[House Hearing, 109 Congress] [From the U.S. Government Publishing Office] DATA SECURITY: THE DISCUSSION DRAFT OF DATA PROTECTION LEGISLATION ======================================================================= HEARING before the SUBCOMMITTEE ON COMMERCE, TRADE, AND CONSUMER PROTECTION of the COMMITTEE ON ENERGY AND COMMERCE HOUSE OF REPRESENTATIVES ONE HUNDRED NINTH CONGRESS FIRST SESSION __________ JULY 28, 2005 __________ Serial No. 109-48 __________ Printed for the use of the Committee on Energy and Commerce Available via the World Wide Web: http://www.access.gpo.gov/congress/ house __________ U.S. GOVERNMENT PRINTING OFFICE 22-989PDF WASHINGTON : 2005 _________________________________________________________________ For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 ------------------------------ COMMITTEE ON ENERGY AND COMMERCE JOE BARTON, Texas, Chairman RALPH M. HALL, Texas JOHN D. DINGELL, Michigan MICHAEL BILIRAKIS, Florida Ranking Member Vice Chairman HENRY A. WAXMAN, California FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts CLIFF STEARNS, Florida RICK BOUCHER, Virginia PAUL E. GILLMOR, Ohio EDOLPHUS TOWNS, New York NATHAN DEAL, Georgia FRANK PALLONE, Jr., New Jersey ED WHITFIELD, Kentucky SHERROD BROWN, Ohio CHARLIE NORWOOD, Georgia BART GORDON, Tennessee BARBARA CUBIN, Wyoming BOBBY L. RUSH, Illinois JOHN SHIMKUS, Illinois ANNA G. ESHOO, California HEATHER WILSON, New Mexico BART STUPAK, Michigan JOHN B. SHADEGG, Arizona ELIOT L. ENGEL, New York CHARLES W. ``CHIP'' PICKERING, ALBERT R. WYNN, Maryland Mississippi, Vice Chairman GENE GREEN, Texas VITO FOSSELLA, New York TED STRICKLAND, Ohio ROY BLUNT, Missouri DIANA DeGETTE, Colorado STEVE BUYER, Indiana LOIS CAPPS, California GEORGE RADANOVICH, California MIKE DOYLE, Pennsylvania CHARLES F. BASS, New Hampshire TOM ALLEN, Maine JOSEPH R. PITTS, Pennsylvania JIM DAVIS, Florida MARY BONO, California JAN SCHAKOWSKY, Illinois GREG WALDEN, Oregon HILDA L. SOLIS, California LEE TERRY, Nebraska CHARLES A. GONZALEZ, Texas MIKE FERGUSON, New Jersey JAY INSLEE, Washington MIKE ROGERS, Michigan TAMMY BALDWIN, Wisconsin C.L. ``BUTCH'' OTTER, Idaho MIKE ROSS, Arkansas SUE MYRICK, North Carolina JOHN SULLIVAN, Oklahoma TIM MURPHY, Pennsylvania MICHAEL C. BURGESS, Texas MARSHA BLACKBURN, Tennessee Bud Albright, Staff Director David Cavicke, Deputy Staff Director and General Counsel Reid P.F. Stuntz, Minority Staff Director and Chief Counsel ______ Subcommittee on Commerce, Trade, and Consumer Protection CLIFF STEARNS, Florida, Chairman FRED UPTON, Michigan JAN SCHAKOWSKY, Illinois NATHAN DEAL, Georgia Ranking Member BARBARA CUBIN, Wyoming MIKE ROSS, Arkansas GEORGE RADANOVICH, California EDWARD J. MARKEY, Massachusetts CHARLES F. BASS, New Hampshire EDOLPHUS TOWNS, New York JOSEPH R. PITTS, Pennsylvania SHERROD BROWN, Ohio MARY BONO, California BOBBY L. RUSH, Illinois LEE TERRY, Nebraska GENE GREEN, Texas MIKE FERGUSON, New Jersey TED STRICKLAND, Ohio MIKE ROGERS, Michigan DIANA DeGETTE, Colorado C.L. ``BUTCH'' OTTER, Idaho JIM DAVIS, Florida SUE MYRICK, North Carolina CHARLES A. GONZALEZ, Texas TIM MURPHY, Pennsylvania TAMMY BALDWIN, Wisconsin MARSHA BLACKBURN, Tennessee JOHN D. DINGELL, Michigan, JOE BARTON, Texas, (Ex Officio) (Ex Officio) (ii) C O N T E N T S __________ Page Testimony of: Burton, Daniel, Vice President of Government Affairs, Entrust, Inc............................................... 35 Hintze, Michael, Senior Attorney, Microsoft Corporation...... 19 Hoofnagle, Chris, Senior Counsel and Director, Electronic Privacy Information Center, West Coast Office.............. 27 Maier, Fran, Executive Director and President, TRUSTe........ 13 Additional material submitted for the record: Retail Industry Leaders Association, statement for the record 53 (iii) DATA SECURITY: THE DISCUSSION DRAFT OF DATA PROTECTION LEGISLATION ---------- THURSDAY, JULY 28, 2005 House of Representatives, Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection, Washington, DC. The subcommittee met, pursuant to notice, at 10:07 a.m., in room 2123, Rayburn House Office Building, Hon. Cliff Stearns (chairman) presiding. Members present: Representatives Stearns, Pitts, Terry, Blackburn, Barton (ex officio), Towns, Green, Gonzalez, and Baldwin. Staff present: David Cavicke, general counsel; Chris Leahy, policy coordinator; Shannon Jacquot, counsel; Will Carty, professional staff; Billy Harvard, clerk; Chad Grant, clerk; Kevin Schweers, communications director; Terry Lane, deputy communications director; Consuela Washington, senior minority counsel; Jessica McNiece, minority research assistant; and Edith Holleman, minority counsel. Mr. Stearns. Good morning. I would like to thank, first of all, the witnesses for coming before us today and to offer their comments and suggestions and helping us to craft a better bill and a workable data protection bill that will greatly improve the protection and security for all consumers and their data. Data security breaches are an alarming trend that seems to be increasing hand in hand with the cases of identity theft and financial fraud in the United States. Identity theft and financial fraud represents the fastest growing criminal enterprise in the United States. As we learned from the Federal Trade Commission in several previous hearings, a recent survey showed that almost 10 million people in the United States discovered that they were involved in some sort of identity theft. That figure translates into almost $50 billion in losses for businesses and of course $5 billion for consumers. Consumer data breaches and related identity theft crimes threaten not only the financial and personal security of every consumer in the United States, but also have the potential to disrupt and impede commercial activity in every sector of our economy. Now, not surprisingly, there are now indications that consumer confidence in Internet-based and electronic transactions is starting to wane as reports mount about breaches potentially affecting millions of Americans. Regardless of statistics and trends, I would bet that a significant percentage of us in the committee room today have been touched personally by this problem. I also believe that we can not rely solely on law enforcement and existing law for protection against breaches and related criminal activity in this area. The Congress, and this committee in particular, is charged with the responsibility to ensure that the entities possessing and dealing in sensitive consumer data keep the doors locked and the alarm on. We intend to live up to that responsibility. The health of our modern network system of commerce demands this and all consumers deserve this. Data, especially personal data, is the currency of the digital world. Given the sheer scope and interconnectivity of our fast-moving commercial environment, one simple mistake or oversight can leave all of us vulnerable to the lone criminal with the ability to victimize millions in an instant. Unfortunately, the crooks have discovered a lucrative new enterprise exploiting such vulnerabilities. And it is up to us to shut them down before they destroy the integrity of the data-driven commercial system that so many of us rely on. I believe consumers, businesses, and other important stakeholders must be empowered with adequate information to assess data security risk and provide sufficient incentives to encourage the most appropriate means, technical or otherwise, to enhance data security. My colleagues, at the most basic level, our bill would create a uniform national data breach notification regime based on risk of potential harm from identity theft. The bill also incorporates a number of provisions related to my earlier privacy bill that are intended to provide security guidelines for entities that keep personal data. I believe that once these practices are embraced, renewed consumer confidence in e- commerce and its multitude of applications will lead to even better data security in the marketplace. We need to promote the notion that security sells. Specifically, our bill contains three major elements. The first major element of the bill directs the Federal Trade Commission to develop rules for data security, including requirements that entities in possession of personal data have a security policy, have someone designated as responsible for that policy, and have a process for taking preventive and corrective action to ensure that policy is as robust as required. Two, the second main element of the bill relates to the special case of information brokers, which are defined in the draft as ``companies whose primary business is to compile and sell consumer data to third parties''. The bill requires these entities to submit their security policy to the Federal Trade Commission for audit and approval on an annual basis. In addition, any information broker is required to provide those who ask a free report of what information the entity holds on that individual. And last, the last element establishes a national uniform standard for consumer notification when there is a security breach. A security breach is defined using a risk-based standard that relates to the probability that the security breach results in a reasonable basis to conclude that identity theft may occur. The bill requires timely notification, both electronic and through the mail, of consumers affected. There are also a number of provisions relating to substitute notices in cases where there is a requirement of unduly burdensome to a business given its financial conditions. I look forward to the comments on our draft bill and would like to emphasize that the committee intends to develop this legislation through a bipartisan and open process that allows for constructive debate and discussion. We will solicit at least one or more rounds of comments and work hard to continue to refine the bill to best achieve effectiveness with this balance. So I look forward to our testimony by our witnesses today and working together with them on this important piece of legislation. [The prepared statement of Hon. Clifford Stearns follows;] Prepared Statement of Hon. Clifford Stearns, Chairman, Subcommittee on Commerce, Trade, and Consumer Protection Good morning. I first would like to thank the witnesses before us today as well as all who have offered comments and suggestions assisting our important work in crafting a robust and workable data protection bill that will improve greatly the protection and security of consumer data. Data security breaches are an alarming trend that seems to be increasing hand-in-hand with the cases of identity theft and financial fraud in the United States. Identity theft and financial fraud represent the fastest growing criminal enterprise in America. As we learned from the Federal Trade Commission in several previous hearings, a recent survey showed that almost 10 million people in the United States discovered that they are involved in some sort of identity theft. That figure translates into almost $50 billion in losses for business and $5 billion for consumers. Consumer data breaches and related identity theft crimes threaten not only the financial and personal security of every consumer in America but also have the potential to disrupt and impede commercial activity in every sector of the U.S. economy. Not surprisingly, there are now indications that consumer confidence in Internet-based and other electronic transactions is starting to wane as reports mount about breaches potentially affecting millions. Regardless of statistics and trends, I'd bet that a significant percentage of us in the committee room today have been touched personally by this menace. I also believe that we cannot rely solely on law enforcement and existing law for protection against breaches and related criminal activity in this area. The Congress and this great Committee, in particular, are charged with the responsibility to ensure that the entities possessing and dealing in sensitive consumer data keep the doors locked and the alarm on. We intend to live up to that responsibility. The health of our modern networked system of commerce demands this, and all consumers deserve this. Data, especially personal data, is the currency of the digital world. Given the sheer scope and interconnectivity of our fast-moving commercial environment, one simple mistake or oversight can leave all of us vulnerable to the lone criminal with the ability to victimize millions in an instant. Unfortunately, the crooks have discovered a lucrative new enterprise exploiting such vulnerabilities, and it's up to us to shut them down before they destroy the integrity of the data-driven commercial system that so many rely on. I believe consumers, business, and other important stakeholders must be empowered with adequate information to assess data security risk and provided sufficient incentive to encourage the most appropriate means, technical or otherwise, to enhance data security. At the most basic level, our bill will create a uniform, national data breach notification regime based on risk of potential harm from identity theft. The bill also incorporates a number of provisions related to my earlier privacy bill that are intended to provide security guidelines for entities that keep personal data. I believe that once these practices are embraced, renewed consumer confidence in e-commerce and its multitude of applications will lead to even better data security in the marketplace. We need to promote the notion that SECURITY SELLS. Specifically, our bill contains three major elements: The first major element of the draft bill directs the Federal Trade Commission to develop rules for data security, including requirements that entities in possession of personal data have a security policy, have someone designated as responsible for that policy, and have a process for taking preventive and corrective action to ensure that policy is as robust as needed. The second main element of the bill relates to the special case of ``information brokers'', which are defined in the draft as companies whose primary business is to compile and sell consumer data to third parties. The bill requires these entities to submit their security policy to the Federal Trade Commission for audit and approval on an annual basis. In addition, any information broker is required to provide those who ask a free report on what information the entity holds on that individual. The last element establishes a national, uniform standard for consumer notification when there is a security breach. A security breach is defined using a risk-based standard that relates to the probability that the security breach results in ``a reasonable basis to conclude'' that identity theft may occur. The bill requires timely notification, both electronic and through the mail, of consumers affected. There also are a number of provisions relating to substitute notice in cases where this requirement may be unduly burdensome to a business given its financial condition. I look forward to the comments on our draft bill and would like to emphasize that the Committee intends to develop the legislation through a bipartisan and open process that allows for constructive debate and discussion. We will solicit at least one more round of comments and will work hard to continue to refine the bill to best achieve effectiveness with balance. I look forward to the testimony of our witnesses and to working together on this very important piece of legislation. Thank you. Mr. Stearns. And with that, the distinguished member from New York, Ranking Member Towns. Thank you. Mr. Towns. Thank you very much, Mr. Chairman. Let me begin by first thanking you for holding this hearing. And I would like to ask to place the 43 stakeholders' comments in the record. Mr. Stearns. By unanimous consent, so ordered. [The list of industry comments follow:] data security discussion draft--industry comments 1. American Bankers Association; 2. Business Software Alliance; 3. Center for Democracy and Technology; 4. Consumers Union; 5. Cyber Security Industry Alliance; 6. Direct Marketing Association; 7. Dun & Bradstreet; 8. eBay Inc.; 9. Electronic Privacy Information Center; 10. Entrust Inc.; 11. Experian; 12. Federal Reserve Board; 13. Federal Trade Commission; 14. Financial Services Roundtable; 15. First Data Corporation; 16. GC Services Limited Partnership ; 17. ID Analytics; 18. IdTheftAwareness--``The Real Danny Lents''; 19. Internet Commerce Coalition; 20. Internet Security Alliance; 21. Intersections Inc.; 22. MIB Group, Inc.; 23. Microsoft Corporation; 24. National Association for Information Destruction, Inc.; 25. National Automobile Dealers Association; 26. National Business Coalition; 27. National Council of Investigation & Security Services, Inc.; 28. Peter Kiewit Institute; 29 The Progress & Freedom Foundation; 30. Reed Elsevier Inc.; 31. Retail Industry Leaders Association; 32. Software & Information Industry Association; 33. Prof. Daniel J. Solove/George Washington Univ. Law School; 34. TALX; 35. Time Warner Inc.; 36. TRUSTe; 37. US Oncology, Inc.; 38. U.S. PIRG; 39. Viacom; 40. VISA U.S.A.; 41. Vontu Inc.; 42. Wexler & Walker PPA; and 43. Yahoo! Inc. Mr. Towns. Since we last met, the privacy of our constituencies have been compromised further, and their worries have increased tenfold. I was encouraged by the feedback that we received at our previous hearings. But there is much more work that needs to be done. The discussion draft that was recently circulated includes important requirements relating to information security programs and security breach notices, but recent security breaches have revealed that consumers also care about the lack of transparency as to how companies are using and to whom they are disclosing their personal information. I was pleased to see that the draft includes a trigger for notification purposes. Chairman Stearns and Ranking Member Schakowsky and the rest of my colleagues would agree that this issue has haunted us for too long. It seems as though a new data security breach happens bimonthly, resulting in destroyed bank accounts and financial headaches. As we begin to depend on technology more than ever, we must put our citizens' privacy at the top of our priority list. I hope the FTC is ready to help to stem the tide of identity theft and end the financial destruction that has plagued our constituents and web users worldwide. I look forward, Mr. Chairman, to working with you and the members of this committee to stem this very serious problem, because the more I travel back and forth into my District on the plane and wherever, you hear these horrible stories. I think the time has come to put an end to it. On that note, I yield back. [The prepared statement of Hon. Edolphus Towns follows:] Prepared Statement of Hon. Ed Towns, a Representative in Congress from the State of New York Thank you Mr. Chairman for holding this important hearing. Since we last met, the privacy of our constituents have been compromised further and their worries have increased ten-fold. I was encouraged by the feedback that we received in our previous hearings, but there is much more work to be done. The Discussion Draft that was recently circulated includes important requirements relating to information security programs and security breach notices. But recent security breaches have revealed that consumers also care about the lack of transparency as to how companies are using and to whom they are disclosing their personal information in the first place. I was pleased to see that the draft includes a ``trigger'' for notification purposes. No one likes to be inundated with dozens and dozens of risk-related notices, and I agree that warnings should only be sent when there are severe breaches capable of significant consumer burden. I think that Chairman Stearns, Ranking Member Schakowsky and the rest of my colleagues would agree that this issue has haunted us for too long. It seems as though a new data security breach happens bi- monthly, resulting in destroyed bank accounts and financial headaches. As we begin to depend on technology more than ever before, we must put our citizens' privacy at the top of the priority list. In July 18th's Wall Street Journal, Bill Hancock, Chief Security Officer of Savis, Inc., a major internet service provider, is quoted as saying, ``What people can do on computer networks and what they can find has increased ten-fold from a few years ago.'' He went on to state that ``Evil intent is easier than ever.'' I hope the FTC is ready to help to stem the tide of identity theft and end the financial destruction that has plagued our constituents and web users worldwide. I look forward to monitoring the positive developments that are sure to stem from our committee draft. Thank you. Mr. Stearns. I thank my colleague. The gentleman, Mr. Pitts, is recognized. [No response.] Mr. Stearns. The gentleman waives. Mr. Gonzalez. Mr. Gonzalez. Thank you very much, Mr. Chairman. Again, I commend your continuous efforts. You have been on this issue for some time, and I appreciate you calling this particular hearing. I will be brief, but I will also request that my written statement be submitted in its entirety by unanimous consent. Mr. Stearns. With the record's consent, so ordered. Mr. Gonzalez. I guess what we are trying to find out today, and I appreciate the presence of the witnesses. Many times I feel that you all come here and give us the benefit of your knowledge and experience, and then you feel that maybe we are not listening, but the truth is, we have a record, we have your statements, and we do make reference to them as we proceed with this piece of legislation. My only observation is that we deal with this in a realistic framework and that is what is happening out there, what is it possible that you bring to this. We need your suggestions and recommendations. And that our policies will affect the abilities that technology give us today, we can't go out there and impose on what is going on out there in commerce and such, conditions that could never be met, technologically or otherwise. But I think that there can be certain compromises that still address the chief concerns as expressed by my constituents when we have town hall meetings. The greatest attendance that I have had in any town hall meeting, I guess second to Social Security, has been ID theft. It is out there. It is tremendous. And working together, hopefully we will come up again with a feasible, viable answer. The problem with technology, and I have said this before about technology, I guess it is the old proverbial key that opens the gates to paradise, but it is the same key that can open the gates to hell. And so somehow, we avoid that and do the best that we can. And again, thank you very much for your participation, and I yield back. [The prepared statement of Hon. Charles A. Gonzalez follows:] Prepared Statement of Hon. Charles A. Gonzalez, a Representative in Congress from the State of Texas Mr. Chairman, thank you for holding today's hearing on the discussion draft data protection bill that this subcommittee is developing. I would particularly like to thank both the majority and minority staff for their work on this. I know that they have been called upon in recent days and weeks to put many hours into other legislative items related to the Energy and Commerce Committee, so I especially appreciate their attention to this legislation. This discussion draft provides us with an excellent starting point for addressing the rash of data breaches that have been threatening the privacy and financial standing of consumers across America. I look forward to working with you, Mr. Chairman, the Ranking Member, and other members of this subcommittee to further build on the draft before us today. The problem of data security, and the risk of identity theft that it carries, is a serious concern to people. I know that in my own district in San Antonio, public attention is strong. I held a town hall meeting in my district in May, which brought together the Federal Trade Commission and federal and local law enforcement. The turnout from the public was impressive. And despite being in an auditorium without air- conditioning for over two hours, almost the entire audience stayed to the very end and asked many questions. The bottom line is that people want assurances that their private information is handled securely and that breaches in data security are handled swiftly and effectively. As we move forward with this legislation, I hope that we can have an end-product that adheres, as much as realistically possible, to the principle of ``don't collect it if you can't protect it.'' In other words, companies and organizations should not be collecting personal information from individuals if they are not going to be able to reasonably ensure the security of that information. In addition to the provisions already in the discussion draft, I would like to also consider several related issues. First: how we deal with paper records. ``Dumpster diving'' is a prevalent practice in which identity thieves go through dumpsters to find documents with individuals' personal information. San Antonio local law enforcement has cited this practice as one of the most prevalent forms of identity theft. We should explore the feasibility of including provisions in this bill to require companies to shred or otherwise destroy documents with individuals' personal information before throwing them away. Second, the draft bill gives the individual the right to get a free report on what data the information broker companies hold on that individual. If individuals feel the information in the broker's database is inaccurate, they should be able to add supplementary information to their file to clarify the existing information. Third. Under the draft bill's data breach notification requirements, a ``substitute notice'' system is established for companies that cannot afford to send a letter to every individual affected by a breach, or if they do not have complete addresses for those individuals. Substitute notification consists of the company alerting the media and posting a message on their website. We may want to consider whether the bill should also require that these companies notify the FTC and that the FTC maintain a central public website listing all data breaches, along with information for consumers on how to contact those companies and determine if their own personal data was compromised. I know that private websites with a similar intent have been established, but it may strengthen consumers' confidence to have such a function permanently and reliably carried out by the FTC. Finally, as I represent a district with a sizable population of Spanish-speakers, I would like to explore how we can ensure that these consumers and other language minorities, who are heavily targeted by companies for their business, are able to access notices sent to consumers about data breaches. We need to ensure that these notices are available in a language that these consumers can understand. Thank you Mr. Chairman. I look forward to hearing from our witnesses today, and to working with you on this subject. Mr. Stearns. The gentleman yields back. The gentlelady from