, risk assessments and routine audits to ensure 
organizations are continually adapting to ever-changing risks.
    Data minimization is predicated on a simple truth: you cannot lose 
control of information you don't have or haven't secured. The logic is 
not complicated. If you don't need the information to complete a 
business transaction, don't collect it. If you need it, delete it as 
soon as the transaction is completed unless you are required to keep 
it. If you must keep the information, make sure it is secure and 
encrypted.
    Routine risk assessments help ensure information and systems are 
secured in a manner equal to the risk an organization faces. Add two 
other complementary concepts--privacy by design and security by 
default--to help keep privacy and security at the forefront of every 
stage of the product lifecycle.
    An organization that embraces these actions also has the foundation 
to build a company culture that ensures Security and Data Protections 
are not just departments, but integral parts of every team member's 
job.
    This leads to the second and third points: To be effective in 
reducing identity crimes, uniform standards need strong enforcement 
backed by routine audits. Cybersecurity is a race between attackers and 
defenders. Defenders must continually measure their progress and 
constantly adjust to the new risks at hand. An audit becomes part of 
the roadmap for building the defenses needed to keep pace with 
aggressive attackers.
    The need for strong enforcement actions also applies to data breach 
notices which are increasingly ineffective.
    Today, data security regulations are limited, compliance is weak 
and enforcement is spotty. Whether there are consequences for non-
compliance written into regulations or disciplinary actions taken by 
regulators depends almost exclusively on geography and/or industry.
    There are fines in the healthcare industry because HIPAA includes 
the ability to assess penalties when cyberattacks or data breaches 
result in personal health information being exposed. The Securities and 
Exchange Commission can, and does, take enforcement actions for failing 
to adequately secure data and systems that have a material impact on 
investors. The Federal Communications Commission also has a set of 
enforceable cybersecurity and data protection regulations.
    Individuals and groups of state attorneys general also litigate 
following major data breaches. A few states have also adopted separate 
health and biometric data protection laws.
    There is ample evidence to support the conclusion that the vast 
majority of breaches may go unreported; there are few if any 
consequences for non-compliance; and, breach notices increasingly 
contain little to no help helpful information for victims and other 
organizations seeking to avoid a similar attack. For example:

   From 2018 until 2021, 100 percent (100 percent) of data 
        breach notices tracked by the ITRC included information about 
        the root cause of the attack and a majority also included the 
        number of victims impacted. Since Q4 2021, that number has 
        dropped to the point where in Q1 2024, only 32 percent (32 
        percent) of data breach notices linked to cyberattacks 
        contained information about the cause of the attack.

   In late 2023, following an SEC investigation and litigation 
        by state attorneys general, tech services provider Blackbaud 
        admitted that client information of more than 13,000 
        organizations had been compromised, but only 604 data breach 
        notices were tracked by the ITRC. (Blackbaud was also fined for 
        making false statements about the type of information exposed 
        in the data breach, for making misleading statements about when 
        they knew the information to be false, and for failing to 
        secure sensitive personal information which it had earlier 
        denied).

   An average of nine (9) new data breach notices were issued 
        each day in 2023 in the United States. In the European Union in 
        2023, the daily rate of new data breach notices was 335 due to 
        the uniform requirements of the General Data Protection 
        Regulation (GDPR).

    I would offer one final thought. Adopting data minimization and 
giving consumers more access and control over their personal 
information for certain uses are vitally important parts of data 
protection. These practices can significantly reduce the amount of 
unnecessary personal information at risk of a data breach and misuse by 
criminals.
    However, there are also important uses of personal information that 
help ensure identity information is only used by the true person who 
owns that identity. Personal information, used responsibly and 
transparently, is important for proving a person is who they claim to 
be in a wide variety of transactions--from opening bank accounts to 
applying for government benefits, as examples.
    Restricting the use of personal information for identity 
verification and fraud prevention would have the unintended effect of 
aiding identity criminals and negatively impacting communities that 
already are disproportionately affected by identity crimes. A two-year 
study by the ITRC revealed the challenges facing Black communities that 
would be made worse if the tools needed to accurately identify a person 
were restricted.
    Data enhanced with tools such as biometric verification (not 
recognition) have the potential to reduce the value of stolen identity 
information. That, in turn, would reduce the incentive for criminals to 
steal the information in the first place and render already stolen 
information useless in verification processes.
    Thank you for your time and attention. I look forward to answering 
your questions.

    Senator Hickenlooper. Thank you very much.
    Now Mr. Sam Kaplan, who is the Assistant General Counsel of 
Palo Alto Networks and has spent a considerable amount of time 
in Colorado.

            STATEMENT OF SAM KAPLAN, SENIOR DIRECTOR

          AND ASSISTANT GENERAL COUNSEL, PUBLIC POLICY

           AND GOVERNMENT AFFAIRS, PALO ALTO NETWORKS

    Mr. Kaplan. Thank you Senator. Chairman Hickenlooper, 
Ranking Member Blackburn, and distinguished members of the 
Committee, thank you for the opportunity to testify on how 
cybersecurity is a critical and foundational element of data 
security and consumer protection.
    Again, my name is Sam Kaplan, and I'm Senior Director and 
Assistant General Counsel for Public Policy and Government 
Affairs at Palo Alto Networks.
    I've spent the bulk of my career working at the 
intersection of cybersecurity, national security, and data 
privacy. Prior to joining the private sector, I was proud to 
serve in a number of positions across the Federal Government, 
to include as the DHS Chief Privacy Officer, served on the 
Privacy and Civil Liberties Oversight Board, and at the U.S. 
Department of Justice.
    For those not familiar with Palo Alto Networks, we are an 
American-headquartered company founded in 2005 that has since 
become the leading cybersecurity company. We proudly provide 
cyber defense capabilities to enterprises around the world, 
supporting 95 of the Fortune 100, critical infrastructure of 
all shapes and sizes, the U.S. Federal Government, 
universities, educational institutions, and a wide range of 
state and local partners.
    This means that we have a deep and broad visibility into 
the cyber threat landscape. We are committed to being a good 
cyber citizen and a trusted security partner with the Federal 
Government.
    It's no secret that cyber-attacks cause real impact to our 
daily lives, from disruptions of public services like health 
care or emergency services, to compromises of American 
sensitive data.
    With that backdrop, Palo Alto Network strongly believes 
that deploying cutting edge cybersecurity defenses is a 
necessary and effective enabler of data security and privacy. 
Bottom line, effective data security and data privacy requires 
cutting edge cybersecurity protections.
    Organizations should be encouraged to protect data by 
implementing robust data and network security practices that 
can both help prevent incidents and data breaches before 
occurring in the first place, and mitigate the impact should an 
incident occur.
    To stay ahead of this evolving threat landscape, 
cybersecurity professionals regularly leverage security data, 
which is the network telemetry, the ones and the zeros, the 
malware analysis, the IP addresses, the vulnerability 
enumeration, that we must ingest and analyze in real time to 
optimize cyber defenses.
    To that end, we are heartened to see cybersecurity 
generally included in privacy frameworks as a permitted purpose 
that companies like ours can use to collect, process, retain, 
and transfer security data, to in turn better protect those 
systems and data from compromise. Today's cyber threat 
landscape requires that approach, and everyone's personal 
privacy will benefit from that framing.
    To that end, Palo Alto Networks recommends organizations 
focus on the following actions to bolster their cyber 
resilience, and increase their data security posture.
    First, leverage the power of AI and automation. For too 
long, cyber defenders have been inundated with alerts to triage 
manually, which can lead to data breaches. AI can help flip 
this paradigm.
    Second, ensure complete visibility of attack surfaces, to 
help identify and mitigate vulnerabilities before they can be 
exploited.
    Third, implement a zero trust network architecture to 
prevent and limit an attacker from moving laterally across the 
network.
    Fourth, promote secure AI by design, to assist with 
inventorying AI usage, applying policy controls, and securing 
applications built with artificial intelligence.
    Fifth, protect cloud infrastructure and applications. As 
cloud adoption accelerates, cloud security cannot be an 
afterthought.
    Sixth, maintain and test an incident response plan to 
prepare for and respond to cyber incidents.
    Our team at Palo Alto Networks is dedicated to securing our 
digital way of life. We enthusiastically participate in a 
number of forums like CISA's JCDC, and share our situational 
awareness and understanding of the threat landscape with those 
key partners.
    Our collaboration in forums like these reinforces that 
cybersecurity is truly a team sport.
    Thank you again for the opportunity to testify on how 
cybersecurity is a foundational requirement of data privacy, 
and I look forward to your questions.
    [The prepared statement of Mr. Kaplan follows:]

Prepared Statement of Sam Kaplan, Senior Director and Assistant General 
   Counsel, Public Policy and Government Affairs, Palo Alto Networks
    Chairman Hickenlooper, Ranking Member Blackburn, and distinguished 
members of the committee:

    Thank you for the opportunity to testify on the importance of data 
security. Your committee's interest in better understanding 
cybersecurity's foundational role in enabling data privacy is greatly 
appreciated. My name is Sam Kaplan, and I am the Senior Director and 
Assistant General Counsel, Public Policy & Government Affairs at Palo 
Alto Networks. I've spent the bulk of my career working at the 
intersection of cybersecurity, national security, and data privacy. On 
behalf of my company, I offer our commitment to work in partnership 
with you and your staffs as you continue to examine this important area 
of public policy.
    For those not familiar with Palo Alto Networks, we were founded in 
2005 and have since become the global cybersecurity leader--protecting 
businesses, people, and governments across more than 150 countries. We 
support 95 of the Fortune 100, critical infrastructure operators of all 
shapes and sizes, the U.S. Federal government, universities, 
educational institutions, and a wide range of state and local partners.
    Practically speaking, this means we have a unique vantage point 
into the cyber threat landscape. This information, paired with the 
insights we develop from helping organizations respond on a daily basis 
to complex cybersecurity incidents, puts us on the front lines of the 
cyber defense battle. We are committed to using this mantle to be good 
cyber citizens and trusted security partners.
Cybersecurity Enables Data Privacy
    Palo Alto Networks strongly believes that deploying cutting-edge 
cybersecurity defenses is a necessary enabler of data privacy. 
Organizations should be encouraged to protect data by implementing 
robust data and network security practices that both can help prevent 
cyber incidents and data breaches from occurring in the first place, 
and mitigate the impact should an incident occur.
    Palo Alto Networks supports efforts to develop a strong Federal 
privacy standard that:

  1.  Provides consistent and predictable requirements and protections 
        for individuals and businesses;

  2.  Establishes a single national standard to prevent a complex 
        compliance patchwork;

  3.  Promotes robust and adaptable data security standards, spanning 
        prevention to response, commensurate with today's evolving 
        cyber threat environment;

  4.  Fosters innovation by recognizing the importance of automation in 
        data security;

  5.  Prevents disclosure and transparency requirements from 
        unintentionally creating roadmaps for threat actors to break 
        through data and network defenses; and

  6.  Recognizes the beneficial uses of security data for permitted 
        purposes, such as cybersecurity.

    To keep pace with and respond to the increasingly sophisticated 
threat landscape, the cybersecurity community regularly leverages 
security data, through which cyber threat information is synthesized to 
develop a holistic picture of the techniques, tactics, infrastructure, 
and motives of cyber adversaries. Security data is the network 
telemetry--the 1s and 0s, the malware analysis, the IP addresses, the 
vulnerability enumeration--that we ingest and analyze to help defenders 
stay ahead of attackers.
    The necessity of cybersecurity firms collecting, processing, 
retaining, and transferring security data cannot be stressed enough. As 
explained further below, automated cyber defense tools are already 
proving transformational for network defenders. Security data--across 
the network, endpoint, and cloud--is now enhanced, stitched together, 
and correlated in real-time to differentiate the threat signal from the 
noise. This, in turn, results in better fortified systems and enhanced 
data security.
    To that end, recent policy approaches recognizing the importance of 
leveraging security data to bolster cyber defense is a positive 
development and one that will meaningfully help protect data privacy. 
Palo Alto Networks appreciates the growing recognition of this critical 
point, and believes that data privacy legislation should ensure that 
access to information for cyber defense purposes is not undermined by 
requirements intended to address other uses of consumer data.
    Any Federal privacy law must ensure that cyber defenders can 
leverage security data to prevent, detect, protect against, and respond 
to both known and unknown security vulnerabilities--bolstering both 
privacy and national security imperatives.
Today's Threat Landscape Demands Enhanced Data Security
    With the growing volume and sophistication of today's threats, it 
is critical for organizations to understand the threat landscape and 
how to properly defend against it. Every member of this committee 
likely has had a business, bank, school, or local government entity in 
their state victimized by a cybersecurity attack or data breach. These 
attacks affect our daily lives--from disruptions of public services 
like healthcare or emergency services, to leakage of Americans' 
sensitive data.
    Data breaches can result from several factors, including weak 
credentials, misconfigured security settings, internet-facing software 
vulnerabilities, and phishing attacks. These incidents can involve 
significant financial loss and damage to an organization's reputation, 
and compromise the security of individuals' critical data.
    This threat is not subsiding. Instead, adversaries continue to 
enhance their techniques and increase their sophistication. Bad actors 
can now execute numerous attacks simultaneously against one company, 
leveraging multiple vulnerabilities at once. We are also seeing 
evidence that adversaries are using AI to enhance what we call social 
engineering attacks--phishing e-mails and voice calls designed to lure 
users to ``click the link'' or provide access.
    A sobering yet persistent reality of our connected world is that 
far too many ``digital doors'' are left open for adversaries to walk 
through with relative ease.
    It is often said the Internet looks very small to an attacker but 
massive to a defender. After all, an enterprise that closes 99 percent 
of its digital doors but leaves one open inadvertently may well be 
destined for a breach. Entities of all sizes, public and private, have 
historically struggled to understand and manage their digital 
infrastructure, including phones, laptops, servers, and applications 
that have been exposed to the internet. In fact, we have found that 
even sophisticated enterprises actually have twice the number of 
systems exposed on the Internet than what they were internally 
monitoring--a visibility gap that gives adversaries the upper hand.
    The threat intelligence and incident response division at Palo Alto 
Networks, known as Unit 42, helps assess and test the security controls 
of organizations, transform their security strategies with a threat-
informed approach, and respond to incidents in record time. In 45 
percent of incident response cases led by Unit 42 last year, attackers 
exfiltrated data in less than a day after compromise, down from 44 days 
as recently as 2021. Slow response times increase the cost of resolving 
incidents, and increase the likelihood of sensitive data being 
compromised.
    Complementing our insights from incident response cases, Palo Alto 
Networks also leverages a capability that indexes the public-facing 
Internet through the eyes of the adversary to discover exposed systems, 
vulnerabilities, and misconfigurations. We are increasingly seeing 
cloud infrastructure as an inviting attack vector for adversaries. In 
fact, over 80 percent of the exposures we observed were cloud-based, 
and Unit 42 similarly saw a 115 percent increase in cloud-related 
incidents in 2023 compared to 2022.
    Modern organizations often depend on multiple cloud environments to 
store, process, and analyze data. The use of diverse cloud services 
drives many helpful operational efficiencies, but also creates 
fragmentation--scattering sensitive records across multiple datastores 
with opaque data flows, and complicated access control mechanisms. 
Organizations frequently struggle to understand what sensitive data 
(e.g., customer details, health data, financial information) they 
actually hold, who can access it, and where it is at risk.
    Recognizing these realities, promoting effective data security 
requires an innovative approach to fortifying cyber defenses, 
particularly given the constantly evolving threat landscape.
Securing Systems and Data with AI and Automation
    Fortunately, AI and automation are proving transformative for 
network defenders, enabling organizations not only to respond more 
quickly, but also to more nimbly ingest and analyze security data to 
proactively harden their networks against attacks.
    One of the most promising applications of AI and automation for 
cyber defense is to significantly uplevel and enhance the capabilities 
within Security Operation Centers (SOCs). For too long, our community's 
most precious cyber resources--people--have been inundated with 
security alerts that require manual triage, forcing them to play an 
inefficient game of ``whack-a-mole,'' while vulnerabilities remain 
exposed and critical alerts are missed.
    Two of the most important metrics for any security operations team 
are Mean Time to Detect and Mean Time to Respond. As the terms suggest, 
these metrics provide quantifiable data points for network defenders 
about how quickly they discover potential security incidents and then 
how quickly they can contain them to help mitigate their potential 
impact.
    Historically, organizations have struggled to execute against these 
metrics. A recent Unit 42 report that analyzed real-world cloud-related 
incident response cases found that, on average, security teams take 
nearly six days to resolve an alert. In contrast, we now see many 
adversaries moving from compromise to data exfiltration in just hours.
    Giving defenders the upper hand requires a new approach that 
leverages AI-driven SOCs. This technology will be a force multiplier 
for our cybersecurity professionals and will substantially reduce 
incident detection and response times.
    Early results from deploying this technology on our own company 
networks have been particularly promising. On average, we ingest 36 
billion events daily and use AI-driven data analysis to automatically 
triage that number down to just eight that require manual analysis. In 
addition, we have reduced our Mean Time to Detect to just 10 seconds 
and our Mean Time to Respond to just one minute for high priority 
alerts.
    Early customer benefits have been similarly encouraging. We have 
already seen a reduction in mean response times from weeks and days to 
hours and minutes. Such a reduction is critical to stopping threat 
actors before they can encrypt systems or steal sensitive information, 
and for minimizing the impact of an incident. This tool has 
dramatically improved incident close-out rates from 20 percent pre-
deployment to 100 percent post-deployment.
    Increased adversarial speed to steal or encrypt data demands rapid 
detection and response. In order to stay a step ahead of sophisticated 
adversaries, we must also detect never-before-seen anomalous behavior, 
not just previously identified attack patterns. AI now gives us the 
capability to do so--putting network defenders back in the driver's 
seat, not a step behind.
Key Data Security Recommendations
    As organizations seek to enhance their cybersecurity and data 
security postures, Palo Alto networks offers the following 
recommendations:

  1.  Ensure complete visibility of attack surfaces: 75 percent of 
        attacks and breaches fielded by Unit 42's incident response 
        team result from a common culprit--internet-facing attack 
        surface exposures. Deploying solutions that provide 
        centralized, near real-time visibility can help organizations 
        identify and mitigate vulnerabilities before they can be 
        exploited.

  2.  Promote Secure AI by Design: Enterprises will benefit from 
        capabilities that assist in inventorying AI usage, applying 
        policy controls, and securing apps built with AI.

  3.  Leverage the power of AI and automation in network defense to 
        modernize security operations and reduce the burden on 
        overworked analysts. The latest technology can help 
        organizations drive down key cybersecurity metrics like Mean 
        Time to Detect and Mean Time to Respond, denying attackers the 
        time they need to compromise an organization's systems or 
        exfiltrate its data. Additionally, technique-based protections 
        mapped to the MITRE ATT&CK Framework can help defenses nimbly 
        evolve in response to adversarial tactics.

  4.  Implement enterprise-wide zero trust network architecture: This 
        is a fundamental security principle that assumes the network is 
        already compromised and implements processes that continuously 
        validate the user, device, application, and data in a 
        controlled manner. Zero trust network architecture creates 
        layers of security that prevent or limit an attacker from 
        successfully moving laterally around the network. This provides 
        victims with more time to detect, properly contain, and 
        remediate the threat.

  5.  Protect cloud infrastructure, applications, and data: With cloud 
        migration accelerating, threat actors will continue to develop 
        tactics, techniques, and procedures designed to target and 
        compromise cloud workloads. Organizations leveraging cloud 
        infrastructure should implement a cloud security program and 
        platform that offers comprehensive cloud-native application 
        protection.

  6.  Maintain an incident response plan to prepare for and respond to 
        cyber incidents, including emerging ransomware tactics like 
        extortion, multi-extortion, and harassment. Organizations that 
        continuously review, update, and test their incident response 
        plans--ideally with input from cybersecurity experts--are much 
        more likely to effectively respond to and contain an active 
        attack. Organizational leadership must elevate cybersecurity as 
        a core part of their overall enterprise risk management 
        strategy.

    While there is no silver bullet in cybersecurity, prioritizing 
these recommendations will materially reduce the risk of falling victim 
to an attack, more effectively protect data if an attack does occur, 
and help increase the resilience of the entire cybersecurity ecosystem.
Partnerships and People Remain Critical
    It is often said that cybersecurity is a team sport, and 
partnership is very much in our DNA at Palo Alto Networks--and across 
the entire cybersecurity industry.
    Palo Alto Networks is proud to be a founding Alliance member of 
CISA's Joint Cyber Defense Collaborative (JCDC). In forums like these, 
we share technical threat intelligence on a daily basis through 
partnerships with U.S. government entities, private sector entities, 
and other allied nations to support global prevention and response to 
significant cyber incidents. We are also active members of the NIST 
National Cybersecurity Center of Excellence projects on 5G, zero trust, 
and post-quantum cryptography.
    It is critical we educate and train the cyber workforce of today 
and tomorrow with the advanced skills required for meaningful jobs that 
complement technological innovation. This approach is fundamental to 
improving our collective cyber defense and enabling data security.
    To that end, we have been encouraged to see the impact of several 
initiatives aimed at broadening access to cybersecurity education, 
including the Palo Alto Networks Cybersecurity Academy, which offers 
free and accessible curricula aligned to the NIST National Initiative 
for Cybersecurity Education (NICE) Framework, to academic institutions 
from middle school through college. Hands-on experiences with cyber and 
AI benefit the entire ecosystem as they help to upskill our own 
workforce as well as that of our customers.
    Palo Alto Networks offers several accelerated onboarding programs 
to diversify the workforce, including the Unit 42 Academy, which 
welcomes new early career participants each August as full-time members 
of our incident response and cyber risk management teams. We are 
pleased to report that our 2023-2024 class is 80 percent female.
    Taken together, the aspects I've highlighted in my testimony will 
help address a number of components associated with a holistic approach 
to data security--technology, processes, and people.
    Thank you for the opportunity to testify. I look forward to your 
questions.

    Senator Hickenlooper. Thank you, Mr. Kaplan.
    Now I'll introduce Prem Trivedi, who is the Policy Director 
for New America's Open Technology Institute.

