[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]


   DATA SECURITY: THE DISCUSSION DRAFT OF DATA PROTECTION LEGISLATION

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                COMMERCE, TRADE, AND CONSUMER PROTECTION

                                 of the

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 28, 2005

                               __________

                           Serial No. 109-48

                               __________

      Printed for the use of the Committee on Energy and Commerce


 Available via the World Wide Web: http://www.access.gpo.gov/congress/house

                               __________


                 U.S. GOVERNMENT PRINTING OFFICE

22-989PDF              WASHINGTON : 2005
_________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government 
Printing  Office Internet: bookstore.gpo.gov  Phone: toll free 
(866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250 Mail:
Stop SSOP, Washington, DC 20402-0001


                    ------------------------------  

                    COMMITTEE ON ENERGY AND COMMERCE

                      JOE BARTON, Texas, Chairman

RALPH M. HALL, Texas                 JOHN D. DINGELL, Michigan
MICHAEL BILIRAKIS, Florida             Ranking Member
  Vice Chairman                      HENRY A. WAXMAN, California
FRED UPTON, Michigan                 EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida               RICK BOUCHER, Virginia
PAUL E. GILLMOR, Ohio                EDOLPHUS TOWNS, New York
NATHAN DEAL, Georgia                 FRANK PALLONE, Jr., New Jersey
ED WHITFIELD, Kentucky               SHERROD BROWN, Ohio
CHARLIE NORWOOD, Georgia             BART GORDON, Tennessee
BARBARA CUBIN, Wyoming               BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois               ANNA G. ESHOO, California
HEATHER WILSON, New Mexico           BART STUPAK, Michigan
JOHN B. SHADEGG, Arizona             ELIOT L. ENGEL, New York
CHARLES W. ``CHIP'' PICKERING,       ALBERT R. WYNN, Maryland
Mississippi, Vice Chairman           GENE GREEN, Texas
VITO FOSSELLA, New York              TED STRICKLAND, Ohio
ROY BLUNT, Missouri                  DIANA DeGETTE, Colorado
STEVE BUYER, Indiana                 LOIS CAPPS, California
GEORGE RADANOVICH, California        MIKE DOYLE, Pennsylvania
CHARLES F. BASS, New Hampshire       TOM ALLEN, Maine
JOSEPH R. PITTS, Pennsylvania        JIM DAVIS, Florida
MARY BONO, California                JAN SCHAKOWSKY, Illinois
GREG WALDEN, Oregon                  HILDA L. SOLIS, California
LEE TERRY, Nebraska                  CHARLES A. GONZALEZ, Texas
MIKE FERGUSON, New Jersey            JAY INSLEE, Washington
MIKE ROGERS, Michigan                TAMMY BALDWIN, Wisconsin
C.L. ``BUTCH'' OTTER, Idaho          MIKE ROSS, Arkansas
SUE MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee

                      Bud Albright, Staff Director
        David Cavicke, Deputy Staff Director and General Counsel
      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

        Subcommittee on Commerce, Trade, and Consumer Protection

                    CLIFF STEARNS, Florida, Chairman

FRED UPTON, Michigan                 JAN SCHAKOWSKY, Illinois
NATHAN DEAL, Georgia                   Ranking Member
BARBARA CUBIN, Wyoming               MIKE ROSS, Arkansas
GEORGE RADANOVICH, California        EDWARD J. MARKEY, Massachusetts
CHARLES F. BASS, New Hampshire       EDOLPHUS TOWNS, New York
JOSEPH R. PITTS, Pennsylvania        SHERROD BROWN, Ohio
MARY BONO, California                BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  GENE GREEN, Texas
MIKE FERGUSON, New Jersey            TED STRICKLAND, Ohio
MIKE ROGERS, Michigan                DIANA DeGETTE, Colorado
C.L. ``BUTCH'' OTTER, Idaho          JIM DAVIS, Florida
SUE MYRICK, North Carolina           CHARLES A. GONZALEZ, Texas
TIM MURPHY, Pennsylvania             TAMMY BALDWIN, Wisconsin
MARSHA BLACKBURN, Tennessee          JOHN D. DINGELL, Michigan,
JOE BARTON, Texas,                     (Ex Officio)
  (Ex Officio)

                                  (ii)