Tennessee is recognized. Ms. Blackburn. Thank you, Mr. Chairman. I want to thank the chairman for holding this hearing and for the witnesses for taking your time and being here with us today. Many constituents in my District have expressed to me their concerns about identity theft, and we recently held a workshop, an identity theft workshop, in our District. It was enlightening. It was well attended. And it was something that we gained some information from, so we are looking forward to hearing what you have to say. And as this committee examines steps to prevent identity theft, we must ensure that companies and individuals are not burdened with unnecessary regulations, but that they have opportunities for privacy protection. Congress should focus on reasonable security measures that will protect personal information and provide enforcement mechanisms to penalize companies that readily buy and sell information on us to unscrupulous entities who will exploit our identities for their personal gain. Today, this committee looks at draft legislation on data security, which I believe is a good step, a good first step, in addressing the problem. I commend Chairman Barton and our subcommittee chairman for their efforts on this issue. And again, I thank you. We look forward to hearing your input. Thank you. Mr. Stearns. Thank you. The gentlelady from Wisconsin. Ms. Baldwin. Thank you, Mr. Chairman. I am also pleased that we are having this hearing today, Mr. Chairman, and our witnesses. This is an increasingly important question how we protect our sensitive personal information from theft and abuse. And the statistics are staggering. The 10 million Americans who were affected by identity theft in the year 2004, it is pretty staggering. Access to the right data bases and the touch of a button or two allows access to vast amounts of information about a person, things like date of birth, Social Security number, credit rating, debts, loans, insurance claims, magazine subscriptions, even DNA. American consumers deserve to have their personal information protected. And I am pleased that our subcommittee will act soon to address this. And I also agree that the discussion draft before us is a good first step. But as we consider next steps, changes, modifications, there are a number of issues that we need to address and questions we will need to answer, questions such as should we preempt State laws, and if so, how broad a preemption is appropriate. When should consumers be notified of data breaches and who decides? Should the FTC maintain public notices, public information about data breaches? Do we need to reach beyond our committee's jurisdiction to adequately address this problem? Should we exempt encrypted data? What role should States have in prevention and enforcement? So today, I hope our witnesses will articulate ways in which we can protect consumers from identity theft and misuse of their personal data and hopefully help us explore the answers to those questions. Thank you, Mr. Chairman, I yield back. Mr. Stearns. I thank the gentlelady. Mr. Green, the gentleman from Texas. Mr. Green. Thank you, Mr. Chairman. I would like to thank both you and our ranking member for taking lead on this issue and holding this important hearing. I would like to welcome our witnesses and thank you for your cooperation and being here and sharing your knowledge and experience. It is imperative for us when we begin drafting legislation to combat identity theft and data theft that we have the experience from the business community, so we make sure we pass legislation that really will do the job and again still allow us to enjoy the benefits of what we do. The committee has held four hearings since the fall of 2004, and we have had a lot of discussions on passing a bill on data security, and I believe the bill, as drafted, is a good start. I want to bring up a couple of issues, though, I have some concern on. The preemption issue, special attention to that provision. Currently, several States have stronger policies when it comes to data security that we are proposing, and we are proposing, furthermore, 18 States that have passed breach notification laws, all of them, including my home State of Texas, offer an encryption safe harbor. And I believe you should look at issues such as encryption and mask data to serve as a second form of defense. It is frustrating, because in March we heard testimony from Choice Point and Lexus Nexus, because both of these companies had a recent experience of breach in their security, and at that time, Lexus Nexus had almost 32,000 people affected. Well, then a few weeks later, we really found out it was 300,000 that may have been affected by the breach in security. And identity theft is the No. 1 crime in our country. In fact, it is getting worse all of the time. In our District, we have done identity theft workshops for our constituents, but you know, it is a very small group. We have to do something more for the mass of people who have that fear. And these workshops, even those only work when credit- reporting agencies and financial institutions and data brokers do their job to make sure information doesn't fall into the wrong hands. We are all a number now, and most often, it is our Social Security number, and every financial institution uses that number, including when I had to rent a U-Haul truck, Mr. Chairman, they wanted my Social Security number. And I said, ``Why?'' And they said, ``Well, we just require it.'' And I said, ``Well, I don't want to rent the truck.'' And they said I didn't have to. And that is what I suggest to my constituents. If it doesn't have anything to do with taxes or payroll, then just say no, or credit. And you can do that. But I still like to get the credit to use some other identifying number. And I know a lot of States are working on that. Our current systems of laws addressing the problem are piece meal. We have the Fair Credit Reporting Act. We have the Federal Trade Commission that addresses unfair and deceptive practices. We have separate laws and driver's license data. So what we need to do, Mr. Chairman, I am glad you are taking the lead in putting this together. And I would hope we would still look at empowering the States and just an example, when Congresswoman Heather Wilson and I worked on the stand for so many years, we ended up the compromises that we wanted uniform standards around the country, but we also still empowered the State Attorney Generals to be able to do their job as consumer representatives, but they had to use Federal law to do it. And as long as we pass a strong law and still empower the States in addition to whatever the FTC or whatever agency we give this authority to. But I look forward to participating and working on not only the hearing today but also in the drafting of legislation. Thank you. Mr. Stearns. I thank the gentleman. And I thank him for considering ways to do this in a bipartisan fashion. I don't think there are any more members, so let me welcome---- Mr. Towns. Mr. Chairman, will you yield for one moment? Mr. Stearns. Yes. Yes. Mr. Towns. I ask unanimous consent that we place the statement of Ranking Member Jan Schakowsky in the record. She has a family emergency. Mr. Stearns. I heard that, and I am sorry to hear that. So with unanimous consent, so ordered. I appreciate you doing that. [Additional statements submitted for the record follow:] Prepared Statement of Hon. Joe Barton, Chairman, Committee on Energy and Commerce Thank you, Chairman Stearns, for holding this hearing today and for your good leadership on data security issues. Millions of records in other people's computers define and describe our lives. The recent rash of security breaches has made us keenly aware of just how vulnerable our records are to release through inept data security practices or, worse, intentional theft. Past hearings at this Subcommittee have explored those breaches and exposed the gaps in protection. Today, the Committee puts forth a bipartisan draft that aims to fill the gaps in protection. I want to thank Chairman Stearns, Ranking Member Schakowsky of the subcommittee, Ranking Member Dingell of the full committee, and all of the staffs for their work on this bipartisan discussion draft. I am pleased with the careful consideration this Committee is giving to this important issue. Our goal is to work with industry and consumer groups in developing this legislation to encourage a culture of strong data security. Data security has not been the priority it ought to be and must become. I hope that the testimony we receive here today will help us to perfect the draft bill. There are two critical components to the draft bill: One, a legal requirement for establishing and implementing information security practices; and Two, notification requirements in the event of a security breach. In mandating information security policies, we hope to strike the right balance between ensuring real protection for consumers without halting the evolution of technology and best practices. We would be remiss not to mandate robust security for personal information, but we'll do it in a way that allows companies to implement the security measures most effective for the types of information they maintain. I would like to point out that the draft bill does not yet include guidelines for what companies must include in their information security policies. I believe guidelines similar to those of the FTC's Gramm-Leach-Bliley Safeguards Rule are a good place to start. I request that our panel of experts provide the Committee with some guidance on this issue. Over the August recess, we will be perfecting the draft and readying it for introduction, and your guidance will be an important part of that preparation. We have also been careful in crafting the notification requirements of the bill. While consumers ought to be notified when a breach of their information puts them at risk for identity theft, they should not be showered with warnings when there is no risk. The notification requirement of the bill has a trigger to avoid both ``over- notification'' and ``under-notification''. The bill provides that notice should be prompt and meaningful so that consumers can best shield themselves from identity theft. The draft bill also places additional requirements on information brokers, those who trade in non-customer data. Because the normal market incentives for protecting customer information are absent or diminished with this business model, the draft imposes federally supervised security audit requirements for these entities. I plan to move data security legislation though this Committee in September, and I hope that we can get a bill signed into law this Congress. I would also like to mention that I support Congressman Clay Shaw's bill protecting individual Social Security numbers. I will do my part to quickly move the portions of the bill that are within our Committee's jurisdiction, once we get a referral of the bill. I thank the witnesses for participating in the hearing today and look forward to your testimony on the draft legislation. Thank you Mr. Chairman, I yield back the balance of my time. ______ Prepared Statement of Hon. Jan Schakowsky, a Representative in Congress from the State of Illinois Thank you, Chairman Stearns, for holding today's hearing on our draft legislation to address the recent spate of security breaches of personal information. I would also like to thank Chairman Barton and Ranking Member Dingell for working with us to protect consumers' personal information where current business practices and data security laws have failed to do so. The time has come for us to ensure that personally-identifiable information is protected and that consumers are notified when their information has been compromised. In the last five months alone, over 50 million consumers have had their personal information lost, stolen, hacked into, exposed online, or sold by corrupt insiders--and through no fault of their own. Personal information is being collected, transferred, and sold everyday. Consumers are told that if they want to rent an apartment, buy a pair of shoes, or contribute to a university, they have to divulge their name, address, Social Security number, credit card number, mother's maiden name--and more--just to do so. So many consumers are willing to provide the key facts of their lives because they believe that since they are dealing with a well- known retailer, their alma mater, or an established bank, their personal information will be treated as just that--personal--and that it will be secure. Until recently, most people had no idea that the teenage hacker looking for some kicks and the most sophisticated crime rings alike were raiding the virtual treasure troves of personal information at businesses, universities, and information brokers. But, news of the breaches at DSW, Bank of America, and Boston College, to name a few, has made consumers and Congress alike realize that more needs to be done to protect consumers' personal information. The bill we have been working on seeks to stop the pillaging of personal information by raising the bar for the handling and security of consumers' data. It seeks to make information brokers--those whose business is to turn your name into a commodity--more accountable to consumers. The bill would also take California's groundbreaking idea-- that consumers have a right to know when their information has been compromised--and turn it into the standard for our country. The draft at hand is a good start, but we have to do more to make sure that we provide the best protection for consumers that we can. When we consider the scope of the information our bill covers, we need to remember that it does not matter to the victim of identity theft where their information was stolen from -a small business or a massive data broker, and it does not matter what form it was in--paper or electronic. It does not matter if access was gained by an outsider who was not authorized to do so or an insider who had the key to the encryption code. It does not matter if their file was the only one compromised or if it was one of thousands. We also must keep in mind that identity theft is not the only threat with which we should be concerned. Information in the wrong hands could put domestic violence and stalkers' victims' lives at risk. Additionally, consumers need to know more than that their information is secure. Since data brokers sell personal information to those who will decide whether consumers will get jobs, roofs over their heads, and even whether they have the legal right to vote, consumers must have the right to make sure that the information that is meant to represent what kind of risk they are to employers, landlords, and the local government is correct. We have heard claims from information brokers that allowing consumers to correct their files would be difficult to do because much of the data they have is from public records and the brokers do not have the legal authority to correct them. However, I believe we should not throw up our hands and say that nothing can be done. I believe that if consumers question the accuracy of their files, data brokers could-- at a minimum--``flag'' that information to let those using the files know that there is a question of the accuracy of the file. And, a common problem with inaccurate reports is not that the original record is incorrect, but that one person's file has been mixed with another's. For instance, my file may be mixed with a Jean Schakowsky's or Jan Stockowski--or both. I believe that data brokers should be compelled to fix those ``mixed files.'' Consumers must have every opportunity possible to set the record straight because of the impact incorrect information can have on their lives. Finally, I believe it is important that we establish a strong federal standard so that we do not have to worry about preempting 50 state laws. While I can understand the desire to see one federal standard, I believe that if we set the floor high enough, states will not have to go beyond our requirements. Because so many states have beat us to protecting consumers--including Illinois, Florida, and Texas-- I believe we must exercise great caution when we consider how we will contend with state laws on data security and breach notification. Once again, Mr. Chairman, I look forward to working with you on our common goal of protecting consumers. Although there are many issues that are still on the table, I think that using consumers' rights and safety as our guiding principles, we will be in good shape. Thank you. ______ Prepared Statement of Hon. Edward J. Markey, a Representative in Congress from the State of Massachusetts Mr. Chairman, thank you for holding this important hearing today. Mr. Chairman, on March 15th, following massive breaches of personal information at ChoicePoint, Bank of America and LexisNexis, you wisely convened a hearing in this Subcommittee to question executives from major data profiling firms. This hearing provided important momentum for ongoing efforts to strengthen privacy protections for the millions of Americans whose private information is gathered by data merchants who view our Social Security numbers, credit records and other sensitive personal information as commodities to be bought and sold for a profit. Since the Subcommittee hearing, a tidal wave of personal data has gushed from a long list of data brokers, public companies, universities, financial institutions, high schools, hospitals and other organizations. The Privacy Rights Clearinghouse has reported that more than 48 million personal records have been lost or stolen over the past four months alone. Mr. Chairman, today's hearing on draft legislation you are preparing in collaboration with the Democrats on the Committee is another step towards providing Americans with increased control over their most precious and private personal information. I commend you for your efforts to date.As you know, Mr. Chairman, the draft bill defines personal information as ``an individual's first and last name in combination with any 1 or more of the following data elements for that individual: Social Security account number, driver's license number or other State identification number, financial account number, or credit or debit card number' that would enable access to an individual's financial account. [Sec. 5. Definitions, Page 9]. The bill also permits the Federal Trade Commission to modify this definition. [Sec.5. Definitions, Page 11]. Last week, the full Energy and Commerce Committee marked up H.R. 1132, legislation to provide grants to states for building or enhancing state-run prescription drug databases. These databases will contain personal information about patients--their name, address and phone number--along with the type of prescription, quantity dispensed, the number of refills and related data about the drugs they are prescribed that are subject to the bill's reporting requirement. I appreciate the Chairman's comments during last week's mark-up about the importance of securing this health information and notifying patients in the event that their electronic medical records are lost, stolen or used for an unauthorized purpose. As the data security bill before this Subcommittee evolves, I look forward to working with the Chairman to ensure that consumers' medical information is covered by the protections contained in this bill. I would also like to point out a few other areas of this draft legislation that deserve further review and adjustment. 1. The scope of the bill: As noted in the testimony provided by Fran Maier of Trust-e (TRUST-E), it appears that the bill, in its current form, does not cover personal information held by banks, unions, thrifts and government entities like the state-run databases that maintain records on patients and the prescription drugs they take. I agree with the Mr./Ms. Maier that when a consumer's personal information is leaked from a database, it matters not whether the information was leaked from a bank or a university or a state's department of health. This bill's privacy protections should be brought to bear whenever a consumer's personally-identifiable information is lost, stolen or divulged for an unauthorized purpose. 2. Pre-emption of state law: I am concerned that this bill would pre-empt stronger state laws. For example, because California has a law that requires consumer notification in the event of data breaches at financial firms and government institutions, consumers in California would be denied this protection if this bill were to become law, since it contains no such coverage and would pre-empt the California statute. 3. The trigger for notification: While the method and content of the consumer notification requirement in the bill is specific and detailed [Page 5], the conditions that trigger this notification are murky. For consumers to be notified of a breach that affects their personal information there must be a compromise of security that results in ``the acquisition of personal information by an unauthorized person that may result in identity theft.'' [Page 5] I would suggest that this trigger be expanded so that notification would occur if the information were lost, stolen or used for an unauthorized purpose. The ``identity theft test'' is too difficult to determine, particularly in the immediate aftermath of a breach, and there is other damage--beyond identity theft--that can be inflicted upon consumers by the misuse of their personal information. Consumers should be notified in these instances too, even if the breach may not result in someone stealing their entire identity. I commend the gentleman from Florida, Chairman Stearns, for holding today's hearing, and I look forward to working with you to refine this bill. I appreciate the witnesses appearing before us this morning and look forward to their testimony. Thank you. Mr. Stearns. We will ask the witnesses to come forward. We have Ms. Fran Maier, Executive Director and President of TRUSTe, San Francisco, California; Mr. Michael Hintze, Senior Attorney, Microsoft Corporation, Redmond, Washington; Mr. Chris Hoofnagle, Electronic Privacy Information Center, Senior Counsel and Director, West Coast office in San Francisco; and Mr. Daniel Burton, Vice President of Government Affairs, Entrust, Inc., McLean, Virginia. Ms. Maier, we welcome your opening statement. STATEMENTS OF FRAN MAIER, EXECUTIVE DIRECTOR AND PRESIDENT, TRUSTe; MICHAEL HINTZE, SENIOR ATTORNEY, MICROSOFT CORPORATION; CHRIS HOOFNAGLE, SENIOR COUNSEL AND DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER, WEST COAST OFFICE; AND DANIEL BURTON, VICE PRESIDENT OF GOVERNMENT AFFAIRS, ENTRUST, INC. Ms. Maier. Mr. Chairman---- Mr. Stearns. Yes, there is a little switch there. Ms. Maier. Hello. Mr. Stearns. Yes. Ms. Maier. Thank you. Mr. Stearns. Yes, that is good. Ms. Maier. Mr. Chairman, and members of the subcommittee, Ranking Member Towns, I want to thank you for the opportunity to address you today on this important proposed legislation and to tell you about TRUSTe's security guidelines, which we released earlier this year. TRUSTe is an online privacy leader. We have been around since 1997 as an independent, non-profit organization. As you mentioned, we come from San Francisco, adjacent to Silicon Valley, and we have been very close to the issues related to California's State Bill 1386. Our mission is to enable individuals and organizations to establish trusting relationships based on respect for their personal identity and information in the ever-evolving networked world. We are very concerned about Internet, and we are very concerned about trust and e-commerce. We have over 1,500 companies, their websites, who have been certified by TRUSTe's process and carry the TRUSTe trustmark, the green and black symbol you have seen. We are also approved as a safe harbor for Children's Online Privacy Protection Act with the FTC and by the U.S. Department of Commerce for the EU Safe Harbor. We are also deeply involved in e-mail practices. For example, we just launched a new e-mail privacy seal for websites, which is based on permission from consumers and allows a company to post a seal that says, ``We don't spam,'' if they meet the strict standards that we require. We also serve as an e-mail accreditation authority for Bonded Sender, one of the leading legitimate e-mail sender programs. Again, this is to address another issue that faces consumers in terms of spam. My remarks today will be brief and will focus first on TRUSTe's security guidelines and then specific thoughts on the proposed legislation. Our security guidelines were released in March of this year in consultation with many of our shareholders and others in industry. As you well know, privacy is closely intertwined with security. You can't really deliver privacy unless you have security. Security is necessary but not sufficient to deliver acceptable privacy to consumers. So we felt that it was very important for us to address security and to provide some guidelines for our members who are obviously engaged in and value privacy. The guidelines, of course, are expected to evolve, much as we expect this legislation to evolve, to address new technologies, new threats, and new consumer concerns. The guidelines are drafted in checklist form, and the reason why that is important is because small companies and large companies, depending on the size, depending on the kind of information they collect, might have different reasons or different expectations for the kind of security that they should abide by. Larger, more complex companies which handle data with the highest level of sensitivity will likely find it appropriate to adopt all of the recommended practices. However, smaller companies collecting less sensitive information may conclude that adopting only some set of these controls will still enable it to have a security program appropriate to the nature of data it collects and its consumers. The guidelines like the FTC's guidelines and others echo the structure that you could find at those other pieces of rules. For example, we have administrative rules. This includes drafting an internal security policy and appointing someone to be the executive in charge of security, which is similar to what you have proposed in the legislation before us. Administrative controls also include training of employees and other items such as procedures internally. Of course, a big part of security guidelines includes tentacle measures. This includes password practices, controlling employee access to sensitive information, ongoing monitoring, firewalls, vulnerability testing, and the like, and then finally physical controls which include monitoring access to data, securing one's data facilities, and those kinds of physical things, covering not only electronic data but also paper-based data. All of these guidelines can be found within TRUSTe's testimony that we submitted, and of course, on our website. Now let us turn to the proposed data protection breach notification legislation. We, of course, would like to applaud the committee on its hard work on the draft legislation. We believe that this is the right