          STATEMENT OF PREM TRIVEDI, POLICY DIRECTOR, 
            NEW AMERICA'S OPEN TECHNOLOGY INSTITUTE

    Mr. Trivedi. Chair Hickenlooper, Ranking Member Blackburn, 
members of the Committee, thank you very much for the 
opportunity to speak with you today.
    I'm Prem Trivedi, the Policy Director of the Open 
Technology Institute at New America, a nonprofit and 
nonpartisan organization dedicated to realizing the promise of 
America in an era of rapid technological and social change.
    Since 2009, the Open Technology Institute, or OTI, has 
worked to ensure every community has equitable access to 
digital technology and its benefits. OTI has long emphasized 
the need for a strong Federal standard in privacy and data 
security that protects consumers while retaining sufficient 
flexibility for innovation.
    This takes me to my first point. Data security and consumer 
privacy are two sides of the same coin. Strong data security 
safeguards, including minimization, are vital to protecting 
consumers. And data minimization, as you mentioned in your 
remarks, is a powerful principle that requires collecting, 
using, sharing, and retaining only the data necessary to 
provide a service or a product.
    And strong data security safeguards are urgently needed in 
this era of AI. Training many AI models requires ingesting huge 
data sets, and as companies race to acquire more data, the 
pressures to adequately protect it keep increasing. And so a 
baseline Federal standard on privacy and data security is 
essential to ethically and effectively regulating AI 
development.
    And I'll add, cybersecurity practitioners also recognize 
minimization's benefits go beyond consumer privacy, because it 
can reduce threats posed by breaches and other security 
incidents.
    In short, companies can't misuse data that they don't have. 
And hackers can't steal data that companies don't have.
    My next point is that research shows Americans want strong 
data security and minimization protections. There's no uniform 
national standard that protects all types of data, and 
Americans know that online data collection and tracking of 
their activities is pervasive.
    It's probably why 75 percent of Americans lack confidence 
that the government will hold a company accountable if it 
misuses or compromises their data. And all of this concern 
about data security and privacy is negatively impacting 
consumer trust in AI and in leading AI companies, many of which 
are U.S. companies, small and large.
    And the good news is that more than two-thirds of 
Republicans and Democrats support more regulation of companies' 
data use. And we've been heartened to see the recent 
reemergence of a credible bipartisan, bicameral legislative 
proposal on privacy and data security via the American Privacy 
Rights Act.
    The next point I'd like to make is that a strong Federal 
data minimization regime would replace the broken approach in 
American privacy governance that relies on notice and consent 
alone. We know it would take people hundreds of hours to read 
all the privacy policies that they encounter in just a year. 
And most Americans, even most privacy professionals, respond to 
this unfair burden on consumers by clicking ``agree'' without 
reading those policies.
    This isn't meaningful notice, it's not meaningful consent, 
and it's not clear either is really achievable in most of our 
online activities. Data minimization is so important because it 
shifts the responsibility onto companies, from consumers, to 
use only what the companies need to provide products or 
services.
    And I want to point out, this is far from a new concept in 
law or corporate risk management playbooks. So I think we can 
get the benefits of data minimization without stifling 
innovation or overburdening smaller companies.
    The last main point I'd like to make is that a broad set of 
best practices in data security should become baseline 
safeguards across all sectors of our economy. And here's a 
short list of those best practices.
    First, as I've emphasized so far, collect, use, share, and 
retain only data that's relevant.
    Second, whenever possible, use encryption to securely store 
and process data.
    Third, apply strong controls that ensure only the people 
who should be able to access data can, in fact, access that 
data.
    Fourth, use strong methods for authentication, including 
multi-factor authentication.
    Fifth, further study and standardize over time uses of 
privacy enhancing technologies.
    And sixth, routinely assess and mitigate against data 
security vulnerabilities, something you've heard from other 
witnesses as well.
    There's no such thing as perfect data security. But these 
common sense best practices should be requirements in Federal 
law that are applied flexibly enough to account for different 
companies' sizes and technical capacity.
    In conclusion, data protection is consumer protection, and 
we need a national legislative framework that requires and 
incentivizes responsible data stewardship. Continued U.S. 
leadership on AI requires Congress to address the consumer 
trust gap. And we appreciate the Committee's bipartisan 
leadership on data security and privacy.
    Thank you again for the opportunity to testify before the 
Subcommittee. I look forward to your questions.
    [The prepared statement of Mr. Trivedi follows:]

 Prepared Statement of Prem M. Trivedi, Policy Director, New America's 
                       Open Technology Institute
Introduction
    Chair Cantwell, Ranking Member Cruz, Subcommittee Chair 
Hickenlooper, Ranking Member Blackburn, and Members of the Committee, 
thank you for the opportunity to offer testimony today on how strong 
data security safeguards protect consumers. A Federal standard for data 
security, and particularly for data minimization, is critical to 
protecting American consumers and American companies from the over-
collection of data, subsequent misuse of such data, and the harms of 
data breaches.
    My name is Prem Trivedi, and I am the policy director of the Open 
Technology Institute at New America, a nonprofit and nonpartisan 
organization dedicated to realizing the promise of America in an era of 
rapid technological and social change.\1\ Since 2009, the Open 
Technology Institute (OTI) has worked at the intersection of technology 
and policy to ensure that every community has equitable access to 
digital technology and its benefits. We promote universal access to 
communications technologies that are both open and secure, using a 
multidisciplinary approach that brings together advocates, researchers, 
organizers, and innovators.\2\
---------------------------------------------------------------------------
    \1\ Our Story, New America, https://www.newamerica.org/our-story/
    \2\ About, New America's Open Technology Institute, https://
www.newamerica.org/oti/about/
---------------------------------------------------------------------------
    OTI has long emphasized the need for strong, common Federal 
standards in privacy and data security that protect consumers while 
retaining sufficient flexibility for innovation. We have been heartened 
to see the reemergence of a credible bipartisan legislative proposal on 
privacy and data security via the American Privacy Rights Act 
(APRA).\3\ Data security and consumer privacy are two sides of the same 
coin. Perhaps no principle better illustrates that fundamental truth 
than data minimization, which requires companies to collect, use, 
share, and retain only what they need to provide a product or service. 
Strengthening Federal protections for privacy and data security is 
vital to protecting Americans, a key foundation of responsibly 
regulating artificial intelligence, and an important part of 
safeguarding our economic and national security. We at OTI commend the 
Subcommittee for its leadership in spotlighting how data security and 
data minimization play an essential role in protecting consumers and 
data.
---------------------------------------------------------------------------
    \3\ American Privacy Rights Act of 2024 (discussion draft), https:/
/d1dth6e84htgma.cloudfront
.net/
American_Privacy_Rights_Act_of_2024_Discussion_Draft_0ec8168a66.pdf.
---------------------------------------------------------------------------
    My testimony makes four key points:

  1.  Strong data security safeguards, including data minimization, are 
        essential to protecting consumers.

  2.  Consumer research shows that Americans want stronger data 
        security and privacy laws, including the protections of data 
        minimization.

  3.  Data minimization requirements in a Federal privacy law could fix 
        the broken notice and consent approach to U.S. privacy law.

  4.  Codifying a broader set of data security practices in Federal law 
        would also meaningfully protect consumers' and companies' data.
I. Strong Data Security Safeguards, including Data Minimization, Are 
        Vital to Protecting Consumers
    ``Data minimization'' may seem like a dry and technocratic-sounding 
term. But, at its core, it is a powerful principle for collecting, 
using, sharing, and retaining only the data that is necessary to 
provide a service or product. Data minimization is an essential element 
of effective privacy and data governance that protects people and 
organizations from misuse and mitigates the harms of data breaches. And 
it is already a well understood, common requirement in international, 
federal, and state laws and regulations. In addition, data minimization 
is a core part of internal company rules and risk assessments, but it 
is not consistently applied with sufficient rigor. A brief examination 
of first-and third-party tracking on the Internet powerfully 
illustrates why we need a common national baseline for data 
minimization.
    The average modern web page or smartphone application collects 
information about you--like the browser you use, your IP address, 
metrics about how you engage with the site or app, and any information 
you actively provide. This is ``first-party'' data collection. But a 
web page also uses code from other companies or entities, which are 
referred to as third parties--sometimes dozens of them. This type of 
code may be placed on a website to improve your experience or to 
provide a service like web analytics for the site's owner. Each of 
those third parties is in a position to track that site's visitors and 
collect and retain a broad range of data about them. If a third party's 
code is included on multiple websites, then you can be tracked as 
having visited both pages, and data brokers can potentially bundle and 
sell that data to entities ranging from domestic and foreign 
governments to insurance companies and credit bureaus.
    Even if a third party is providing a legitimate service, it is 
almost impossible for the average person to know if that is the case 
because all of this code is loaded silently in the background. Finding 
out which third parties a site loads requires special tools and then a 
further step of researching the services those third parties provide. 
While it might be feasible to investigate a site like senate.gov, which 
only loads code from two third parties, it is simply not practical to 
do that on very popular pages, like mainstream news websites--many of 
which load code from dozens of third parties. Similarly, developers of 
smartphone apps may include third-party libraries that can analogously 
track users via their devices and sometimes their activity in other 
apps, which is known as ``cross-app tracking.''
    There are certainly companies in this ecosystem that follow 
responsible privacy practices, but many others do not show the same 
regard for privacy and data security. Strong data minimization rules 
would restrict both first-party and third-party data collection and 
use. They would alleviate some of the unrealistic responsibility forced 
onto website visitors and app users to figure out how their data is 
collected and used and which third parties may be tracking them. Strong 
rules would also bolster public trust if people knew that a Federal law 
reasonably minimized the amount of data about them that could be 
gathered, used, and stored. Companies cannot use data that they don't 
have.
    Cybersecurity practitioners recognize the importance of 
minimization. Consistent reductions in data collection and use would 
significantly reduce the threats posed by breaches and other security 
incidents. Responsible data minimization also lowers the possible harms 
when companies get hacked. A common data security maxim is ``If you 
can't protect it, don't collect it.'' \4\ A common privacy maxim is 
``Collect and use only what you need.'' And here is a synthesis that I 
will borrow from another civil society organization: ``You don't have 
to protect what you don't collect.'' \5\ This perfectly illustrates how 
data minimization is a cornerstone of protecting consumers and 
companies, safeguarding privacy, and securing data. Hackers cannot 
steal data that companies do not have.
---------------------------------------------------------------------------
    \4\ Richard Bejtlich, New cybersecurity mantra: ``If you can't 
protect it, don't collect it.'', Brookings, Sep. 3, 2015, https://
www.brookings.edu/articles/new-cybersecurity-mantra-if-you-cant-
protect-it-dont-collect-it/.
    \5\ John Davisson, Data Minimization: A Pillar of Data Security, 
But More Than That Too, Electronic Privacy Information Center, Jun. 22, 
2023, https://epic.org/data-minimization-a-pillar-of-data-security-but-
more-than-that-too/.
---------------------------------------------------------------------------
    The central role of data minimization in data security is even 
clearer when we think about how some of Americans' most sensitive data 
is held by institutions like schools and hospitals. These organizations 
may have varying levels of technical capacity to implement data 
security measures. Although Federal privacy laws cover sectors like 
health, finance, and education, the reality is that virtually every 
institution is likely to hold and use sensitive data--including data 
not covered by data security or privacy laws. A strictly sectoral 
approach to data security and privacy leaves unprotected many 
institutions and Americans who need a baseline level of support from a 
strong Federal standard for data minimization and other security 
practices.
    In addition, the need for robust data minimization and other 
security provisions is increasingly evident in this era of artificial 
intelligence (AI). The training of many AI models--particularly 
powerful ``foundation'' models designed to be adapted for a variety of 
purposes--requires the ingestion of huge data sets. As companies race 
to acquire more and more data, the pressures on privacy and data 
security are becoming even more acute.\6\ Although there appears to be 
broad consensus on the need to regulate AI, public debate sometimes 
overlooks the fact that a baseline Federal standard on privacy and data 
security is foundational to ethically and effectively regulating AI 
development.
---------------------------------------------------------------------------
    \6\ Cade Metz, Cecilia Kang, Sheera Frenkel, Stuart A. Thompson, 
and Nico Grant, How Tech Giants Cut Corners to Harvest Data for A.I, 
New York Times, Apr. 8, 2024, https://www.nytimes.com/2024/04/06/
technology/tech-giants-harvest-data-artificial-intelligence.html.
---------------------------------------------------------------------------
II. Research Shows Americans Want Strong Data Security and Minimization 
        Protections
    We don't need to take data protection professionals' word about the 
importance of protecting data security and privacy. Consumer research 
by companies and nonprofits shows that Americans feel a lack of control 
over their data and are unsure of what data companies collect from them 
and how they use it. This environment of uncertainty and mistrust 
leaves them wanting stronger privacy and data security protections.
    According to a 2023 report from the International Association of 
Privacy Professionals, nearly 68 percent of consumers globally said 
they were somewhat or very concerned about their privacy online. And 
only 29 percent of consumers surveyed said it was easy for them to 
understand how a company protects their personal data.\7\ A 2023 KPMG 
survey of 2,000 Americans found that 86 percent of those surveyed said 
their data privacy is a source of growing concern.\8\
---------------------------------------------------------------------------
    \7\ Muge Fazlioglu, Privacy and Consumer Trust, IAPP, Mar. 2023, 
https://iapp.org/media/pdf/resource_center/
privacy_and_consumer_trust_report_summary.pdf.
    \8\ Corporate data responsibility: Bridging the consumer trust gap, 
KPMG, 2023, https://kpmg.com/us/en/articles/2023/bridging-the-trust-
chasm.html.
---------------------------------------------------------------------------
    Consumers are similarly worried about data security. A 2024 
Deloitte study reveals that about 60 percent of survey respondents 
worry that their devices are vulnerable to security breaches and are 
concerned that organizations or people could track them through their 
devices.\9\ These are not abstract fears. A third of the survey 
respondents said ``they experienced at least one type of breach or scam 
in the past year, and 16 percent fell victim to two or more kinds.'' 
\10\
---------------------------------------------------------------------------
    \9\ Jana Arbanas et al., Data privacy and security worries are on 
the rise, while trust is down |2023 Connected consumer survey, 
Deloitte, 2023, https://www2.deloitte.com/us/en/insights/industry/
telecommunications/connectivity-mobile-trends-survey.html#explore.
    \10\ Id.
---------------------------------------------------------------------------
    In the United States, as the Committee knows well, we have sector-
specific data security and privacy laws at the Federal level but no 
uniform national standard that applies to all Americans and establishes 
a baseline for protecting all types of data.
    Perhaps that helps to explain why, according to a 2019 Pew Research 
study, 72 percent of ``Americans report feeling that all, almost all or 
most of what they do online or while using their cellphone is being 
tracked by advertisers, technology firms or other companies.'' \11\ It 
surely is part of the reason why 75 percent of Americans are not 
confident that the government will hold a company accountable if it 
misuses or compromises their data.\12\ According to Pew's updated 
research in 2023, the concerns have only grown worse. Last year, 67 
percent of Americans reported that ``they understand little to nothing 
about what companies are doing with their personal data.'' \13\
---------------------------------------------------------------------------
    \11\ Brooke Auxier, Lee Rainie et al., Americas and Privacy: 
Concerned, Confused and Feeling Lack of Control Over Their Personal 
Information at p. 6, Pew Research, Nov. 15 2019, https://
www.pewresearch.org/internet/wp-content/uploads/sites/9/2019/11/Pew-
Research-Center_PI_
2019.11.15_Privacy_FINAL.pdf.
    \12\ Brooke Auxier, Lee Rainie et al., Americas and Privacy: 
Concerned, Confused and Feeling Lack of Control Over Their Personal 
Information at p. 9, Pew Research, Nov. 15 2019, https://
www.pewresearch.org/internet/wp-content/uploads/sites/9/2019/11/Pew-
Research-Center_PI_
2019.11.15_Privacy_FINAL.pdf.
    \13\ Colleen McClain, Michelle Faverio et al., Americans and 
Privacy: Concerned, Confused and Feeling Lack of Control Over Their 
Personal Information, Pew Research, Oct. 18, 2023, https://
www.pewresearch.org/internet/2023/10/18/how-americans-view-data-
privacy/
---------------------------------------------------------------------------
    All of this concern about data security and privacy is negatively 
impacting consumer trust in AI technology and leading AI companies. 
According to a Cisco survey, 62 percent of global consumers are 
concerned about the business use of AI today, and 60 percent say that 
the use of AI by organizations so far has already eroded their 
trust.\14\ American consumers are no exception to the global trend. 
When surveyed last year, 70 percent of Americans who have heard about 
AI have little to no trust in companies to make responsible decisions 
about how they use it in their products.\15\
---------------------------------------------------------------------------
    \14\ Generation Privacy: Young Consumers Leading the Way Cisco 2023 
Consumer Privacy Survey, Cisco, Oct. 18, 2023, https://www.cisco.com/c/
en/us/about/trust-center/consumer-privacy-survey.html
    \15\ Colleen McClain, Michelle Faverio et al., Americans and 
Privacy: Concerned, Confused and Feeling Lack of Control Over Their 
Personal Information, Pew Research, Oct. 18, 2023, https://
www.pewresearch.org/internet/2023/10/18/how-americans-view-data-
privacy/.
---------------------------------------------------------------------------
    Another statistic demonstrates the loss of agency that Americans 
feel over their data and illustrates why data minimization and other 
data security measures are so important in restoring Americans' trust 
in their government's ability to require responsible data stewardship. 
Although 78 percent of Americans trust themselves to make ``the right 
decisions about their personal information,'' a majority doubt that 
anything they do will make much of a difference. Only about one in five 
Americans are confident that those who have their personal information 
will treat it responsibly.\16\
---------------------------------------------------------------------------
    \16\ Id.
---------------------------------------------------------------------------
    These studies are just a small sampling of consumer research that 
reveals deep-seated concerns--both globally and in the United States--
about privacy, data use, and trust in AI companies. But Americans are 
also clear about the solutions to this problem, with 72 percent of 
Americans wanting more regulation of companies' data practices.\17\ 
Notably, this support is bipartisan, with 68 percent of Republicans and 
78 percent of Democrats expressing this view.\18\ And most Americans 
are also clear that the specific path forward involves data 
minimization and other data security protections. Research consistently 
shows that Americans are concerned about how much data companies 
collect from them.
---------------------------------------------------------------------------
    \17\ Id.
    \18\ Id.
---------------------------------------------------------------------------
    Interestingly, some studies suggest that company leaders understand 
the trust deficit among their consumers and broadly agree on the path 
forward. A 2023 KPMG survey of 250 business leaders found that 70 
percent said their company increased data collection over the previous 
year.\19\ One out of three business leaders surveyed said that 
consumers should be concerned about how their company uses personal 
data. Tracking consumer sentiment, 62 percent of leaders said their 
company should do more to protect their consumers' personal data.\20\
---------------------------------------------------------------------------
    \19\ Corporate data responsibility: Bridging the consumer trust 
gap, KPMG, 2023, https://kpmg.com/us/en/articles/2023/bridging-the-
trust-chasm.html.
    \20\ Id.
---------------------------------------------------------------------------
III. Strong Federal Data Minimization Rules Could Fix the Broken Notice 
        and Consent Privacy Paradigm in the United States
    A strong Federal data minimization regime would respond to consumer 
concerns and finally replace the broken notice and consent approach 
that has defined American data security and privacy governance for 
decades. The ``notice and consent'' approach requires private entities 
to notify individuals and ask for their permission before collecting 
and utilizing their personal data.\21\ These notices often take the 
form of privacy policies. But it would take people hundreds of hours to 
read all the privacy policies for websites and applications that most 
of us encounter in just a year.\22\ In 2019, one in five Americans said 
they often or always read privacy policies,\23\ and even that figure 
seems surprisingly high. In 2023, a majority of Americans responded to 
this unfair burden on consumers by just clicking ``agree'' without 
reading privacy policies.\24\ This isn't meaningful notice, it isn't 
meaningful consent, and it is not clear that either is achievable in 
the course of most of our online activities.\25\ Enter data 
minimization, which shifts the responsibility onto companies to 
exercise restraint by collecting and using data only that they need to 
provide their products or services.
---------------------------------------------------------------------------
    \21\ Claire Park, How ``Notice and Consent'' Fails to Protect Our 
Privacy, New America's Open Technology Institute, Mar. 23, 2020, 
https://www.newamerica.org/oti/blog/how-notice-and-consent-fails-to-
protect-our-privacy/ (``Notice and consent is too weak in practice to 
meaningfully shield individual privacy. Instead, we need comprehensive 
privacy legislation that will empower individuals with explicit user 
rights over their data, and provide strict limits on how private 
entities handle that data.'').
    \22\ Geoffrey A. Fowler, I Tried to Read All My App Policies. It 
Was 1 Million Words, Washington Post, May 31, 2022, https://
www.washingtonpost.com/technology/2022/05/31/abolish-privacy-policies/; 
Aleecia M. McDonald and Lorrie Faith Cranor, The Cost of Reading 
Privacy Policies, I/S: A Journal of Law and Policy for the Information 
Society, vol. 4, no. 3 (2008), 543-568, https://kb.osu.edu/server/api/
core/bitstreams/a9510be5-b51e-526d-aea3-8e9636bc00cd/content.
    \23\ Brooke Auxier, Lee Rainie et al., Americas and Privacy: 
Concerned, Confused and Feeling Lack of Control Over Their Personal 
Information, Pew Research, Nov. 15 2019, https://www
.pewresearch.org/internet/2019/11/15/americans-attitudes-and-
experiences-with-privacy-policies
-and-laws/
    \24\ Michelle Faverio, Key findings about Americans and data 
privacy, Pew Research, Oct. 18, 2023, https://www.pewresearch.org/
short-reads/2023/10/18/key-findings-about-americans-and
-data-privacy/.
    \25\ Daniel J. Solove, Privacy Self-Management and the Consent 
Dilemma, 126 Harv. L. Rev. 1880 (2013) https://scholarship.law.gwu.edu/
cgi/viewcontent.cgi?referer=&httpsredir=1&article
=2093&context=faculty_publications; David Medine and Gayatri Murthy, 
Companies, not people, should bear the burden of protecting data, David 
Medine and Gayatri Murthy, Brookings, Dec. 18, 2019, https://
www.brookings.edu/articles/companies-not-people-should-bear-the-burden-
of-protecting-data/.
---------------------------------------------------------------------------
    Right now, the U.S. legislative regime for data security is 
fragmented in ways that make consumers more vulnerable and require 
companies to develop complicated compliance programs in the absence of 
clear national rules of the road. In broad terms, a credible Federal 
data minimization standard would require that companies only collect 
and process data that is reasonably necessary for the products and 
services that they offer, in addition to fulfilling other permissible 
purposes like data security and protection against fraud. A Federal 
data privacy and security law would make clear that the obligation to 
minimize data applies to all aspects of the data life cycle: data 
collection, use, transfer, and retention. Congress has made progress in 
this respect, most recently in the discussion draft of the American 
Privacy Rights Act (APRA), which would establish a data minimization 
regime and robust data security requirements.
    We at the Open Technology Institute believe in the power of digital 
technology to produce transformative innovation that serves the public 
interest. However, the costs of continuing to operate without a 
reasonable Federal standard on data minimization--to American 
consumers, American companies, and the health of our economy--are 
simply too high. The proposed solution--a comprehensive Federal privacy 
law rooted in data minimization and data security obligations--would 
not overburden industry.
    Data minimization is not a rigid concept that by itself would 
stifle innovation or hamstring companies, whether large or small, 
incumbent or start-up. Properly applied, data minimization can reduce 
security concerns, protect user data, and lead to better products and 
services.
    Data minimization is not a new concept that is difficult to 
incorporate in Federal law. Minimization and other well-established 
data protection principles stem from an earlier era of U.S. leadership 
on responsible data governance. The U.S. Department of Health, 
Education, and Welfare, in 1973, published a landmark report that 
established a set of five Fair Information Practices (FIPs).\26\ Those 
five principles have been further developed into principles like the 
Organisation for Economic Co-operation and Development (OECD) Privacy 
Guidelines, which include the core requirements of data minimization. 
Those requirements, in turn, have been incorporated into legislation 
around the world, including Europe's General Data Protection Regulation 
(GDPR), Brazil's General Personal Data Protection Law (LGPD), and 
India's Digital Personal Data Protection Act (DPDPA).\27\ Each of these 
laws takes a slightly different approach to minimization, but they all 
adopt the principle as a legal requirement. Against this global 
backdrop, a comprehensive U.S. Federal law on data protection and 
privacy is conspicuously absent.
---------------------------------------------------------------------------
    \26\ U.S. Dep't. of Health, Education and Welfare, Secretary's 
Advisory Committee on Automated Personal Data Systems, Records, 
computers, and the Rights of Citizens (1973), https://www.justice.gov/
opcl/docs/rec-com-rights.pdf.
    \27\ Using the OECD Privacy Guidelines as an illustration, the 
following principles collectively fall under the broader umbrella of 
data minimization: collection limitation, purpose specification, and 
use limitation. See OECD Privacy Guidelines (last amended Oct. 2013), 
Organisation for Economic Cooperation and Development, https://
legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0188.
---------------------------------------------------------------------------
    Data minimization is also widely understood by companies as a 
principle of risk management, but the application across companies and 
sectors is inconsistent. Federal codification of data minimization 
rules would not be seen as a novel regulatory requirement. Major U.S. 
tech companies, for example, already include data minimization in their 
privacy and data governance frameworks.\28\
---------------------------------------------------------------------------
    \28\ See, e.g., Meta, Privacy Progress Update (Privacy Review), 
https://about.meta.com/privacy-progress/#how-we-do-it (listing data 
minimization as a core privacy principle); Google, Your privacy is 
protected by responsible data practices, https://safety.google/privacy/
data/ (noting that data minimization ``limit[s] the personal 
information that is used and saved); Google, Our Privacy Principles, 
https://safety.google/principles/ (listing as the fourth principle ``We 
reduce the data we use to further protect your privacy.'').
---------------------------------------------------------------------------
IV. Strong Federal Data Security Standards Are Essential to Addressing 
        Variations across Sectors and Data Types
    OTI focuses considerably on data minimization because it is often 
an underappreciated aspect of securing data and protecting consumers, 
but there are also other basic best practices in data security that 
should be required as a baseline across all sectors of the economy. 
Strong Federal legislative requirements could require companies and 
other organizations to do the following:

   Securely store and process data. When feasible, given the 
        intended uses of the data, it is a best practice to encrypt 
        data at rest (stored data) and data in transit (data being 
        transmitted between devices and servers).