                            C O N T E N T S

                               __________
                                                                   Page

Testimony of:
    Burton, Daniel, Vice President of Government Affairs, 
      Entrust, Inc...............................................    35
    Hintze, Michael, Senior Attorney, Microsoft Corporation......    19
    Hoofnagle, Chris, Senior Counsel and Director, Electronic 
      Privacy Information Center, West Coast Office..............    27
    Maier, Fran, Executive Director and President, TRUSTe........    13
Additional material submitted for the record:
    Retail Industry Leaders Association, statement for the record    53

                                  (iii)


   DATA SECURITY: THE DISCUSSION DRAFT OF DATA PROTECTION LEGISLATION

                              ----------                              


                        THURSDAY, JULY 28, 2005

              House of Representatives,    
              Committee on Energy and Commerce,    
                       Subcommittee on Commerce, Trade,    
                                   and Consumer Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:07 a.m., in 
room 2123, Rayburn House Office Building, Hon. Cliff Stearns 
(chairman) presiding.
    Members present: Representatives Stearns, Pitts, Terry, 
Blackburn, Barton (ex officio), Towns, Green, Gonzalez, and 
Baldwin.
    Staff present: David Cavicke, general counsel; Chris Leahy, 
policy coordinator; Shannon Jacquot, counsel; Will Carty, 
professional staff; Billy Harvard, clerk; Chad Grant, clerk; 
Kevin Schweers, communications director; Terry Lane, deputy 
communications director; Consuela Washington, senior minority 
counsel; Jessica McNiece, minority research assistant; and 
Edith Holleman, minority counsel.
    Mr. Stearns. Good morning. I would like to thank, first of 
all, the witnesses for coming before us today to offer 
their comments and suggestions and for helping us to craft a better 
bill, a workable data protection bill that will greatly 
improve the protection and security for all consumers and their 
data.
    Data security breaches are an alarming trend that seems to 
be increasing hand in hand with the cases of identity theft and 
financial fraud in the United States. Identity theft and 
financial fraud represent the fastest growing criminal 
enterprise in the United States. As we learned from the Federal 
Trade Commission in several previous hearings, a recent survey 
showed that almost 10 million people in the United States 
discovered that they were involved in some sort of identity 
theft. That figure translates into almost $50 billion in losses 
for businesses and of course $5 billion for consumers.
    Consumer data breaches and related identity theft crimes 
threaten not only the financial and personal security of every 
consumer in the United States, but also have the potential to 
disrupt and impede commercial activity in every sector of our 
economy.
    Now, not surprisingly, there are now indications that 
consumer confidence in Internet-based and electronic 
transactions is starting to wane as reports mount about 
breaches potentially affecting millions of Americans.
    Regardless of statistics and trends, I would bet that a 
significant percentage of us in the committee room today have 
been touched personally by this problem. I also believe that we 
cannot rely solely on law enforcement and existing law for 
protection against breaches and related criminal activity in 
this area.
    The Congress, and this committee in particular, is charged 
with the responsibility to ensure that the entities possessing 
and dealing in sensitive consumer data keep the doors locked 
and the alarm on. We intend to live up to that responsibility. 
The health of our modern network system of commerce demands 
this and all consumers deserve this.
    Data, especially personal data, is the currency of the 
digital world. Given the sheer scope and interconnectivity of 
our fast-moving commercial environment, one simple mistake or 
oversight can leave all of us vulnerable to the lone criminal 
with the ability to victimize millions in an instant. 
Unfortunately, the crooks have discovered a lucrative new 
enterprise exploiting such vulnerabilities. And it is up to us 
to shut them down before they destroy the integrity of the 
data-driven commercial system that so many of us rely on.
    I believe consumers, businesses, and other important 
stakeholders must be empowered with adequate information to 
assess data security risk and provide sufficient incentives to 
encourage the most appropriate means, technical or otherwise, 
to enhance data security.
    My colleagues, at the most basic level, our bill would 
create a uniform national data breach notification regime based 
on risk of potential harm from identity theft. The bill also 
incorporates a number of provisions related to my earlier 
privacy bill that are intended to provide security guidelines 
for entities that keep personal data. I believe that once these 
practices are embraced, renewed consumer confidence in e-
commerce and its multitude of applications will lead to even 
better data security in the marketplace. We need to promote the 
notion that security sells.
    Specifically, our bill contains three major elements. The 
first major element of the bill directs the Federal Trade 
Commission to develop rules for data security, including 