balance and mandates high standards and allows for flexibility in their implementation. And we think it also provides the right incentives for companies to put meaningful security safeguards into place in their own and consumers' best interests. We believe that the desire to minimize a potential negative publicity, brand damage, and embarrassment often resulting from the disclosure of a data breach has been proven to motivate companies to prioritize security much more highly than they otherwise would. We wish to focus on a couple provisions of the bill today. First of all, in terms of the scope of the legislation and the trigger for security breach. We appreciate, first, that the committee has put focus on the jurisdiction for the industry under which it has jurisdiction. However, from a consumer's perspective, when their information is breached, the particular industry or organization involved is irrelevant to them. We believe that consumers should enjoy the same level of protection regardless of the industry involved. So we would recommend that the jurisdiction extends to the financial services especially. In a related way, we would like to express concern about the scope and the definition of person under Section 5 Subsection 6 of the bill. We would urge the committee to expand the definition so that the scope of the legislation covers local, State, and Federal law. As you know, in California, it does cover the State government, which is really where the legislation in California came from. The second point that we would like to talk about is the definition and notice of breach of security. The current draft includes a trigger requirement for notice as a result in or there is a reasonable basis to conclude has resulted in the acquisition of personal information by an unauthorized person that may result in identity theft. The qualifier language ``that may result in identity theft'' we believe is subjective. Whether something may result in ID theft depends, in a large part, on the sophistication of the wrongful acquirer of the data. It is not feasible for the potential provider of the breach notice to definitively assess the skill level and sophistication of the wrongdoer and certainly not an intermediate aftermath of a breach, which is when such an assessment would have to be made. We would recommend the committee to consider altering this definition with a qualifier that is a bit more broad, one that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such personal information. There has been a question of whether or not a broader definition or a broader trigger may result in too many notices to consumers. We believe that the experience in the State of California, which the law has been in effect for over 2 years, seems to have struck the right balance. Consumers are receiving appropriately useful notices, and based on our own observations as well as our consultations with the staff of the California Office of Privacy Protection, that the law has not resulted in a---- Mr. Stearns. Ms. Maier, if you could, just sum up. Ms. Maier. That is great, sir. Thank you. Again, I very much appreciate being here. We look forward to working with you and hopefully discussing the creation of a safe harbor. And we thank you. [The prepared statement of Fran Maier follows:] Prepared Statement of Fran Maier, Executive Director and President of TRUSTe Chairman Stearns, Chairman Barton, Ranking Member Schakowsky, and members of the Subcommittee, I am Fran Maier, Executive Director and President of TRUSTe. I thank you for the opportunity to address the Subcommittee on this important proposed legislation and to tell you about TRUSTe's Security Guidelines, which we released earlier this year. TRUSTe is an independent, nonprofit organization with the mission to enable individuals and organizations to establish trusting relationships based on respect for personal identity and information in the evolving networked world. Through long-term supportive relationships with our licensees, extensive interactions with consumers in our Watchdog Dispute Resolution program, and with the support and guidance of many established companies and industry experts, TRUSTe has earned a reputation as the leader in promoting privacy policy disclosure, informed user consent, and consumer education. TRUSTe was founded in 1997 to act as an independent, unbiased trust entity, and we have earned our reputation as the leading builder of trusting relationships between companies and consumers. The TRUSTe privacy program--based on a branded online seal, the TRUSTe ``trustmark''ridges the gap between users' concerns over privacy and Web sites' needs for self-regulated information disclosure standards. In May 2001, the Federal Trade Commission approved TRUSTe's Children's Privacy Seal Program as a safe harbor under the Children's Online Privacy Protection Act. We are proud to have received that designation. Hundreds of thousands of young children who are active online are protected by our program, which currently includes some of the most popular Web sites, including www.disney.go.com, www.kids.msn.com, and www.epals.com. TRUSTe is also certified as a safe harbor program under the Safe Harbor Framework administered by the U.S. Department of Commerce for U.S. companies wishing to receive personal data from countries in the European Union (``EU''). Our EU Safe Harbor Seal Program gives companies assurance that they are in compliance with the Framework and, therefore, with national data protection laws in all EU member states. In addition to these efforts, TRUSTe is deeply involved in fostering best practices for email. We have just launched our permission-based Email Privacy Seal Program, which allows companies who agree to our strict standards to post a TRUSTe ``We Don't Spam'' seal on online and offline forms where they collect email addresses. We also serve as the email certification authority for senders of legitimate email who are members of the Bonded Sender Program. Finally, we are a California company, and we closely follow developments in California law, including the data breach notification law, to keep our licensees informed about compliance issues. We also work closely with the California Office of Privacy Protection in its ongoing efforts to provide guidance to businesses and consumers on privacy and security issues. truste's security guidelines In March of this year, TRUSTe issued our first version of Data Security Guidelines. As the Committee recognizes, privacy is very closely intertwined with security. We believe that security is necessary but not sufficient to giving consumers the privacy assurances they expect. In developing the Guidelines, we aimed to expand the reach of our expertise in privacy by providing our licensees and other members of the public a resource they can use as a foundation of responsible data security practices. The Guidelines are divided into three categories of safeguards: administrative, technical, and physical controls. This structure echoes that of the Federal Trade Commission (FTC's) Gramm Leach Bliley Safeguards Rule, which we discuss in further detail below. Administrative controls include, for example, drafting a written internal security policy, training employees, conducting ongoing security risk assessments, and establishing procedures in connection with external third parties (including vendors) with whom data is shared. Technical measures include controlling employee access to sensitive information on a need-to-know basis, establishing good password practices, ongoing monitoring to assess threats and vulnerabilities, and establishing incident response procedures. Finally, physical controls include practices such as monitoring legitimate access to data, establishing physical access controls, and securing one's data facilities. The Guidelines are drafted in checklist form so that companies can assess their own risk levels and adopt the corresponding appropriate level of recommended safeguard practices. Larger, more complex companies which handle data with the highest level of sensitivity will likely find it appropriate to adopt all the recommended practices, while a smaller company, collecting less sensitive information, may conclude that adopting only a subset of these controls will still enable it to have a security program appropriate to the nature of the data it collects and handles. We anticipate that our Guidelines will evolve over time to reflect emerging technologies and business issues that may impact the safety, security and quality of sensitive or confidential information used by TRUSTe's licensees. We have attached the Guidelines as an appendix to our testimony, for the Committee's review. The Guidelines are also posted on our Web site at http://www.truste.org/pdf/ SecurityGuidelines.pdf. the proposed data protection and breach notification legislation TRUSTe applauds the Committee on its work on the draft legislation to date. We believe the bill strikes the right balance by both mandating high standards and allowing for flexibility in their implementation. As a result, the bill provides the right incentives for companies to put meaningful security safeguards into place in their own, and consumers', best interests. In addition to imposing security standards directly, we believe the draft legislation will fundamentally empower consumers to take action to minimize the potential impact of ID theft. The desire to minimize the potential negative publicity, brand damage, and embarrassment often resulting from the disclosure of a data breach has been proven to motivate companies to prioritize security. The market-driven, non-prescriptive approach you have chosen will encourage companies to protect personal information. We wish to highlight a few specific provisions in the bill. scope of the legislation As the bill's jurisdictional limits are those of the Federal Trade Commission Act, it does not cover banks, unions, thrifts, and common carriers. We appreciate that the Committee has crafted a bill that applies to industries under its jurisdiction, and we understand that the House Financial Services Committee, and the Senate Banking Committee, are working on parallel legislation governing entities within their jurisdiction. We support these efforts. From a consumer's perspective, when a database is breached, the particular industry involved is irrelevant. We believe that consumers should enjoy the same level of protection, regardless of the industry involved. Thus, we believe that the legislation's requirements should extend across all industries. For instance, insurance institutions would not be reached by the scope of this bill. Those financial institutions that are regulated under the Gramm Leach Bliley Act have no requirement to provide breach notices; therefore it would be appropriate to exempt financial institutions from the requirements of section 2, but not from section 3. In fact, were this legislation to become law with the current preemption language, California residents would have less protection than they do now under the California data breach notification statute since it applies to financial institutions. In the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. 6501-6505, Congress gave enforcement authority to the appropriate regulatory agencies over industries not regulated under the FTC Act. Perhaps the COPPA model could be followed here. The Committee has doubtless considered the role of vendors or service providers in the context of breach notices. The Federal Trade Commission (FTC's) GLB Safeguards Rule expressly recognizes the responsibility which principals must take for the security practices of their service providers (section 314.4(d)), and we recommend that the Committee consider adhering to this philosophy in the context of this legislation, also. The California data breach notification statute imposes specific responsibilities on service providers (i.e., those not having a direct relationship with the consumer, and acting on someone else's behalf) to notify the party who does have the direct relationship. This allows the principal to maintain control of the notification process, and ensures that it has the right to be notified itself in case of a breach by a service provider. The California law defines service providers as those who do not ``own'' the data in question. Since in the customer's eyes their relationship is with the principal, from the customer's perspective, the principal is responsible for the service provider's breach. If the consumer has a relationship with the company (i.e., it's not a data broker situation), then it is proper for the consumer to hear about the breach from the principal, and not from an unknown third party service provider. Finally, we would like to express concern about the scope of the definition of ``Person'' under Section 5(6) of the bill. This definition as defined in 551(2) of title 5, United States Code, does not include any governmental agency. We would urge the Committee to expand that definition so that the scope of the legislation covers local, state and the Federal government. Again, enactment of the legislation as drafted with the current preemption provision would weaken consumer protections currently provided by the California breach notification statute, which extends to governmental agencies. definition of ``breach of security'' Section 3 of the bill would impose certain notice requirements upon companies that discover there has been a ``breach of security'' affecting their databases. Although the specific facts and circumstances that constitute a ``breach of security'' are left to rulemaking by the Federal Trade Commission, the legislation requires, at a minimum, that a breach triggering the notice requirement ``result . . . in, or there is a reasonable basis to conclude has resulted in, the acquisition of personal information by an unauthorized person that may result in identity theft.'' Section 3(b) (emphasis added). The qualifier language ``that may result in identity theft'' in the proposed legislation is subjective in nature. Whether something may result in ID theft depends in large part on the sophistication of the wrongful acquirer of the data. It is not feasible for the potential provider of the breach notice to definitively assess the skill level and sophistication of a wrongdoer, and certainly not in the immediate aftermath of a breach--which is when such an assessment would have to be made. We think the Committee should consider altering this definition with the qualifier ``that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such [personal] information.'' This would mirror the approach taken in the FTC's Guidelines. If this approach is taken, the standard could become a ceiling for the level of protection granted, eliminating the need for the FTC to revise the standard through future rulemaking. Rather the FTC could develop guidelines that would be instructive in their nature and perhaps fit into a safe harbor program which we address later in our testimony. TRUSTe believes that this approach provides strong protection for consumers and would not likely lead to an overload of notifications. It also provides certainty for businesses who may be concerned about the standard changing in the future. The parameters of the California security breach notification law are instructive in this regard. California Civil Code Sections 1798.29 and 1798.82-.84. This law, in effect for over two years, seems to have struck the right balance in this area. Consumers are receiving appropriate and useful notices; and it is our understanding, based upon our consultations with staff of the California Office of Privacy Protection, that the law has not resulted in an unmanageable deluge of notices to consumers. Although anecdotal, the fact that the California statute to a large extent has been followed as a nationwide standard makes it a good indicator of the potential impact of a nationwide bill such as this one. We also note that the marketplace approach taken by the California statute (as well as the Committee draft) prompts a positive cause-and- effect dynamic. A broad nationwide breach notice requirement will incent companies to improve their practices, thereby, in the long run, resulting in fewer breaches and therefore fewer notices. TRUSTe believes that this generates a much better outcome than setting the initial threshold so high that few breaches generate notice requirements, thereby decreasing the motivation to prioritize security. minimum requirements for a security policy and statement Section 2(a)(1) of the bill would authorize the Federal Trade Commission to promulgate rules requiring companies to implement a ``security policy and statement concerning the collection, use, disclosure, and security of personal information.'' We believe the Committee should consider adopting relevant provisions of the Commission's Security Guidelines for financial institutions provided under Gramm-Leach-Bliley as required components of the security statement provided for in Section 2(a)(1). Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer Records and Information, 16 C.F.R. Part 314. We refer specifically to the following provisions in the Guidelines: 314.3 Standards for safeguarding customer information. (a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. Such safeguards shall include the elements set forth in 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section. (b) Objectives. The objectives of section 501(b) of the Act, and of this part, are to: (1) Insure the security and confidentiality of customer information; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. 314.4 Elements. In order to develop, implement, and maintain your information security program, you shall: (a) Designate an employee or employees to coordinate your information security program. (b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including: (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures. (c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures. (d) Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and (2) Requiring your service providers by contract to implement and maintain such safeguards. (e) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program. These Guidelines provisions reflect a non-prescriptive approach to crafting security policies that we believe is best, given the changing nature of the overall environment, technology and threats. TRUSTe has particular expertise in the area of drafting sound consumer-facing privacy statements. We believe that the following elements, drawn from guidance set out in recent Federal Trade Commission settlements involving security breaches, should be required of companies' security statements: 1. The kinds of personal information collected and how it is used, disclosed, or otherwise handled in the regular course of business. 2. How consumers can access their information and have it corrected or updated. 3. How company will notify consumers in the event of a security breach, and what redress will be provided to them. 4. Where consumers can learn more about their rights in the event of a breach. creation of a safe harbor program As I mentioned earlier, TRUSTe has particular expertise in administering safe harbor programs for industry participants who comply with our guidelines. We recommend that the Committee add to your legislation a safe harbor that (1) allows businesses to comply with a set of guidelines that are approved by the FTC and administered by a third party certification organization; and (2) limits a company's liability, should a breach of security occur, if that company is in full compliance with such guidelines. We believe this is a better approach than simply locking in guidelines through an FTC rulemaking. Through a safe harbor, your legislation could set a floor of protections, and industry self-regulation would then drive even greater levels of protection for consumers, while providing businesses the flexibility they need to develop marketplace solutions to data protection. conclusion TRUSTe welcomes this opportunity to share our thoughts on the proposed data protection legislation, and to make the Committee aware of our efforts to serve as the model for industry best practices in information security through our Data Security Guidelines. We look forward to working with the Committee as it continues its efforts to protect the security of personal information in the twenty-first century marketplace. Mr. Stearns. And thank you. Mr. Hintze. STATEMENT OF MICHAEL HINTZE Mr. Hintze. Thank you, Chairman Stearns, Congressman Towns, Chairman Barton, and members of the subcommittee. My name is Michael Hintze. I am a senior attorney at Microsoft. I want to commend the members of this committee for their attention to data security and identity theft issues. Microsoft shares your concerns. I also want to thank you for the opportunity to provide our views on the discussion draft. Microsoft firmly believes that now is the appropriate time for Congress to adopt Federal data security legislation. It would be an effective complement to Microsoft's and industry's efforts to develop technological solutions, to educate consumers, to adopt best practices, and to help enforce existing laws. Today, I want to highlight some of the key issues raised by the discussion draft. First, any required information security program should give organizations the discretion to implement the most appropriate technologies and procedures for their respective environments. Microsoft urges the subcommittee to revise the discussion draft to reflect the general framework set forth in the Gramm-Leach-Bliley Act. It should also direct the FTC to allow organizations to adopt the security programs appropriate to their size and complexity, the nature and scope of their activities, and the amount and sensitivity of information that they collect. Second, any required information security program should apply to all personal information, whether electronic or paper. The consequences of a loss or misuse of personal information on paper can be just as devastating to the affected individual as the loss of that same data in electronic form. Likewise, the programs should not be limited just to sensitive financial information. A single, flexible framework for all information will create a broader protection for consumers and enable companies to comply with one set of security requirements. Third, a security breach standard should focus on whether the misuse of unencrypted sensitive personal information is reasonably possible. This will ensure that consumers receive notification regarding breaches of information that could lead to identity theft, like Social Security numbers and credit card information with associated passwords. This should also incorporate a materiality threshold like the Federal banking regulators have implied on their guidance on GLB, namely notification is required where there is a reasonable possibility of misuse. Such an approach will prevent notifications from becoming so frequent that consumers disregard them or find themselves unable to differentiate between those that indicate a significant risk and those that do not. Fourth, different methods of notification should be permitted. The appropriate method for notice will turn on the size and type of entity providing it, the number of people required to receive it, and the relative cost for different methods of providing it. The ways in which an entity typically communicates with its customers should also be considered. For these reasons, the interagency guidance interpreting GLB gives discretion to covered entities to provide notice in any manner designed to ensure that a consumer can reasonably be expected to receive it. Microsoft urges the subcommittee to follow this approach. Finally, the Federal legislation in this area should create a uniform standard. Security breaches are a national problem, and all consumers should be protected by the same high level of protection. This will also allow responsible businesses to operate without the unnecessary burdens of inconsistent security and notification requirements. For these reasons, we support the preemption provision in the discussion draft. At the same time, we recognize the State Attorney Generals play a vital role in ensuring the companies adhere to sound information security practices. Microsoft therefore supports any clarification that enables State Attorney Generals to enforce the provisions of this legislation. Thank you for asking us to share our views on data security legislation and the discussion draft. We are committed to helping create a safe and trusted environment for consumers, and we look forward to working with you and your staff toward this common goal. [The prepared statement of Michael Hintze follows:] Prepared Statement of Michael Hintze, Senior Attorney, Microsoft Corporation Chairman Stearns, Ranking Member Schakowsky, and Members of the Subcommittee: My name is Michael Hintze, and I am a Senior Attorney at Microsoft Corporation. I want to thank you for the opportunity to share with the Subcommittee our views on data security legislation. In light of the number of recent serious security breaches, the increasing concern nationwide over identity theft, and the ever-rising but often inconsistent number of state laws imposing security and customer notification requirements, Microsoft firmly believes that now is an appropriate time for Congress to adopt federal data security legislation. Microsoft applauds Congress and the members of this Subcommittee for their attention to data security and identity theft issues. As the Federal Trade Commission has reported, in 2003 alone, roughly 10 million Americans suffered from identity theft, costing businesses $47.6 billion and consumers almost $5 billion.1 As a leading provider of software and online services, Microsoft is particularly concerned that identity theft threatens to erode trust on the Internet, and we are deeply committed to working with you, law enforcement, and others in the industry to maximize deterrence and minimize the opportunities for identity thieves. --------------------------------------------------------------------------- \1\ Federal Trade Commission--Identity Theft Survey Report 7 (Sept. 2003), available at http://www.consumer.gov/idtheft/stats.html [hereinafter ``Identity Theft Survey Report'']. --------------------------------------------------------------------------- Today, I want to address the focus of this hearing--data security legislation. Microsoft generally supports the draft legislation before this Subcommittee, dated June 30, 2005 (the ``Discussion Draft''), that would require companies both to adopt an information security program and to notify consumers in the case of a security breach. This legislative approach would be an effective complement to Microsoft's own multi-faceted strategy for protecting individuals' personal information, which includes developing and implementing technological solutions, educating consumers about ways to protect themselves while online, meeting or exceeding industry best practices on privacy and security, and enforcing existing laws. My testimony today highlights some of the key issues raised by federal data security legislation and by the Discussion Draft in particular, and recommends ways to proceed toward the goal of creating a trusted environment for Internet users. businesses should be required to adopt an information security program. Microsoft supports legislation that would require companies engaged in interstate commerce to adopt an information security program. But in order to be effective, while avoiding unnecessary burdens on responsible businesses, such legislative requirements should be both broadly applicable and sufficiently flexible to meet the security challenges across a wide variety of business environments and scenarios. (1) Federal Legislation Should Enable Companies to Implement Security Measures Best Suited for Their Environments. First, any such legislative requirement should recognize that security is an ongoing process, that the threats to data security are constantly changing, and that the degree and type of risk can vary from one situation to another. An appropriate and effective information security program will depend on a number of factors, including, but not limited to, an entity's size, the nature of its business, the amount and type of information it collects, and the number of employees that it has. In short, federal legislation must provide flexibility to enable companies to adopt security policies and procedures that are responsive to their risk level. With this in mind, the framework for an information security program set forth in the Gramm-Leach-Bliley Act (``GLB'') is preferable to that outlined in section 2(a) of the Discussion Draft. In GLB, Congress directed the relevant agencies to provide for the establishment of ``appropriate . . . administrative, technical, and physical safeguards-- (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which would result in substantial harm or inconvenience to any customer.'' 