   Apply strong access controls, which can be implemented 
        through technical controls and administrative rules. It is 
        critical to ensure that only the people who need to be able to 
        access data actually can access it.

   Use strong methods for authentication and identity 
        management. Companies must ensure that data access is 
        accompanied by robust authentication requirements, which 
        include but are not limited to using appropriately strong 
        passwords in combination with multi-factor authentication. 
        Unfortunately, many data breaches take place because weak or 
        default passwords enable the success of password-guessing 
        efforts.\29\
---------------------------------------------------------------------------
    \29\ Verizon Business, 2024 Data Breach Investigations Report p. 
43-44, https://www
.verizon.com/business/resources/T990/reports/2024-dbir-data-breach-
investigations-report.pdf; State of Security 2024: The Race to Harness 
AI, Splunk, https://www.splunk.com/en_us/form/state-of-security.html 
(`` ``. . . attackers often use older vulnerabilities, default 
passwords, and other low hanging fruit to target organizations, so a 
commitment to cyber hygiene is more important than ever.'' '').

   Retain only data that is still needed by periodically 
        reviewing data sets for relevance and deleting what is no 
        longer needed. As discussed in Sections I-III, minimizing the 
        amount of available data is an important safeguard against 
---------------------------------------------------------------------------
        misuse and mitigates the harms from data breaches.

   Standardize privacy-enhancing technologies. Advancements in 
        encryption and increasingly secure computing environments have 
        led to a new generation of data processing tools. Technologies 
        like multi-party computation and zero-knowledge proofs allow 
        for data to be processed in a way that all the data remains 
        encrypted and no private information is disclosed. These and 
        other privacy-enhancing technologies should become the standard 
        for processing data.

   Routinely assess and mitigate against data security 
        vulnerabilities at the device, network, and application levels. 
        Companies should not only regularly apply updates and security 
        patches for their hardware and software, but they should also 
        be aware of and implement other common security practices, like 
        network segmentation.\30\
---------------------------------------------------------------------------
    \30\ See, e.g., What is Network Segmentation?, Cisco, https://
www.cisco.com/c/en/us/products/ security/what-is-network-
segmentation.html#how-segmentation-works.

    There is, of course, no such thing as perfect security in either 
the digital or physical worlds. But common-sense best practices like 
these should be standard requirements in Federal law, so long as they 
are applied with enough flexibility to account for variation in 
organizations' size and capacity to develop sophisticated data security 
programs.
Conclusion
    Americans want strong and consistent protections for their data. 
They realize that their data can represent the most sensitive aspects 
of their lives. Data protection is consumer protection, and this 
committee is deeply aware of the need for companies to serve as 
responsible stewards of data--personal or otherwise.
    Rapid advances in artificial intelligence serve as a reminder that 
now is the time to ensure a strong, common national standard for data 
security and privacy. We appreciate the Committee's bipartisan 
leadership on privacy and data security legislation. OTI looks forward 
to working with Members of Congress to help advance strong privacy and 
data security protections into law.

    Senator Hickenlooper. Thank you very much.
    I'll now go to Mr. Parker. I forget--you're the director 
of--Senior Director of Security Industry Association. Thank you 
for being here.

                   STATEMENT OF JAKE PARKER,

            SENIOR DIRECTOR OF GOVERNMENT RELATIONS,

                 SECURITY INDUSTRY ASSOCIATION

    Mr. Parker. Good afternoon, Chairman Hickenlooper, Ranking 
Member Blackburn. Thank you for the opportunity to participate 
in today's hearing.
    Again, I'm Jake Parker with the Security Industry 
Association. This is a nonprofit trade association representing 
more than 1,500 companies that provide products for protecting 
lives, property, businesses, schools, and critical 
infrastructure throughout the Nation.
    So data security is essential to the operation of security 
systems and services, and our members are committed to 
protecting personal data, whether it is consumer or operational 
data. Practices like data minimization and privacy-by-design, 
enhance the end-to-end security needed for successful 
implementation of many types of these products.
    For example, when it comes to access control and video 
systems, features like data encryption, which we talked a bit 
about here, permissions-based access, decentralized data 
storage, edge device processing, audit capabilities, and data 
deletion schedules all serve to limit the availability of data 
for potential misuse, and limit the usefulness of data if it is 
compromised.
    In another example, our members provide the multi-factor 
authentication and remote identity proofing services that are 
becoming essential to preventing identity theft and fraud as 
attackers become more sophisticated.
    These advanced technologies provided by our industry, 
especially biometrics, are providing higher-assurance 
authentication, while reducing exposure of passwords and other 
personal information that is far more vulnerable to 
exploitation by identity thieves and cyber hackers.
    As we've heard from the other witnesses, there are very 
serious and rapidly increasing threats to data security that 
must be addressed. And beyond technical standards, product 
features, best practices, and security tools, the right--having 
the right public policies in place will also address data 
privacy and security. There's a key role for those.
    So states like Colorado, Texas, Tennessee, and by my count, 
by the end of this month, there will be a total of 19 states 
that have enacted comprehensive data privacy and security laws, 
which cover over 160 million Americans, or almost half the 
population.
    However, having a uniform national standard could provide 
more benefits to businesses and consumers, while further 
enhancing data security. And a national standard is something 
our members support. We've been following the renewed 
discussions here in Congress regarding the development of such 
a standard, and we are encouraged by the progress.
    In this, it's essential that data can continue to be 
utilized as needed for safety and security purposes. For 
example, our members and their customers are often the first to 
raise the alarm in emergencies, where having the right data 
helps law enforcement and other responders get to where they 
need to be as quickly as possible.
    And also mentioned earlier, there are many technologies 
used for authentication that will be essential to accomplishing 
the goals of the draft proposal that we are looking at in 
section 9, which I think was mentioned earlier.
    So having a uniform and workable national standard requires 
strong state and local preemption to avoid layering additional 
requirements. This is really important to our industry.
    It also needs to limit risks to businesses from 
opportunistic abusive lawsuits, which we've certainly seen in 
some jurisdictions over privacy matters. And need to make sure 
that we accomplish those two objectives in what we put forward.
    So I appreciate you holding this hearing, and your 
leadership, and putting a spotlight on data security. And as an 
organization, we're doing what we can, through our data privacy 
advisory board and our cybersecurity advisory board in 
particular, to provide key resources and urge adoption and best 
practices for data security in our industry, as I outlined in 
my written statement.
    Again, thank you for the opportunity to participate. And on 
behalf of SIA and our members, we look forward to continue 
working with you on these issues.
    [The prepared statement of Mr. Parker follows:]

   Prepared Statement of Jake Parker, Senior Director of Government 
                Relations, Security Industry Association
    Chairman Hickenlooper, Ranking Member Blackburn and distinguished 
members of the Committee, my name is Jake Parker, Senior Director of 
Government Relations for the Security Industry Association (SIA). SIA 
is a nonprofit trade association representing more than 1,500 companies 
that provide safety and security products essential to protecting 
lives, property, businesses, schools, and critical infrastructure 
throughout the U.S. and employ thousands of technology leaders.
Best Practices and Commitment of the Security Industry to Data 
        Protection
    Data security is essential to the delivery and operation of 
security systems and services. SIA members are committed to protecting 
personal data, whether it is consumer or operational data. Through our 
Data Privacy Advisory Board\1\ and Cybersecurity Advisory Board,\2\ SIA 
is encouraging members to implement best practices for data security by 
providing resources like our Privacy Code of Conduct,\3\ Ten Tips for 
Implementing Data Privacy,\4\ How to Counter AI-Driven Cybersecurity 
Threats to Physical Security Products,\5\ and enterprise security risk 
management (ESRM) strategies for our industry.\6\
---------------------------------------------------------------------------
    \1\ https://www.securityindustry.org/committee/data-privacy-
advisory-board/
    \2\ https://www.securityindustry.org/committee/cybersecurity-
advisory-board/
    \3\ https://www.securityindustry.org/report/sia-privacy-code-of-
conduct/
    \4\ https://www.securityindustry.org/report/ten-tips-for-
implementing-data-privacy/
    \5\ https://www.securityindustry.org/2023/10/05/how-to-counter-ai-
driven-cybersecurity-threats
-to-physical-security-products/
    \6\ See Security Convergence 2024, https://
www.securityindustry.org/wp-content/uploads/2024
/02/SIA-Security-Convergence-2024.pdf
---------------------------------------------------------------------------
    It is critical to provide our customers with tools and strategies 
that address risks both inside and outside their organizations. Data 
minimization--in the operational sense--is important to the secure 
implementation of key security products like access control and video 
security systems. Across many applications, privacy-by-design also 
enhances end-to-end security. Features like strict permissions-based 
data access, de-centralized data storage, encryption of data in 
transit/at rest, customer-only access to cloud-hosted data, ``edge'' 
device processing, user audit capabilities and data retention schedules 
all serve to enhance privacy and security by limiting the availability 
of data for potential misuse and limiting the usefulness of data if it 
is compromised. Our members provide technology for multi-factor 
authentication and high assurance identity authentication, including 
remote identity proofing services that are essential to meeting today's 
(and tomorrow's) identity theft and fraud prevention needs. And in 
emergency communications applications, our members are the first to 
raise the alarm in an emergency, using the right data to help law 
enforcement and other first responders get to where they need to be as 
quickly as possible.
Key Role of Authentication Technologies in Data Security
    Technology innovations are playing a key role in enhancing data 
security. Biometric technologies are a good example as they are 
becoming increasingly important for many types of secure transactions. 
When provided as an option to consumers to authenticate identity for 
example, these technologies provide more convenience and additional 
data security at the same time. Biometric technologies offer faster and 
higher-assurance authentication while reducing the transfer or exposure 
of personal information that is more vulnerable to exploitation. In 
fact, there is natural cryptography for biometric data that prevents 
identity hacking even if that data is stolen, and naturally serves to 
limit unauthorized use by third parties. It is far less vulnerable than 
information like social security numbers and passwords, that is easily 
exploited by identity thieves and cyber-attackers.
    Biometric software creates a numerical ``template'' based on an 
individual's physical characteristics to compare with a template or 
templates already enrolled in a database or on a device. This numerical 
string of data (based on ``mathematical vectors'') is created and 
readable only within that specific software. Contrary to a common 
misunderstanding that such data is unchangeable and more vulnerable, 
this data is in fact infinitely ``changeable,'' both software version 
to software version and in that templates will be slightly different 
each time they are created by the software (due to varying positions of 
a finger placed on a sensor or varying photography conditions for 
example). Templates are then ``matched'' based on mathematical 
similarity with the enrolled information.
    A biometric template itself does not contain any personally 
identifiable information, and it is unusable outside of the software 
system that created it. Importantly, a template cannot be used to re-
create the image (of a fingerprint, face, etc.) or physiological 
feature that it was derived from. Since each provider uses a different 
process to create and compare templates unique to that proprietary 
system, a template created in one system cannot be used in another. 
While such data would be useless if sold or shared, its collection, 
storage and processing should optimize privacy and security using 
encryption and other best practices in securing sensitive information.
Importance of Uniform Data Privacy Rules in Enhancing Data Security
    We are following with interest recent renewed discussions in 
Congress regarding the development of a Federal data privacy standard 
that would bolster data security through data minimization among other 
elements. Such a standard could potentially provide tremendous benefits 
if it applies clear, workable and uniform rules that are predictable 
for both businesses and consumers. We believe any national standard 
must ensure the continued functionality and effectiveness of safety and 
security technology applications and the benefits to society. This 
means ensuring data can be collected and processed as needed for these 
purposes, as well as ensuring requirements do not inadvertently create 
new security risks.
    Uniformity is essential. Express preemption of all state and local 
laws related to data privacy and security that is iron-clad against 
challenge in court is necessary to avoid the potential for adding layer 
upon layer of complex requirements. Recent legislation in Colorado is 
just one example of layering that could continue to occur without 
strong preemption. Despite the Colorado Privacy Act having just become 
effective in July 2023, the legislature recently passed a measure\7\ 
imposing an extra layer of different requirements specifically for 
biometric data despite existing regulation of this data under the CPA. 
The measure dramatically expands applicability both to small businesses 
and to employee data, which had previously been out of scope under the 
CPA. The potential increasing complexity of such state-by-state rules 
covering an ever-expanding set of data and number of entities that must 
comply is likely to cause confusion and slow business decisions both 
locally and nationally. The same goes for potential non-preemption of 
state and local laws providing a private right of action to enforce 
data privacy and security requirements.
---------------------------------------------------------------------------
    \7\ https://leg.colorado.gov/bills/hb24-1130
---------------------------------------------------------------------------
    A national data privacy law should limit the potential for abusive 
lawsuits by plaintiffs' attorneys seeking ``sue-and-settle'' outcomes, 
as the applicability to nearly all sectors of the economy could provide 
an irresistible target. We have seen the impact firsthand under the 
deeply flawed Illinois Biometric Information Protection Act (BIPA) 
where such lawsuits have been filed against many of our members and 
their customers in Illinois, even though no actual consumer harm is 
alleged. 88 percent of the cases have been related to biometric 
timekeeping processes for hourly employees to clock in to work, but 
many others have involved security and identity verification 
services.\8\ As a result, today there are many industry products that 
suppliers refuse to provide to Illinois businesses and consumers due to 
the litigation risk, despite wide availability elsewhere, cutting off 
access to effective technologies for home and building security, 
workplace safety, security investigations and emergency response.
---------------------------------------------------------------------------
    \8\ https://progresschamber.org/wp-content/uploads/2023/03/Who-
Benefits-from-BIPA-Analysis-of-Cases-Under-IL-Biometrics-Law.pdf
---------------------------------------------------------------------------
    Any national standard should also limit the potential for layers of 
conflicting requirements and/or frivolous litigation stemming from 
local jurisdictions enacting their own data privacy laws. For example, 
the latest class action lawsuit under the City of New York's 2021 
Biometric Identifier Information Law,\9\ a major retailer is being sued 
over allegations it is ``profiting from'' data in violation of the 
measure, simply due to use of security systems to protect employees and 
customers, and limit victimization by organized retail crime gangs.\10\ 
And, during the City of Baltimore's 18-month ban on use of certain 
biometric technologies by businesses that ended in 2022, a popular 
rideshare service was forced to discontinue its remote authentication 
of drivers in the area, with potential impact to rider safety. Again, 
such issues can be addressed by full and uniform state and local 
preemption.
---------------------------------------------------------------------------
    \9\ https://codelibrary.amlegal.com/codes/newyorkcity/latest/
NYCadmin/0-0-0-42626
    \10\ https://findbiometrics.com/t-mobile-profited-from-biometric-
security-by-preventing-theft-lawsuit-alleges/
---------------------------------------------------------------------------
Conclusion
    On behalf of SIA, I appreciate the opportunity to provide 
collective input from our industry on the important matter of data 
security. We are committed to working in partnership with Members of 
Congress in addressing related areas of public policy. I will do my 
best to answer any questions you may have. However, if there is any 
information requested that I cannot provide today, I will be happy to 
work with our members to provide helpful information.