requirements that entities in possession of personal data have 
a security policy, have someone designated as responsible for 
that policy, and have a process for taking preventive and 
corrective action to ensure that policy is as robust as 
required.
    Two, the second main element of the bill relates to the 
special case of information brokers, which are defined in the 
draft as ``companies whose primary business is to compile and 
sell consumer data to third parties''. The bill requires these 
entities to submit their security policy to the Federal Trade 
Commission for audit and approval on an annual basis. In 
addition, any information broker is required to provide those 
who ask a free report of what information the entity holds on 
that individual.
    And last, the last element establishes a national uniform 
standard for consumer notification when there is a security 
breach. A security breach is defined using a risk-based 
standard that relates to the probability that the security 
breach results in a reasonable basis to conclude that identity 
theft may occur. The bill requires timely notification, both 
electronic and through the mail, of consumers affected.
    There are also a number of provisions relating to 
substitute notices in cases where this requirement would be 
unduly burdensome to a business given its financial conditions.
    I look forward to the comments on our draft bill and would 
like to emphasize that the committee intends to develop this 
legislation through a bipartisan and open process that allows 
for constructive debate and discussion. We will solicit at 
least one or more rounds of comments and work hard to continue 
to refine the bill to best achieve effectiveness with this 
balance.
    So I look forward to our testimony by our witnesses today 
and working together with them on this important piece of 
legislation.
    [The prepared statement of Hon. Clifford Stearns follows:]
Prepared Statement of Hon. Clifford Stearns, Chairman, Subcommittee on 
                Commerce, Trade, and Consumer Protection
    Good morning. I first would like to thank the witnesses before us 
today as well as all who have offered comments and suggestions 
assisting our important work in crafting a robust and workable data 
protection bill that will improve greatly the protection and security 
of consumer data.
    Data security breaches are an alarming trend that seems to be 
increasing hand-in-hand with the cases of identity theft and financial 
fraud in the United States. Identity theft and financial fraud 
represent the fastest growing criminal enterprise in America. As we 
learned from the Federal Trade Commission in several previous hearings, 
a recent survey showed that almost 10 million people in the United 
States discovered that they are involved in some sort of identity 
theft. That figure translates into almost $50 billion in losses for 
business and $5 billion for consumers. Consumer data breaches and 
related identity theft crimes threaten not only the financial and 
personal security of every consumer in America but also have the 
potential to disrupt and impede commercial activity in every sector of 
the U.S. economy. Not surprisingly, there are now indications that 
consumer confidence in Internet-based and other electronic transactions 
is starting to wane as reports mount about breaches potentially 
affecting millions.
    Regardless of statistics and trends, I'd bet that a significant 
percentage of us in the committee room today have been touched 
personally by this menace. I also believe that we cannot rely solely on 
law enforcement and existing law for protection against breaches and 
related criminal activity in this area. The Congress and this great 
Committee, in particular, are charged with the responsibility to ensure 
that the entities possessing and dealing in sensitive consumer data 
keep the doors locked and the alarm on. We intend to live up to that 
responsibility. The health of our modern networked system of commerce 
demands this, and all consumers deserve this. Data, especially personal 
data, is the currency of the digital world. Given the sheer scope and 
interconnectivity of our fast-moving commercial environment, one simple 
mistake or oversight can leave all of us vulnerable to the lone 
criminal with the ability to victimize millions in an instant. 
Unfortunately, the crooks have discovered a lucrative new enterprise 
exploiting such vulnerabilities, and it's up to us to shut them down 
before they destroy the integrity of the data-driven commercial system 
that so many rely on.
    I believe consumers, business, and other important stakeholders 
must be empowered with adequate information to assess data security 
risk and provided sufficient incentive to encourage the most 
appropriate means, technical or otherwise, to enhance data security. At 
the most basic level, our bill will create a uniform, national data 
breach notification regime based on risk of potential harm from 
identity theft. The bill also incorporates a number of provisions 
related to my earlier privacy bill that are intended to provide 
security guidelines for entities that keep personal data. I believe 
that once these practices are embraced, renewed consumer confidence in 
e-commerce and its multitude of applications will lead to even better 
data security in the marketplace. We need to promote the notion that 
SECURITY SELLS.
    Specifically, our bill contains three major elements:

 The first major element of the draft bill directs the Federal Trade 
        Commission to develop rules for data security, including 
        requirements that entities in possession of personal data have 
        a security policy, have someone designated as responsible for 
        that policy, and have a process for taking preventive and 
        corrective action to ensure that policy is as robust as needed.
 The second main element of the bill relates to the special case of 
        ``information brokers'', which are defined in the draft as 
        companies whose primary business is to compile and sell 
        consumer data to third parties. The bill requires these 
        entities to submit their security policy to the Federal Trade 
        Commission for audit and approval on an annual basis. In 
        addition, any information broker is required to provide those 
        who ask a free report on what information the entity holds on 
        that individual.
 The last element establishes a national, uniform standard for 
        consumer notification when there is a security breach. A 
        security breach is defined using a risk-based standard that 
        relates to the probability that the security breach results in 
        ``a reasonable basis to conclude'' that identity theft may 
        occur. The bill requires timely notification, both electronic 
        and through the mail, of consumers affected. There also are a 
        number of provisions relating to substitute notice in cases 
        where this requirement may be unduly burdensome to a business 
        given its financial condition.
    I look forward to the comments on our draft bill and would like to 
emphasize that the Committee intends to develop the legislation through 
a bipartisan and open process that allows for constructive debate and 
discussion. We will solicit at least one more round of comments and 
will work hard to continue to refine the bill to best achieve 
effectiveness with balance. I look forward to the testimony of our 
witnesses and to working together on this very important piece of 
legislation. Thank you.

    Mr. Stearns. And with that, the distinguished member from 
New York, Ranking Member Towns.
    Thank you.
    Mr. Towns. Thank you very much, Mr. Chairman.
    Let me begin by first thanking you for holding this 
hearing. And I would like to ask to place the 43 stakeholders' 
comments in the record.
    Mr. Stearns. By unanimous consent, so ordered.
    [The list of industry comments follows:]
            Data Security Discussion Draft--Industry Comments
1. American Bankers Association; 2. Business Software Alliance; 3. 
Center for Democracy and Technology; 4. Consumers Union; 5. Cyber 
Security Industry Alliance; 6. Direct Marketing Association; 7. Dun & 
Bradstreet; 8. eBay Inc.; 9. Electronic Privacy Information Center; 10. 
Entrust Inc.; 11. Experian; 12. Federal Reserve Board; 13. Federal 
Trade Commission; 14. Financial Services Roundtable; 15. First Data 
Corporation; 16. GC Services Limited Partnership; 17. ID Analytics; 
18. IdTheftAwareness--``The Real Danny Lents''; 19. Internet Commerce 
Coalition; 20. Internet Security Alliance; 21. Intersections Inc.; 22. 
MIB Group, Inc.; 23. Microsoft Corporation; 24. National Association 
for Information Destruction, Inc.; 25. National Automobile Dealers 
Association; 26. National Business Coalition; 27. National Council of 
Investigation & Security Services, Inc.; 28. Peter Kiewit Institute; 29. 
The Progress & Freedom Foundation; 30. Reed Elsevier Inc.; 31. Retail 
Industry Leaders Association; 32. Software & Information Industry 
Association; 33. Prof. Daniel J. Solove/George Washington Univ. Law 
School; 34. TALX; 35. Time Warner Inc.; 36. TRUSTe; 37. US Oncology, 
Inc.; 38. U.S. PIRG; 39. Viacom; 40. VISA U.S.A.; 41. Vontu Inc.; 42. 
Wexler & Walker PPA; and 43. Yahoo! Inc.