2 --------------------------------------------------------------------------- \2\ 15 U.S.C. 6801(b). --------------------------------------------------------------------------- In response to this directive, the FTC implemented regulations that require the development of information security programs ``appropriate to the [subject entity's] size and complexity, nature and scope of . . . activities, and sensitivity of the customer information at issue.'' 3 --------------------------------------------------------------------------- \3\ 16 C.F.R. 314.3. --------------------------------------------------------------------------- Microsoft believes a flexible framework such as that established by GLB and the FTC's implementing regulations makes sense. It gives individual organizations--which are in the best position to understand the particular security measures that are best suited to the different types and forms of personal information they maintain--the discretion to implement the most appropriate technologies and procedures for their respective environments. In contrast, a set of federally-mandated technical specifications would inevitably impose too high of a burden on some organizations for some information, but not adequately protect some personal information held by other organizations. And, because security measures are constantly changing and improving as technology advances and engineers respond to evolving threats to information security, a one-size-fits-all regime would likely and rapidly become obsolete.4 --------------------------------------------------------------------------- \4\ We also note that as currently drafted, the Discussion Draft could create different regimes for entities that are subject both to GLB and to the reach of new data security legislation. That said, excluding entities covered under GLB from new data security legislation, and then adopting a different standard for other entities, would subject companies that house the exact same information to different regulatory frameworks--e.g., a retailer would be subject to a different information security framework than a bank. For this reason, we support creating uniformity to facilitate both the development of best practices and the development of service-related expertise--such as that provided by auditors--in the area of information security. --------------------------------------------------------------------------- For these reasons, Microsoft urges the Subcommittee to replace its current section 2(a) with language modeled on the framework set forth in GLB and the FTC's implementing regulations. In addition, in light of the importance of ensuring that implementing regulations give companies the discretion to adopt programs that best suit their respective needs, Microsoft encourages Congress to direct the FTC to allow entities to develop information security programs consistent with the following: (1) the entities' size and complexity, (2) the nature and scope of their activities, (3) the sensitivity of the personal information at issue, (4) the current state of the art in administrative, technical, and physical safeguards for protecting information, and (5) the cost of implementing such safeguards. Microsoft believes such a flexible approach is the best way to protect individuals' personal information now and into the future.5 --------------------------------------------------------------------------- \5\ This testimony focuses on subsection (a) of Section 2. With respect to subsection (b)--which applies special requirements to information brokers--Microsoft has only two brief observations. First, the definition of ``information broker'' requires a slight revision to make clear that it applies strictly to those entities whose primary business is selling consumer data. Second, while Microsoft generally supports giving individuals access to personal information collected about them, we think that certain reasonable exceptions must accompany such a legislative requirement for it to make sense. For example, access should not be required where the individual requesting access cannot reasonably verify his name or identity as the person to whom the personal information relates; the rights of other persons would be violated; the burden of providing access would be disproportionate to the risk of harm to the individual; revealing the information would compromise proprietary or confidential information, technology, or business processes; or revealing the information would be unlawful or affect litigation or a judicial proceeding in which the business or individual has an interest. --------------------------------------------------------------------------- (2) Federal Security Requirements Should Apply to All Personal Information. If federal data security legislation includes sufficient flexibility to enable companies to develop security practices and procedures that are tailored to the situation based on these factors, Microsoft believes that federal information security requirements should apply to all personal information housed by an organization in any form, whether electronic or paper. There is no reason to limit the requirements to protect personal information to its electronic form: The consequences of a loss or misuse of personal information in paper form can be just as serious and devastating to the affected individuals as a loss of that same data in electronic form. Likewise, the federal security requirements should not be limited only to sensitive information that, if exposed, could lead to identity theft.6 Although a breach of non-sensitive personal information may not expose individuals to identity theft, it can have other negative consequences.7 Again, as long as the federal legislation avoids mandating a one-size-fits-all approach to this data and instead provides flexibility, the security requirements can reasonably be applied to all personal information.8 The creation of such a single, flexible framework for all personal information will create broader protection for consumers as well as increase efficiency for businesses that otherwise could be faced with having to comply with additional and inconsistent security requirements imposed by other state or federal laws. --------------------------------------------------------------------------- \6\ By ``sensitive information'' we mean the kinds of data that is included in the Discussion Draft's definition of ``personal information.'' Although we advocate for a broader scope for security requirements, as we note later, this narrower definition remains relevant for the purposes defining the scope of information that should trigger a notification obligation. \7\ For example, if a number of e-mail addresses wind up in the wrong hands, those individual recipients could be deluged with unwanted spam that renders their e-mail account virtually unusable--or even subjects them to harmful phishing scams that trick them into disclosing sensitive financial information to would-be identity thieves. The exposure of other non-sensitive personal information can have similarly invasive consequences on an individual's privacy. \8\ It is worth noting that the FTC Consent Orders on security have required businesses to implement security programs for all personal information, not just sensitive personal information. --------------------------------------------------------------------------- With this background in mind, Microsoft respectfully suggests that the Subcommittee reconsider the approach taken in section 2(a) of the Discussion Draft. This section appropriately directs the Federal Trade Commission to adopt implementing regulations governing information security programs, but only with respect to a narrow class of sensitive personal information and only with respect to any such information maintained in electronic form. For the reasons stated above, Microsoft urges Congress to expand the scope of this provision. (3) Providing Flexibility in the Information Security Requirement is Essential to Avoid Unnecessary Burdens on Small Businesses and Those That Handle Minimal Amounts of Personal Information. Finally, we note that a flexible approach to security, such as the one outlined above, also is essential to alleviate the potential burden that a national information security requirement could impose on small businesses. However, if the Committee believes that the potential costs of a national information security requirement necessitates some sort of small business exemption even with the flexible approach that we recommend, Microsoft believes that such an exemption should be triggered by the number of individuals whose personal information an entity handles and not by the size of the business. For example, given the costs of compliance relative to the risks of exposure, it might make sense to exempt from at least section 2(a) an entity that collects, stores, uses or discloses personal information from fewer than 5,000 individuals in any twelve (12) month period. businesses should be required to notify consumers when there is a material risk of harm. Microsoft recognizes that notifying individuals of security breaches can be an effective element in the effort to reduce the costs and other harms associated with identity theft. But we believe that for a notification requirement to provide effective warning to consumers, and to be reasonable and fair for all business entities engaged in interstate commerce, it must be triggered only when there is a material risk of harm to an individual. As recent reports have indicated, an overly broad notification requirement could have negative effects.9 For example, consumers may begin to receive so many notices that they become accustomed to such notices and/or become unable to differentiate between those breaches that represent a serious risk and those that do not. One likely result is that some consumers will do nothing in response; as a result, the costs of the notice will be incurred in vain, and consumers will continue to bear the risk of any resulting identity theft. Other consumers may err on the side of over-reaction, responding to even harmless breaches by imposing credit freezes, fraud alerts or changing or closing accounts--all of which impose significant and unnecessary costs.10 For these reasons, Congress should proceed carefully when articulating the standard that triggers notification. We believe that the best standard is one that incorporates a materiality threshold like the federal banking regulators have applied in the Interagency Guidance on GLB-- namely, notification is required when there is a reasonable possibility of misuse. --------------------------------------------------------------------------- \9\ See, e.g., Henry Fountain, ``Worry. But Don't Stress Out,'' Wall Street Journal, June 26, 2005, Section 4, p.1. \10\ See Thomas M. Lenard & Paul H. Rubin, ``An Economic Analysis of Notification Requirements for Data Security Breaches,'' The Progress & Freedom Foundation 10-11 (July 2005). --------------------------------------------------------------------------- (1) Notification Obligations Should Be Triggered When Misuse Is Reasonably Possible. Microsoft believes that the Interagency Guidance on GLB provides a workable framework for a national notification standard. That guidance focuses on whether, as a result of unauthorized access, ``misuse of . . . information . . . has occurred or is reasonably possible.'' 11 Although the Discussion Draft contains a relatively flexible standard, we have some concern that the ``may result in identify theft'' formulation is vague, and in any event, that the formulation would establish a slightly different standard than GLB has been interpreted to apply to financial institutions. This Interagency standard provides clear guidance to industry and consumers: it appropriately requires an organization to investigate the circumstances of any unauthorized access, and to analyze the risks posed to affected individuals before any notification is required. Microsoft believes it is critical to make companies responsible for determining the details of an unauthorized access to sensitive financial information and the level of threat resulting from the specific circumstances. If an investigation concludes that misuse of a consumer's information has occurred or is reasonably possible in light of the facts surrounding the security breach and the exposure of the information, then notification must be provided. Thus, this standard ensures that only those consumers who are reasonably at risk receive notification, and in so doing, it mitigates against both the risk of over-notification and the risk of consumer over- and under-reaction. --------------------------------------------------------------------------- \11\ Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 Fed. Reg. 15736, 15752 (Mar. 29, 2005) (emphasis added) [hereinafter ``Interagency Guidance'']. --------------------------------------------------------------------------- (2) Notification Obligations Should Cover Only Unencrypted Sensitive Personal Information. The purpose of notifying an individual of a security breach is to enable that person to prevent two potential types of identity theft: (1) the misuse of his or her existing credit card or other account, and (2) the fraud that is perpetrated when a thief opens a new account in his or her name.12 The scope of any notification obligation should be limited to the class of personal information that could lead to such misuse. This information should include Social Security numbers, and it should include credit card information associated with other information that could enable someone to access an account or make a credit card purchase. This information should not include basic personal information--such as name, address or telephone number--that alone or in combination with one another presents virtually no increased risk of identity theft. --------------------------------------------------------------------------- \12\ See Identity Theft Survey Report, supra note 1, at 4. --------------------------------------------------------------------------- The Discussion Draft applies its notification requirements to a narrow class of personal information, which is appropriate. To clarify that this information is particularly sensitive, Microsoft recommends that the Discussion Draft rename this class of information ``sensitive financial information.'' It should then include a broader definition of ``personal information'' to which the obligations set forth in section 2(a), as described above, apply. However, within this class of so-called ``sensitive financial information,'' Microsoft believes that encrypted information should be excluded. Data encrypted using standard methods is either impossible or impracticable to decipher. Therefore, there is no reasonable possibility of its misuse if it is accessed without authorization. In addition, by specifically exempting such encrypted information from the standard for notification, Congress will be creating an explicit incentive for companies to adopt encryption technology, thereby reducing the risk of a security breach in the first instance. If Congress has concerns that a general encryption exception is too vague and could be abused,13 Microsoft would support allowing the exception to apply only to certain levels of encryption--e.g., the encryption level set forth in the Federal Information Processing Standards issued by the National Institute of Standards and Technology--or more generally to encryption adopted by an established standard setting body combined with an appropriate key management mechanism to protect the confidentiality and integrity of associated cryptographic keys in storage or in transit. --------------------------------------------------------------------------- \13\ We think that, if Congress explicitly exempted encrypted information from the notification requirement, there would be little risk of abuse--after all, as a general matter, it is just as easy to use readily available good encryption technology as it is to use readily available weak encryption technology, so there would be little incentive to use a lower standard. --------------------------------------------------------------------------- (3) Notification Obligations Should Capture Data Maintained In Any Form. Microsoft believes that the public policy interest in protecting sensitive financial information against malicious use by third parties extends to all forms of data, regardless of whether it is housed in electronic or paper form. For this reason, we believe the notification requirements set forth in section 3 of the Discussion Draft (like the general security obligations set forth in section 2(a)) should not be limited to electronic or computerized data. This is the approach followed in the Interagency Guidance on GLB. Although expanding the requirement beyond data in electronic form would potentially heighten the compliance costs associated with this federal legislation, the public policy supports such an expansion. Identity theft can be committed using information obtained offline and in a form other than just computerized data. Simply put, an identity thief can defraud a consumer using sensitive personal information maintained in paper form just as easily as the thief can using computerized data. To adequately protect consumers, the notification requirements of the legislation should therefore apply to all sensitive financial information--regardless of the form in which the information is maintained. congress should give companies discretion to determine the most appropriate and effective method for notification. Microsoft believes that for a nationwide notification requirement to be administratively workable, business entities subject to the requirement should have flexibility in how notice is provided. This is because the appropriate method for notice will turn on the size and type of the entity providing the notice, the number of people required to receive notice, the methods by which the entity typically communicates with its customers or other individuals, and the relative costs for different methods of providing notice. For these reasons, the Interagency Guidance on GLB provides discretion to covered entities to provide notice ``in any manner designed to ensure that a customer can reasonably be expected to receive [the notice.]'' 14 --------------------------------------------------------------------------- \14\ Interagency Guidance, supra note 11, at 15753. --------------------------------------------------------------------------- Microsoft urges Congress to follow the model of the Interagency Guidance by giving companies discretion to issue notice in various ways, so long as the notice is reasonably expected to reach the affected individuals. The Discussion Draft, which would obligate an entity to provide notice to an individual in writing and by email and through the entity's website, is too restrictive, and there is a real risk that it could lead to less effective notifications and/or be too costly for many entities to implement. Rather, federal legislation should enable entities to provide notice via telephone, regular mail, or electronic mail, depending on the circumstance. Indeed, many individuals who have received notices of security breaches report that they appreciate getting them by telephone, which personalizes the process, makes the notice less intimidating, and provides an immediate forum for the individual to ask questions.15 While telephone notice may not be feasible in cases requiring mass notification, it is an option that should be permissible consistent with the interpretation of GLB. --------------------------------------------------------------------------- \15\ Larry Ponemon, ``Opinion: After a Privacy Breach, How Should You Break the News,'' Computerworld, July 5, 2005. --------------------------------------------------------------------------- Microsoft also believes that entities should be required to try to reach individuals directly, unless certain cost or quantity thresholds are present or there is no known number, mailing address, or electronic mail address for an individual. Accordingly, Microsoft would propose using mass media notice and Internet postings only in exceptional circumstances requiring substitute notice. congress should consider internal and law enforcement investigations when analyzing the appropriate timeliness of notification. Microsoft is pleased that the Discussion Draft accounts for the immediate obligations of a company in the aftermath of a breach by allowing reasonable time for a company to determine the scope of the breach and to restore any compromised systems before issuing notice of the breach. Microsoft also believes, however, that federal legislation should account for the needs of law enforcement in investigating the breach. It is often the case that immediate notification to the public can interfere with a criminal investigation of the underlying incident. If, for example, law enforcement officials are in the process of identifying or apprehending potential suspects, a public announcement may cause the suspects to flee, destroy evidence, or otherwise obstruct these efforts to bring the perpetrators to justice. The existing GLB guidelines regulating financial institutions, as well as most state breach notification laws, have accounted for these concerns by allowing for delayed notification, consistent with the legitimate needs of law enforcement. The risk of any abuse with this delay in notification is easily addressed by vesting the authority for any such determination in law enforcement, rather than the company itself. As the Interagency Guidance on GLB provides, ``notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay.'' 16 By accounting for these contingencies in imposing a notification requirement, Congress can balance the interests of consumers, the legitimate needs of law enforcement, and the immediate responsibilities of companies suffering data security breaches. --------------------------------------------------------------------------- \16\ Interagency Guidance, supra note 11, at 15752. --------------------------------------------------------------------------- strong federal preemption is warranted. Microsoft believes that for federal legislation to be meaningful in this area, it must address the problem of state laws imposing potentially inconsistent security and notification requirements. In other words, we strongly feel that federal legislation requiring entities to implement an information security program and to notify individuals of security breaches must ``occupy the field.'' As we have seen with the rash of major security breaches over the past several months, information security is a national problem that affects all Americans. Federal legislation that preempts inconsistent state laws is therefore crucial to protect consumers while allowing responsible businesses to operate without unnecessary burdens. Over the past several months, more than a dozen states have enacted breach notification laws, with a few of these states also requiring entities to adopt security procedures. Although these statutes generally have been patterned after the California law, which pioneered breach-related legislation, the statutes are not uniform, and their differences can be striking. For one, the statutes sometimes differ on the very definition of ``personal information,'' with some states broadly covering any account information, some requiring a name coupled with other identifying information, and some including a Social Security number alone. Similarly, the statutes differ in their jurisdictional scope, with most applying to entities conducting business within the state, but others applying to anyone who possesses information about residents of the state. The statutes are also inconsistent as to when notification is required, with some states providing an exception when the breach is reasonably believed to be harmless. In addition to these disparities, provisions regarding notification period, notification method, and available remedies often vary from state to state. Although some have argued that the federal provision should create a ``floor,'' above which states are free to impose additional requirements, this would not solve the problem caused by the existing patchwork of state regulation. In such an environment, any company that participates broadly in the national economy must either abide by the strictest applicable standard, or otherwise take measures to compartmentalize its transactions on a state-by-state basis. Under the former approach, any federal legislation would be rendered meaningless absent preemption. And given the realities of today's virtual economy, the latter option is largely impracticable; or, for those companies that tried to comply with requirements on a state-by-state basis, it would potentially cause a harmful distraction from what is important-- protecting the security of consumers' personal information and promptly notifying any affected consumers in the event of a security breach that is reasonably possible to lead to the misuse of unencrypted sensitive financial information. Therefore, the only realistic solution that protects