    Senator Hickenlooper. Great.
    Thank you all again for being here. I realize how busy you 
all are, and it's some sacrifice. You come and share your 
information, your wisdom, your data with us.
    Let me start off with you, Mr. Trivedi. Lincoln famously 
said, ``With public sentiment, nothing can fail. Without it, 
nothing could succeed.'' Various states have established their 
own laws, soon to be 19 states that will pass their laws. And 
this is all about how--what types of data businesses can 
collect, how consumers should be notified.
    Consumers can be better protected. I think businesses can 
more fairly compete when there are clear, consistent rules of 
the road, and especially for small businesses, I think this is 
especially important.
    So Mr. Trivedi, how do you believe a national standard for 
data minimization and securing data ultimately benefits 
customers and their privacy? And maybe a thought about how we 
get the word out to them to get that public sentiment behind 
us.
    Mr. Trivedi. Thanks so much for that question, Chair 
Hickenlooper.
    I mean, I'd start by saying Americans know that their data 
represents the most sensitive aspect of their lives, and that's 
why they're clamoring for strong protections for it. And as 
you've said, a national standard would set equal protections 
for all Americans, but also set uniform expectations for all 
companies, which is something that they have been clamoring for 
as well.
    And that kind of clarity in the regulatory environment is 
sorely needed, because the U.S. legislative regime for data 
privacy and security is fragmented in ways that make consumers 
more vulnerable and then require companies--and this is 
particularly burdensome, I think, for, for smaller companies--
to develop complicated compliance programs in response to state 
patchworks and in the absence of clear national rules of the 
road.
    I think I would also add to your question about small 
business in particular, that many of these small businesses do 
not want to be hoovering up as much data as possible to run 
their business. But because there aren't sort of credible, 
strong, inflexible national standards, they may feel as though 
there's a competitive disadvantage if they're not collecting as 
much data as possible.
    That, as we've heard, puts consumers at risk. It also puts 
those companies at risk.
    And so I think that a data minimization approach and a data 
security approach that's common at the Federal level helps 
these companies do what they want to do, which is be 
responsible data stewards.
    Senator Hickenlooper. Well, I agree, but certainly hope 
you're right. Certainly AI has created a fascination with the 
value of all data, and there seems to be a little bit of a race 
on. Minimization is not quite appearing as frequently as it had 
been since AI has gotten more currency.
    Mr. Kaplan, on a bipartisan basis, Congress passed the 
Cyber Incident Reporting for Critical Infrastructure Act a 
couple years ago to require critical infrastructure operators 
to quickly report cyber incidents, wo we can understand the 
threat landscape as it changes.
    The FTC has also investigated and issued penalties against 
companies it found were unfair or deceptive in their data 
security practices after the consumer data was exposed.
    Gathering and sharing information about specific ongoing 
attacks, as well as the broader industry trends, helps us 
establish the defenses to prevent future incidents, especially, 
obviously, data breaches across sectors.
    So in your experience, Mr. Kaplan, which vulnerabilities do 
you think are most important to address in order to prevent 
data--prevent criminals from assessing--or accessing consumer 
data?
    Mr. Kaplan. Thank you, Senator. That's a very great 
question. So in our experience--and conveniently, every year, 
Palo Alto Networks publishes an incident response report, which 
provides an aggregated summary of the key trends that we've 
seen and how adversaries are looking to break into systems 
across the country.
    In this past year, we found that Internet-facing software 
vulnerabilities actually surpassed phishing attempts as the 
primary vector for attacks to take place. These are essentially 
open doors that are available on public websites that haven't 
been patched through updates or upgrades to software and 
systems. As a result, the adversaries are able to leverage 
these vulnerabilities with relevant ease to gain entree into 
these systems.
    To that vein, all vulnerability should be taken seriously. 
But the one vulnerability that we've noticed that is 
particularly troublesome is called a remote desktop protocol, 
or an RDP vulnerability. This in particular, if exploited, 
these can provide threat actors and attackers easy access to a 
deep level of administrative privilege into a victim's system 
to better and quicker exfiltrate data. These RDP 
vulnerabilities will unlock the keys to the kingdom, if you 
will. So they're a particular concern for our company.
    With adversaries growing increasingly sophisticated, it's 
critical that we make it as difficult as possible through 
layered defenses, and some of the best practices that I 
identified in my opening statement with regard to zero trust 
architecture, to prevent attackers from moving laterally across 
the system, and to close those open doors, and to have better 
understanding and visibility into your relative attack surface.
    Senator Hickenlooper. And we'll get back to some of that. 
The--you know, the danger of any hearing like this is we do 
call attention to some of those open doors, but increases your 
commercial activity in all of yours.
    I'm going to turn it over to my Vice Chair, Senator 
Blackburn, for some questions.
    Senator Blackburn. And thank you all so much for your 
testimony. And I appreciate getting your perspectives on this.
    I want to start with GDPR. I mentioned that in my opening 
remarks. And let me ask you, are each of you involved in some 
way in the EU? Are your companies involved in some way in the 
EU? A show of hands is fine. OK, so two of you are. Mr. 
Trivedi, you're trying to decide if you are or not?
    Mr. Trivedi. Only to say that we're not a company, so no 
business in the EU, but we're a nonprofit that's certainly 
tracking.
    Senator Blackburn. Right. Yes. Mr. Lee, likewise.
    What--as we look at this, and as I mentioned, our friends 
in the EU know they went a little bit too far. But companies 
already have these protocols in place to meet the GDPR 
standard. So as you look at what they have done in the EU, and 
Canada has a law, and New Zealand has a law, and Australia has 
a law, all protecting their citizens in the virtual space.
    Mr. Lee, start with you, and just go down the line, what 
should be the lessons that we learned and what should we take 
away from the GDPR experience? Go ahead and just very quickly 
so I can work on through my questions.
    Mr. Lee. The things that I think they got right do deal 
with some of the more technical aspects of making sure that you 
are having the programs that you need in place, and that they 
meet the risk that you are facing. So it's not a prescriptive 
necessary--necessarily standard, but it's you have to assess 
and report. And then when there is a data breach, you have to 
report that to the data authority for that country.
    Senator Blackburn. So their assessment reporting 
mechanism----
    Mr. Lee. Yes.
    Senator Blackburn.--you would say they got it right?
    Mr. Kaplan.
    Mr. Kaplan. Thank you, Senator. That's a great question. I 
would say from a macro level, the things that they got right 
are sort of a uniform standard.
    Senator Blackburn. Right.
    Mr. Kaplan. Regulatory complexity across multiple markets 
just increases costs. And from a cybersecurity perspective, the 
sources that--and the resources that are dedicated to 
responding to incidents should be operationally responding to 
incidents rather than looking at regulatory responses.
    Senator Blackburn. As I say, we need one set of rules for 
the entire Internet ecosystem, with one regulator. Yes.
    Mr. Kaplan. Predictability and lessening regulatory 
complexity----
    Senator Blackburn. Yes.
    Mr. Kaplan.--is one of the hallmarks.
    Senator Blackburn. It's a good thing, isn't it?
    Mr. Trivedi.
    Mr. Trivedi. Thank you, Senator, for the question. I think 
the first lesson is something you highlighted, which is moving 
swiftly to establish that uniform standard. That's something we 
should----
    Senator Blackburn. Yes.
    Mr. Trivedi.--should emulate. I think it's worth saying 
GDPR has probably not been strong enough on data minimization, 
that I think the regime we're hopefully working toward here in 
the United States could do it better. I think GDPR arguably 
gives too much deference to companies to decide what 
minimization means. And I think while we should have sort of a 
reasonableness thing and a flexibility, we need a strong and 
flexible approach, I think there's an opportunity for an 
American approach that's different and that works for us.
    Senator Blackburn. OK.
    Mr. Parker.
    Mr. Parker. I would say the--I mean, the emphasis on 
reasonableness, proportionality, and consent is very similar to 
what a lot of the states have done already. I see the 
similarities between those two, which obviously was pointed 
out, is a little bit different than what the proposal we're 
talking about now at the Federal level is.
    But just based on what I've also--some feedback from 
members we've had is, there has definitely been an issue with 
conflicting interpretations over time from the national data 
protection authorities within the EU that is causing problems 
for businesses that are doing, you know, work across the--
across the EU, different jurisdictions.
    But also there's the potential, and this is, I think, 
relevant for us here, that there's overlap between the AI Act 
and the GDPR. And in some cases, those areas of overlap are 
going to need to get resolved one way or another, but it's 
causing some confusion.
    Senator Blackburn. And digital marketing, and digital 
services, and some other--the overlap there.
    Let me, I want to go to the data minimization issue. And 
again, just down the line. Mr. Lee, starting with you, what is 
your opinion of data minimization as a security principle in 
this debate?
    Mr. Lee. I think it has to be integral.
    Senator Blackburn. OK.
    Mr. Lee. If we're going to reduce identity crimes, we're 
going to have fewer victims, we have to reduce the supply. Of 
data----
    Senator Blackburn. Right.
    Mr. Lee.--that can be abused by individuals if it's stolen, 
or even if it's just accidentally exposed. If you don't have 
it, you can't expose it, you can't----
    Senator Blackburn. So you tie the two.
    Mr. Lee. I do.
    Senator Blackburn. Yes. OK. As you said, data breaches are 
the fuel. So that ties in.
    Mr. Kaplan.
    Mr. Kaplan. Senator, from a macro perspective, I think data 
minimization is an increasing useful principle, especially in 
lessening the attack surface, particularly for those companies 
that are doing business with consumer-focused data. To that 
end, that's also where we think that, you know, legitimate and 
broad--not broad, but targeted permissible purposes like 
protecting the information, can be critical. But minimization 
can be an important tool.
    Senator Blackburn. So you would segment it?
    Mr. Kaplan. Correct.
    Senator Blackburn. OK.
    Mr. Trivedi.
    Mr. Trivedi. Thank you, Senator. I would say data 
minimization is an essential part of data security safeguards. 
Central to it, for the reasons that other witnesses have 
highlighted as well, which is to say, the attack surface is 
lessened when you sort of are intentional about collecting only 
what you need. You can't--again, you can't exfiltrate or hack 
what isn't there in the first place.
    Senator Blackburn. All right.
    Mr. Parker.
    Mr. Parker. Yes, I would say there's a--I mean, there is a 
bit of a difference between data minimization as an operational 
principle and a policy principle. So certainly from an 
operational standpoint, you know, this definitely plays a big 
role in data security. From a policy perspective, I know 
there's, you know, the overall approach of having a set number 
of permissible purposes for collecting and processing data. It 
certainly could work.
    I know there are some questions out there about, what about 
future-proofing this. So that in the future, is that going to 
be too narrow? Do they cover what they need to now? Those are 
all legitimate questions, but certainly an interesting 
approach.
    Senator Blackburn. Great. Can I ask----
    Senator Hickenlooper. Sure.
    Senator Blackburn. Oh, Peter's here, so I didn't see him. 
Go ahead and go to him. I've got another question I want to 
ask.
    Senator Hickenlooper. And I've got Senator Klobuchar on as 
well.
    Senator Blackburn. OK.
    Senator Hickenlooper. Do you want to ask a particular 
question?
    Senator Blackburn. I do. I wanted to talk about China. 
Because we just enacted legislation to force ByteDance to 
divest from TikTok. And the data security threat from China is 
broader than just TikTok. And a more holistic approach, rather 
than playing Whack-A-Mole is required on this. The problem goes 
beyond apps. And we know that China is using drones and cranes 
and potentially routers to spy on Americans.
    So how should Congress approach the broader data security 
threat from China? And what do you see as a good policy 
solution to this? Mr. Lee.
    Mr. Lee. I'm just a humble victim's advocate, but we do 
have to recognize that nation states, maybe not for the same 
reason as professional criminals, they want the information, 
and it's important that it is protected from whomever wants to 
misuse it, for whatever reason they want to use it.
    China is certainly a nation state that has great 
capabilities. We know that they have a lot of data about 
individuals for intel purposes. We have to assume there are 
other countries, friends and foes, that do the same.
    So an approach for data protection needs to be universal in 
its approach to whomever is acquiring the information.
    Senator Blackburn. Mr. Kaplan.
    Mr. Kaplan. Senator, yes. The threat from China is 
something that we are tracking every day on a regular basis, 
both the threat with exfiltrating information to China, but 
also other malign nation states that are looking to leverage 
sort of data within the United States.
    As a cybersecurity company, we're principally focused on 
the security of the networks and information systems upon which 
that data relies. So broader policy sort of questions about how 
to deal more holistically with a problem, may be outside of our 
purview.
    To that end, we would encourage strong cyber protections 
with regard to those systems and encourage information sharing 
with the Federal Government like we enjoy and we regularly 
partner in--with regard to that threat.
    Senator Blackburn. Mr. Trivedi.
    Mr. Trivedi. Thank you for the question. I think you're 
importantly highlighting the ways in which data security and 
data protection have a national security dimension. We've been 
talking about consumer protection, which is vital. We've been 
talking about people's privacy.
    But this is not all occurring just in the context of what's 
happening with our own borders. And as Mr. Kaplan mentioned, I 
think there are a number of nations in competition for one 
another's data, and there are costs to that.
    I would say, to answer your question about the right policy 
approach, at the top of the list should be establishing a 
Federal data security and privacy protection standard. Right? 
That's--I think that's essential because it does all the things 
we've talked about, but also confers national security benefits 
on America as well.
    Mr. Parker. And certainly what was just mentioned is 
establishing that standard in the Federal privacy framework 
we're talking about would be--would go a long way to doing 
that.
    Certainly, anything that's Internet-connected devices is a 
target for exploitation by nation state actors. So 
implementing--you know, certain encryption protocols in our 
industry, as I'm aware, is pretty important. Protecting those 
specific kind of devices.
    And I say, though, as an additional side note, there has 
been also a large shift within our industry away from 
manufacturers in China, and sourcing equipment there, that 
could possibly have vulnerabilities. So I'd say especially in 
the commercial sector, it has been near--a near complete move 
away from those sources.
    Senator Hickenlooper. Great. Thank you.
    Senator Welch.

                STATEMENT OF HON. PETER WELCH, 
                   U.S. SENATOR FROM VERMONT

    Senator Welch. Thank you very much. It's good to be here. 
Senator Blackburn, it's always wonderful to see you continuing 
this pioneering work that you began when you were in the House.
    And it has only gotten more complicated, actually. Let me 
ask you a few questions about the privacy issues for 
individuals, and then the cybersecurity that's essential for 
everyone.
    I mean, as you know, about 72 percent of Americans believe 
there should be more regulation over what companies do with 
people's data; 67 percent, and I'm among the 67, report little 
to no understanding of how companies use their data. And 73 
percent report that they believe they have little or no control 
over what companies do.
    So there's a question about my data, citizens' data, and 
what companies do. Then there's the question about hacking into 
systems. And companies, tech companies have a high self 
interest in doing everything possible to protect against 
hacking, because it hurts them and their customers.
    I mean, where's the difference in the responsibility for 
protecting the system from being hacked? And I hear you saying 
there should be a national standard.
    And that national standard, what does that mean for small 
businesses that just don't have the financial wherewithal to be 
able to bear that burden? And how what those recommended 
protections, how they could be integrated affordably, 
organically, into systems that a small mom-and-pop business 
might deploy?
    And I guess I'd start with you, Mr. Lee.
    Mr. Lee. Thank you, Senator. Let's work backward. 
Particularly for small businesses, this concept of the risk 
assessment is very important.
    Senator Welch. That they have to do themselves?
    Mr. Lee. That they would do themselves, because that's 
where they understand where the risk is. So if you're 
prescriptive, and ``You say you must do X,'' but you have no 
risk of that ever happening, that is a waste of their time and 
their energy and their money.
    But if you do a risk assessment, so you understand exactly 
what you are facing in your unique business based on the 
information you have from your customers, then you are meeting 
that risk as it is today, and you're monitoring it----
    Senator Welch. OK.
    Mr. Lee.--to see what you have to do to move it forward.
    Senator Welch. You know, I--let me push back a little bit. 
I'm just thinking, let's say it's a small record producer in 
Nashville, and they're a new startup. I mean, for that person 
in business to be talking to the customers about what they 
need, and then being able to make the decisions to deploy, that 
requires a level of sophistication that may not be the level of 
sophistication required to be a good record producer.
    I mean, you know, I have a--or you're a small law firm, 
let's say. You know? I was in a law firm with four lawyers. It 
was pretty smart--small. We didn't have the demands or the 
capacity to do what the major Wall Street firms do.
    So what you're describing as a step that we should take 
seems out of reach to me for the millions of small businesses 
we have. It seems to me that--this should be just available, 
baked into what it is you buy.
    Mr. Lee. I guess I would view that that's actually the 
foundational step. It's--the one-size-fits-all approach, which 
we have taken heretofore is what burdens small businesses. But 
when you take a tailored approach where it's specific to their 
business and specific to their data, then you don't have to do 
things which you know you're never going to implement.
    Senator Welch. So no, that makes sense. But what's the 
expense associated with that?
    Mr. Lee. Well, there--it depends on which tool you're 
using. If you----
    Senator Welch. Give me a ballpark. I mean, I'm worried 
about the small businesses having to deal with these massive 
impacts on their small business.
    Mr. Lee. As a--you know, we've got representatives of the 
world's largest, you know, cybersecurity organization, but 
there are small, managed services providers that that's what 
they do. There's--I'm sure, hundreds of them, even in the 
Nashville area. In every city, there are people who do that.
    I'll let you respond----
    Senator Welch. OK. Mr. Parker thinks--you know, you 
mentioned future-proofing, which makes a lot of sense to me. 
But one of the things that I've found frustrating as a member 
of the House and now in the Senate is, we can't keep up with 
all the changes and all the methodologies by which there is 
hacking. And even those who are far more expert in Congress on 
technology issues, I don't think, can keep up with it.
    Senator Bennett and I think that we--the time has come 
where we actually need an agency, a digital commission, much 
like, say, the FTC or the FCC, that is properly staffed, 
properly resourced, and has the capacity to keep up.
    Because if it's a one-off bill that's dealing with problem 
A or problem B, it's a very cumbersome and difficult process to 
get it done in a timely way through Congress.
    Do you have any thoughts on the wisdom of having such an 
entity that would have as its ongoing challenge protecting 
privacy and--in considering other issues related to tech?
    Mr. Parker. Yes, I mean, so that's a great question. And I 
apologize, I don't have a great answer, but I know that the--
obviously, the state of California has done something like 
that, having a privacy agency.
    And so I know the issue has been discussed here as far as 
creating something like that. I know there's probably the 
opinion that most of the--that we have existing agencies are 
playing that role, but I understand what you're saying. I know 
that it's definitely bifurcated the way it is currently.
    Senator Welch. Well, Mr. Trivedi, you mentioned there 
should be a national standard? Right?
    Mr. Trivedi. Yes. Yes, I did.
    Senator Welch. That makes sense to me. Who determines what 
that national standard is?
    Mr. Trivedi. Well, I think that legislation would emerge 
from a number of stakeholders working together. But I would 
emphasize that it should be both strong and flexible. To your 
point about how smaller businesses are able to comply, we 
cannot expect, you know, a small record store, to your point, 
collecting potentially far less digital data than, you know, a 
large tech company, to meet the standard.
    Senator Welch. Well, what would a national standard look 
like? And ``strong and flexible'' makes a lot of sense to me. 
So what you're saying, I agree with. But I'm trying to think 
about the practical way (a) to define it, (b) to implement it, 
(c) to change it. And this--sitting up here, I know that's a 
tough ask for the folks in this job who are determined to do 
the best they possibly can. So do your best to answer that 
question.
    Mr. Trivedi. Sure. Thank you, senator. It's a very good 
question. I mean, I think there are some--some best practices I 
listed out as near-universal, that would apply.
    So for example, even small businesses can think about and 
implement access controls to make sure employers who don't need 
certain data can't access it. They can, you know, engage in 
data minimization relevant to their--or relative to their 
capacity, which is to say, think hard about what they really 
need, and what they don't need, they shouldn't keep, because 
it's also a risk to them. And it's----
    Senator Welch. No, but we have to make--the legislation has 
to determine that. It's not like you're asking the individual 
to determine that. Right?
    Mr. Trivedi. That's right. I think--I think legislation 
should establish sort of a strong set of practices, but that 
there should, of course, be flexibility in how businesses of 
varying sizes comply with it. But there should be some basic 
requirements that are common.
    Senator Welch. So do you have a template of what it is you 
think Congress should pass?
    Mr. Trivedi. Well, I think we've seen some credible 
bipartisan proposals. I think there's good progress being made 
via the discussion draft of the American Privacy Rights Act.
    Senator Welch. Mm-hmm.
    Mr. Trivedi. I do think that is a very promising proposal 
on the table today.
    But in terms of a template specifically for how small 
businesses can operate, I think that's something that we could 
get back to you on and think more about.
    Senator Welch. All right, thank you.
    I yield back.
    Senator Hickenlooper. Thank you.
    Now we have by remote, Senator Klobuchar.

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you very much, Mr. Chair. Thank 
you to the witnesses.
    I'll just start out by generally saying that we need a 
national privacy law that creates rule of the road. I support, 
after reviewing it, Senator Cantwell's discussion draft of the 
American Privacy Rights Act. I strongly believe that consumers 
should have access and control over how their personal data is 
being used.
    Mr. Trivedi, do you agree that consumers should have the 
ability to access their data and control how it is used by 
companies?
    Mr. Trivedi. I do, Senator. Thank you. I think access and 
control rights are very important for consumers.
    Senator Klobuchar. OK, thank you.
    Mr. Lee? And I'm having trouble hearing it--I'll just try 
my best here.
    Mr. Lee, we also need to educate Americans on how to 
identify and react to cyber threats. We know there are phishing 
schemes going on. Senator Thune and I have introduced the 
American Cybersecurity Literacy Act to educate the public on 
cybersecurity risks by requiring NIST to conduct a 
cybersecurity literacy campaign.
    Can you talk about the importance of educating Americans on 
how to identify and avoid cybersecurity threats?
    Mr. Lee. Well, education is a key to so many different 
things, and particularly in this case, it is a part and parcel 
of keeping people safe.
    One of the things that we learn from talking to victims 
every day is they are very curious about how to make sure it 
doesn't happen to them again.
    So having a comprehensive approach that is led by the 
Federal Government would be very helpful, because we overall--
identity crime victims don't get a lot of support anyway, 
because a lot of times people think of them as victimless 
crimes. And trying to avoid that crime is even more difficult.
    So education is going to be a key part of making sure that 
we are keeping people safe in this increasingly dangerous cyber 
world.
    Senator Klobuchar. Agree.
    Mr. Kaplan, in just the past 5 months, we've seen 
significant data security breaches. Obviously United Health 
Group, AT&T, Microsoft. Because these companies maintain large 
amounts of data on huge swaths of the population, hacks often 
can affect tens of millions of people.
    In your testimony, you noted that large companies have 
twice the number of systems exposed on the Internet than what 
they were monitoring. What complications to protecting consumer 
data arise from simply holding such vast amounts of it?
    Mr. Kaplan. Thank you for that question, Senator. Yes. 
Holding that vast amount of data just increases sort of your 
attack surface and your vulnerability, and makes you a more 
likely target of sort of the malign threat actors and nation 
states that are looking to sort of divine and exploit and pull 
out that data to make strategic use of it.
    With regard to the attack surface, this was one of the 
basic cyber principles that we also talked about. It's 
understanding what your Internet-exposed attack surface looks 
like, understanding how many of the portals into your system 
are open to the public Internet, and having visibility into 
existing vulnerabilities, misconfigurations, you know, not 
updated pieces of equipment or software that are exposed to the 
open Internet, that just give those malign actors entree into 
the system.
    So having visibility into the ecosystem and what your 
attack surface looks like to the attacker, we think, is a 
critical piece of securing your infrastructure. That, 
combined----
    Senator Klobuchar. Mm-hmm. Can----
    Mr. Kaplan.--with knowing what your data is, is all a 
critical element of maintaining----
    Senator Klobuchar. Yes. You----
    Mr. Kaplan.--customer confidence.
    Senator Klobuchar. You also noted in your testimony that 
the United Healthcare chain data breach is likely to be the 
largest supply chain breach of this--Mr. Lee--the largest 
supply chain attack in history, because of how many 
organizations depend on Change to process insurance payments.
    When an entire industry relies on only one or two digital 
supply chain providers that hold and process huge amounts of 
data, how does that affect the impact of a cyber attack?
    Mr. Lee. It's--for a cybercriminal, it's a nirvana if you 
can find a supply chain. Rather than have to attack a series of 
companies one at a time, if you can find that one organization 
that has weak cybersecurity, but lots of data from not just one 
company, but all of their customers, all of the people they 
support, they are going to get massive amounts of data.
    And we've seen--at the ITRC, we've seen a 2,600 percent 
increase in the number of organizations hit by supply chain 
attacks. Not just that they were attacked--you may only have 
100 companies attacked last year, but you had 2,600 companies 
that were impacted by it. Their data was exposed.
    So for a criminal, these things are incredibly profitable. 
And it's something that we--well, the whole topic of this 
conversation is, how can we bring these other organizations up 
to speed so you do not have that risk from vendors to the 
larger organization?
    Senator Klobuchar. Yes, I mean, we have been helping dozens 
and dozens of hospitals and pharmacies and other health care 
providers in our state to become whole and to be able to 
function ever since this data breach.
    And clearly work has to be done here, so you have--you 
can't have all this data in one place, and then they don't have 
backup systems.
    Is that--would that be one of your suggestions? What would 
be your suggestions to protect this data? And this will be my 
last question.
    Mr. Lee. I mean, from a data protection standpoint--I mean, 
there's a lot to that, only one part of which would be backups.
    You know, there are just so many parts of the healthcare 
supply chain. It has been the industry that is most attacked 
for the last 6 years running, because there are just so many 
different parts of it, so many members, you know, from mom-and-
pop organizations all the way up to a United Healthcare.
    So while there are key things that they need to be done, a 
big part of it is just making sure that everybody in that 
supply chain is aware they are a target.
    Senator Klobuchar. Yes.
    Mr. Lee. They are at risk. And to act accordingly.
    Senator Klobuchar. Exactly. OK. Thank you very much. Thanks 
everyone. Appreciate it.
    Senator Hickenlooper. Thank you, Senator.
    I still got some questions, and I think there are one or 
two people might be on their way here. So I'll indulge myself.
    Mr. Parker--and I don't want to get you in trouble with any 
of your members in any way. But you know, the requirements for 
reporting a breach, whether it's ransomware or phishing or 
whatever it is, there are really--the penalties. Unless someone 
pays a ransom, the penalties so far don't appear to be 
significant in almost all cases.
    Does there need to be some sort of an incentive or some way 
to reward some of the smaller breaches that are happening more 
frequently, that don't get the attention, and yet are, as I'm 
sure you're aware, costing us tens of hundreds of millions of 
dollars as a country?
    Is that--I mean, how--within the framework of your 
membership, how do we get everyone eager to make sure that they 
report each incident?
    Mr. Parker. You know, that's a great question. I know--it 
has been a little while since I looked at this. I know every--I 
think every state has a law and--or a breach notification, 
they're different in some ways. Some have a private right of 
action applied to them. I think it----
    Senator Hickenlooper. First----
    Mr. Parker.--definitely would----
    Senator Hickenlooper.--first to have some of those 
requirements as well. But there's just not a heavy hand. It's 
fairly light.
    Mr. Parker. I mean, I know that some--I know--yes, the 
other witnesses may have a better idea here, but you know, 
certainly something should be a priority for the AGs that are 
enforcing these rules.
    Senator Hickenlooper. Right. But again, they need--they'll 
need some penalty or there needs to be some incentive, some way 
of moving people. Anybody else want to comment on that? You 
know, don't feel the obligation, because I have more questions.
    Mr. Lee. Oh, I've got comments. To your point, it took from 
2003 until 2018 to get all 50 states, the territories, and the 
District of Columbia, to have a data breach law. And they are 
all different. They all have different triggers of what 
constitutes a breach. They all have different requirements for 
what is in a data breach notice.
    And in every instance, it is the organization that has lost 
control of the data that gets to decide if there is a notice. 
Oregon will allow a consultation with law enforcement. But 
other than that, the organization makes the determination.
    Where you live determines how much information you have, if 
you have any information, and what resources are made available 
to you. So when we talk about national standards, that's why we 
mentioned data breach notifications have to be part of that, 
because those are both education opportunities for the 
individuals, and they're opportunities to make sure that we 
don't have repeat occurrences.
    Senator Hickenlooper. Absolutely.
    Anyone else? You've all referred to at one point or 
another--I don't know whether there's a certain amount of irony 
in some of the comments, but the swiftness of response. Would 
you all agree that swiftness needs to be a goal, something that 
we should find ways, both within government but also within the 
business community, of accelerating responses and making sure 
that swiftness is--swiftness becomes an important factor.
    Start with Mr. Parker, we'll go up this way just for a 
change of direction.
    Mr. Parker. Absolutely agree with that.
    Mr. Trivedi. Yes. I think both on the cybersecurity 
incident response side, as well as on the pace at which we 
should move on data security and privacy legislation, swiftness 
is essential.
    Senator Hickenlooper. Say that louder when you say that. 
Just--no, I'm just kidding. We want it to fill the room.
    Mr. Kaplan. Senator, swiftness when responding to a cyber 
incident is critically important.
    One of the things that we've seen from Palo Alto Networks 
is the average incident response time for companies, as 
recently as 2021, was 44 days that it would take companies to 
address a cyber incident when it occurred. And it was 44 days 
till they started seeing data exfiltrated from those attackers.
    We've seen that exfiltration timeline decrease to just days 
and hours. And if you take that in context with the average 
time that it takes for a company to respond to a cyber incident 
and mitigate it, is 6 days? If attackers are starting to 
exfiltrate data in one day, in just a handful of hours, you're 
losing data. So swiftness is a critical aspect.
    Senator Hickenlooper. All right. Absolutely. Mr. Lee.
    Mr. Lee. I agree.
    Senator Hickenlooper. Great. Thank you. And I might have 
one more question.
    First, I'm going to turn to Senator Budd.