    Mr. Towns. Since we last met, the privacy of our 
constituencies has been compromised further, and their worries 
have increased tenfold. I was encouraged by the feedback that 
we received at our previous hearings. But there is much more 
work that needs to be done.
    The discussion draft that was recently circulated includes 
important requirements relating to information security 
programs and security breach notices, but recent security 
breaches have revealed that consumers also care about the lack 
of transparency as to how companies are using and to whom they 
are disclosing their personal information.
    I was pleased to see that the draft includes a trigger for 
notification purposes. Chairman Stearns and Ranking Member 
Schakowsky and the rest of my colleagues would agree that this 
issue has haunted us for too long. It seems as though a new 
data security breach happens bimonthly, resulting in destroyed 
bank accounts and financial headaches.
    As we begin to depend on technology more than ever, we must 
put our citizens' privacy at the top of our priority list. I 
hope the FTC is ready to help to stem the tide of identity 
theft and end the financial destruction that has plagued our 
constituents and web users worldwide.
    I look forward, Mr. Chairman, to working with you and the 
members of this committee to stem this very serious problem, 
because the more I travel back and forth into my District on 
the plane and wherever, you hear these horrible stories. I 
think the time has come to put an end to it.
    On that note, I yield back.
    [The prepared statement of Hon. Edolphus Towns follows:]
Prepared Statement of Hon. Ed Towns, a Representative in Congress from 
                         the State of New York
    Thank you, Mr. Chairman, for holding this important hearing. Since we 
last met, the privacy of our constituents has been compromised further 
and their worries have increased ten-fold. I was encouraged by the 
feedback that we received in our previous hearings, but there is much 
more work to be done.
    The Discussion Draft that was recently circulated includes 
important requirements relating to information security programs and 
security breach notices. But recent security breaches have revealed 
that consumers also care about the lack of transparency as to how 
companies are using and to whom they are disclosing their personal 
information in the first place. I was pleased to see that the draft 
includes a ``trigger'' for notification purposes. No one likes to be 
inundated with dozens and dozens of risk-related notices, and I agree 
that warnings should only be sent when there are severe breaches 
capable of significant consumer burden.
    I think that Chairman Stearns, Ranking Member Schakowsky and the 
rest of my colleagues would agree that this issue has haunted us for 
too long. It seems as though a new data security breach happens 
bi-monthly, resulting in destroyed bank accounts and financial headaches.
    As we begin to depend on technology more than ever before, we must 
put our citizens' privacy at the top of the priority list. In July 
18th's Wall Street Journal, Bill Hancock, Chief Security Officer of 
Savvis, Inc., a major internet service provider, is quoted as saying, 
``What people can do on computer networks and what they can find has 
increased ten-fold from a few years ago.'' He went on to state that 
``Evil intent is easier than ever.''
    I hope the FTC is ready to help to stem the tide of identity theft 
and end the financial destruction that has plagued our constituents and 
web users worldwide. I look forward to monitoring the positive 
developments that are sure to stem from our committee draft.
    Thank you.

    Mr. Stearns. I thank my colleague.
    The gentleman, Mr. Pitts, is recognized.
    [No response.]
    Mr. Stearns. The gentleman waives.
    Mr. Gonzalez.
    Mr. Gonzalez. Thank you very much, Mr. Chairman.
    Again, I commend your continuous efforts. You have been on 
this issue for some time, and I appreciate you calling this 
particular hearing. I will be brief, but I will also request 
that my written statement be submitted in its entirety by 
unanimous consent.
    Mr. Stearns. With the record's consent, so ordered.
    Mr. Gonzalez. I guess what we are trying to find out today, 
and I appreciate the presence of the witnesses. Many times I 
feel that you all come here and give us the benefit of your 
knowledge and experience, and then you feel that maybe we are 
not listening, but the truth is, we have a record, we have your 
statements, and we do make reference to them as we proceed with 
this piece of legislation.
    My only observation is that we deal with this in a 
realistic framework and that is what is happening out there, 
what is it possible that you bring to this. We need your 
suggestions and recommendations. And that our policies will 
affect the abilities that technology gives us today, we can't go 
out there and impose on what is going on out there in commerce 
and such, conditions that could never be met, technologically 
or otherwise. But I think that there can be certain compromises 
that still address the chief concerns as expressed by my 
constituents when we have town hall meetings.
    The greatest attendance that I have had in any town hall 
meeting, I guess second to Social Security, has been ID theft. 
It is out there. It is tremendous. And working together, 
hopefully we will come up again with a feasible, viable answer. 
The problem with technology, and I have said this before about 
technology, I guess it is the old proverbial key that opens the 
gates to paradise, but it is the same key that can open the 
gates to hell. And so somehow, we avoid that and do the best 
that we can.
    And again, thank you very much for your participation, and 
I yield back.
    [The prepared statement of Hon. Charles A. Gonzalez 
follows:]
  Prepared Statement of Hon. Charles A. Gonzalez, a Representative in 
                    Congress from the State of Texas
    Mr. Chairman, thank you for holding today's hearing on the 
discussion draft data protection bill that this subcommittee is 
developing. I would particularly like to thank both the majority and 
minority staff for their work on this. I know that they have been 
called upon in recent days and weeks to put many hours into other 
legislative items related to the Energy and Commerce Committee, so I 
especially appreciate their attention to this legislation. This 
discussion draft provides us with an excellent starting point for 
addressing the rash of data breaches that have been threatening the 
privacy and financial standing of consumers across America. I look 
forward to working with you, Mr. Chairman, the Ranking Member, and 
other members of this subcommittee to further build on the draft before 
us today.
    The problem of data security, and the risk of identity theft that 
it carries, is a serious concern to people. I know that in my own 
district in San Antonio, public attention is strong. I held a town hall 
meeting in my district in May, which brought together the Federal Trade 
Commission and federal and local law enforcement. The turnout from the 
public was impressive. And despite being in an auditorium without 
air-conditioning for over two hours, almost the entire audience stayed to 
the very end and asked many questions. The bottom line is that people 
want assurances that their private information is handled securely and 
that breaches in data security are handled swiftly and effectively.
    As we move forward with this legislation, I hope that we can have 
an end-product that adheres, as much as realistically possible, to the 
principle of ``don't collect it if you can't protect it.'' In other 
words, companies and organizations should not be collecting personal 
information from individuals if they are not going to be able to 
reasonably ensure the security of that information.
    In addition to the provisions already in the discussion draft, I 
would like to also consider several related issues. First: how we deal 
with paper records. ``Dumpster diving'' is a prevalent practice in 
which identity thieves go through dumpsters to find documents with 
individuals' personal information. San Antonio local law enforcement 
has cited this practice as one of the most prevalent forms of identity 
theft. We should explore the feasibility of including provisions in 
this bill to require companies to shred or otherwise destroy documents 
with individuals' personal information before throwing them away.
    Second, the draft bill gives the individual the right to get a free 
report on what data the information broker companies hold on that 
individual. If individuals feel the information in the broker's 
database is inaccurate, they should be able to add supplementary 
information to their file to clarify the existing information.
    Third, under the draft bill's data breach notification 
requirements, a ``substitute notice'' system is established for 
companies that cannot afford to send a letter to every individual 
affected by a breach, or if they do not have complete addresses for 
those individuals. Substitute notification consists of the company 
alerting the media and posting a message on their website. We may want 
to consider whether the bill should also require that these companies 
notify the FTC and that the FTC maintain a central public website 
listing all data breaches, along with information for consumers on how 
to contact those companies and determine if their own personal data was 
compromised. I know that private websites with a similar intent have 
been established, but it may strengthen consumers' confidence to have 
such a function permanently and reliably carried out by the FTC.
    Finally, as I represent a district with a sizable population of 
Spanish-speakers, I would like to explore how we can ensure that these 
consumers and other language minorities, who are heavily targeted by 
companies for their business, are able to access notices sent to 
consumers about data breaches. We need to ensure that these notices are 
available in a language that these consumers can understand.
    Thank you, Mr. Chairman. I look forward to hearing from our 
witnesses today, and to working with you on this subject.