consumers while minimizing the operational burdens in responsible businesses is to adopt a nationwide standard for security and notification. That standard should certainly be robust, but, once adopted, should apply uniformly. Hence, any federal legislation on this topic should specifically preempt state security and notification laws. The Discussion Draft includes an appropriate preemption provision. That said, Microsoft supports adding language to the preemption provision to make clear that only State Attorneys General can bring a civil action under state law that is premised on a violation of the federal legislation. At the same time, we recognize that State Attorneys General can play a vital role in ensuring that companies adhere to sound information security practices. Accordingly, Microsoft also supports any clarification that enables State AGs to directly enforce the provisions of the legislation and also ensures they can continue to rely on their enforcement authority under state consumer protection laws. congress should consider additional provisions in data security legislation. Requiring entities to implement security procedures that apply to personal information and to notify individuals of security breaches, where the misuse of unencrypted sensitive financial information is reasonably possible, makes sense. But these approaches do not fully address a key concern raised in response to recent security breaches--a lack of transparency as to how companies are using and disclosing personal information in the first place. Individuals want to understand better the entities that maintain their personal information, the types of information they maintain, how they use that information, and the third parties with whom they share such information. For this reason, in addition to supporting reasonable security precautions and notification requirements, Microsoft looks forward to working with the Subcommittee on appropriate legislation that addresses these broader concerns. Microsoft believes that adopting a tailored but more complete approach to data security legislation at the federal level will better inform consumers about who is using their personal information and how, and thereby empower consumers to exercise meaningful control over their personal information both before and after any security breach occurs. In addition, a national standard will give consumers and organizations that are facing a patchwork of privacy and data security requirements at the state level clarity about the standards for collecting, using, disclosing, and storing personal information. We commend the Subcommittee for holding this hearing today and appreciate your determination to seek strong legislation to help curb identity theft. Thank you for extending us an invitation to share our recommendations on the Discussion Draft, and we look forward to working with you on additional means to help inform and empower consumers both before and after a security breach occurs. Microsoft is committed to creating a trusted environment for Internet users, and looks forward to working with you toward this common goal. Mr. Stearns. I thank the gentleman. Mr. Hoofnagle, welcome. STATEMENT OF CHRIS JAY HOOFNAGLE Mr. Hoofnagle. Good morning, Chairman Stearns, Ranking Member Towns, and good morning, Chairman Barton. My name is Chris Hoofnagle. I am senior counsel with the Electronic Privacy Information Center. We are a not-for-profit research center that focuses on privacy founded in 1994 here in Washington. I run the organization's West Coast office in San Francisco. There are many different consumer protection issues that need the attention in this committee, and we thank you for focusing your attention on privacy and security. Ranking Member Towns, in your introduction, you discussed about how there are new security breaches, it seems, bimonthly. It is actually more than that. The Privacy Rights Clearinghouse has a chronology of data breaches online, and there have been 60 known such breaches since ChoicePoint, the commercial data broker, announced their breach back in February. And when you look at this chronology, you see that it has been a diverse array of businesses. They are in the financial services sector. They are in the retail sector. You also see that there is a diverse number of attackers. There is a diverse number of threats to personal information. Sometimes these breaches are caused by insiders. Sometimes they are caused by outsiders. Sometimes it is just a mistake. And then sometimes it is willful. So your committee is charged with dealing with a very difficult situation of writing a law that addresses all of these different types of data risks and risks to identity theft and other misuse of information. With that said, let me focus on just some parts of my testimony. We were very happy to see the discussion draft. I think it is an important first step in addressing security breach issues. But there are several issues that we wanted to tweak. We have already heard testimony this morning regarding the standard for providing notice. And under this bill, there has to be a risk of identity theft. We really want to emphasize that identity theft is not the only risk to data security. There have been cases involving stalking. One of the things we work at at EPIC is the problem of investigators who operate online who break security of other companies to get information and sell that information to other people, including stalkers. Data might be accessed by other businesses that are engaged in the attempt to locate people. So, for instance, in New Jersey, there was a major security breach involving 600,000 records at Bank of America and Wachovia. And the people obtaining that information weren't trying to steal anybody's identity. What they were trying to do was sell that data to debt collectors so that the debt collectors could locate them. Data might be accessed for corporate espionage purposes. It might even be access for extortion. There was a case out in California where a hospital had outsourced sensitive medical information to Pakistan. The person in Pakistan handling the data was never paid, and so she took the data and she put it online saying if you don't pay me, I am going to post the rest of this medical data. And finally, sometimes data is stolen for spam purposes. There was a case here on the east coast where a Time Warner employee was caught with 92 e-mail addresses of AOL subscribers, and he broke the system in order to sell that data for direct marketing purposes. I also wanted to amplify Ms. Maier's point that it is also very difficult to determine whether or not identity theft is the intent of an attacker and whether or not the attacker is even competent enough to commit that crime. We really need to focus on misuse of data rather than identity theft. We were also pleased to see that this is a discussion draft on data protection. To us, data protection is an issue that is much broader than security. Data protection includes privacy, the idea that a minimum amount of information should be transferred when entering into a transaction, the idea that people should have access to their information. They should be able to correct it. However, those rights aren't all encompassed in this discussion draft. And we urge you in future drafts to include other privacy rights, because some of the problem here is not just insecurity. The problem is that even if this data were sold securely, there is a problem with the sale that, in some cases, this information should never be sold. We also emphasize you to include audit trails in the bills. While encryption is a great tool for protecting data from outsiders, encryption does not do a good job when insiders are stealing data and selling it to other people. And it is at that point where audit trails are really important. And what audit trails do essentially is track who accesses data, for what purpose, and whether they disclose it to anyone. And it is the best way to not only deter insiders, but also to catch them once they have broken the security. I see that I have run out of time, so I want to conclude by saying thank you for holding this hearing and for considering this legislation. And if I can be of help to the committee, please feel free to contact me. [The prepared statement of Chris Jay Hoofnagle follows:] Prepared Statement of Chris Jay Hoofnagle, Director and Senior Counsel, Electronic Privacy Information Center West Coast Office introduction Chairman Stearns, Ranking Member Schakowsky, and Members of the Subcommittee, thank you for extending the opportunity to testify on data security legislation. My name is Chris Hoofnagle and I am Senior Counsel to the Electronic Privacy Information Center, and director of the group's West Coast office, located in San Francisco. Founded in 1994, EPIC is a not- for-profit research center established to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. EPIC has been on the forefront of the issues being considered in today's hearing. For instance, ``commercial data brokers,'' companies that extract sensitive information from many sources and sell it as a ``dossier'' to others, have long been a matter of public concern.1 EPIC has engaged in extensive use of the Freedom of Information Act to determine the extent of interaction between the government and data brokers such as Lexis-Nexis, Acxiom, InfoUSA, and Merlin.2 --------------------------------------------------------------------------- \1\ See Chris Jay Hoofnagle, Big Brother's Little Helpers: How ChoicePoint and Other Commercial Data Brokers Collect, Process, and Package Your Data for Law Enforcement, 29 N.C.J. Int'l L. & Com. Reg. 595 (Summer 2004), available at http://www.epic.org/privacy/ choicepoint/cp--article.pdf. \2\ EPIC Choicepoint Page, available at http://www.epic.org/ privacy/choicepoint/. --------------------------------------------------------------------------- We applaud the Members of the Committee and others who have crafted legislation to address security standards for companies that maintain personal information. In my testimony today, I will provide comment on the Discussion Draft of Data Protection Legislation. The Discussion Draft is a good first step in addressing the security risks presented by companies with personal information, but fails to fully confer upon individuals the tools they need to avoid misuse of personal information. I therefore recommend that the Committee move this legislation, with reasonable enhancements including: an option for credit freeze, a requirement that security measures include audit trails, and public reporting of security breaches to the Federal Trade Commission. I further recommend that the Committee go beyond security issues and consider the privacy risks raised by data brokers. data insecurity Well before the recent news of the Choicepoint debacle became public, EPIC had been pursuing the company and had written to the FTC to express deep concern about its business practices. On December 16, 2004, EPIC urged the Federal Trade Commission to investigate Choicepoint and other data brokers for compliance with the Fair Credit Reporting Act (FCRA), the federal privacy law that helps ensure personal financial information is not used improperly.3 The EPIC letter said that Choicepoint and its clients had performed an end- run around the FCRA and were selling personal information to law enforcement agencies, private investigators, and businesses without adequate privacy protection. --------------------------------------------------------------------------- \3\ Letter from Chris Jay Hoofnagle, Associate Director, EPIC, and Daniel J. Solove, Associate Professor, George Washington University Law School, to Federal Trade Commission, Dec. 16, 2004, available at http:/ /www.epic.org/privacy/choicepoint/fcraltr12.16.04.html. --------------------------------------------------------------------------- Since the Choicepoint breach, there has been a steady stream of news articles and public announcements concerning other companies that have failed to secure the personal information of individuals. The Privacy Rights Clearinghouse, a San Diego-based group, has posted a Chronology of these data breaches.4 As of this writing, this Chronology notes 60 different incidents where a company or government entity reported a security breach involving the Social Security number, drivers license number or financial account number. The Privacy Rights Clearinghouse estimates that 50,000,000 individuals have been affected by these known breaches. --------------------------------------------------------------------------- \4\ Privacy Rights Clearinghouse, A Chronology of Data Breaches Reported Since the ChoicePoint Incident, available at http:// www.privacyrights.org/ar/ChronDataBreaches.htm (last visited Jul. 24, 2005). --------------------------------------------------------------------------- This Chronology is worth revisiting for at least three reasons. First, it demonstrates the diversity of entities that store sensitive personal information and yet have experienced a security incident. While there have been major security breaches at commercial data brokers such as Lexis-Nexis and Merlin, there have also been security problems at banks, schools, government entities such as motor vehicle administrations, and retailers. This demonstrates the need for intervention across a broad array of entities. A privacy-friendly approach would first emphasize the need for reducing the amount of personal information collected and maintained. Where retention of personal information is necessary, these entities should be subject to a framework of ``Fair Information Practices.'' Fair Information Practices, or ``FIPs,'' constitute a framework of rights and responsibilities that require entities to minimize the amount of information they collect, to use it only for purposes specified by the individual, to hold it in a secure manner, and to provide the individual access to and of the ability to correct their personal data. Second, the Chronology demonstrates that security breaches may occur for reasons other than to commit identity theft. For instance, insiders at Bank of America, Wachovia, PNC Bank and Commerce Bank sold customers' personal information to attorneys and others who were engaged in debt collection efforts.5 That breach affected the records of over 600,000 accountholders. Sometimes systems are compromised for voyeuristic purposes, such as obtaining the contact information or communications data of celebrities or law enforcement officials.6 Security breaches may be motivated by a company attempting to obtain information about a competitor. Finally, extortion may motivate someone to obtain and disclose an individual's personal information. For instance, in 2003, a Pakistani clerical worker performing transcription services for an American hospital threatened to release medical records if she was not paid for her services.7 Accordingly, Congress' approach should recognize that identity theft is not the only harm to be avoided. Legislation passed by Congress should recognize that security breaches may be motivated by a number of crimes unrelated to attempted identity theft. --------------------------------------------------------------------------- \5\ Jonathan Krim, Banks Alert Customers of Data Theft, Washington Post, May 26, 2005, available at http://www.washingtonpost.com/wp-dyn/ content/article/2005/05/25/AR2005052501777. html \6\ Kelly Martin, Hacker breaches T-Mobile systems, reads US Secret Service email and downloads candid shots of celebrities, SecurityFocus, Jan. 12, 2005 \7\ David Lazarus, A tough lesson on medical privacy Pakistani transcriber threatens UCSF over back pay, Oct. 22, 2003, available at http://www.sfgate.com/article.cgi?file=/c/a/2003/10/22/MNGCO2FN8G1.DTL. --------------------------------------------------------------------------- Third, the Chronology demonstrates that entities that maintain personal information are subject to many different security risks. While we typically think of outsiders, such as malicious computer hackers, as the prime security risk, the Chronology shows that dishonest employees are a major security problem. Accordingly, Congress' approach should include measures likely to catch insiders who sell information. Audit trails--a requirement that entities record who accesses and discloses personal information--would go far in deterring and detecting dishonest insiders. the draft should contain credit freeze language In the Senate, Members are considering legislation that will prevent identity theft by allowing individuals to ``freeze'' their credit. Under these proposals, individuals can opt to erect a strong shield against identity theft by preventing the release of their credit report to certain businesses. Because a credit report is always pulled before a business issues a new line of credit, a freeze will make it very difficult for an impostor to obtain credit in the name of another person.8 --------------------------------------------------------------------------- \8\ Chris Hoofnagle, Putting Identity Theft on Ice: Freezing Credit Reports to Prevent Lending to Impostors, Securing Privacy in the Internet Age, Stanford University Press (forthcoming 2006) available at http://ssrn.com/abstract=650162 --------------------------------------------------------------------------- According to US PIRG, 10 states have credit freeze laws enacted.9 The New Jersey law offers consumers the most benefit--any resident may freeze their credit report at minimal cost, and consumer reporting agencies must make the thaw mechanism work quickly, so that individuals can take advantage of instant credit offers. --------------------------------------------------------------------------- \9\ US PIRG, State Breach and Freeze Laws, available at http:// www.pirg.org/consumer/credit/statelaws.htm. --------------------------------------------------------------------------- We believe that a credit freeze is a good approach that will minimize security risks and reduce the risk of identity theft. Simply stated, this provision will make it more difficult for others to use a consumer's credit report without their consent. Consumers will always have the ability to provide their credit reports in those transactions that they initiate. the need to consider general privacy protections The Discussion Draft would establish important security safeguards for all businesses with personal information, and heightened duties on information brokers. But while the Discussion Draft addresses security concerns, it does not contemplate whether general privacy restrictions are appropriate. Information brokers have operated under a self-regulatory schema, known as the Individual Reference Service Group (``IRSG'') Principles. Through these principles, the industry conferred upon itself the authority to sell detailed dossiers to almost anyone for almost any purpose. It was the promiscuity of these principles that led to the most recent Choicepoint breach, because the principles allowed data brokers to choose who is ``qualified'' buyer of personal information, and allowed sale to anyone with a ``legitimate'' business purpose. A serious inquiry should be made into the purposes for which these dossiers are being sold. Congress should set limits on the contexts in which personal information can be sold, and when data is sold, limit the secondary uses of personal information. the discussion draft of data protection legislation Section 2 Requirements for Information Security: All Companies This section directs the Federal Trade Commission (``Commission'') to promulgate regulations to require companies to implement policies and procedures to protect personal information. Companies would have to develop a security policy and statement on use of personal information. Companies would have to identify an employee as being responsible for information security. Finally, companies would have to develop processes to take preventive and corrective action to address security vulnerabilities, including the use of encryption. We applaud the Members for encouraging the use of encryption to protect personal information. However, we wish to emphasize that once data is encrypted, it may still be vulnerable. For instance, the company may choose a poor encryption method that can be decoded easily. There is also the risk that a malicious actor, especially when he is an insider, will have the key or password to decode the encryption. Accordingly, an entity that uses encryption should not automatically be exempt from other data security responsibilities, such as the requirement to provide security breach notices. We suggest three improvements to this section: First, this section could be significantly enhanced by a requirement that companies employ audit trails to deter and detect insider misuse of personal information. An audit trail would record who accessed individuals' information, the purposes for which it was accessed, whether it was disclosed, and to whom it was disclosed. Simply put, encryption will be most effective at protecting data from outsiders; auditing will be a strong deterrent to insiders. Second, where possible, companies should require customers to establish a password system for access to their file. Currently, many entities with sensitive personal information will give access to files based on the provision of simple biographical information, such as billing address, phone number, date of birth, or Social Security number. The problem is that these biographical identifiers often are found in publicly-available databases, such as phone books, public records, or the Internet. Passwords have some disadvantages. Sometimes people choose poor passwords, but an institution can correct this by requiring the password to be a certain length. Sometimes individuals forget passwords, and in cases where that is a concern, a ``shared secrets'' password system could be employed. In such a system, the customer and business agrees upon a series of questions that can be asked to verify identity. They could include asking the customer what street they lived on as a child, the name of their first pet, or their favorite book or sports team. The questions are periodically rotated to prevent an impostor from learning these secrets. Third, some companies are using automatic number identification (``ANI''), a form of caller ID, to identify or authenticate customers. ANI offers additional security over caller ID, but it now appears that ANI too can easily be ``spoofed,'' or falsified, through the use of VOIP telephony. In crafting security guidelines, the Commission will have to consider that new technologies may pose new risks to security systems. Accordingly, we recommend that the Commission be directed to periodically review security requirements, and new threats to personal data. Section 2 Requirements for Information Security: Special Requirements for Data Brokers This section would require information brokers to be audited by the Commission. It would also require data brokers to allow individuals to obtain their dossier annually at no cost. We applaud these requirements. Individuals should be able to obtain personal information held by data brokers at no charge. Currently, industry practice on providing individuals access to their personal information varies widely. For instance, it is not clear whether information brokers provide the complete file of personal information when an individual makes a request for access. Choicepoint provides free access, and in a recent study where 11 people requested their files, the company provided individuals with their dossiers in a timely fashion. However, the study showed the many errors were found in the Choicepoint dossiers.10 Acxiom charges $20 for access, but in the study, the company only fulfilled half of the requests made and took an average of 89 days to comply. A legal mandate for free and timely access is needed. --------------------------------------------------------------------------- \10\ PrivacyActivism, Data Aggregators: A Study of Data Quality and Responsiveness, May 18, 2005, available at http:// www.privacyactivism.org/Item/222. --------------------------------------------------------------------------- Section 3 Notification of Database Security Breach This section specifies the instances when a company must disclose to individuals that their personal information has been obtained by an unauthorized person. It defines breach of security as ``the compromise of the security, confidentiality, or integrity of data that results in, or there is a reasonable basis to conclude has resulted in, the acquisition of personal information by an unauthorized person that may result in identity theft.'' It specifies how a company must give notice, and what the notice must contain. It specifies that a company with a security breach must provide three credit reports and a year of credit monitoring service to victims. There are several critical aspects to this portion of the legislation. First, of course, is the severity of events that constitute a ``breach of security.'' The language in the Discussion Draft tracks the California standard, except that the Discussion Draft includes the requirement that the security breach ``may result in identity theft.'' As we explained above, identity theft is only one risk from unauthorized access to personal information. Unauthorized access may be gained for other purposes that cause harm to the individual, such as stalking, obtaining information for debt collectors, corporate espionage, extortion, or mere voyeurism. The purpose of data security breach legislation is not just to warn individuals of a risk of identity theft; it is also designed to shine a light on poor data practices. More importantly, as identity theft expert Beth Givens has argued, companies often cannot tell whether a security breach may result in identity theft. The motives of a person who gained access are not always clear. Identity theft can also occur months or even years after a security breach. There has been much discussion of whether to give companies discretion to determine whether notice to the public is justified. No such discretion is given by the California law, and Congress should carefully consider the consequences of extending discretion at the federal level. It is already the case that one information broker, Acxiom, engaged in acrobatics to avoid giving notice of a 2003 security breach that reportedly involved 20 million records.11 --------------------------------------------------------------------------- \11\ Robert O' Harrow, Jr., No Place to Hide 71-72, Free Press (2005). DOJ, Milford Man Pleads Guilty to Hacking Intrusion and Theft of Data Cost Company $5.8 Million, Dec. 18, 2003, available at http:// www.usdoj.gov/criminal/cybercrime/baasPlea.htm; DOJ, Florida Man Charged with Breaking Into Acxiom Computer Records, Jul. 21, 2004, available at http://www.usdoj.gov/opa/pr/2004/July/04_crm_501.htm. --------------------------------------------------------------------------- Because it is difficult to gauge the risk of identity theft, because there are harms other than identity theft which may result from security breaches, and because there is already evidence that companies will go to great lengths to avoid giving security breach notices, we recommend eliminating the language that gives companies discretion not to give notice based on a determination whether the breach ``may result in identity theft.'' If Congress chooses to give some measure of discretion, it should set a standard that requires notice where there is a ``reasonable risk or reasonable basis to believe that such access could lead to misuse of personal information.'' This standard recognizes that security breaches should focus on ``misuse'' of personal information instead of just identity theft, and would allow companies not to give notice where there is no reasonable risk of harm. There should also be a duty to thoroughly investigate suspected breaches. The standard set should not give data holders incentives to ignore these incidents. The second critical factor is the scope of businesses that will be subject to the notification requirement. We think the standard set forth by the bill--any company that owns or possesses data--is the appropriate one. The California standard--any company that owns or licenses data--misses the mark in that some companies merely process data for others, but may still experience a breach. A third critical factor is the form of notice. The California security notice legislation was in effect a type of ``Freedom of Information Act'' for security standards. Consumers and policymakers have benefited from learning more about security standards and breaches, but there have also been significant limitations--in many cases, only the victims learn of the breach. Consumers and policymakers would benefit from hearing of all breaches through a website that could be operated by the Commission. We would recommend that the following language be added to the legislation, so that there will be public reporting of security breaches: ``Information submitted to the Commission under sections 2(b)(1) and 3(a)(2) shall be posted at a publicly available website operated by the Commission.'' Section 4 Enforcement by the Federal Trade Commission This section specifies that the Commission will enforce the law, under its authority to address unfair and deceptive trade practices. We recommend adding enforcement powers so that state Attorneys General can also enforce the law. We further recommend that the Commission's authorization and appropriation be increased to account for the burdens associated with enforcing this law. The Commission must oversee a plethora of business practices--from deception in funeral businesses to ``power output claims for amplifiers utilized in home entertainment products.'' 