                  STATEMENT OF HON. TED BUDD, 
                U.S. SENATOR FROM NORTH CAROLINA

    Senator Budd. Thank you, Mr. Chairman.
    And again, thank you all for being here today. So much 
commerce, business work, and social interaction now takes place 
online, as you all know, and there's a large volume of 
sensitive data that goes into those online interactions. In 
many ways, that data has become the lifeblood of the digital 
economy, connecting small businesses with customers and 
improving online services.
    So I know this firsthand as a small business owner who has 
run digital advertising campaigns myself.
    I also know that the majority of businesses take data 
security extremely seriously. Burdening customers with what may 
feel like arbitrary, excessive, or overly sensitive personal 
information disclosures is a poor way to instill customer 
trust. And protecting against devastating breaches, it's a 
must.
    Mr. Parker, you mentioned how important uniform standards 
and laws are to the Security Industry Association members. Is 
there an example that you could share where conflicting laws 
between states have reduced business opportunities for any 
member of companies?
    Mr. Parker. Sure. Absolutely.
    So the kind of prime example of this is the Illinois 
Biometric Data Privacy Law, known as BIPA, where it was 
formulated, I think, more than 15 years ago, when that 
technology was in its infancy. A lot of misunderstandings about 
it.
    But it's certainly--because of the way it was structured 
and the private right of action attached, it has created a sue-
and-settle environment where there's tremendous litigation risk 
in fielding the technologies, even if they're deemed to be 
compliant.
    And so, as a result, there are a number of our member 
companies who do not actually offer their products to customers 
in Illinois anymore, because of what's happened with that.
    Senator Budd. Any particular products that you can recall?
    Mr. Parker. Well, you know, there's--within biometrics, 
there are many different types of products. But just to give 
you an idea, 88 percent of the lawsuits under that law had been 
on--regarding biometric time clocks. Basically a way to 
authenticate your identity for punching in and out of work. No 
allegations that harm actually occurred to anyone. There was 
some, you know, misstep in the collecting consent and things 
like that that were found, and that was a basis for class 
action lawsuits.
    And that's--things like that, even--it's--even though it's 
not in some products, certainly in the security area, cannot 
even be filled with there under the rules. But in other cases, 
you know, products like that, some people are just--say, forget 
it. We're not going to even bother.
    Senator Budd. You know, the savings from those systems, I 
would know firsthand, and they save businesses money, they make 
them more competitive, allow them to pay employees more, hire 
more employees. So I see the challenge there.
    Mr. Parker, can you speak to how uniform national 
requirements and legal liabilities would improve the ability of 
your member companies to protect personal data?
    Mr. Parker. Yes, so, I mean, I think having a national 
standard, you know, that fully preempts, you know, state and 
local laws and data privacy would definitely save on compliance 
costs. But it would also be better, you know, for the global 
competitiveness of our companies that can align what they're 
doing, you know, with other parts of the world as well, versus 
having people track what's going on in each individual states 
and what products can be offered where, and under what 
circumstances. So there's definitely a tremendous advantage of 
having a national framework and standard.
    Senator Budd. Thank you. You mentioned that the Security 
Industry Association encourages its members to implement 
resources like how to counter AI-driven cybersecurity threats 
to physical security products, just an example. So your members 
seeing criminals use AI in new ways?
    Mr. Parker. Yes, so one thing we're certainly--I was just 
talking to some of our cybersecurity experts in the industry 
about this. But one thing that's emerging is the ability to 
detect when video has been altered. And so security video is 
obviously very important to, you know, what we do and provide 
to customers.
    But you want to make sure that that can't be manipulated by 
bad actors for fraudulent purposes, or maybe even further, some 
other criminal activity. And so there's definitely technology 
available that is verifying the authenticity of data that's 
stored and making sure it hasn't been altered. So that's one--
that's one area.
    Senator Budd. Thank you. Thank the panel.
    Chairman.
    Senator Hickenlooper. Thank you, Senator.
    OK, I'll be quick. I know you guys been here for a while. 
And you've--a couple of you already commented on this. But I 
just put in a fair amount of--our office put in a fair amount 
of work on the American Privacy Rights Act.
    And you guys, it affects what we're talking about today. It 
is about security in addition to privacy. I think all of you 
have pointed out that there's a connection there that is 
inviolate.
    What's your feelings--and we'll go right down the list on 
APRA in terms of, if you've got some constructive--something 
bothers you or constructive criticism, it's out with it. But if 
you, if you think we need to have a sense of urgency, a couple 
people have referred to quantum computing as it comes down the 
pike. If it isn't giving us a sense of urgency around these 
issues, then nothing will.
    Anyway, start with you, Mr. Lee.
    Mr. Lee. I do think there should be a sense of urgency just 
because of--we don't even have to get to quantum. You can just 
look at artificial intelligence, and just the efficiency and 
the depth and breadth that it's bringing to everything from 
creating malware to a phishing attack.
    We're seeing more and more phishing attacks, which are very 
basic, that are letter-perfect, that fool even professionals, 
they are so good. Whereas, you know, a couple of years ago, 
everybody kind of go, yes, yes. There's only, you know, Bank of 
America isn't spelled with B-A-A-N-K. You can't do that 
anymore.
    It is good, and it is getting better. You have--for the 
most sophisticated, you've got Deepfake video, you have voice 
cloning. You have risks that are primarily to businesses, but 
individuals will be the vehicle to get to the business attack.
    So there is a sense of urgency. My watch-out on the Privacy 
Rights act would be, beware of the law of unintended 
consequences. As we talked about a little bit with data 
minimization, we still need data, and we need it for some very 
specific purposes, because it's used for anti-fraud. It's used 
for identity verification, to prevent identity crimes.
    So in our zeal to protect consumers and give them access, 
we also have to be realistic that we still need some data.
    Senator Hickenlooper. Thank you.
    Mr. Kaplan.
    Mr. Kaplan. Senator, we're still evaluating APRA. We do 
think that this current version, there are some beneficial 
aspects, like specifically----
    Senator Hickenlooper. Wait, so I started this with a sense 
of urgency. You're still evaluating, come on.
    Mr. Kaplan. Well, with a sense of urgency, and I can hit 
that. So what we've seen with regard to artificial 
intelligence, for example, is, you know, to echo what Mr. Lee 
said, is we have seen threat actors leverage this to create 
really sophisticated spear-phishing attacks.
    Senator Blackburn brought up quantum. Quantum threats--
right now, there is a campaign of harvest now and decrypt 
later, where malign nation states are collecting data, even 
encrypted data, knowing that this day is coming, where they'll 
be able to decrypt it.
    So the urgency is really, harden your systems now and 
secure your systems now, and secure your data now.
    One of the beneficial aspects of APRA that we see is those 
strong permissible purposes for cybersecurity companies. Mr. 
Lee also talked about the uses of data. Both for our cyber 
defenses, but also in the artificial intelligence.
    And just a quick stat, we leverage AI across our systems 
and capabilities, and we are able to detect 2.3 million unique 
attacks that weren't there the day before.
    This is a process of continuous discovery, and we're able 
to leverage our security data and those AI tools to block 11.3 
billion attacks per day.
    And that's just one player, one company, in the cyber 
ecosystem. So the utility of this data, I think, is proven. And 
that's where sort of the flexibility of something like the 
permissible purposes and APRA are critical to securing 
everybody's data.
    Senator Hickenlooper. Great, great.
    Mr. Trivedi.
    Mr. Trivedi. Thanks for the question, Senator. I think, you 
know, and we've said publicly that APRA includes some of the 
necessary pillars of sound privacy legislation. I won't list 
all of them, but I think it is germane to today's conversation. 
Strong data minimization principles, online civil rights 
protections, privacy rights for users to be able to view, 
correct, and opt out and delete their data, stop at sale or 
transfer, these are essential elements of data protection and 
consumer protection. And so we are heartened to see this 
credible proposal reemerge.
    In terms of constructive areas to focus on, I think one of 
the areas of concern for us has been the scope of FCC 
preemption in APRA. We've seen with the recent announcement 
from the FCC fining wireless carriers, and the depth of their 
expertise and ability to act, to be a cop on the beat with 
respect to ISP privacy, Internet service provider privacy, I 
think that's essential.
    And so we would focus on this issue not to have over-broad 
preemption of the FCC's ability to exercise long-standing 
expertise in their domain on privacy.
    Senator Hickenlooper. Interesting. All right, thank you.
    Mr. Parker.
    Mr. Parker. So just to speak to urgency from a policy 
perspective versus cybersecurity, you know, three years ago, 
there was one state that had their data privacy law, and now 
there are 19. So, I think there's definitely a window of 
opportunity to have a Federal standard. Many of those states 
that have acted since then have very similar frameworks, so.
    But there is a potential, if they're different enough, that 
a 50-state patchwork laws can harm the economy. And so it's 
important to consider acting soon.
    That said, we're still looking at the proposal and 
gathering input from members, but definitely applaud Chair 
Cantwell and Chair Rodgers for working to get to this place. 
And I would say that they're significant improvements over what 
we saw two years ago.
    In one example in particular, we're pleased with the data 
minimization, permissible use purposes related to 
cybersecurity, and physical security, which we think are very 
well defined and well crafted.
    But there are some other issues and questions, mainly, I 
think, that need to be addressed, you know, in moving forward.
    I mentioned earlier how important it is to have strong 
preemption. We're definitely getting questions from members 
about whether what's in the proposal now is adequate enough to 
be truly the national standard that it's intended to be. So I 
think that needs a clear, you know, a clear answer.
    And there are a few other kind of more detailed issues in 
the bill, but we're definitely still looking at it and 
providing input.
    Senator Hickenlooper. OK, well, keep those cards and 
letters coming, as they say on TV--I guess they used to say on 
TV.
    Appreciate all those comments about APRA. I think--I have a 
great sense of urgency on it, and I think that this is a 
wonderful time to work on something like data privacy on a 
bipartisan basis right before big election. But this should not 
be a partisan issue.
    And I think we've seen a lot of bipartisan participation so 
far. But I'm hopeful that the people you all represent will 
continue to push with a sense of urgency this year to get this 
done. I think it's doable.
    I think we're done here for today. But thank you all for 
your effort. Members can submit additional questions for the 
record until May 22. We thank you in advance for taking the 
chance to--taking the time to, and the chance, to answer those, 
provide responses hopefully by June 5.
    And with that, I will adjourn.
    [Whereupon, at 4 p.m., the hearing was adjourned.]

                            A P P E N D I X

                              Main Street Privacy Coalition
                                                        May 7, 2024

Hon. Maria Cantwell,
Chair,
U.S. Senate Committee on Commerce, Science & Transportation,
Washington, DC.

Hon. John Hickenlooper,
Chair,
U.S. Senate Subcommittee on Consumer Protection, Product Safety, and 
Data Security,
Washington, DC.

Hon. Ted Cruz,
Ranking Member,
U.S. Senate Committee on Commerce, Science & Transportation,
Washington, DC.

Hon. Marsha Blackburn,
Ranking Member,
U.S. Senate Subcommittee on Consumer Protection, Product Safety, and 
Data Security,
Washington, DC.

RE: Hearing on ``Strengthening Data Security to Protect Consumers'' on 
            May 8, 2024

Dear Chair Cantwell, Ranking Member Cruz, Chair Hickenlooper, and 
            Ranking Member Blackburn:

    The Main Street Privacy Coalition (MSPC) appreciates your holding a 
subcommittee hearing on May 8 and the opportunity to share our initial 
views on the discussion draft of the American Privacy Rights Act 
(APRA). MSPC supports the goal of establishing a national privacy and 
data security law that applies equivalently to all businesses handling 
consumers' information and avoids potentially unintended consequences 
that would have disproportionate impacts on Main Street businesses and, 
in turn, negatively impact consumers and the American economy.
    The House Energy and Commerce Committee's efforts last Congress on 
the American Data Privacy and Protection Act (ADPPA) included, in some 
instances, ways to address concerns that had long been difficult to 
reconcile. In some specific provisions affecting our members, such as 
preserving customer loyalty plans, service provider requirements, and 
the treatment of franchise businesses, however, the APRA significantly 
departs from the successful compromises achieved in the consideration 
of the ADPPA. We look forward to working collaboratively this year with 
you and your colleagues on the Senate Commerce Committee to address the 
issues outlined below with the ultimate goal of enacting privacy 
legislation that establishes a single, uniform national privacy law.
    MSPC firmly believes that consumers across the country should be 
empowered to control their personal data. Having data privacy and 
security laws that create clear protections for Americans while 
allowing our members' businesses to serve their customers in the ways 
they have come to rely upon is a key goal. Achieving that goal, 
however, has been elusive. One of the challenges central to the 
Committee's legislative effort is that the overwhelming focus on the 
data practices of so-called ``big tech'' companies can obscure the 
reality that data privacy laws also apply to, and must work for, Main 
Street businesses whose employees directly serve Americans in their 
daily lives.
    The MSPC is comprised of 20 national trade associations that 
together represent more than a million American businesses--a broad 
array of companies that line America's Main Streets\1\ and interact 
with consumers day in and day out. From retailers to REALTORS, hotels 
to home builders, grocery stores to restaurants, gas stations to travel 
plazas, and self-storage to convenience stores, including franchise 
establishments, the businesses represented by MSPC member associations 
can be found in every town, city, and state, providing jobs, supporting 
our economy, and serving Americans as a vital part of their 
communities.
---------------------------------------------------------------------------
    \1\ The Main Street Privacy Coalition website and member list may 
be accessed at: https://mainstreetprivacy.com.
---------------------------------------------------------------------------
    Collectively, the industries that MSPC members represent directly 
employ approximately 34 million Americans and constitute over one-fifth 
of the U.S. economy by contributing $4.5 trillion (or 21.8 percent) to 
the U.S. gross domestic product (GDP). Our success depends on 
maintaining trusted relationships with our customers and clients: trust 
that goods and services we provide are high quality and offered at 
competitive prices; and trust that information customers provide to us 
while we are serving them is kept secure and used responsibly. For 
these reasons, our associations have been actively engaged for many 
years with policymakers on data privacy legislation and regulations.
Six Principles for Effective Federal Privacy Legislation
    Main Street businesses have no higher priority than earning and 
preserving trusted relationships with their customers, including by 
protecting and responsibly using the personal data that customers share 
with them. As policymakers consider the APRA and other legislative 
solutions to address data privacy concerns, our coalition urges 
adoption of legislation meeting the following core principles to ensure 
a comprehensive and effective national privacy law:

   Establish a Uniform National Privacy Law: The United Stats 
        should have a sensible Federal framework for data privacy 
        legislation that benefits consumers and businesses alike by 
        ensuring that consumers' personal data is protected in a 
        consistent manner regardless of the state in which a consumer 
        resides. Preempting state laws with a set of Federal rules for 
        all businesses handling consumers' personal data is necessary 
        to achieve the important public policy goal of establishing a 
        single, uniform national privacy law.

   Protect Consumers Comprehensively with Equivalent Standards 
        for All Businesses: To protect consumers comprehensively, 
        Federal data privacy frameworks should apply requirements to 
        all industries that handle personal data and not place a 
        disproportionate burden on certain sectors of the economy while 
        simultaneously alleviating other sectors from providing equal 
        protection of consumer data. An equivalent data privacy 
        standard should apply, regardless of whether a business 
        directly collected data from a consumer or obtained it in a 
        business-to-business transaction.

   Create Statutory Obligations (Not Contractual Requirements) 
        for All Entities that Handle Consumers' Data: Given imbalances 
        in contractual negotiating power, effective consumer protection 
        cannot be achieved by relying on Main Street businesses to 
        regulate the conduct of market-dominant service providers 
        through contracts. Service providers and third parties must 
        have statutory obligations like all other entities to ensure 
        their compliance with a Federal privacy framework, particularly 
        when offering data processing, transmission, storage, or other 
        services to tens of thousands of Main Street businesses.

   Preserve Customer Loyalty Rewards and Benefits: Any Federal 
        data privacy framework should preserve the ability of consumers 
        and businesses to voluntarily establish mutually beneficial 
        business-customer relationships and set the terms of those 
        relationships. Legislation should include safe harbors to 
        ensure that consumers can purchase, or otherwise obtain, the 
        goods and services they want by taking advantage of benefits, 
        incentives, or enhanced services they earn from being loyal 
        customers, even if other customers choose not to engage in such 
        loyalty programs.

   Require Transparency and Customer Choice for All Businesses: 
        Consumers deserve to know the categories of personal data 
        businesses collect, how it is generally used to serve them, and 
        the choices they have regarding those uses. These policies 
        should be clearly disclosed in company privacy policies and 
        readily accessible to consumers. These transparency and choice 
        obligations should apply to all businesses handling consumers' 
        personal data, including service providers, third parties, and 
        financial services businesses.

   Hold Businesses Accountable for their Own Actions: Privacy 
        legislation should not include terms that potentially expose 
        businesses, including contractors and franchises, to liability 
        for the actions or noncompliance of a business partner. Those 
        business partners should be responsible for their own 
        compliance and any resulting liability. In particular, 
        consumer-facing businesses should not be unfairly saddled with 
        liability for other businesses that do not fulfill their own 
        obligations under a Federal privacy law.
Main Street Privacy Coalition Views on the APRA Discussion Draft
    We appreciate Chair Cantwell's efforts to develop the APRA 
discussion draft with House Energy and Commerce Chair Rodgers, however, 
we have initial concerns that the bill, as drafted, disproportionately 
and negatively impacts the industry sectors MSPC member associations 
represent. We appreciate the opportunity to work constructively with 
Senate Commerce Committee members and their staff to address the 
potential unintended consequences of new language in the APRA prior to 
its introduction and advancement in Committee markups, consistent with 
our coalition's history of productive dialogue on past legislation, 
such as the ADPPA.
    1. Preemption of State Law: We appreciate the Senate Commerce 
Committee's past efforts to develop preemptive legislation that would 
establish a single, uniform national privacy law benefitting consumers 
and businesses alike by ensuring privacy protections are the same 
regardless of the State in which a consumer resides or a business is 
located. This is necessary to address the increasing patchwork of newly 
enacted state privacy laws that conflict and threaten the ability to 
provide comprehensive and uniform privacy protections to all Americans. 
Despite the underlying goal of preempting state laws in past committee 
legislation, we are concerned the APRA's current preemption provision 
is unlikely to withstand anticipated legal challenges in Federal court, 
potentially leaving States free to continue adopting privacy laws that 
would leave American consumers with different rights depending on where 
they live and would saddle Main Street businesses with compliance 
burdens exceeding the Federal standards set by Congress. We therefore 
urge the Committee to modify the APRA's preemption provision to meet 
the standards the Supreme Court has consistently ruled sufficient to 
create a preemptive Federal law. For instance, the APRA could avoid 
using a general rule that necessitates pages of exceptions--a form 
Federal courts have used as the basis to preserve similar State laws 
and frustrate Congressional intent--by instead specifying precisely 
which State laws are preempted by the APRA and making clear that future 
laws related to the specifically preempted laws would be similarly 
preempted. Such an approach would make the APRA much more likely to 
achieve its primary goal of creating a single, uniform national privacy 
law for all Americans.
    2. Private Rights of Action: We understand the Committee's interest 
in authorizing private rights of action (PRA) in privacy legislation as 
a politically desirable element to advance a bipartisan privacy bill 
through Congress. Our member companies are concerned, however, with the 
APRA taking a leap that no State law has taken due to the technical 
complexity involved in entities achieving mistake-free compliance with 
data privacy laws, as well as Main Street companies' extensive 
experience with large volumes of demand letters threatening lawsuits 
with questionable legal claims that recently have proliferated under 
other areas of the law (e.g., patent trolls and ADA website 
accessibility claims). More importantly, the APRA differs significantly 
from the ADPPA in that the APRA does not authorize the PRA to enforce 
the requirements for service providers or third parties under Section 
11(a) through (c) because it limits the PRA's application only to 
covered entities under subsection 11(d). This is a surprising reversal 
of the ADPPA's application of the PRA in this section that 
disproportionately impacts Main Street businesses compared to their 
business partners. Under this PRA, private litigants' only recourse 
would be to sue the covered entities for failing to exercise reasonable 
judgment in selecting service providers or transferring data to third 
parties because they cannot sue the service providers or third parties 
directly for their own failures to comply with their Section 11 
requirements. Further, the APRA does not offer a way for well-
intentioned Main Street businesses to avoid litigation because it 
denies them any opportunity to cure alleged violations in claims for 
damages. All too often, provisions like this PRA permit potential 
litigants to exploit the Main Street business reality that obtaining 
legal representation to defend against alleged claims under a complex 
Federal law is too expensive. Those costs lead Main Street businesses 
to agree to settlements of even non-meritorious claims simply to avoid 
litigation, which has the compounding effect of making it more 
challenging for them to cover operational expenses and consequently 
costs Americans their jobs. Due to the complexity of achieving 
compliance, the disproportionate impact that the APRA would have on 
Main Street businesses, and their inability to avoid litigation for 
alleged violations, our members would prefer the Committee adopt an 
enforcement approach similar to what all State privacy laws have 
adopted as the most effective way to drive compliance with privacy 
laws: exclusive government agency enforcement against businesses after 
a 30-or 60-day cure period following agency notice of non-compliance. 
If that is not achievable politically, we urge the Committee to at 
least address the serious concerns raised above to ensure that 
America's Main Street businesses, their employees, and the customers 
they serve are not disproportionately impacted, compared to other 
stakeholders, by the APRA's enforcement provisions as currently 
drafted.
    3. Preserving Customer Loyalty Rewards and Benefits: It is clear 
that Americans overwhelmingly wish to continue participating in their 
customer loyalty programs that provide rewards, discounts and other 
benefits.\2\ Additionally, the fifteen States that have passed 
comprehensive data privacy laws have all preserved loyalty program 
benefits for consumers by protecting the ability of businesses to 
continue offering better prices and services to customers who 
voluntarily participate in bona fide customer loyalty, club or rewards 
programs. Under the State privacy laws, loyalty plan clauses protect 
against construing the laws to prohibit (as discriminatory acts) the 
offering of discounted prices or other benefits to customers who 
voluntarily choose to participate in the plans, even if other customers 
choose not to participate in them. However, the APRA adds a new page of 
novel requirements for loyalty plans not seen in any State law. We have 
significant concerns that the draft text alters the carefully balanced 
language of the ADPPA that MSPC member associations previously 
supported after all stakeholders negotiated with the House Energy and 
Commerce Committee to ensure the ADPPA provision would preserve 
customer loyalty programs. For example, one of the current APRA 
requirements prohibits all transfers of any data in ways that exceed 
the bill's already established data transfer provisions that permit 
covered data transfers subject to an opt-out and sensitive covered data 
transfers subject to an opt-in, excluding permissible purposes. With 
these same APRA transfer provisions applying to covered entities 
offering loyalty programs, similar to how all State privacy laws' 
consumer rights and privileges apply to plan participants' data as 
well, it is unclear why the draft APRA would impose a new, more 
restrictive data-transfer regulation on loyalty programs that consumers 
must already opt into under the law. In its forthcoming consideration 
of the APRA, we urge the Committee to restore the previous balance 
achieved in the ADPPA's loyalty provision that mirrors the balance 
achieved in all enacted State laws. This is important to American 
consumers who wish to maintain their earned points, rewards and 
discounts, and is a critical need for Main Street businesses.
---------------------------------------------------------------------------
    \2\ According to a survey by Bond Brand Loyalty Inc., 79 percent of 
consumers say loyalty programs make them more likely to continue doing 
business with brands that offer them, and 32 percent of consumers 
strongly agree that a loyalty program makes their brand experience 
better. Bond Brand Loyalty Inc., The Loyalty Report (2019).
---------------------------------------------------------------------------
    4. Service Provider and Third Party Requirements: Similar to the 
loyalty plan provisions, we are concerned that the APRA draft text of 
Section 11 alters the carefully achieved balance previously achieved in 
the ADPPA's service provider and third party requirements following 
stakeholder negotiations with House Energy and Commerce Committee staff 
over that bill's provisions. We appreciated that the ADPPA placed 
direct statutory obligations on service providers and third parties, 
and enforced these obligations with the same enforcement mechanisms as 
covered entities, to ensure their compliance with the law. However, we 
are concerned the draft APRA has altered the text of these requirements 
to remove both the direct statutory obligations as well as the 
enforcement mechanisms for service providers and third parties in ways 
that obviate their obligations to protect the consumer data received 
from covered entities. The APRA ultimately allows service providers and 
third parties to avoid liability by shifting it onto covered entities 
through subsection 11(d), the only subsection enforceable by private 
rights of action (as explained in point 2 above). As a result, under 
the APRA, nationwide and global service providers would not have the 
equivalent privacy requirements or enforcement provisions that apply to 
even the smallest Main Street businesses. To protect Americans' data 
privacy comprehensively, the APRA should ensure that businesses in all 
industry sectors face equivalent privacy requirements and enforcement 
of the law in order to close of any privacy loopholes that would leave 
consumers unprotected when their personal data is handled by a range of 
service providers and third-party businesses. For example, the APRA's 
critical data minimization obligations do not apply to service 
providers or third parties--these are privacy requirements that exist 
nowhere else in Federal privacy law and should be required of all 
businesses in the APRA.
    5. Common Branding: One issue that the House Energy and Commerce 
Committee was able to resolve in their consideration of the ADPPA was 
an unintended consequence of holding franchisors and franchisees liable 
for each other's privacy law compliance. Many franchisees and 
franchisors share common branding but are distinct companies and should 
be treated as such. But the language of the APRA currently defines them 
as one single ``covered entity'' because the businesses operate with 
``common branding.'' That language had been used in the ADPPA at one 
time, but the bill sponsors recognized that it could lead to unintended 
consequences and took the ``common branding'' language out of the ADPPA 
before it was reported by the House Energy and Commerce Committee in 
July 2022. The same should be done for the APRA in its definitions of 
``covered entity'' and ``third party'' to avoid making broad groups of 
independent businesses jointly liable for one another's behavior.
    We appreciate your consideration of the views of Main Street 
businesses regarding the APRA as the Committee considers the discussion 
draft before it is introduced. This is not just a bill for ``big tech'' 
companies, and Main Street businesses will bear the full burden of 
complying with the regulatory obligations under the APRA. As you 
consider ways to improve the APRA prior to its introduction and 
advancement in the legislative process, the members of the MSPC 
appreciate your consideration of the above principles and concerns with 
the discussion draft, as well as our efforts to address these concerns 
prior to approving the APRA in Committee. We look forward to continuing 
our constructive dialogue with the Committee on these critical matters 
and welcome the opportunity to address each specific topic with your 
staff.
            Sincerely,
                                     The Main Street Privacy Coalition.