12 This wide range of responsibility requires adequate funding. --------------------------------------------------------------------------- \12\ See generally Title 16 of the Code of Federal Regulations, available at http://www.access.gpo.gov/nara/cfr/waisidx_05/ 16cfrv1_05.html. --------------------------------------------------------------------------- Section 5 Definitions This section defines the many terms in the legislation, including identity theft and information broker. The definition of ``identity theft'' is narrow and does not encompass the full range of activities normally understood as identity theft. The current definition focuses on the use of others' personal information for the purpose of engaging in ``commercial transactions.'' This does not recognize the problem of ``criminal identity theft,'' where an individual uses the personal information of another in his interactions with law enforcement, leaving the victim with a criminal record. Accordingly, we recommend that if the law continues to include this term, that it be broadened to recognize other activities commonly understood to be ``identity theft.'' Defining ``information broker'' is a challenge. Many companies are engaged in the transmission of personal information to third parties. In some cases, this occurs within the individual's expectation, such as when information must be transferred to execute a transaction requested by a consumer. In others, the transfer of personal information raises unique privacy risks, and such businesses should be included in the definition of ``information broker.'' Further complicating this matter is the qualifier ``whose business is to collect, assemble, or maintain personal information.'' Information brokerage is just a small percentage of the business of a company like Lexis-Nexis or even Choicepoint. Lexis-Nexis is a huge company; most of its information products have no bearing on privacy, such as the company's legal and scholarly research databases. According to Choicepoint, only about 11% of its operations consist of information brokerage outside the Fair Credit Reporting Act. Can it be said that Lexis-Nexis and Choicepoint are entities ``whose business is to collect, assemble, or maintain personal information'' for provision to third parties? There have been many attempts to define an information broker, and thus far, we think the best is contained in S. 1332: The term `data broker' means a business entity which for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages, in whole or in part, in the practice of collecting, transmitting, or otherwise providing personally identifiable information on a nationwide basis on more than 5,000 individuals who are not the customers or employees of the business entity or affiliate. This definition limits the scope of the law to companies that regularly engage in maintaining large databases on non-customers for the purpose of providing them to a third party. It provides a good starting point for further discussion. Congress should also consider giving the Commission rulemaking authority to address circumvention of this definition through corporate restructuring or technological tweaks. In passing the Fair and Accurate Credit Transactions Act, Congress included a provision that prohibits ``technological circumvention'' of the Fair Credit Reporting Act's provisions. The concern was that through database design or corporate reorganization, a consumer reporting agency may escape obligations to provide a free credit report. We think that a similar provision would be appropriate her to avoid a situation where a company simply reorganized to avoid security or privacy responsibilities. The definition of ``personal information'' in the Discussion Draft is narrower than the California law. Under the California law, personal information ``means an individual's first name or first initial and last name in combination with . . .'' a Social Security number, drivers license number, or account number. The Discussion Draft would require the individual's first and last name, instead of just the first initial. We think that the federal legislation should be as broad as the California definition in this regard. We further recommend that section 5(5)(A)(iii) should be modified. That section treats an account number in combination with an access code as ``personal information.'' As currently written, it gives credit card companies an out from giving notice by claiming that the three- digit security code on the card must be present for a breach to occur. That is, even though the three-digit code is not necessary to make charges, they will claim that a breach does not require notice unless that code is included in the compromised files. We accordingly recommend that this section be changed to: ``(iii) Financial account number, or a credit card number, or a debit card number in combination with any required security code.'' Section 6 Effect on Other Laws This section specifies that all state laws concerning breaches of security or notification to individuals of breaches of security would be preempted. The preemption language in the Discussion Draft is overly broad; it risks unintentionally preempting many different state laws that address security, but are not the target of this law. Data security needs are too varied to accommodate a nationwide uniform standard. Floor preemption is more appropriate here. In privacy and consumer protection law, federal ceiling preemption is an aberration. Historically, federal privacy laws have not preempted stronger state protections or enforcement efforts. Federal consumer protection and privacy laws, as a general matter, operate as regulatory baselines and do not prevent states from enacting and enforcing stronger state statutes. The Electronic Communications Privacy Act, the Right to Financial Privacy Act, the Cable Communications Privacy Act, the Video Privacy Protection Act, the Employee Polygraph Protection Act, the Telephone Consumer Protection Act, the Driver's Privacy Protection Act, and the Gramm-Leach-Bliley Act all allow states to craft protections that exceed federal law.13 Even the Fair Credit Reporting Act is largely not preemptive.14 --------------------------------------------------------------------------- \13\ Respectively at 18 U.S.C. 2510 et. seq., 12 U.S.C 3401, 47 USC 551(g), 18 USC 2710(f), 29 USC 2009, 47 USC 227(e), 18 U.S.C. 2721, and Pub. L. No. 106-102, 507, 524 (1999). \14\ See 15 USC 1681t. --------------------------------------------------------------------------- Although the federal government has enacted privacy laws, most privacy legislation in the United States is enacted at the state level. Many states have privacy legislation on employment privacy (drug testing, background checks, employment records), Social Security Numbers, video rental data, credit reporting, cable television records, arrest and conviction records, student records, tax records, wiretapping, video surveillance, identity theft, library records, financial records, insurance records, privileges (relationships between individuals that entitle their communications to privacy), and medical records.15 --------------------------------------------------------------------------- \15\ See generally, Robert Ellis Smith, Compilation of State and Federal Privacy Laws (Privacy Journal 2002). --------------------------------------------------------------------------- Finally, the data industry is in a weak position to argue that it cannot comply with state laws. This is an industry that ``segments'' or groups people by characteristics at the zip+4 level. They know where you live now, and where you lived ten years ago. No other industry is better equipped to use technology to comply with state law than the data brokers. Section 7 Effective Date and Sunset This section specifies that the act will take effect a year after enactment, and sunset 10 years from enactment. While Congress and the Commission should continue to revisit data security issues, security requirements and rights in personal information should not automatically sunset. We suggest striking the sunset provision. Section 8 Authorization of Appropriations This section would authorize a yet to be determined amount to the Commission. For reasons explained above, we support greater funding of the Commission. conclusion Mr. Chairman and Members of the Committee, thank you for inviting me to on the Discussion Draft of Data Protection Legislation. The Discussion Draft is a good first step in addressing security risks presented both by ordinary companies and information brokers. We recommend that the Committee move the legislation, with reasonable enhancements, including an option for credit freeze, requirements that security measures include audit trails, and public reporting of security breaches to the Federal Trade Commission. Mr. Stearns. Thank you. Mr. Burton, welcome. STATEMENT OF DANIEL BURTON Mr. Burton. Thank you, Chairman Stearns, Congressman Towns, distinguished members of the committee. My name is Daniel Burton. I am Vice President of Entrust, Inc., which is headquartered in Addison, Texas. And Entrust is proud to secure the digital identities and information of over 1,400 government agencies and enterprises and over 50 countries around the world. Let me start by underscoring two points. First, the data security threat you address today is very real, and your efforts are timely and critically needed. Second, there are effective market solutions readily available that can address most of today's threats and give your constituents greater peace of mind. Over the past few years, while the public's attention has been riveted on homeland security, old-fashioned crime has infiltrated the Internet. The terms we use to describe it: spyware, phishing, identity theft, were relatively unknown only a few years ago. These cybercrimes occur at the crossroads of privacy and security and are prevalent today. This committee's draft bill correctly embodies two critical principles necessary to combat cybercrime. First, it encourages enterprises to implement effective data protection programs to prevent the theft of digital information. Second, it encourages them to alert individuals when their personal information has been compromised. Since I last testified before this committee just 2 short months ago, 17 new data breaches have been made public. They cover a broad cross-section of organization, from a big data services company to a high school. In the aggregate, these notifications indicate that over 44 million identities may have been compromised in just the past 78 days. And these are just the breaches we know about. In response, 18 States, most of which are represented by distinguished members on this committee, have passed breach notification laws. In addition, we have seen private class action lawsuits, State lawsuits, shareholder lawsuits, an FTC enforcement action, and a major corporation assert that it will no longer tolerate lax data security from business partners. The fact is, many entities who hold sensitive personal data simply do not keep it safe, either by choice or because they do not understand how to protect it. If they are left to figure it out on their own without any guidance from Congress, many of them will continue to lose the battle against today's sophisticated cybercriminals, and your constituents will pay the price. Clearly, it is time for Congress to act. This committee's draft bill is an essential step in the right direction, and Entrust is proud to support it. This draft gets a lot of the key elements right. It focuses on electronic data. It covers all persons who hold personal data, and includes special requirements for data brokers. It encourages comprehensive information security policies and procedures. It establishes a national breach notification requirement that preempts State law. It gives regulatory authority to the Federal Trade Commission. It points to a reasonable notification standard. The committee is to be commended for including these elements in the draft bill. Given Entrust's experience, I would recommend three other critically important additions to make sure that this bill accomplishes what you want it to. No. 1, you must actively engage corporate executive management and boards of directors in the effort to secure sensitive digital information. Specifically, the bill should require regular information security risk assessments, audits, and progress reports to CEOs and boards of directors. These measures will assure that American board rooms begin to view information security as a key component of business plans, not just another burdensome technology issue. No. 2, just like the 18 States that have passed breach notification laws, you should create a safe harbor for companies who do the right thing and encrypt their data. All of the State breach notification laws that have been passed so far require consumer notification only in the event of a breach of unencrypted personal information. The reason is that even if thieves get access to encrypted data, they will not be able to make sense of it since it consists of an indecipherable jumble of symbols to anyone looking at it without the proper keys. If the members of this committee are going to preempt their own State laws, I would strongly encourage you to embrace their wisdom on this issue. Third, and finally, in order to create a safe harbor for strong encryption, you must define it. To assure that you define strong encryption without picking winners and losers or locking in a static technology, you should reference NIST's standards. NIST's standards are developed in close consultation with industry and are flexible enough to allow standards bodies to drop older encryption products and certify new ones as the technology evolves. Failure to define encryption in Federal legislation could lead to the emergence of conflicting requirements across the United States. In closing, I want to reaffirm that your draft data security bill makes a strong legislated statement. These additions will help make sure that it fully accomplishes your purposes of protecting sensitive personal information. Thank you. [The prepared statement of Daniel Burton follows:] Prepared Statement of Daniel Burton, Vice President of Government Affairs, Entrust, Inc. Good Morning. Chairman Stearns, Ranking Member Schakowsky and distinguished Members of the Subcommittee, thank you for holding this hearing and giving me the opportunity to provide testimony on this important subject. My name is Daniel Burton, and I am Vice President of Government Affairs for Entrust, Inc. We are headquartered in Addison, Texas and are proud to provide cybersecurity software solutions for over 1,400 government agencies and enterprises in more than 50 countries. In my testimony today, I will discuss data security and this Committee's draft legislation. As a global leader in securing digital identities and information, Entrust has insight into the severity of the risks and the nature of the threats that concern consumers, enterprises and policymakers alike. Our extensive international experience securing governments and enterprises around the globe, along with our policy experience co- chairing two national information security task forces, leads me to underscore two points. First, the threat you attempt to address today is very real and your efforts are timely and critically needed. Second, there are ready and effective market solutions available that can address most of today's threats, secure many of our most vulnerable digital assets and, more importantly, give your constituents a greater peace of mind. Over the past several years, while the public's attention has been riveted on homeland security, old fashioned crime has infiltrated the Internet. The terms we use to describe it--spyware, phishing and identity theft--were relatively unknown only a few years ago. These crimes occur at the cross-roads of privacy and security. Most of them involve gaining unauthorized access to sensitive personal data. Sometimes criminals gain this access through technological means; sometimes they trick users into revealing the data; sometimes they rely on insiders with privileged access; and sometimes they hack into data bases or steal the information outright. No matter how the crime is committed, however, the goal of public policy remains the same-- encouraging enterprises to implement effective data protection programs to prevent theft and to alert individuals when their personal information has been compromised. This Committee's draft bill correctly embodies these two important principles. Since I last testified before this committee two months ago, seventeen new data breaches have been made public. They cover a broad cross-section of organizations--data services companies, banks, corporations, universities, a high school, a community college and a travel agency. In the aggregate, these notifications indicate that over 44,600,000 identities may have been compromised since May of 2005. And these are just the breaches we know about. Many breaches are uncovered deep inside an organization, never brought to the attention of senior management and therefore never made public. Others, as we have learned from some recent announcements, tend to be minimized in initial public statements and only fully disclosed later under scrutiny. As the legal and market penalties for these breaches mount, organizations will be even more careful about what they reveal. In reaction to data breaches, 35 states have introduced data breach legislation, and 18 states have passed breach notification laws. The specifics of these laws vary from state to state, but they all require organizations to notify individuals whose personal information has been compromised. In doing so, they aim not only to protect consumers, but also to encourage organizations to be more diligent in securing personal information. In the absence of Federal legislation, we're sure to see even more states pass data breach notification bills next year. State legislatures are not alone in responding to these breaches. In the past few months, we have seen private class action lawsuits, state lawsuits and shareholder lawsuits against organizations that have suffered breaches. As more and more breaches are made public, more lawsuits are sure to be filed. In addition, Federal regulators have engaged. The FTC recently settled an enforcement action against BJ's Wholesale Club that requires it to implement a comprehensive security program and undergo independent audits. Perhaps most importantly, the recent announcement of VISA that it may no longer do business with CardSystems Solutions, Inc., is a clear market signal that business partners will no longer tolerate lax data security. The public avalanche of data breaches is damaging consumer confidence and could endanger our economy. A January 2005 IDC Survey showed that close to 60% of US consumers are concerned about identity theft. A recent survey that Entrust conducted reaffirmed this concern. It found that 80% of individuals are worried about someone stealing their on-line identity and using it to access their on-line bank accounts. If consumers pull back from online transactions, the promise of e-commerce and the productivity gains of the past decade will be at risk. We should remember that it's no longer just your local bank and credit card company that hold your personal information. Numerous retailers, data brokers, on-line merchants, corporations and other vendors also have ready access to it. Many of these entities do not take adequate measures to keep this information safe, either by choice or simply because they do not understand how to protect it in a world of constantly evolving digital threats. If they are left to figure it out on their own, many of them will continue to lose the battle against today's sophisticated cyber-criminals. In fact, things may get worse before they get better because even when organizations do grasp the need for comprehensive data security, it still takes time to put effective programs in place. This delay is unfortunate because there are ready and effective solutions available to address most of today's threats. Given the substantial risks facing American consumers and the US economy, it is time for Congress to act. In doing so, it should take into account the needs of consumers, corporations and citizens, and embrace the protections embodied in the 18 state breach notification laws. Congress should encourage a program of security management that balances the need to protect personal information and notify consumers in the event of a breach with the need to grow the digital economy and encourage innovative technology solutions. This Committee's draft data security bill is an essential step in the right direction, and Entrust is proud to support it. This draft bill gets a lot of the key elements right: It focuses on electronic data. The bill correctly recognizes that the crux of the problem is the growing theft of computerized data. As you know, the electronic data targeted by cyber criminals contains the personal information that has become such a valuable commodity in today's world. Your draft bill, by resisting the temptation to create an overly expansive approach to data security that includes both paper and electronic records, strikes to very core of what must be protected. It covers all persons who hold personal data and includes special requirements for data brokers. Breach notification should apply to any agency, enterprise or person who owns or licenses computerized data containing the sensitive personal information of others. It should not be limited to data brokers. The goal should be to protect sensitive personal data, no matter who holds it, instead of focusing exclusively on a few specific sectors or industries. It encourages comprehensive information policies and procedures. This is a vital provision that is not yet included in many state breach notification bills. Reasonable security practices encompass a combination of technology, policy and management expertise. Organizations that own or license computerized data containing personal information should be required to develop, implement and maintain reasonable security measures based on widely accepted voluntary industry standards or existing Federal law. It establishes a national breach notification requirement that pre- empts state law. Since 18 states have already passed data breach notification laws and more are sure to do so, it is incumbent on Congress to create a consistent national standard. It gives regulatory authority to the Federal Trade Commission (FTC). Given the reality of widespread cyber crime and the fact that market forces have not resulted in adequate data security programs, it is appropriate for Congress to provide regulatory guidance. The FTC is the proper regulatory agency to undertake this responsibility. It points to a reasonable notification standard. The goal of legislation should be to make the notification standard as narrow yet as effective as possible in order to encourage notice of breaches that carry a significant risk and discourage over-notification. In crafting this trigger, Congress should bear in mind that in most cases it is difficult to determine what happens to the data after it is breached and therefore to calibrate precisely the risk to consumers. The inclusion of these important elements in the Draft Bill is to be commended. Given Entrust's experience, I would encourage this Committee to include three additional changes to the bill in the hope of further improving its efficacy and cost efficiency. These changes will appeal to governments, businesses and other entities that control critical data since they will help provide a meaningful road map to navigate the tricky and technical world of data management. 1. Require the Active Engagement of Executive Management--Whether Congress gives the FTC responsibility for providing regulatory guidance for reasonable security or leaves that responsibility with industry, it is imperative that corporate executive management and boards of directors be actively engaged. American board rooms must begin to view information security as a key component of business plans, not just another burdensome technology issue. Congress must realize that securing digital information is not simply a technical challenge, but one that begins with management embracing its responsibility to protect data in the first place. While it is essential to encourage such technologies as strong authentication and encryption, they cannot substitute for executive attention and corporate policy. In this respect, the draft bill's focus on appropriate policies and procedures is critical. Specifically, the bill should require regular risk assessments, audits, and progress reports to the CEO and Board of Directors. These types of actions will go a long way toward elevating information security in the corporate decision-making process. 