cc: Members of the U.S. Senate Committee on Commerce, Science & 
Transportation
                                 ______
                                 
                                  Citizens for Legal Reform
                                                        May 8, 2024

Hon. Maria Cantwell,
Chair,
U.S. Senate Committee on Commerce, Science, and Transportation,

Hon. Ted Cruz,
Ranking Member,
U.S. Senate Committee on Commerce, Science, and Transportation,

RE: Hearing entitled, ``Strengthening Data Security to Protect 
            Consumers''

Dear Chair Cantwell and Ranking Member Cruz:

    Citizens for Legal Reform submits this testimony for the record of 
the above-referenced hearing held on May 8, 2024, by the Committee on 
Commerce, Science, & Transportation.
    CLR is a 501(c)(4) organization that is dedicated to preserving the 
separation of powers and the accountability of the political branches 
at all levels of government in the United States. CLR opposes laws that 
delegate law enforcement power to litigants who are not actually 
injured by the people or organizations whom they are suing. CLR 
believes such laws are unconstitutional, eviscerate political 
accountability, and undermine the rule of law.
    CLR applauds Chair Cantwell for her work in developing a 
legislative framework designed to safeguard the personal information of 
all Americans as reflected in the recently released discussion draft of 
the American Privacy Rights Act (ARPA). We understand that data and 
personal information are integral to the functioning of our economy but 
also can easily be exploited by bad actors. With that as background, 
while CLR appreciates the important policy objectives the APRA seeks to 
achieve, it believes only government officials, who are accountable to 
the people, should be charged with enforcing the law.
    Consequently, as the Committee considers the ARPA, CLR urges you 
not to authorize individuals to function as private Attorneys General 
who may sue to enforce statutory violations even when they have not 
suffered any actual injury.
Constitutional and Policy Concerns with Citizen Enforcement of Public 
        Laws
    CLR appreciates the need for private plaintiffs to have the ability 
to sue to vindicate their rights when they have suffered actual harm by 
a person or entity who has acted illegally. But, as previously 
mentioned, there are significant constitutional and policy concerns 
with laws that rely in whole or in part on citizen enforcement.
    First, there is a serious question about whether such enforcement 
mechanisms are constitutional. Under Article II of the United States 
Constitution, only the President has the power and responsibility to 
direct the actions of those who execute and enforce the law. The 
Vesting Clause makes clear that the ``executive Power'' vests 
exclusively in the President.\1\ The Take Care Clause requires the 
President ``take Care that the Laws be faithfully executed.'' \2\ 
Finally, the Appointments Clause provides for the President to appoint 
Officers of the United States, and provides that Congress may vest the 
appointment of ``inferior Officers, as they think proper, in the 
President alone, in the Courts of Law, or in the Heads of 
Departments.'' \3\ Taken together, these three clauses make it clear 
that the power to enforce Federal law--and the accountability for 
enforcement decisions--lies solely with the Executive Branch.
---------------------------------------------------------------------------
    \1\ U.S. Const. art. II, Sec. 1.
    \2\ Id. art. II, Sec. 3.
    \3\ Id. art II, Sec. 2.
---------------------------------------------------------------------------
    In Transunion LLC v. Ramirez, the Supreme Court held that in order 
to have standing to sue, a plaintiff must show actual injury--a 
statutory violation alone is not enough.\4\ In that opinion, Justice 
Kavanaugh explained that, ``[a] regime where Congress could freely 
authorize unharmed plaintiffs to sue defendants who violate Federal law 
not only would violate Article III but also would infringe on the 
Executive Branch's Article II authority.'' \5\
---------------------------------------------------------------------------
    \4\ Transunion LLC v. Ramirez, 594 U.S. 413, 426-27 (2021).
    \5\ Id. at 429.
---------------------------------------------------------------------------
    Second, private enforcement provisions eviscerate political 
accountability, which is a vital part of our representative democracy. 
Private parties empowered to enforce public laws have largely unchecked 
enforcement power because they are not accountable to voters or elected 
officials when they use a law for unintended purposes. Voters cannot 
vote them out of office, and legislators cannot meaningfully use 
standard tools like oversight hearings or appropriations to guide 
enforcement. Because of this, private enforcement provisions are often 
abused by financially or ideologically motivated private plaintiffs and 
their attorneys, who can enforce the law for any reason (e.g., to force 
defendants into settlements in unmeritorious cases; because the 
defendant is a business competitor to the plaintiff; because the 
plaintiff disagrees with the enforcement priorities of the current 
Executive; or simply because the plaintiff dislikes the defendant) 
without accountability to anyone.
    Third, laws and law enforcement must be predictable, and penalties 
must correlate to the severity of the statutory violation committed. 
Individuals and businesses complying with the law often rely on the 
executive's interpretation of the law through, among other things, 
formal rulemaking and guidance documents. But when individuals are 
given broad authority to enforce general welfare statutes, they often 
will advance novel legal theories that, when successful, lead to 
unpredictable results. Moreover, citizen enforcement of public laws 
leaves no room for enforcement discretion, which is vital to just 
public policy and preserving liberty.\6\ To the individual suing, they 
are the hammer and every statutory violation--no matter how small--is a 
nail.
---------------------------------------------------------------------------
    \6\ United States v. Texas, 599 U.S. 670, 679-80 (2023) (``[T]he 
Executive Branch must prioritize its enforcement efforts [to] 
constantly react and adjust to the ever-shifting public-safety and 
public-welfare needs of the American people.''); Heckler v. Chaney, 470 
U.S. 821, 832 (1985) (explaining decision to ``refus[e] to institute 
proceedings'' is part of the Executive Branch's Article II powers); In 
re Aiken, 725 F.3d 255, 264 (D.C. Cir. 2013) (Kavanaugh, J.) (``One of 
the greatest unilateral powers a President possesses under the 
Constitution . . . is the power to protect individual liberty by 
essentially under-enforcing Federal statutes regulating private 
behavior.'').
---------------------------------------------------------------------------
Problematic Private Rights of Action in the APRA
    CLR appreciates the efforts of the Committee to limit the scope of 
the private rights of action in the APRA by targeting citizen 
enforcement to specific provisions of the Act.\7\ However, section 19 
in the APRA discussion draft still creates an enforcement structure for 
certain provisions that would deputize the plaintiff's bar and private 
citizens to act as roving, unaccountable ``private attorneys general.''
---------------------------------------------------------------------------
    \7\ American Privacy Rights Act, Sec. 19 (a)(1).
---------------------------------------------------------------------------
    Section 19 does not itself limit private actions to individuals who 
suffer an actual injury from an alleged violation of the APRA's 
substantive terms. Although section 19 allows for recovery of ``actual 
damages'' for individuals who do suffer harm, there is no requirement 
in that section for any individual to prove actual damages to obtain 
other statutory remedies, including injunctive relief and--critically--
attorney's fees and other litigation costs. Any limitation must 
therefore come from the substantive sections themselves, and CLR finds 
three substantive provisions that private individuals may enforce in 
the discussion draft especially concerning because they impose no 
injury requirement.
    Section 4(a) Notice Violations: Under this section, citizens would 
be permitted to sue to enforce requirements that each covered entity 
and service provider make ``publicly available, in a clear, 
conspicuous, not misleading, easy-to-read, and readily accessible 
manner, a privacy policy that provides a detailed and accurate 
representation of the covered entity or service provider's data 
collection, processing, retention, and transfer activities.'' Nothing 
in this section limits a violation--or the enforcement of a violation--
to someone who was harmed by the lack of a publicly available notice of 
a privacy policy. Moreover, most, and arguably all, of the criteria set 
forth in section 4(a) for judging a privacy policy are subjective in 
nature and could invite litigation (e.g., arguing a policy is not 
``easy-to-read''). To the extent the Federal Trade Commission issues 
clarifying regulations of what is required to be in a privacy policy, 
any mistaken omission of a particular requirement would expose the 
covered entity/service provider to a lawsuit. Accordingly, not only are 
citizens empowered to sue to enforce this section regardless of whether 
they incurred any actual harm, but the vagueness of the statutory terms 
would encourage unscrupulous attorneys and plaintiffs to seek out 
marginal violations and pressure settlements.
    Section 11(d) Due Diligence Violations: Citizen enforcement also 
would be permitted to ensure that a covered entity exercises reasonable 
due diligence (1) in selecting a service provider and (2) deciding to 
transfer covered data to a third party. Whether a covered entity acted 
with due diligence in selecting a service provider is subjective. An 
individual who has experienced no actual injury could nonetheless sue 
under this provision and allege lack of due diligence was used simply 
because the individual does not like the company who the covered entity 
chose to serve as the service provider or transfer data to. Moreover, 
the FTC would have up to two years after enactment to publish guidance 
regarding how a covered entity is to comply with this section. As 
before, an uninjured individual could sue under this provision 
asserting that the covered entity did not act with appropriate due 
diligence and is encouraged to do so given section 19's attorneys' fees 
provision.
    Section 13(a) Civil Rights Enforcement: Finally, citizen 
enforcement is permitted to ensure a covered entity or service provider 
does not ``collect, process, retain or transfer covered data in a 
manner that discriminates in or otherwise makes unavailable the equal 
enjoyment of goods or services on the basis of race, color, religion, 
national origin, sex, or disability.'' While CLR appreciates the need 
to ensure that the civil rights of individuals are not violated, anti-
discrimination statutes are not immune from enforcement actions by 
uninjured individuals. The Americans with Disabilities Act, for 
example, allows for citizen enforcement. Over the last three decades we 
have seen thousands of lawsuits filed by uninjured ``tester'' 
plaintiffs alleging business do not meet ADA accessibility standards 
and engaging in abusive sue-and-settle tactics.\8\
---------------------------------------------------------------------------
    \8\ Minh Vu, Kristina Launey, & Susan Ryan, ADA Title III Federal 
Lawsuits Numbers Are Down But Likely To Rebound in 2023, Seyfarth Shaw 
(Feb. 14, 2023), bit.ly/42e1o5c; Bob Blum, The Ninth Circuit Recently 
Undercut Defenses Against ADA `Serial Plaintiffs', Daily J. (Feb. 17, 
2023), bit.ly/3BZT3Ym; see also Brief of Amicus Curiae Center for 
Constitutional Responsibility in Support of Petitioner, Acheson Hotels, 
LLC v. Laufer, 22-429 (U.S.) (June 12, 2023), available at https://
tinyurl.com/CCRLauferAmicus (discussing abusive litigation tactics 
present with ADA tester claims).
---------------------------------------------------------------------------
    As the Committee and Congress consider this legislation, CLR 
recommends Congress ensure that only government officials, who are 
directly accountable to the people, are empowered to enforce the 
statute. To the extent a private right of action remains in the bill, 
it should be limited to those individuals who have suffered an actual 
injury.
    Thank you for your consideration.
                                           Karen R. Harned,
                                                Executive Director.
                                 ______
                                 
                                   U.S. Chamber of Commerce
                                        Washington, DC, May 9, 2024

Hon. John Hickenlooper,
Chairman,
Subcommittee on Consumer Protection, Product Safety and Data Security,
United States Senate.

Hon. Marsha Blackburn,
Ranking Member,
Subcommittee on Consumer Protection, Production Safety and Data 
Security,
United States Senate.

Dear Chairman Hickenlooper and Ranking Member Blackburn:

    Thank you for the opportunity for the U.S. Chamber of Commerce 
(``Chamber'') to share our views regarding data minimization issues and 
our opposition to the draft American Privacy Rights Act (``APRA'') in 
the Subcommittee's ``Strengthening Data Security to Protect Consumers'' 
hearing.
    In its current form, APRA is deeply flawed and unworkable because 
it would fail to create a single national data privacy and security 
standard, would rely on the private trial bar for enforcement through 
private right of action provisions, and would impose unnecessary 
restrictions on goods and services that consumers enjoy.
    In the absence of such Federal privacy legislation, we have 
supported harmonized and workable proposals like the bipartisan 
Consensus Privacy Approach\1\ in states like Virginia,\2\ Texas,\3\ and 
Tennessee\4\ where more than 100 million Americans now enjoy privacy 
protections under a common framework.\5\
---------------------------------------------------------------------------
    \1\ U.S. Chamber Model Privacy Legislation (February 13, 2019) 
available at https://www.uschamber.com/assets/documents/
uscc_dataprivacymodel_legislation.pdf.
    \2\ Letter to Governor Northam available at https://
americaninnovators.com/wp-content/uploads/2022/08/Virginia-Data-
Privacy-Act-Letter.pdf.
    \3\ Letter to Texas House available at https://
americaninnovators.com/wp-content/uploads/2023/04/
State_HB4_TexasDataPrivacyandSecurityAct_TXHouse.pdf.
    \4\ Letter to Tennessee Senate available at https://
americaninnovators.com/wp-content/uploads/2023/04/230417_State_BS73_ 
TNPrivacy_TNSenate.pdf.
    \5\ Jordan Crenshaw, ``What Congress Can Learn from the States on 
Data Privacy,'' Real Clear Policy (January 2024) available at https://
www.realclearpolicy.com/2024/01/30/what_congress
_can_learn_from_the_states_on_data_privacy_1008521.html.
---------------------------------------------------------------------------
    As drafted, APRA would reject full preemption and empower states to 
regulate beyond Federal standards.


I. Data Minimization
    The Chamber recommends that APRA be revised to follow the Consensus 
Privacy Approach to data minimization to effectively protect consumers. 
Data minimization can be an important component of regulation to ensure 
the privacy and security of individuals, but overly broad, 
unnecessarily strict, or poorly crafted data minimization standards 
would impede innovation.
    States that incorporated the Consensus Privacy Approach in law have 
enacted a balanced and workable data minimization standard. For 
example, states like Colorado, Tennessee, and Texas mandate that 
companies limit data collection to what is ``adequate, relevant, and 
reasonably necessary'' related to a disclosed or specified purpose.\6\
---------------------------------------------------------------------------
    \6\ See, e.g., Colo. Rev. Stat.Sec. 6-1-1308(3); Tenn. Code Ann 
Sec. 47-18-3208(a)(1); Tex. Bus. & Com. Code Ann Sec. 541.101(1).
---------------------------------------------------------------------------
    By contrast, APRA as drafted would limit all data collection and 
processing to ``necessary, proportionate, and limit[ed] to provide or 
maintain'' a specific product or service or consumer or anticipated 
communications.\7\ Although both the Consensus Privacy Approach and 
APRA have exceptions for certain practices like security, APRA would 
limit companies from collecting data that may be necessary for 
providing a service but can also have a societally beneficial purpose 
utilized by other companies. These secondary purposes include anti-
fraud protections, Know Your Customer, and other web-based security 
applications, including those used by Federal programs to reduce theft 
of benefits and identity fraud. Secondary data sets have also enabled 
law enforcement to intervene and stop incidents of violence, human 
trafficking, and organized crime.\8\
---------------------------------------------------------------------------
    \7\ American Privacy Rights Act Discussion Draft Sec. 3(a).
    \8\ Chamber Technology Engagement Center, ``Data For Good: 
Promoting Safety, Health and Inclusion,'' (January 2020) available at 
https://americaninnovators.com/wp-content/uploads/2020/01/
CTEC_DataForGood_v4_-DIGITAL.pdf.
---------------------------------------------------------------------------
II. APRA Fails to Create a Single National Privacy Standard
    Congress should include in any Federal privacy legislation full 
preemption of state standards. A national privacy law without strong 
preemption would enable a state patchwork of laws that would be 
confusing to consumers and would potentially make it impossible for 
small businesses to comply.
    A recent report highlighted that a national patchwork of privacy 
laws would cost the United States economy $1 trillion and 
disproportionately impact small businesses with a $200 billion economic 
burden.\9\ Many small businesses are worried that a patchwork of state 
laws will increase litigation and compliance costs.\10\
---------------------------------------------------------------------------
    \9\ ITIF, ``The Looming Cost of a Patchwork of State Privacy 
Laws,'' (January 2022) available at https://itif.org/publications/2022/
01/24/50-state-patchwork-privacy-laws-could-cost-1-tri1
1ion-more-single-federaI/.
    \10\ U.S. Chamber ``Empowering Small Business: The Impact of 
Technology on U.S. Small Business,'' (September 2023) available at 
https://americaninnovators.com/wp-content/uploads/2023/09/Empowering-
Small-Business-The-Impact-of-Technology-on-U.S.-Small-Business.pdf.
---------------------------------------------------------------------------
    The APRA draft does not address concerns of the Chamber and other 
groups regarding of APRA's predecessor from the 117th Congress, the 
American Data Privacy and Protection Act. Although APRA's advocates 
express an intention to create ``uniform national data privacy and 
security standard,'' the actual provisions of the draft provide only 
limited preemption and would allow states to pass more restrictive 
privacy laws. APRA only preempts ``any law, regulation, rule, or 
requirement covered by [emphasis added] the provisions of this Act or a 
rule, regulation, or requirement promulgated under this Act.''
    According to a Congressional Research Service report, to provide 
the strongest preemption, Congress should use clearer and more forceful 
terms than ``covering'' or ``covered by.'' \11\ Congress should avoid 
merely preempting what a proposed bill is ``covering'' or ``covered 
by,'' because such clauses are considered by the Supreme Court to be 
less restrictive on states than phrases like ``related to.'' \12\ 
According to the Supreme Court, `` `[c]overing' is a more restrictive 
term which indicates that preemption will lie only if the Federal 
regulations substantially subsume the subject matter of the relevant 
state law.'' \13\ A national privacy law that merely preempts what it 
``covers'' and then provides for exceptions to that preemption would 
likely be taken by many as evidence that Congress has not intended to 
``substantially subsume'' regulation.
---------------------------------------------------------------------------
    \11\ Congressional Research Service ``Federal Preemption: A Legal 
Primer,'' (May 2023) available at https://crsreports.congress.gov/
product/pdf/R/R45825.
    \12\ Id. at 10.
    \13\ CSX Transportation, Inc. v. Easterwood, 507 U.S. 663 (1993).
---------------------------------------------------------------------------
    The APRA draft would also create exceptions to preemption in the 
areas of consumer protection, health data, and remedies based on 
California's Consumer Privacy Act and highly abused lawsuits under the 
Illinois Biometric Privacy Law. These exceptions could easily be 
exploited in lawsuits and state legislatures to circumvent preemption 
in APRA.
    There are better models. In recent years, legislation has been 
authored by both Republicans and Democrats that would provide strong 
preemption, including:

   H.R. 3388, the ``SELF DRIVE Act,'' from the 115th Congress, 
        which preempted broad categories of activities and passed the 
        House by unanimous consent.

   H.R. 1816, the Information Transparency and Personal Data 
        Control Act, from the 117th Congress, that provided: ``No State 
        or political subdivision of a State may adopt, maintain, 
        enforce, or continue in effect any law, regulation, rule, 
        requirement, or standard related to [emphasis added] the data 
        privacy or associated activities of covered entities.'' \14\
---------------------------------------------------------------------------
    \14\ https://www.congress.gov/bill/117th-congress/house-bill/1816/
text (emphasis added).