2. Create an exemption for Encryption--The Committee's bill should also encourage the use of strong encryption, just as California and other states have done. All of the 18 state breach notification laws that have been passed so far (Arkansas, California, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, North Dakota, Rhode Island, Tennessee, Texas and Washington) require consumer notification only in the event of a breach of unencrypted personal information. The reason for this exemption is that even if thieves get access to encrypted data, they will not be able to make sense of it. Encrypted data consists of an undecipherable jumble of symbols to anyone looking at it without the proper keys. This provision is especially important for laptops and disks that are lost or stolen in transit. I should note that state legislatures included this exemption not because of any lobbying by the high tech industry, but because of the requests of organizations that hold significant amounts of personal data. These organizations view this technology as the final line of protection to ensure that even if criminals get past the gate they cannot access the real content. This provision also helps provide guidance to organizations that want to secure their digital information but are unsure what baseline measures to take. 3. Define Encryption--In order to define encryption without picking winners and losers or locking in a static technology, Congress should reference NIST standards. I would recommend the following definition for encryption, which has been adopted by the Cyber Security Industry Alliance: The protection of data in storage or in transit using an approved encryption algorithm implemented within a validated cryptographic module that has been approved by NIST or another recognized standards body, combined with the appropriate key management mechanism to protect the confidentiality and integrity of associated cryptographic keys in storage or in transit. This definition references standards that are developed in close consultation with industry, and does so in a flexible way that allows standards bodies to drop older encryption products and certify new ones as the technology evolves. It is important to note that it also requires that the cryptographic keys which can unlock this data be managed in an appropriate, secure manner since these keys are just as valuable and sensitive as the data they protect. The flexibility this definition allows is crucial since any definition that cannot accommodate evolving technology cannot help defend against evolving threats. Because this definition is not vendor or product specific, it will allow the market to drive choices about security solutions. Failure to include a definition in Federal legislation could lead to the emergence of conflicting encryption requirements across the United States. This Committee's draft Data Security Bill makes a strong legislative statement. These additional suggestions will better protect data, harmonize the Federal plan with laws that have been adopted by 18 states, and help show organizations how to secure the personal information in their possession. By including language that encourages organizations to consider information security at the highest levels of management, Congress can encourage appropriate data security practices at all levels of an organization. And by including language that encourages the use of encryption and defines it, Congress can create a formidable second line of defense against thieves and hackers. The stage is set for Federal legislation. The menace of cyber crime is undeniable. The cost to consumers and enterprises is enormous. And the multiplicity of state bills highlights the need for a consistent Federal regulatory framework. This draft bill gets a lot of the key elements right and provides an excellent platform for legislation. This Committee should be congratulated for its leadership. Mr. Stearns. Thank you, Mr. Burton. I will start with the questions. Mr. Hoofnagle, I think you read about these security breaches and its great headlines. And I guess of the 60 different breaches, 50 million American consumers have been affected. I think you mentioned that in your testimony. Do you know how many individuals were either victims of identity theft or information that was misused within this huge number? Mr. Hoofnagle. Mr. Chairman, that is a very difficult issue to determine. Mr. Stearns. Yes. Mr. Hoofnagle. In reference to the ChoicePoint breach where reportedly 144,000 records were stolen by a fraud ring, a Nigerian fraud ring in California, 750 of those cases have been associated, in some way, with identity theft. But it is very difficult to track down when or if identity theft occurs. There is also the difficulty that there might be major delay between the data security breach and the actual crime of identity theft since critical identifiers used by credit companies, such as your Social Security number and date of birth, do not change, if it is stolen today, there is really no reason why someone can't victimize you 2 years down the road. Mr. Stearns. You know, I read these in the newspaper, and you know, it is just so alarming. But as you point out, a very small number of that are affected by this identity theft. You testify that security breaches can occur for reasons other than identity theft, and so I mean, do we want to come back with this bill and put this overlay of the Federal Government on these people when we are trying to really pinhole a problem here? Should the bill require notification for risk of these other misuses? Mr. Hoofnagle. I think the Federal banking standards are set at reasonable risk of misuse of personal information, and I think misuse is the right term to use rather than identity theft. For instance, in this New Jersey case where bank officials were selling data to debt collectors, it did not involve---- Mr. Stearns. Identity theft, right. Mr. Hoofnagle. It did not involve identity theft. This was a case where, you know, the security was being breached for profit at these sophisticated financial institutions. It didn't have anything to do with identity theft. It had to do with this other type of privacy violation. And I think that the legislation should encompass that type of security breach. Mr. Stearns. Mr. Hintze, you state in your testimony that legislation should codify into law the FTC implementing regulations under the Gramm-Leach-Bliley. Should the FTC be given the authority to modify these provisions by rule to adapt to changing business and security concerns? Why or why not? Mr. Hintze. Yes, Mr. Chairman. We think that the FTC should have the authority to make rules in this space, however that authority should be guided by Congress in terms of directing the FTC to adopt a flexible standard around information security programs. Mr. Stearns. If the notification obligations are only applied to encrypted data, might that let some potential bad actors off the hook? Why or why not? Mr. Hintze. We don't think so. We think the standard around unencrypted data is a reasonable standard. It is the standard that the States have adopted. There have been questions raised about how you define encryption, and while we wouldn't support a specific mandate in the legislation itself, we could support something like a reference to the NIST standards or some other standard that could evolve over time to ensure that reasonable and strong encryption is used. Mr. Stearns. Mr. Burton, do you have a comment on that? Mr. Burton. Yes, I think that the encryption standard is very important. I think first, as I mentioned in my testimony, 18 States have that unencrypted information in the definition of their laws, and I would note that those include Florida, Texas, and Tennessee. And I think that encryption is perceived often as a complex issue. The way these States have mentioned it, it is not a mandate: it is a voluntary action, which provides a safe harbor. And I think this is especially important for mainstream companies who do not understand the world of cybercrime and protecting digital information, and it gives them a straightforward way to go in, protect their data, and know that they have some sort of safe harbor. And if that is associated with NIST standards, then Congress can rest assured that it is good, solid encryption. Mr. Stearns. So if you were writing the bill, would you mandate that we use the National Institute of Standards and Technology as a guide? Mr. Burton. I would. In my formal testimony to this committee, I included a definition of encryption, which references NIST standards, which has been endorsed, actually, by the Cybersecurity Industry Alliance. Mr. Stearns. Okay. Mr. Burton. And I think I would include that definition in the legislation, yes. Mr. Stearns. Ms. Maier, you suggest changing the definition of security breach, eliminating the need for an FTC rulemaking. But you also state in TRUSTe's guidelines that those guidelines are intended as a first draft and that security policies and procedures need to change and evolve as technologies and businesses do the same. By that logic, wouldn't it make sense to allow the FTC to do this by rule so that the FTC can modify the standard in the future if it is necessary? Ms. Maier. Chairman Stearns, yes, I agree that I think the FTC can find positive and good ways to provide the rulemaking that does provide for the flexibility and the evolution of the rules. So I would agree, yes. Mr. Stearns. Okay. Mr. Towns. Mr. Towns. Thank you very much, Mr. Chairman. Let me begin with you, Ms. Maier. You mentioned in your remarks that TRUSTe works closely with the California Office of Privacy Protection and its ongoing efforts to provide guidance to businesses and consumers on privacy and security issues. First of all, I want you to elaborate a little more on that, but how did these 1,500 companies become affiliated with you? Ms. Maier. Thank you for asking that question. TRUSTe has been around since 1997. Companies who want to show to their consumers as well as to others that they take privacy seriously voluntarily join the TRUSTe program and subject themselves to our standards. And our standards require a very good privacy statement, disclosure about their practices relating to the data that they collect on their website, that they abide by reasonable security standards, and provide provision and choice to consumers regarding the sharing of their information. And so it has been a successful program with 1,500 companies joining in and subjecting themselves to the standards. We developed the security guidelines to help them define what is reasonable security, and that has also been very successful. It makes sense for us to work with the California Office of Privacy Protection, because many times, as you well know, a lot of legislation comes out of the State of California and has very broad impact, and we have enjoyed a good relationship with them serving to help develop some guidelines, not rules, per se, but guidelines for businesses in terms of the practical implementation of these rules. And our experience in California in our relationship with the California Office of Privacy Protection suggests that the California law is working, and it is having a positive impact in two ways: one, in providing consumers with notice of breaches and some redrafts and information in terms of what to do under that notice; and two, providing a market incentive for companies to put into place better security. Mr. Towns. Thank you. Thank you very much. Mr. Hintze, what is your position on broader legislation that it would better inform consumers about who is using their personal information and how? Mr. Hintze. We recognize that as a result of the recent security breaches that have been publicized, there is an increasing concern among consumers that they simply don't understand how their data is collected and used and transferred among different entities, and there is a lack of transparency there. We believe there is an appropriate role for legislation to address those broader issues, and we look forward to working with the committee on developing the right rules around that. Mr. Towns. All right. State Attorney Generals have played an important role over the past few years on data security issues. Does Microsoft believe that State Attorney Generals should be able to enforce the Federal legislation? Mr. Hintze. Yes, we do. Similar to the approach that was taken in the Can Spam Act, we think that State Attorney Generals have an important enforcement role, and we would support an addition to the discussion draft that would make that clear. Mr. Towns. All right. Mr. Hoofnagle, regarding your concerns with our draft, what are your thoughts on the feasibility of general privacy restrictions? How can we work to structure the limit of the sale of information, which is a problem, as you indicated? Mr. Hoofnagle. Representative Towns, thanks for asking that question. It is very difficult to describe data protection in 5 minutes, but the common denominator for data protection are fair information practices. These are rights that limit the collection of information to the minimum necessary to engage in a transaction. They are rights to give you access to your data when they are held by companies, a right to correct your data when it is inaccurate, and a right to have your data deleted after a certain amount of time when it is no longer relevant or needed for business purposes. These rights are present in many nations' laws, but to this date, the United States has not adopted these types of restrictions in the private sector. They do apply to the Federal Government, however, and the Privacy Act itself has many of these fair information practices to stop the government from creating a data center on its citizens. Mr. Towns. All right. Thank you very much. Let me ask you, Mr. Burton. In your testimony, you state that you believe that if data is encrypted, companies should be provided a safe harbor and not be required to disclose when there has been a breach of security. Do you believe this should be the case when the compromise of information was due to an insider who has the key to the encryption? Couldn't an insider provide the key to the same people he or she is selling the data to? Or how should encryption protect against insiders who are accessing and perhaps selling personal information that they shouldn't be selling? Mr. Burton. That is a very good question, Congressman, and one which was alluded to earlier. I think the way that I would use the term encryption, and I think the way that all of the States use this term, is if you have a key, the data is not encrypted. Whether I am an insider or an outsider, if I have the encryption keys, I can, therefore, unlock the data, and then it is clear text. So the encryption safe harbor would only apply to data for which one did not have the keys and therefore it was still encrypted. And I will give you an example. Actually, I think it happened in the State of New York. Time Warner had disks. 600,000 of its employees were compromised. Those disks, had they been encrypted, you know, they were lost in transit. And that would not have had to have been reported, because the data would have been scrambled. Similarly, I think there are something like 50,000 laptops which are left in airports around the country today. It is very easy to encrypt the data on those laptops. It is not expensive. It is not complex technology. If those are encrypted and lost, the person who is going to find those will not have the keys, and therefore the data would be safe. Mr. Towns. Thank you very much. Mr. Stearns. I thank the gentleman. Ms. Blackburn. Ms. Blackburn. Thank you, Mr. Chairman, and thank you to the witnesses. You know, I find it really interesting we are sitting here having this discussion, and a decade ago, there was PGP and the troubles that surrounded that and the designer of that technology and application. And of course, we all know what happened with that. And the government didn't want that application taking place, and now we are sitting here talking about how government wants files encrypted and data protected, and it is for privacy concerns. And so it is an interesting debate and an interesting discussion. I do have several questions. I know I am not going to get through them, and I will not be here when we do a second round, so I am going to submit some questions to you all. Mr. Hoofnagle, I think I am going to begin with you. And let us talk about the misuse to which you spoke, because as we have worked on the identity theft issue and the piracy issue with our constituents, this misuse, as you mentioned, does come up regularly. And have you all noticed any attempts by foreign corporations or businesses or governments to try to buy data on Americans from any data brokers? Mr. Hoofnagle. We at EPIC have extensively used the Freedom of Information Act to determine how companies like ChoicePoint and Axiom and Lexus Nexus, which are where commercial data brokers buy and sell data. We do not have evidence that these entities are selling data to outside the country. I don't think that there would be any law restricting them from doing so, if they chose to. We do know that the companies have data on citizens of other nations, and sometimes the reverse happens. American companies, or American governments, buy data on citizens of other nations. Ms. Blackburn. Okay. Ms. Maier, do you have a comment on that, please? Ms. Maier. We have not been able to identify absolutely that foreign companies have been able to access or sell or misuse American data. That is not to say it hasn't happened. Ms. Blackburn. Okay. Ms. Maier, let me ask you one other thing. I noticed in the security guidelines paper that you submitted to us, you reference a couple of European countries in your footnoting there. Do you all work with any foreign governments? Ms. Maier. No, we do not have direct relationships with any foreign governments. We do sometimes look at some of the data protection trends happening. Ms. Blackburn. Okay. Great. Then let us talk to those trends for a minute. How are European countries handling their data security problems? Is there anything there that you all have noticed that would be a good lesson learned for us? Ms. Maier. My experience with the European data protection standards is that they have a very strict standard in terms of that individuals own their data and have control. And I think to the extent that this proposed legislation and some of the comments that I think EPIC has provided as well as TRUSTe suggest that we continue to provide individuals with access to their information and ability to change, update it, or redact it. That is a really important lesson that I think we can take from the EU experience. I also would say that the EU experience has demonstrated, to some extent, that a lack of enforcement hinders the implementation and the incentive to do some of the right things. And I think that we can do a better job here in the United States by actively enforcing and providing incentives for companies to really live up to a higher standard. Ms. Blackburn. Okay. Thank you. Mr. Burton, one quick question for you. I think it is fair to say that you and some of our witnesses may differ on how this legislation should apply to individuals who may store and use their personal information. And what I would like to ask you is would it or would it not, do you think, be a substantial economic burden to associations and organizations, like churches and private individuals, who have personal information to implement the requirements of the bill? Mr. Burton. I think that is a very good question. And I think in my comments I said that the committee was correct in applying this to all persons who hold sensitive data. Clearly, if you are a small business, if you are a small non-profit, if you do not have, sort of, a lot of administrative ability, then that is something that the committee should take into account. So I think in terms of size of the data set, size of the organization, those may be some limits that you want to consider. And Congresswoman, if I can beg your deference for one moment, I would like to go back to encryption, which is an issue that I am obviously focused on. And Congressman Towns, there is one important point that I just wanted to make in following up your question about the keys to encrypted data. And I would just like to alert the committee that if you think Social Security numbers are important, encryption keys are an extremely important part of personal data, because as you rightly pointed out, if you get those keys, you not only get Social Security numbers, you get whatever data is encrypted. And that is why when I submitted a definition of encryption, we very specifically took into account the need to protect those keys. There are lots of encryption schemes that leave the keys in the clear, they are easy to get, and easy to hack into. And so as this committee thinks through that issue, you should pay careful attention to making sure that those encryption keys are protected. Thank you, Congresswoman. Ms. Blackburn. Thank you. I yield back. Mr. Stearns. The gentlelady yields back. Mr. Gonzalez. Mr. Gonzalez. Thank you very much, Mr. Chairman. And I guess I am going to pose this question to all of the witnesses. You have already touched on it, and I think, Mr. Burton, in response to Congresswoman Blackburn's own question regarding about size and who would it apply to. As currently written, it would apply to each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information. And we do many things here with unintended consequences, but we are going to go ahead and delegate these duties to the FTC and such. And the first question that they are going to have is, you know, who comes under this jurisdiction of this particular law. And while I recognize that there may be problems in its application to everyone and everything, the way I would like this law to end up is something to the effect of, you know, don't collect it if you can't protect it. And that really should be driving this. And still be practical about it. And that is going to be a really hard balance, and I don't know how we are going to pull this thing off. So that is my question to each and every one of you, and I know that some of you may want to expand on earlier remarks. Do we have a problem in just defining who comes under this particular net or who we capture in this particular regulatory net, if each person engaged in interstate commerce that owns or possesses the data? We have made some distinction with information and data brokers, which we understand, and we can identify those people pretty easily. But there is a whole lot else happening out there, and we will get to this solution again. But let us start off with this basic concept on jurisdiction and who comes within it. And we will go with the first witness. Ms. Maier. Thank you very much. We do very much care about the definition of who is under the jurisdiction. As I mentioned in my testimony earlier today, consumers don't care. If your information is breached and it is your sensitive information or your Social Security number, your driver's license, your mother's maiden name, your health records, your financial accounts, it does not matter if it comes from your retailer online or off-line nor does it matter if it comes from, perhaps, the California Department of Motor Vehicles or some other State's motor vehicles or my employer records. So I think it is important that we try to keep the jurisdiction, at least for the notice and the implementation of security guidelines with incentives for security to be as broad as possible. And we recognize some other committees might be looking at their own jurisdiction, for example, or a financial institutions. We applaud those efforts. But to the extent that this committee can apply it broadly and extend it even to government, we think that that would be a very good place. And one reason for that is we think, again, consumers are going to feel violated no matter where it happens. They don't draw the lines as fine as we do. And the second thing is that you really want to provide incentives for everybody to put in proper security. Mr. Hintze. We agree that we think the legislation should apply to all entities that hold personal information. A couple of things that we would point out, though, in the position that we have taken on this that would alleviate some of the concerns that you have raised, we have advocated a similar approach under this legislation as is taken in Gramm-Leach-Bliley. As Ms. Maier said, consumers don't care about whether or not the data was breached by a bank, a retailer, or a small business. If the data is breached, the threat can potentially be as serious regardless of the source. And so we would urge the committee to look at adopting a consistent standard with what is currently imposed upon banks and financial institutions under the GLB. We have also suggested a flexible standard here. And some of the factors that should be considered in determining what the right kind of information security program that a business should adopt include the size and complexity of the business and the sensitivity of the personal information that they collect. And so that gives a great deal of flexibility to reduce the burden on smaller businesses and businesses that don't collect the most sensitive personal information. And if we still think that there is a concern around the burden on small businesses, we have suggested in our written testimony, I believe, that we could support an exception for businesses that handle small amounts of information rather than based on the size of the business itself. We think that a reasonable approach might be something like if a business handles less than 5,000 records over the course of a year that there could be a reasonable exception there or a reduction of the burdens there rather than just basing it on small businesses, because a very small business could hold enormous amounts of very sensitive personal information, and it just doesn't make sense to exempt them. Mr. Hoofnagle. Representative Gonzalez, we think that there needs to be very broad application of data security standards, because in previous laws where there have been limited jurisdiction or limited applicability of privacy laws, data brokers and other companies that sell data organize in such a fashion so that they do not have to comply with those Federal laws. And the standard example is the way ChoicePoint and other data brokers are organized to escape some provisions of the Fair Credit Reporting Act. And so unless there is broad application, we risk creating a new