   Financial Services Committee Chairman Patrick McHenry's 
        ``Data Privacy Act of 2023'' draft from the current Congress, 
        which provides that Federal legislation ``supersedes any 
        statute or rule of a State.'' \15\
---------------------------------------------------------------------------
    \15\ https://financialservices.house.gov/uploadedfiles/
glb_2023_xml_2.24_934.pdf.
---------------------------------------------------------------------------
III. APRA Fails by Providing a Private Right of Action
    Comprehensive privacy legislation should leave enforcement to 
agencies like the Federal Trade Commission and state attorneys general, 
not the private trial bar. Such private rights of action would invite 
unwarranted lawsuits that would ultimately hamstring innovation and the 
viability of some innovators. Frivolous, non-harm-based litigation has 
been used in the past to extract costly settlements from companies, 
including small businesses. Private rights of action are ill-suited in 
privacy laws because they:\16\
---------------------------------------------------------------------------
    \16\ U.S. Chamber Institute for Legal Reform, ``Ill-Suited: Private 
Rights of Action and Privacy Claims,'' (July 2019) available at https:/
/instituteforlegalreform.com/wp-content/uploads/2020/10/Ill-Suited_-
_Private_Rights_of_Action_and_Privacy_Claims_Report.pdf.

   Undermine appropriate agency enforcement and allow 
        plaintiffs' lawyers to set policy nationwide. By contrast, 
        statutes enforced exclusively by agencies are appropriately 
        guided by experts in the field who are best positioned to 
        understand the complexities of compliance, promote innovation, 
---------------------------------------------------------------------------
        and prevent and remediate harms.

   Entail inconsistent and dramatically varied, district-by-
        district court rulings. Agency enforcement can provide 
        constructive, consistent decisions that shape privacy 
        protections for all American consumers and provide structure 
        for companies aiming to align their practices with existing and 
        developing law.

   Are, when combined with the power handed to the plaintiffs' 
        bar in Federal Rule of Civil Procedure 23, routinely abused by 
        plaintiffs' attorneys, leading to grossly expensive litigation 
        and staggeringly high settlements that disproportionally 
        benefit plaintiffs' lawyers.

   Hinder innovation and consumer choice by the uncertain and 
        pervasive threat of lawsuits, particularly for companies at the 
        forefront of transformative new technologies.

    Private rights of action would be particularly devastating for 
business under a privacy law that does not have a strong preemptive 
effect. Not only would states be able to continue passing their own 
laws, but individual judicial district precedent could also create 
further confusion and conflict.
IV. Substantive Concerns with APRA
   Artificial Intelligence & Algorithms--As drafted, Sections 
        13 and 14 of APRA would significantly impair America's lead in 
        Artificial Intelligence. APRA as drafted would encourage 
        lawsuits against companies that do not allow individuals to opt 
        out of using basic technologies in any place of public 
        accommodation, which could severely limit consumers' access to 
        things like insurance, credit, employment opportunities, and 
        other apps and services.

   Small Business Impacts--Small businesses would have to meet 
        three elements of a vague test to determine if are exempt under 
        the bill. Given APRA's private right of action provisions, 
        small businesses would likely have to bear high litigation 
        costs just to prove they are not covered by the bill. Even if a 
        small business is not directly covered by the bill, we are 
        concerned that the digital tools small businesses rely on could 
        be threatened by other elements of APRA.

   Digital Advertising--The online advertising ecosystem is 
        what enables Americans to enjoy the benefits of low-cost access 
        to websites and apps. Unfortunately, as drafted APRA's data 
        minimization, new FTC authorities to define what data is 
        subject to opt-in consent, and universal opt-out for targeted 
        advertising will threaten the contextual and personalized 
        advertising that has driven U.S. Internet growth and 
        innovation.

   Data Broker Requirements--While the Chamber does not take 
        issue with a data broker registry, we are concerned that the 
        bill's mass ``Do Not Collect'' requirements for data brokers 
        would inhibit such important and beneficial uses as fraud 
        prevention, small business marketing, healthcare, charitable 
        contributions, and commercial credit and financing services.

   Loyalty Program--We are concerned that the APRA draft's 
        prohibition on price and service discrimination could impair 
        customer loyalty programs. Section 8(b)(a)(i)(IV) would require 
        companies obtain ``affirmative express consent for the transfer 
        of any data collected in connection with a bona fide loyalty 
        program.'' There is concern this provision would require 
        consent every time data is transferred and would subject 
        companies to private rights of action for inadvertent errors if 
        consent is required every time. Such a requirement would have a 
        chilling effect on offering loyalty programs like hotel, 
        restaurant, and retail programs consumers enjoy.

    The Chamber opposes APRA in its current form. We stand ready with 
the Subcommittee and other members of Congress to enact meaningful and 
workable national privacy legislation.
            Sincerely,
                                           Jordan Crenshaw,
                                             Senior Vice President,
                                  Chamber Technology Engagement Center,
                                              U.S. Chamber of Commerce.
cc: Committee on Commerce, Science, and Transportation
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Maria Cantwell to 
                              James E. Lee
Cultural Change
    Culture change is hard, even when organizations have the tools and 
resources necessary to implement change. This is also true with respect 
to creating a culture of data security.

    Question 1. From your perspective, do you think U.S. companies are 
beginning to do a better job of adopting a culture of data security?
    Answer. Yes and no.
    Cybersecurity spending to prevent data compromises that expose 
personal information continues to increase overall and security teams 
are able to prevent or block the vast majority of attacks that lead to 
most security and data breaches. Even an organization as small as the 
ITRC is attacked hundreds of times each day, requiring constant 
improvements and investments to keep pace with threat actors--yet, 
improved security products and postures allow the successful defense of 
systems and data.
    Increased investment in employee training, especially among small 
businesses, is also contributing to an improved environment for 
cybersecurity and data protection according to ITRC research and 
analysis of data breaches at SMBs. The overall number of preventable 
data compromises resulting from physical attacks as well as human and 
system errors have dropped significantly since 2018. Compromises from 
physical attacks have dropped from 13 percent (13 percent) of all 
compromises in 2018 to two percent (2 percent) today. Compromises from 
human and system errors have dropped from 23 percent (23 percent) to 19 
percent (19 percent).\1\
---------------------------------------------------------------------------
    \1\ The number of human and system errors would be nine percent (9 
percent) today but for a recent rise in correspondence containing 
personally identifiable information (PII) being shared with employees 
or other individuals not authorized to receive the PII--i.e. someone 
attached a file containing PII to an e-mail that included people not 
authorized to receive the information. There is no indication data was 
shared with identity criminals in these compromises.
---------------------------------------------------------------------------
    However, no sector and no industry is immune from attack and threat 
actors continue to successfully target organizations that are under-
resourced, under-staffed, and rely extensively on legacy technology. 
Supply chains are especially vulnerable to attack and data breach 
statistics since 2018 show a dramatic rise in attacks against supply 
chains--2600 percent. The MoveIT Supply Chain Attack in 2023 is a 
classic example where 102 organizations were directly attacked, but the 
data of more than 1,270 organizations was compromised impacting an 
estimated 72M individuals. Likewise, the more recent attack against 
Change Healthcare involved a supply chain attack where 40 year-old 
technology was still the core of the company's network and facilitated 
the breach.
    The patchwork of state and Federal laws and regulations that exist 
today have created the current environment. A fundamental shift toward 
enforceable minimum standards can address the gaps that exist today 
that allow threat actors to exploit weak security practices and 
victimize millions of U.S. residents each year.
    Nowhere is this more evident than in the lack of a national 
standard for issuing data breach notices. Today, where you live 
determines if a compromise of personal information warrants a data 
breach notice and what, if any, information is shared with victims 
about the attack, the corrective actions taken, and protections & 
support provided to victims. Even state officials are not informed of 
data breaches in 16 states.
    In 2023 the ITRC tracked an average of nine (9) new data breach 
notices each day compared to the 335 filed each day last year with data 
protection authorities in the European Union. Further, Federal court 
decisions since 2019 have resulted in only 32 percent (32 percent) of 
data breach notices filed in Q1 2024 containing information about the 
root cause of cyberattacks that led to data compromises.
    Uniform minimum standards for data practices and security backed by 
risk assessments, audits, and strong enforcement actions can help 
elevate the practices, processes, and outcomes at all organizations 
that collect, process, and maintain personal and business data.

    Question 2. What are best practices that can guide companies 
towards improved data security?
    Answer. Significant improvement will require broad adoption across 
all sectors and industries of a variety of best practices--some 
technical and some practical--that will reduce the risk of personal 
information being compromised in data breaches and/or cyberattacks. 
These include the adoption of:

   Data Minimization practices to reduce the volume of 
        information collected and/or retained which reduces the 
        likelihood it could be compromised in a data breach.

   Zero Trust principles to require the verification of 
        software and hardware before implementation and reverification 
        when updated or modified.

   Least Privilege Access to give employees access only to 
        information directly related to their jobs.

   Security by Design/Privacy by Default product design 
        principles to ensure data and privacy protection are parts of 
        the entire product lifecycle.

   Regular Risk Assessments to require cyber and data 
        protections equal to or greater than the actual risks an 
        organization faces; regularly scheduled risk assessments help 
        ensure security programs address the ever-evolving threat 
        landscape rather than the threats that existed when a security 
        plan was originally developed or devote resources to ``one size 
        fits all'' defenses that are not based on addressable risks.

   Mandatory third-party audits that ensure organizations 
        comply with their own security policies/procedures as well as 
        ensure the data protection program design is equal to the risk 
        the entity faces.

   Data Encryption in transit and at rest will help ensure that 
        if personal information is intercepted, exfiltrated or 
        otherwise exposed, the data is useless without decryption keys.

   DevSecOps practices to link security outcomes to software 
        development. Generally, software developers are not evaluated 
        on the security of the code they write before it is put into 
        production, resulting in significant dwell time between when 
        threat actors begin their attack, when the attack is 
        discovered, and when the flaw is ultimately patched. IBM 
        reported in 2023 the mean time required to identify a breach 
        was 204 days with an additional 73 days required to halt the 
        attack and fix an underlying flaw.

   Virtual Patching and Real-time Rule Application reduces the 
        time to patch and secure vulnerable enterprise applications 
        from months to minutes. Independent researchers at Vanson 
        Bourne reported in April 2024 that one-third of ransomware 
        attacks were the result of a known but unpatched software 
        flaws. Verizon analysis showed the number of global data 
        breaches resulting from unpatched software increased 180 
        percent (180 percent) in 2023. Virtual Patching allows security 
        teams to temporarily fix flawed code until a permanent patch 
        can be applied when updating source code. Real-time Rules can 
        be applied while an application runs, protecting enterprise 
        software from Zero Day and other broad classes of attacks.

    In addition, there are technologies that rise to the level of best 
practices that can also help improve data protection, including:

   Biometric Verification (not recognition) to help prove a 
        person is who they claim to be since personal information used 
        for ID purposes has been widely compromised in data breaches. 
        Verification against a known source of truth--a photo in a DMV 
        database, for example--with the applicant's consent helps 
        secure an individual's identity and devalues the personal 
        information stolen in a data breach that would otherwise be 
        used to impersonate an individual.
Data Minimization
    Data minimization--the principle that businesses should only 
collect the personal information they need and keep it only for as long 
as they need it--is where good data hygiene starts.
    Just over a month ago, we learned from AT&T that the personal 
information of over 70 million of its American customers was released 
on the dark web. What is particularly concerning is that over 65 
million of those consumers are not current AT&T account holders and 
haven't been since at least 2019. The sensitive data on the dark web 
social security numbers, account numbers, and passcodes.
    This raises questions about why AT&T retained the information 
belonging to nearly 65 million Americans years after they stopped being 
AT&T Customers.

    Question 1. What are the risks to consumers when companies hold on 
to data longer than they need to?
    Answer. Maintaining excess data or personal information beyond its 
useful life creates a multitude of risks for the individuals who are 
the subject of the information as well as the organizations that hold 
the data. Static or near-static data such as SSNs, dates of birth, 
passports, state-issued driver's licenses or state IDs, are often 
misused in real identity fraud as well as synthetic identity fraud 
where identities are created from bits & pieces of real or imaginary 
data.
    In 2023, the most reported types of identity misuse to the ITRC 
were Existing Account Takeover (52 percent) and New Account Creation 
(36 percent). Today, real but compromised identities are used to 
impersonate someone to open new bank accounts, take-over existing 
accounts, apply for state or Federal government benefits, secure loans, 
file tax returns, and obtain letter-perfect fake credentials that can 
be used to pass identity verification processes. Fake credentials with 
information of victims but with the photo and physical characteristics 
of the identity criminal are also used to evade law enforcement.
    Information stolen in data breaches may circulate for years and the 
time to resolve any actual misuse of the information may also have a 
long tail. In many cases, the victims of these instances of identity 
fraud do not know their identities have been misused until months or 
even years later when they receive a notice from a creditor or 
government agency. Other victims learn of the misuse when they are 
denied a benefit or when an application for employment, insurance, or 
credit is rejected. Sixty-five percent (65 percent) of victims who 
reported their issues in 2022 to the ITRC listed their issues as 
``unresolved'' as of August 2023.
    The particular instance involving AT&T is another example of the 
ineffectiveness of state data breach notice laws which allow the 
organizations that have lost control of information to determine if a 
breach notice is required. The data in question first appeared in 2019 
in a criminal identity forum where the information was listed as being 
AT&T account information. The company speculated the source of the data 
was a vendor with access to account information as the source of the 
breach and did not issue breach notices.
    The same information was offered multiple times for sale subsequent 
to 2019 and each time AT&T denied being the source of the information. 
In early 2024 when the data was again offered to identity criminals, 
this time for free, AT&T acknowledged the information was related to 
past and current customers.
    While the Federal Communications Commission and the Securities and 
Exchange Commission have recently strengthened the requirements for 
issuing security and data breach notices for telecommunications and 
publicly traded companies respectively, the vast majority of 
organizations that report data breaches are not covered by either 
agency's rules. In 2023, only 358 out of 3,205 data breaches (or 11 
percent) were reported by public companies subject to Federal 
disclosure rules.
                                 ______
                                 
    Response to Written Question Submitted by Hon. Ben Ray Lujan to 
                              James E. Lee
    Question. Please enumerate the cybersecurity risks that generative 
AI has introduced and share your recommendations for how Federal 
policymakers can design policies that mitigate these risks.
    Answer. Hard statistics quantifying the increased identity risks 
associated with generative AI are rare. Anecdotally, the IRTC has 
received reports since generative AI reached the mass market in 2023 
from victims and small businesses that support the analysis that 
generative AI is having several key impacts on cyberattacks and 
identity crimes. For example:

   Phishing attacks are more effective as generative AI has 
        improved both the messaging and execution of phishing lures. No 
        longer riddled with bad grammar, poor spelling, ill-designed 
        graphics, and tone-deaf pitches, phishing e-mails and texts are 
        now harder to spot and can fool even the most skilled 
        cybersecurity professionals. The narrative they weave is far 
        more compelling, too, thanks to generative AI. The end result 
        is more people believing phishing lures.

   Generative AI tools have allowed identity criminals to move 
        from ``Deep Fakes'' that are expensive and labor intensive to 
        ``Cheap Fakes'' that allow criminals with little to no tech 
        skills to create voice clones and photo realistic facial clones 
        for the price of a couple of cups of Starbucks coffee. These 
        fakes are used to attempt to fool rudimentary verification 
        tools to give criminals access to new or existing accounts or 
        trick employees into taking a particular action such as paying 
        a fake invoice.

   AI-designed cheap fakes are being used to attack individuals 
        on an opportunistic basis, but the primary targets remain 
        businesses--using the cloned voices of company executives and 
        employees to prompt the payment of fake invoices or transfer of 
        funds to fraudulent accounts.

   With access to troves of stolen identity data and openly 
        shared personal information on social media platforms, identity 
        criminals use generative AI tools to identify targets for 
        various scams and identity fraud as well as refine the criminal 
        pitch to make it more compelling to the intended victims.

   Cybersecurity researchers at the University of Illinois have 
        proven it is possible to by-pass common generative AI security 
        protocols allowing bad actors to create malware using 
        generative AI that is designed to exploit software flaws based 
        solely on the public notice of the vulnerability filed with 
        NIST or MITRE.

    While the ITRC generally does not lobby for or against any 
particular policy or legislative solution, we believe U.S. residents 
and organizations are at increased risk from the misuse of legitimate 
AI tools offered by legitimate developers. Many of those risks, 
however, can be addressed by the principles already under consideration 
in the APRA.
    Operationalizing data minimization, risk assessments that envision 
a defense to AI-driven attacks, and audits that demonstrate the 
effectiveness or weaknesses of AI defenses--backed by strong 
enforcement regimes--are good examples of principles that would reduce 
the risks associated with the misuse of mainstream generative AI tools.
    The greater risks to people and organizations, though, are from the 
malicious use of generative AI tools by identity criminals and Nation/
States who do not ``play by the rules.'' In these cases, strong law 
enforcement and national security responses will be required.
    Another area that warrants further consideration is the lack of 
user support for compromised social media accounts that could lead to 
large scale identity scams and mis-or disinformation using AI. Social 
Media Account Takeover (ATO) impacts 50 percent (50 percent) of victims 
of non-financial ATO, most of whom never regain access to their 
accounts according to ITRC surveys of individual and small business 
victims. With little to no support from the social media platforms, 
these compromised accounts often remain under the active control of an 
identity criminal and represent an on-going threat to other individuals 
who may be lured into a scam.
    While there is no direct evidence at this time these attacks are 
being automated using AI, there is sufficient anecdotal evidence to 
warrant concern that threat actors could weaponize compromised accounts 
using malicious AI tools at scale. A bipartisan coalition of state 
attorneys general have recently contacted the major social media 
platforms seeking dialogue on the lack of responsiveness from platforms 
regarding ATO and the difficulty users face in reclaiming or shutting 
down compromised accounts. The ultimate answer may lie in a standard 
that addresses how social media platforms respond to ATO attacks and 
similar account compromises.
    Finally, a comprehensive and sustained education program is needed 
that leverages the public, private and non-profit sectors to help 
individuals and small businesses avoid falling victim to AI-fueled 
scams, fraud, and dis-& misinformation campaigns. One example of a 
consumer education program is the partnership between the ITRC and the 
New Mexico Attorney General's Office where identity crime victims can 
access expert advice about identity theft and fraud, free of charge, 
directly from the ITRC using a Live Chat link embedded in the AG's 
website.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Maria Cantwell to 
                               Sam Kaplan
Quantum Computing
    Existing public-key encryption systems, which rely on math problems 
that are virtually unsolvable for conventional computers, can be 
quickly broken by quantum computers which can perform such calculations 
exponentially faster than conventional computers.
    Such computers capable of overcoming current encryption techniques 
are not yet available, but researchers warn that organizations need to 
start preparing now.
    Already, cyber-criminals are stealing and storing encrypted data so 
they can one day use quantum computers to decrypt the data.
    To address this threat, NIST is leading a multi-year effort to 
develop and standardize new ``post-quantum'' cryptographic algorithms 
to resist attacks from quantum computers.

    Question 1. How are these programs going?
    Answer. Many industry and government experts have been preparing 
for the challenge of encryption-breaking quantum computers for a long 
time. The U.S. National Institute of Standards and Technology (NIST) is 
soon expected to conclude a seven-year process, and publish the first 
set of Post-Quantum Cryptographic (PQC) algorithms, with the ultimate 
goal of establishing new, secure, quantum computer-resistant encryption 
standards. Upon their release, organizations will be able to begin 
validating whether their existing security technologies are 
interoperable with the newly selected PQC algorithms.
    At Palo Alto Networks, we are committed to being a strategic 
partner to organizations on their journey towards quantum readiness. We 
have begun implementing quantum-resistant capabilities across our 
technologies, starting with a Post-Quantum VPN and new capability to 
discover PQC algorithm use within an organization's network. We 
emphasize the importance of embracing several core principles that we 
see as essential capabilities of a comprehensive PQC security 
capabilities:

   Open Standards-Based: PQC security capabilities should be 
        built on open standards, such as the cryptographic standards 
        being developed by NIST, and not proprietary technologies.

   Integrated: PQC security capabilities should be fully 
        integrated into existing cybersecurity technologies that 
        organizations already know and trust.

   Scalable: PQC security capabilities should be able to be 
        deployed in a tailored manner, commensurate with risk.

   Agile: PQC security capabilities must be capable of rapidly 
        shifting to use different cryptographic algorithms seamlessly, 
        with minimal operational disruption.

    It is critical to not just talk about these core principles, but to 
demonstrate them technically in real world and test lab environments. 
Towards that end, we are honored to serve as a partner in NIST's 
National Cybersecurity Center of Excellence (NCCoE) Migration to Post-
Quantum Cryptography project. At the NCCoE, Palo Alto Networks partners 
with NIST, the NSA, CISA, and over thirty industry peers. The project 
provides a critical forum to demonstrate our latest technological 
innovations and our commitment to open-standards-based interoperability 
with the broader technology ecosystem.
    The outcome of this public-private partnership will be a series of 
NIST Special Publications--blueprints to help organizations tackle 
common quantum security use cases, like conducting baseline 
cryptographic inventories, prioritizing which high value digital assets 
require PQC protections, and ultimately implementing validated PQC 
security solutions that demonstrate core attributes, like multi-vendor 
interoperability, crypto-agility and alignment to open standards.

    Question 2. In your view, is quantum decryption something that we 
need to be concerned about?
    Answer. Every day, the security of billions of global digital 
transactions, from e-mail and online banking to internet-connected 
medical devices, relies on a time-tested form of encryption called 
public key cryptography. This secures methods of identifying users, 
devices, and applications within a network, which is fundamental to 
authentication and confidentiality, and underpins a significant amount 
of today's data sharing, data transfer, and transactions.
    However, the arrival of encryption-breaking quantum computers 
(possibly within a decade) will undermine this foundational 
cryptographic underpinning of modern cybersecurity, resulting in 
decrypted and stolen secrets and intellectual property theft. Quantum 
decryption has been financially fueled by nation states seeking to use 
it as a potential geopolitical cyber tool.
    As a U.S. government advisory warned, organizations everywhere 
should begin now to plan their transition to ``Quantum Readiness'' as a 
fundamental part of their security and business continuity strategies. 
Organizations should immediately take the following steps to kickstart 
their quantum readiness journeys: assign resources and build awareness; 
define responsibilities within the organization; develop an inventory 
and priority list; evaluate, experiment, and test solutions to secure 
assets; and review, monitor, and refine policies.
    We urge organizations to invest in quantum readiness, including the 
deployment of Post-Quantum VPN capabilities, now to prevent so-called 
``Harvest Now, Decrypt Later'' attacks.
Privacy Enhancing Technologies
    There are several techniques for keeping our data secure that fall 
under the term ``Privacy Enhancing Technologies,'' or PETs. PETs 
encompass many different technologies and techniques and can provide 
both data security and the ability for businesses to use data without 
accessing personally identifiable information about consumers.

    Question 1. Without getting too deep into the weeds, can you 
describe these technologies and how they are used to secure our data?
    Answer. At a high-level, PETs are capabilities that companies or 
organizations can use and deploy to protect the personal information 
they collect, while being able to simultaneously gather analytics or 
research from the data without having to access the actual personal 
information. General examples can include types of anonymization, 
encryption, or data masking. PETs can be helpful tools to protect 
personal data from unauthorized access or inadvertent data leaks.

    Question 2. Do you agree that Congress can do more to incentivize 
the development and deployment of PETs?
    Answer. PETs have the potential to help shrink the attack surface 
by limiting the amount of data that entities need for critical 
functions. It is important to study the efficacy and effectiveness of 
these tools to ensure any proposed policies or mandates would be 
complementary to cybersecurity efforts to protect privacy across the 
digital ecosystem.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Ben Ray Lujan to 
                               Sam Kaplan
    Question 1. What can the Federal government do to strengthen 
cybersecurity in smaller, rural health care facilities that have less 
resources to dedicate to cybersecurity protection?
    Answer. Cybersecurity companies can help provide holistic and 
integrated platforms, backed by cutting-edge ML and AI technologies, 
that simplify complexity and streamline cybersecurity operations for 
resource-strapped organizations, helping to combat two of the largest 
hurdles: budget and human capital.
    I mentioned six general recommendations in my written testimony to 
drive cyber resilience. All certainly apply to small businesses and 
rural healthcare facilities, but it is worth reinforcing two of them.

  1).  Ensure complete visibility of attack surfaces to help identify 
        and mitigate vulnerabilities before they can be exploited. You 
        can't secure what you can't see. It is critical to understand 
        what you have exposed on the internet.

  2).  Maintain and test an incident response plan. Adversaries are 
        simply too sophisticated for any entity to be caught flat 
        footed.

    There are also free resources available to help small businesses 
build cyber resilience. For example, CISA offers a number of free 
CyberHygiene tools. In October 2023, CISA published its ``Mitigation 
Guide: Healthcare and Public Health (HPH) Sector,'' which provides 
guidance on combating cyber threats in the healthcare and public health 
sector.

    Question 2. In the hearing and within your written testimony, you 
describe the positive role that AI is playing in enabling swifter and 
stronger cybersecurity protection. Please enumerate the cybersecurity 
risks that generative AI has introduced and share your recommendations 
for how Federal policymakers can design policies that mitigate these 
risks.
    Answer. Cyber adversaries are already leveraging AI to advance 
their tradecraft and will continue to do so going forward. For example, 
we see evidence that adversaries are using generative AI to enhance 
what we call social engineering attacks--phishing e-mails designed to 
lure users to ``click the link.'' Historically, these messages have 
been littered with poor grammar and typos, making their fraudulent 
nature relatively easy to detect, but they are becoming more accurate 
and therefore more believable. Adversaries are now able to generate 
flawless, mistake-free text, enabling click-through rates to skyrocket.
    Additionally, bad actors are innovating with AI to accelerate and 
scale attacks and find new attack vectors. They can now execute 
numerous simultaneous attacks on one company across multiple 
vulnerabilities. Adversarial use of AI allows faster lateral movement 
within networks and more rapid weaponization of reconnaissance data. 
Going forward, there is the potential for a significant surge in 
malware variants as the cost of creating customized malware drops 
substantially.
    These risks heighten the importance of leveraging AI and automation 
in threat detection and cyber defense. They also underscore the 
importance of safeguarding the entire lifecycle of an AI system, from 
data collection and model training to deployment and maintenance. These 
secure AI by design concepts encompass protecting data used for 
training AI models, ensuring the integrity of AI algorithms, and 
guarding against unauthorized access or tampering.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Maria Cantwell to 
                              Prem Trivedi
Data Minimization
    Data minimization--the principle that businesses should only 
collect the personal information they need and keep it only for as long 
as they need it--is where good data hygiene starts.
    Just over a month ago, we learned from AT&T that the personal 
information of over 70 million of its American customers was released 
on the dark web. What is particularly concerning is that over 65 
million of those consumers are not current AT&T account holders and 
haven't been since at least 2019. The sensitive data on the dark web 
social security numbers, account numbers, and passcodes.
    This raises questions about why AT&T retained the information 
belonging to nearly 65 million Americans years after they stopped being 
AT&T Customers.

    Question 1. What does the AT&T breach tell us about data 
minimization?
    Answer. As with many large-scale breaches, the AT&T breach 
powerfully underscores the need for data minimization throughout the 
data life cycle. Data should be minimized when it is collected, while 
it is being used, and retained only as long as it is needed.
    Data that isn't collected in the first place cannot subsequently be 
stolen in a breach and released by hackers onto the dark web. Companies 
that minimize data collection will reduce their need to safeguard 
sensitive data like Social Security Numbers once breaches occur.\1\ In 
addition, many companies are collecting so much data that they cannot 
identify where some breaches originate. Three years after a different 
data breach that occurred in August 2021,\2\ AT&T still could not say 
exactly where that data set originated and whether or not it came from 
a third-party vendor.\3\ These data governance challenges also manifest 
in many companies' ability to appropriately minimize data use.
---------------------------------------------------------------------------
    \1\ AT&T Addresses Recent Data Set Released on the Dark Web, AT&T, 
Mar. 30, 2024, https://about.att.com/story/2024/addressing-data-set-
released-on-dark-web.html.
    \2\ Millions of customers' data found on dark web in latest AT&T 
data breach, NPR, Mar. 30, 2024, https://www.npr.org/2024/03/30/
1241863710/att-data-breach-dark-web.
    \3\ Zach Whittaker, AT&T won't say how its customers' data spilled 
online, TechCrunch, Mar. 22, 2024, https://techcrunch.com/2024/03/22/
att-customers-data-leak-online/.
---------------------------------------------------------------------------
    Companies also continue to demonstrate that they will not 
responsibly self-govern on data retention in the absence of data 
minimization requirements. More than 90 percent of the 70 million 
individuals impacted by the most recent AT&T data breach were no longer 
AT&T customers, but they still must confront the impact of their 
information being released and the very real threat of identity 
theft.\4\ AT&T's failure to delete at least some of this data through 
periodic reviews of its holdings drives home the inadequacy of its 
current data minimization practices. And AT&T is hardly the only 
company in this position.\5\
---------------------------------------------------------------------------
    \4\ Consumer Sentinel Network | Data Book 2022, Federal Trade 
Commission, Feb. 2023, https://www.ftc.gov/system/files/ftc_gov/pdf/
CSN-Data-Book-2022.pdf.
    \5\ Large-scale breaches in recent years have implicated a range of 
companies as diverse as First American Financial, Marriott, and 
Equifax. See, e.g., AJ Dellinger, Understanding the First American 
Financial Data Leak: How Did It Happen and What Does It Mean?, May 26, 
2019, https://www.forbes.com/sites/ajdellinger/2019/05/26/
understanding-the-first-american-financial-data-leak-how-did-it-happen-
and-what-does-it-mean/?sh=340923d7567f; Marriott Announces Starwood 
Guest Reservation Database Security Incident, Nov. 30, 2018, https://
news
.marriott.com/news/2018/11/30/marriott-announces-starwood-guest-
reservation-database-security-incident; Equifax to Pay $575 Million as 
Part of Settlement with FTC, CFPB, and States Related to 2017 Data 
Breach, Jul. 22, 2019, FTC press release, https://www.ftc.gov/news-
events/news/press-releases/2019/07/equifax-pay-575-million-part-
settlement-ftc-cfpb-states-related-2017-data-breach
---------------------------------------------------------------------------
    AT&T has experienced numerous breaches over the past years and 
while this latest breach may not have had a ``material impact'' on the 
company's operations,\6\ it can and does have a material impact on its 
customers. This isn't an issue exclusive to AT&T, as the 2023 T-Mobile 
data breach illustrates,\7\ or even to telecommunications companies, as 
a Kaiser Permanente data breach earlier this year demonstrates.\8\ 
Enshrining a data minimization rule in Federal law is a key to greater 
accountability for the many companies and industries that have 
persistently failed to adequately safeguard privacy and security.
---------------------------------------------------------------------------
    \6\ AT&T Addresses Recent Data Set Released on the Dark Web, AT&T, 
Mar. 30, 2024, https://about.att.com/story/2024/addressing-data-set-
released-on-dark-web.html.
    \7\ Nicholas Reimann, T-Mobile Data Breach: Hackers Stole 37 
Million Customers' Info, Company Says, Forbes, Jan. 19, 2023, https://
www.forbes.com/sites/nicholasreimann/2023/01/19/t-mobile-data-breach-
hackers-stole-37-million-customers-info-company-says/.
    \8\ Troy Wolverton, Here's what you should know about the Kaiser 
Permanente data leak, San Francisco Examiner, May 7, 2024, https://
www.sfexaminer.com/news/technology/what-you-should-know-about-the-
kaiser-permanente-data-leak/article_7d6f9256-0be7-11ef-a085-533bb1c22
009.html.
---------------------------------------------------------------------------
    We are repeatedly confronting--across industries and dozens of 
companies--the human costs of data breaches. A strong data minimization 
standard is an essential part of lowering the harms when data breaches 
inevitably occur. More broadly, a Federal privacy law that requires 
meaningful data minimization can help to ensure that companies' data 
collection, use, and retention protects consumers and increases their 
trust in companies.

    Question 2. How does data minimization support data security?
    Answer. Data minimization requires companies to collect, use, 
share, and retain only what they need to provide a product or service. 
By narrowing the funnel of data held and handled at the collection 
stage, data minimization also reduces companies' risk surface. A 
company cannot willfully misuse or accidentally mishandle data that it 
doesn't have. And hackers cannot steal what isn't there in the first 
place. In this most basic sense, data minimization is a key pillar of 
data security.
    In addition, when a company is required to assess its own data 
collection and handling practices consistent with a minimization 
requirement, that company must critically assess its data governance 
decisions at every stage of the data life cycle (collection, use, and 
retention). These decisions include safeguarding against the potential 
misuse of data, weighing the risk of misuse against the current need 
for the data, and periodically assessing the utility of data holdings 
so that all data is not stored indefinitely by default. Responsible 
data minimization lowers the possible harms posed by breaches and other 
security incidents, and is thus a cornerstone of protecting consumers 
and companies, safeguarding privacy, and securing data.
    In addition, organizations may have varying levels of technical 
capacity to implement data security measures and data audits. Although 
Federal privacy laws cover sectors like health, finance, and education, 
virtually every institution is likely to hold and use sensitive data--
including data not covered by data security or privacy laws. A strictly 
sectoral approach to data security and privacy leaves unprotected many 
institutions and Americans who need a baseline level of support from a 
strong Federal standard for data minimization and other data security 
practices.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Ben Ray Lujan to 
                              Prem Trivedi
    Question 1. In the hearing, you stated that ``GDPR gives too much 
deference to companies about what data minimization means'' and that 
``there's an opportunity for an American approach that's different and 
works for us.'' Can you elaborate on what specific data minimization 
requirements OTI would recommend within national privacy legislation?
    Answer. A strong data Federal minimization standard in U.S. Federal 
law would have at least four core components: a strong substantive 
standard, clear permissible purposes for data processing, additional 
mechanisms for consumers to exercise control over their data, and a 
strong enforcement mechanism.
    First, a Federal data minimization standard should operate as a 
substantive requirement, not merely a procedural one. A minimization 
standard that amounts to a check-box exercise in which companies 
disclose the purposes of data processing and then nominally comply with 
those purposes is not a meaningful minimization requirement. Instead, a 
specific substantive standard (like ``necessary, proportionate, and 
limited to provide or maintain a product or service'') links 
minimization to the ``functionality of a product or service.'' \9\ A 
substantive standard should be paired with authorization for the 
Federal Trade Commission to further define what constitutes compliance 
with the standard and to enforce it. Relatedly, a Federal data 
minimization standard should provide for heightened protections for 
processing sensitive data.
---------------------------------------------------------------------------
    \9\ Jordan Francis, Unpacking the shift toward substantive data 
minimization rules in proposed legislation, International Association 
of Privacy Professionals, May 22, 2024, https://iapp.org/news/a/
unpacking-the-shift-towards-substantive-data-minimization-rules-in-
proposed-legislation (``The majority of state comprehensive privacy 
laws . . . require controllers to limit the collection and processing 
of personal data to what is `adequate, relevant, and reasonably 
necessary' to achieve the purposes that are disclosed to a data 
subject. Any unnecessary or incompatible secondary uses of personal 
data under these regimes require separate, affirmative consent. This 
rule can be labeled as `procedural data minimization,' because whether 
or not collection or processing can occur turns on whether the 
controller has taken the correct procedural step--adequately disclosing 
processing purposes--rather than the substance of the processing 
activity.'')
---------------------------------------------------------------------------
    Second, a Federal data minimization requirement should clearly 
enumerate additional permissible purposes (like fraud prevention or 
protecting data security, to name two examples) for processing data. 
Identifying and appropriately scoping these permissible purposes 
provides meaningful flexibility for companies without creating 
exceptions--like a broadly construed permissible purpose to process 
data for product improvement--that could swallow up an entire 
minimization rule.
    Third, a data minimization standard must be paired with a mechanism 
for consumers to take control over their data in ways that go beyond 
companies' obligations to minimize data. This mechanism should include 
a universal opt-out mechanism that consumers can exercise with respect 
to further data collection and a data deletion tool for data already 
collected.
    Fourth, a Federal data minimization rule must be paired with strong 
enforcement, which requires that the Federal Trade Commission be 
appropriately empowered and resourced to enforce the requirement. This 
multi-pronged approach to data minimization would avoid overly broad 
discretion to companies to decide what minimization means in practice, 
impose a strong substantive standard for minimization, and empower the 
Federal Trade Commission to further define that standard and enforce 
it.

    Question 2. In your written testimony, you describe a ``broken 
notice and consent approach in U.S. privacy law''. Should Congress 
require companies to clearly disclose their data privacy and security 
policies during the notice and consent process?
    Answer. The Open Technology Institute (OTI)'s view is that a 
comprehensive privacy law should strengthen the substance of companies' 
disclosures and make them more understandable to consumers. OTI 
therefore welcomes the approach in the American Privacy Rights Act 
(APRA) discussion draft that incorporates provisions of the TLDR 
Act.\10\
---------------------------------------------------------------------------
    \10\ S. 2225, The TLDR Act, https://www.congress.gov/bill/118th-
congress/senate-bill/2225.

    a. If you agree with the above statement that companies should 
clearly disclose their data privacy and security policies, please 
explain your perspective on the role that clear disclosure and informed 
consent play in protecting consumer privacy.
    Answer. A strong data minimization regime is essential, but it does 
not remove the need for concise and meaningful disclosure. On the 
contrary, when paired with a legislative requirement to minimize data, 
meaningful notice and consent can help ensure responsible privacy and 
data governance. Consumers cannot make informed decisions without a 
clear understanding of companies' data practices.
    Our current U.S. data privacy regime of notice and consent rarely 
results in meaningful notice. Instead, people are usually granted a 
perfunctory moment of ``choice'' that most often leads them to accept 
terms they don't understand or even read.\11\ Addressing this issue by 
improving companies' disclosures and data minimization practices can 
lead to stronger data protection and a renewed sense of agency and 
choice for people engaged in activities online.
---------------------------------------------------------------------------
    \11\ See, e.g., Michelle Faverio, Key findings about Americans and 
data privacy, Pew Research, Oct. 18, 2023, https://www.pewresearch.org/
short-reads/2023/10/18/key-findings-about-americans-and-data-privacy/.

    b. Does OTI have any recommendations to ensure that disclosure and 
consent processes are clear and accessible?
    Answer. Meaningful disclosure should be clear, truthful, and 
present critical information that consumers can actually use to make a 
decision about whether to proceed with using a product or service. 
Legislative requirements for company disclosures should be accompanied 
by strong, tiered enforcement while also allowing for appropriate 
flexibility via rules or guidance issued by the FTC. The TLDR Act is a 
recent example of proposed legislation that pairs meaningful disclosure 
requirements with appropriate regulatory rulemaking and enforcement.
    The Act requires companies to provide a short-form summary of their 
terms of service on their websites, create graphic representations of 
data flows, and present their full terms of service in an interactive 
data format.\12\ The short-form summary statement must include, among 
other things, the categories of sensitive information the company 
processes, directions for users to delete their information, and a list 
of data breaches over the last three years that the company was legally 
required to report.\13\ The Act requires the FTC to issue a rulemaking 
on the Act's core requirements and provides for enforcement by the FTC 
and state attorneys general (AGs).
---------------------------------------------------------------------------
    \12\ S. 2225, The TLDR Act Sec. 2(a), https://www.congress.gov/
bill/118th-congress/senate-bill/2225.
    \13\ S. 2225, The TLDR Act Sec. 2(c)(3), https://www.congress.gov/
bill/118th-congress/senate-bill/2225.

    Question 3. What role should the FCC have in protecting the privacy 
of consumers? Please explain OTI's recommendation for what the FCC's 
role should be within comprehensive privacy legislation.
    Answer. The nation's communications networks are technologically 
complex and provide a uniquely comprehensive view into the lives and 
habits of their users. The FCC, as the government's expert agency on 
communications networks, already possesses the deep technical 
understanding necessary to protect consumer privacy in this sector. 
Congress recognized this in the 1996 Telecommunications Act when it 
gave the Commission specific and flexible authority under Sec. 222 to 
protect consumer information. The FCC has exercised that authority by, 
for example, expanding the definition of protected consumer information 
in response to technological advances and requiring disclosure of data 
breaches of telecommunications providers.\14\ The FCC's core competence 
in protecting consumer privacy was on display in the April 29, 2024 
fine of major wireless carriers and the focus on Internet service 
providers (ISPs) sharing customers' location data with data 
brokers.\15\
---------------------------------------------------------------------------
    \14\ Implementation of the Telecommunications Act of 1996: 
Telecommunications Carriers' Use of Customer Proprietary Network 
Information and Other Customer Information; IP-Enabled Services, CC 
Docket No. 96-115, Report and Order and Further Notice of Proposed 
Rulemaking, 22 FCC Rcd 6927 (2007) (2007 CPNI Order); Implementation of 
the Telecommunications Act of 1996: Telecommunications Carriers' Use of 
Customer Proprietary Network Information and Other Customer 
Information, CC Docket No. 96-115, Declaratory Ruling, 28 FCC Rcd 9609, 
9609-10, paras. 2-4 (2013) (2013 CPNI Declaratory Ruling).
    \15\ FCC Fines Largest Wireless Carriers for Sharing Location Data, 
Federal Communications Commission, April 29, 2024, https://www.fcc.gov/
document/fcc-fines-largest-wireless-carriers-sharing-location-data.
---------------------------------------------------------------------------
    While it would be possible for another agency, such as the FTC, to 
replicate the FCC's existing expertise and capacity (if it were 
sufficiently resourced to do so), it would be the height of false 
economy to require that outcome in the name of ``efficiency.'' It would 
be a mistake--and a decidedly inefficient allocation of government 
resources--to cast aside the FCC's existing expertise with respect to 
the privacy considerations specific to communications networks.
    Instead, the FCC should be permitted to continue in its role as a 
complement to the FTC. This approach balances the FTC's broad purview 
and enforcement actions focused on business practices with the FCC's 
rulemaking ability and focused expertise on the privacy aspects 
specific to the operation of communications networks. And given the two 
agencies' long track record of working together, there's no need to 
force a false choice.\16\
---------------------------------------------------------------------------
    \16\ See, e.g., FTC and FCC Sign Memorandum of Understanding on 
Continued Cooperation on Consumer Protection Issues, April 30, 2024, 
https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-fcc-
sign-memorandum-understanding-continued-cooperation-consumer-
protection-issues; FTC Joins FCC in Renewing Memorandum of 
Understanding to Promote Cross-Border Law Enforcement Efforts to Combat 
Spam, Scams, and Illegal Telemarketing, September 21, 2023, https://
www.ftc.gov/news-events/news/press-releases/2023/09/ftc-joins-fcc-
renewing-me
morandum-understanding-promote-cross-border-law-enforcement-efforts-
combat; FTC and FCC Sign Memorandum of Understanding For Continued 
Cooperation on Consumer Protection Issues, November 16, 2015, https://
www.ftc.gov/news-events/news/press-releases/2015/11/ftc-fcc-sign-
memorandum-understanding-continued-cooperation-consumer-protection-
issues; Joint FCC/FTC Policy Statement For the Advertising of Dial-
Around And Other Long-Distance Services To Consumers, March 1, 2000, 
https://www.ftc.gov/legal-library/browse/joint-fccftc-policy-statement-
advertising-dial-around-other-long-distance-services-consumers.

    Question 4. Does OTI believe that the American Privacy Rights Act 
bill draft sufficiently addresses data broker practices?
    Answer. The American Privacy Rights Act (APRA) discussion draft 
(May 21, 2024) represents a useful first step toward holding data 
brokers accountable and empowering consumers. Notably, APRA Sec. 112 
requires data brokers to register with the FTC, allowing the agency to 
create a central registry through which consumers may submit a ``Do Not 
Collect'' request to all registered brokers. Sec. 112 also supplements 
this prospective mechanism with a retrospective universal delete-my-
data mechanism. APRA would thus allow consumers to meaningfully 
exercise their privacy rights with respect to data brokers, a sorely 
needed first step in addressing the power asymmetry between 
corporations and individuals. In addition, APRA would require data 
brokers to identify themselves as such on public websites that include 
a link to the FTC registry, prohibit them from engaging in certain 
actions, and direct the FTC to provide guidance on proper disclosure 
requirements for brokers.\17\
---------------------------------------------------------------------------
    \17\ American Privacy Rights Act of 2024 (discussion draft), May 
21, 2024, https://d1dth6e
84htgma.cloudfront.net/PRIVACY_04_xml_d1d6b82f10.pdf.
---------------------------------------------------------------------------
    Other provisions of APRA may also have the effect of restricting 
the information that data brokers can now easily buy or collect online. 
For example, APRA prohibits companies from transferring sensitive 
information they collect to third parties without customers' consent, 
provides opt-out rights for consumers, and requires companies to 
establish data security programs that minimize the harms of 
hacking.\18\ These provisions may reduce the information available to 
data brokers.
---------------------------------------------------------------------------
    \18\ Derek B. Johnson, Congressional privacy bill looks to rein in 
data brokers, Cyberscoop, Apr. 15, 2024 https://cyberscoop.com/
congressional-privacy-bill-looks-to-rein-in-data-brokers/.
---------------------------------------------------------------------------
    If passed, APRA would follow the enactment of U.S. legislation 
aimed at foreign governments' ability to acquire information from data 
brokers. The Protecting Americans' Data from Foreign Adversaries Act 
(PADFA), which passed in April 2024 as part of a supplemental 
appropriations bill, prohibits data brokers from selling Americans' 
``personally identifiable sensitive data'' to entities that are 
controlled by certain foreign adversary governments.\19\ While there 
appear to be loopholes through which data brokers' sales to third 
parties could ultimately result in adversary governments acquiring 
data, PADFA's objectives are laudable and may have some salutary effect 
by restricting data brokers' direct sales to certain foreign 
governments.
---------------------------------------------------------------------------
    \19\ PL 118-50, Division I: Protecting Americans' Data from Foreign 
Adversaries Act of 2024, https://www.congress.gov/bill/118th-congress/
house-bill/815/text.
---------------------------------------------------------------------------
    But PADFA attempts to tackle only the downstream effects of one 
type of data brokers' activities. APRA would directly empower consumers 
vis-a-vis data brokers. While APRA could go further in restricting the 
activities of data brokers, comprehensive privacy legislation requires 
bipartisan compromise. The draft bill makes important progress on 
regulating data brokers that sets the stage for future improvements.

                                  [all]