industry that fits into a loophole. Mr. Burton. Yes, Congressman Gonzalez. I think one could successfully run for political office on the slogan, ``Don't collect it if you can't protect it.'' And I think that you are absolutely right, and the Committee is absolutely right, to focus on the data, not who holds it. And what this legislation does, which tries, and I think in large extent, successfully gets at that question, it is not any data. It is sensitive private data commingled with public identifiers. And it is when you put those two data sets together that there is the possibility for harm. In response to the Congresswoman's question earlier, I would doubt that most churches hold Social Security number, but if my church is holding my Social Security number and they get hacked, I would sort of like to know about it. So I think there do have to be some limits, some size of data sets, but I think the basic principle embodied in this legislation to follow the data is the correct one. Mr. Gonzalez. Thank you very much. Mr. Stearns. I thank the gentleman. The gentleman from Nebraska, Mr. Terry. Mr. Terry. You would be surprised what churches have. Most churches now have financial records, because they want you to do direct deposits now, electronic transfers so they don't have to worry about whether you show up on Sunday and put your check in the basket, because it was automatically done on Friday. So we have got to worry about the little neighborhood vitamin store that may have personal information, including health information. So I do agree with the phrase you need to protect the data. So let us talk about that a little bit. And Mr. Burton, you have come here with the theme of encryption, and I believe that that is kind of the last defense. And I have had people show me how easy it is to unencrypt or decrypt, and in fact, at the University of Nebraska in Omaha, they went online for me and showed me all of the different downloads that you can get just online that will unencrypt the basic information. So to me, that is the last line of defense. At least you make it tougher, and it is only the real data-miners that are out there that are going to know where to get that technology. The casual user that finds a laptop in the airport probably isn't going to know which sites to go to to get their de-encryption software. But as I also understand, that is free on the Internet, too. So the issue then becomes the vulnerabilities, and this proposed legislation does talk about redacting. In fact, I think the language in is to mitigate and reduce all of the operating software vulnerabilities, which takes me back to part of a presentation I had by an IT professor to Microsoft that said that there are literally thousands of vulnerabilities in the operating software. So to Microsoft, let us talk a little bit about the vulnerabilities that are inherent in the operating software, not necessarily yours, but you do kind of dominate the market in operating software. As I understand there are inherent vulnerabilities that are absolutely necessary to the operation, and sometimes there aren't. How do we differentiate? Because I think the first line of attack is reducing the number of vulnerabilities that hackers or data-miners can use to penetrate the system. So what is Microsoft doing? What do you recommend to us by way of the proper language where we can realistically close those vulnerabilities but yet still have the vulnerabilities? And then my last question is who has the responsibility for us in the legislation? Who do we place the responsibility on? The Acme Data Corporation who has the responsibility of protecting the data directly, because they are the ones that own the data? Or is it somewhere that the owner or the makers of the operating software? So I will start with you, Mr. Hintze, and anyone else who wants to chime in on that issue. Mr. Hintze. Thank you, Congressman. I would first like to point out that Microsoft does take security very, very seriously. It is our No. 1 priority in software development now. We have invested hundreds of millions of dollars over the last couple of years in retraining our developers, fundamentally changing our development and release processes to make security the No. 1 priority, and those effects are paying off in the latest releases and security patches and updates that we make available free to users online. Having said that, I would also point out that the highly publicized issues of security breaches we have seen recently have not been results of software vulnerabilities. They have been failures of processes, they have been human error and the like. When software is hacked, and it is impossible to make perfect software. It is an enormously complex undertaking. Mr. Terry. Are you worried about the language in the bill that says that the operating software has to mitigate all vulnerabilities? Mr. Hintze. I am not familiar with that language in there. Mr. Terry. Well, I think that is the intention, and I think we need to work through that. Mr. Hintze. Yes, we will definitely work with the committee on those issues. The other point is that when there is a hacker attack, there is an intervening criminal act going on, and I think it is important to keep that in mind. As I said, Microsoft takes this issue very seriously, and we are working very, very hard with our partners, with law enforcement and others and our consumers to help reduce the problem, and we look forward to working with this committee further on that. Mr. Terry. And my last question is who has the responsibility to control the vulnerabilities of the software? Mr. Hintze. As I said, we will continue to work as hard as we can to reduce those vulnerabilities and make the software as safe as it possibly can be. And we think it is a joint responsibility among us, consumers, law enforcement, and Congress in helping to make the consumer safe. Mr. Burton. Yes, Mr. Congressman, if I could just comment briefly on your opening statement about encryption. And first of all, thank you for taking the time to have demonstrations and look seriously at it. If you look at encryption, there are sort of three pieces to it, and this is why we reference NIST. Are you using a strong algorithm? Is it implemented correctly? Are you protecting the keys? If you do those three things, you are left with a brute force attack in trying to decrypt the data, and that takes hundreds of years. You can't download software from the Internet to do that. And I think once you really get strong encryption in place, as you say, it is a second line of defense, and it is very important. Mr. Stearns. Maybe just for clarification, I asked counsel just about what the gentleman from Nebraska was talking about, and I think within the bill, I think what we are talking about is requiring the entity that possesses the consumer data, personal data, to take administrative and technological actions to secure the data, but we are not asking you to restructure the software or restructure things like that. I am going to ask you, and every member is welcome to a second round here. I am going to go to the heart of where we are in this bill and ask--I am sorry, the gentlelady from Wisconsin. Yes. Sorry. Ms. Baldwin. Thank you, Mr. Chairman. Mr. Stearns. I apologize. Ms. Baldwin. I am going to try, if I can, to ask a series of questions and get all of your perspectives, hopefully with very brief answers so that I can get through a couple of questions, some of which you might have already dealt with in your testimony. I am wondering your opinion first on whether there should be State Attorney General enforcement added to the bill. And why don't we just go from my left to right, if you wouldn't mind, Ms. Maier? Ms. Maier. Yes, we would be in support of State Attorney General enforcement. Ms. Baldwin. Okay. Mr. Hintze. We are as well. Mr. Hoofnagle. Yes, the Federal Trade Commission has too much to do. Mr. Burton. Yes, we support that. Ms. Baldwin. Okay. Is there anyone in the panel who thinks that this legislation should be expanded to deal not only with electronic personal records but paper personal records? Ms. Maier. If I could comment, I think that, first of all, we are very happy to see that was expanded to all electronic data, not just data collected online. That is the most vulnerable, or that is the most useful, to a hacker. But we would be supportive of expanding it to paper-based data as well. Mr. Hintze. As we noted in our oral statement, we support that as well. We think whether data was breached in electronic or paper form, the effects can be just as devastating to the affected individual. Mr. Hoofnagle. Yes, we would agree. There are many cases were sensitive personal information has been on paper and then ends up in a dumpster, thus the phrase ``dumpster diving''. In California, there was an attempt to expand the security of the breach notification bill to cover paper, but that quest failed. Ms. Baldwin. Okay. Mr. Burton? Mr. Burton. Yes, we would prefer a focus on electronic data. If you look at the breaches which actually sparked this committee's interest in this issue, they were all electronic, and I think that that really gets at the bulk of the issue, and I think that that is the appropriate focus of the bill. Ms. Baldwin. Okay. What is each of your opinion on whether we should have a provision dealing with audit trails for the inside jobs? Ms. Maier. Our opinion is that as security policies are adopted, audit trails will probably become part of the internal policy. I am not sure if it is required for a broad Federal legislation. With that being said, I think there are some opportunities, through a safe harbor program, to allow for auditing or encourage it. Mr. Hintze. We think that that may not be the appropriate level of detail to get into in the bill itself, but certainly that is something that the FTC could look at in the implementing regulations around the development of an information security program. Mr. Hoofnagle. We support audit trails in part because it was clear in the California hearings concerning ChoicePoint that the company didn't know exactly what information was acquired by the criminals and in fact had to rerun the searches one by one to determine what data were actually obtained. An audit trail requirement would substantially reduce that problem. Mr. Burton. Yes, I think the audit feature that we would be in favor of is broader than that, and that is there needs to be an audit of an organization's information security programs and that that is really the most important, because that gets at prevention. And not only does there need to be an audit, that audit needs to be communicated to senior management and the board of directors, because ultimately that then changes the culture, which is responsible for better information security. Ms. Baldwin. Okay. What is your position on a provision in the bill that would focus on transparency, some sort requiring security breaches to be reported to the FTC and perhaps put on a public website or some additional transparency about these breaches? Ms. Maier. Our opinion is that, first of all, the consumers need to know who are affected, and that should be the No. 1 focus. However, I think that to the extent that any sort of notice, be it public-owned websites at the FTC, in sense companies have better security practices, then we are supportive. Mr. Hintze. We think that directly notifying consumers is clearly the best way to get the message to the people that need to know it the most. In terms of public posting through a website or through the press, that should be a provision that is in the alternative notice when direct notice is either feasible or impossible. Having said that, we would not oppose any provision that would require cases where notices are required to be reported to the FTC. Mr. Hoofnagle. Especially if companies are given discretion of whether or not to mail the consumers a notice, we think it is very important that the Federal Trade Commission be aware of all of the security breaches. It is a weakness in the California law that only those who are affected get notice, but the corresponding strength of that law is that all breaches have to be disclosed. So especially if there is going to be a discretion standard, and by the way I think there should be some level of discretion. There should be a check on that discretion by public reporting to the Federal Trade Commission. Mr. Burton. Consumers should clearly be notified of breaches. Sunshine is the best disinfectant, therefore public notices of breaches are also very important. Ms. Baldwin. Thank you. I see I have run out of time, so I yield back. Mr. Stearns. I thank the gentlelady for asking those questions. I would like to follow up a little bit on what she talked about. This idea of a State Attorney General enforcement of the Federal statute. This is an area that has probably has the most controversial aspect of our bill. Mr. Burton, your testimony states that Entrust agrees with the preemption provisions of the bill, but some have said that a Federal standard should create a statutory floor and not a ceiling, allowing States to go further, if they so desire. I guess please explain why Entrust believes that a more comprehensive preemption is appropriate. Mr. Burton. Well, the concern of much of the private sector is that you now have 18 different State breach notification bills that is multiplicity of standards, reporting mechanisms, penalties, and so what industry is looking to this committee for and the Congress for is sort of a baseline, and I think that is the reason that you will get so much support for your legislation and for preemption. I think given the active interest of States in this bill, you have to allow, and you should allow State Attorney Generals to enforce---- Mr. Stearns. The Federal statutes. Mr. Burton. Yes, the Federal statutes. Mr. Stearns. And State courts? Mr. Burton. Let us see. I am not a lawyer, and so I would have to take that under advisement and get back to you. Mr. Stearns. Well, I am going to ask each of you just to make a shot at it, because what the gentlelady from Wisconsin talked about, we had in the spam, but we did not have it in spyware, and we have taken, in this bill, the same language that was adopted in the spyware dealing with the preemption. And, in our opinion, this preemption is important, but we certainly think there are areas that it could be changed. And maybe I will just go to Mr. Hoofnagle. You might comment on this, too, about the preemption provisions in our bill. Mr. Hoofnagle. We think the preemption provisions should be a floor so that States can innovate new solutions, too. Mr. Stearns. So, for example, if California has a higher standard, there would be an exemption for California? Mr. Hoofnagle. No, more broadly, we think, that States should be able to pass new laws when new problems arise. We are here today---- Mr. Stearns. So we establish the floor of the bill, and then above that, the States. But then wouldn't you be back to having 50 States with 50 different---- Mr. Hoofnagle. In most privacy legislation, it preempts at the floor level. Mr. Stearns. Okay. Mr. Hoofnagle. And it has not created a 50-State set of laws, when Congress does a good job and passes a good law. The States tend not to try to pass conflicting responsibilities. Mr. Stearns. Okay. Mr. Hintze? Mr. Hintze. Yes. Mr. Stearns. Yes, what is your opinion about what the preemption in the bill is and do you support it? Mr. Hintze. We do support it. We also would support an addition that would permit State Attorney General enforcement in Federal court, much like is done in the spam---- Mr. Stearns. Okay. So you support what is in the spam language---- Mr. Hintze. Yes. Mr. Stearns. [continuing] more so than what is in the spyware? Mr. Hintze. In this case, we think that State Attorney General enforcement at Federal courts is appropriate. Mr. Stearns. Okay. Ms. Maier? Ms. Maier. We are in basic agreement with that as well. Coming from California, we certainly would like to see this law at least meet the standard that California has set. Mr. Stearns. Okay. Well, let me ask one last question. The definition of ``information broker'' that has been touched on a little bit by the gentleman from Nebraska. And Mr. Hoofnagle, is the definition of information broker in the draft legislation appropriate, in your opinion, and does it sweep in entities that are not information brokers, and does it cover all information brokers? That is another area that---- Mr. Hoofnagle. Information brokers are very difficult to define. We have worked---- Mr. Stearns. Yes, but you have all of the affiliates of American Express. I mean, how much should this bill apply to all of those? Mr. Hoofnagle. In some cases, information is traded in such a way that is consistent with the consumer's expectation. So, for instance, a check-cashing clearinghouse you wouldn't want to consider an information broker. They are affecting a transaction that you requested. Generally, information brokers are companies that obtain personal information, often from public records, but also from private sources, and they sell it to third parties, who are not affiliates. And I think if you craft a definition that applies to companies that are generally selling personal information to third parties and that are not initiated by the consumer, for purposes not initiated by the consumer, I think you limit the field substantially. But you are right. It is a very difficult thing to do, because there are many companies out there that are selling sensitive personal information without telling anyone and without the individual's consent. Mr. Stearns. I think we are going to complete our hearing today. I want to thank all four witnesses for their time. And I think it has been very educational and helpful to myself and our staff on both sides. And with that, the committee is adjourned. Ms. Maier. Thank you. Mr. Hoofnagle. Thank you. [Whereupon, at 11:32 a.m., the subcommittee was adjourned.] [Additional material submitted for the record follows:] Retail Industry Leaders Association Arlington, VA July 28, 2005 The Honorable Cliff Stearns Chairman Subcommittee on Commerce, Trade, and Consumer Protection Committee on Energy and Commerce 2123 Rayburn House Office Building U.S. House of Representatives Washington, D.C. 20515 RE: Statement for the Hearing Record on ``Data Security: The Discussion Draft of Data Protection Legislation.'' Dear Chairman Stearns: On behalf of the Retail Industry Leaders Association (RILA), I am submitting this letter for the record of the subcommittee's hearing entitled ``Data Security: The Discussion Draft of Data Protection Legislation.'' We appreciate the opportunity to submit these comments. The Retail Industry Leaders Association (RILA) is an alliance of the world's most successful and innovative retailer and supplier companies--the leaders of the retail industry. RILA members represent almost $1.4 trillion in sales annually and operate more than 100,000 stores, manufacturing facilities and distribution centers nationwide. Its member retailers and suppliers have facilities in all 50 states, as well as internationally, and employ millions of workers domestically and worldwide. Through RILA, leaders in the critical disciplines of the retail industry work together to improve their businesses and the industry as a whole. Retailers and their product and service suppliers value their relationship with their customers above all else. Consumers vote with their feet every day by purchasing goods and services from retailers and suppliers that they know and trust to provide the quality, prices and services that they expect. RILA members are committed to maintaining the security and confidentiality of consumer information. RILA supports a uniform federal standard should sensitive customer information be breached and there is a reasonable belief or actual knowledge that harm has been caused by a result of the breach. As the Judiciary Committee considers data security legislation RILA asks that the committee consider the following core principles: Preemption: RILA members are committed to policies and practices that safeguard personal data and records and are in full compliance with the current California data breech notification statute. However, other states and jurisdictions have also enacted or are considering similar laws. While these proposals similar, they are rarely consistent, making the potential for a conflicting and confusing regulatory and legal framework all too real. Complying with various and inconsistent state laws could, in fact, slow down the notification process, create unnecessarily complex internal systems, and add cost to the bottom line. Therefore, RILA supports a strong federal preemption that would create a uniform standard ``trigger'' for notification and for the type of notification that must occur. Trigger: RILA members believe that notification should only be ``triggered'' when it is determined that there is, or there is a reasonable belief that there is, a significant risk of harm to consumers. We would note that this is a similar standard supported by the Federal Trade Commission in testimony it has presented before Congress this year. RILA members have legitimate concerns about over notification and believe that clearly defining an appropriate trigger is fundamental to achieving meaningful consumer notice. Covered Data: Proposals should be limited to unencrypted computerized information. Notification: RILA members support a uniform notification standard through direct mail or email and are opposed to redundant and costly notification requirements that would do little to increase awareness. RILA also supports a substitute notification delivery method--email, website, local media, etc.--if notification costs would exceed $250,000 or the breach affects more than 500,000 consumers. Private Right of Action: RILA supports data security legislation that would prohibit individual private rights of action. Credit Freeze: RILA has concerns regarding the impact of so-called credit freeze proposals that would allow consumers to place a freeze on their credit report. While proposals of this nature have the biggest impact on the credit agencies, retailers, particularly those who provide instant credit, are concerned about the spill over effects of credit freeze requirements. When a customer freezes their credit file they are likely to forget to ``unfreeze'' their file before they apply for instant credit creating consumer frustration and confusion when instant credit cannot be issued. In addition, retailers are concerned that additional credit agency requirements could drive up the cost of credit reports. While the industry has concerns with credit freeze requirements, if provisions are adopted, there should be a uniform national standard. With regard to the draft document that the committee is considering at today's hearing, we have prepared the attached comments, which we have previously provided to the subcommittee staff. If you have any questions about this matter, please don't hesitate to contact me or my colleague Lori Denham, Senior Vice President, Policy and Planning. Sincerely, Paul T. Kelly Senior Vice President, Federal and State Government Affairs Attachment Retail Industry Leaders Association General Comments on Barton/Stearns Discussion Draft ``Data Security & Security Breach Notification'' july 28, 2005 Security Requirements for Data Section 2 Rules promulgated by the FTC may require specific policies and procedures that may or may not be appropriate for the protection of the personal information maintained by companies. While we support the idea that companies should have policies and procedures in place to protect personal information, we believe individual companies are in the best position to determine what form those policies and procedures should take. RILA supports an exemption for data that is encrypted. Nationwide Notification for Material Security Breaches Section 3 Breach of Security. We agree with the concept of risk assessment in determining whether a notice of breach to consumers is necessary. Inundating consumers with notices regarding a breach of information when there is no evidence that the breach has, or will, result in identity theft is counter-productive. There is a real danger that over notification will result in consumers becoming numb to the notices and they will, therefore, fail to take necessary steps to protect their information. Timeliness of Notification. Many of the state laws regarding security breach notification have included a provision that would allow for the delay of notification to consumers in cases where law enforcement requests a delay so they can complete an investigation. Method of Notification. Notification by mail and email and web site could prove burdensome. We would support a notification scheme whereby individuals could be notified by mail or email and by the posting of a notice on the company's web site. It is not necessary to notify consumers by both mail and email. Companies should be able to choose the method that is most practical and efficient depending on the circumstances. Providing notice on the company's web site would then be an appropriate and practical addition to the mail or email notification. If a company chose to send notice by email, it should be allowed to do so without having prior ``consent'' from the consumer to receive such messages. This would be an operational (not a commercial) email message and one that consumers would want and need to receive regardless of whether they had previously provided consent. Definitions Section 5 ``Personal Information''. The definition of personal information is consistent with the definitions established in California's (and other state's) security breach notification laws. If this definition is acceptable, why would the Commission be allowed to modify it in the rulemaking? Effect on Other Laws Section 6 The preemption language is limited to ``. . . breaches of security of data in electronic form.'' State laws have contemplated breaches in forms other than electronic. The preemption should be complete so that companies can implement one security breach notification process. Companies should not be put in a position whereby they have to follow specific state laws for information that is maintained in forms other than electronic. Banks, credit unions, thrifts and common carriers are exempt from coverage because they do not fall under the jurisdiction of the FTC. However, these entities would need/want to take advantage of the preemption provision. If these entities are not included in the preemption provision they will be subject to federal regulatory guidance and the myriad state laws that address security of information and notification in the event a security breach occurs. Effective Date and Sunset Section 7 What is the reason for attaching a sunset provision to this legislation? For more information, contact Lori Denham, Senior Vice President, Policy and Planning (703) 600-2012 or [email protected] or Paul T. Kelly, Senior Vice President, Federal and State Government Affairs (703) 600-2014 or [email protected].