    Mr. Stearns. The gentleman yields back.
    The gentlelady from Tennessee is recognized.
    Ms. Blackburn. Thank you, Mr. Chairman.
    I want to thank the chairman for holding this hearing and 
the witnesses for taking your time and being here with us 
today.
    Many constituents in my District have expressed to me their 
concerns about identity theft, and we recently held a workshop, 
an identity theft workshop, in our District. It was 
enlightening. It was well attended. And it was something that 
we gained some information from, so we are looking forward to 
hearing what you have to say. And as this committee examines 
steps to prevent identity theft, we must ensure that companies 
and individuals are not burdened with unnecessary regulations, 
but that they have opportunities for privacy protection.
    Congress should focus on reasonable security measures that 
will protect personal information and provide enforcement 
mechanisms to penalize companies that readily buy and sell 
information on us to unscrupulous entities who will exploit our 
identities for their personal gain.
    Today, this committee looks at draft legislation on data 
security, which I believe is a good step, a good first step, in 
addressing the problem. I commend Chairman Barton and our 
subcommittee chairman for their efforts on this issue.
    And again, I thank you. We look forward to hearing your 
input. Thank you.
    Mr. Stearns. Thank you.
    The gentlelady from Wisconsin.
    Ms. Baldwin. Thank you, Mr. Chairman.
    I am also pleased that we are having this hearing today, 
Mr. Chairman, and our witnesses.
    This is an increasingly important question how we protect 
our sensitive personal information from theft and abuse. And 
the statistics are staggering. The 10 million Americans who 
were affected by identity theft in the year 2004, it is pretty 
staggering. Access to the right databases and the touch of a 
button or two allows access to vast amounts of information 
about a person, things like date of birth, Social Security 
number, credit rating, debts, loans, insurance claims, magazine 
subscriptions, even DNA.
    American consumers deserve to have their personal 
information protected. And I am pleased that our subcommittee 
will act soon to address this. And I also agree that the 
discussion draft before us is a good first step.
    But as we consider next steps, changes, modifications, 
there are a number of issues that we need to address and 
questions we will need to answer, questions such as should we 
preempt State laws, and if so, how broad a preemption is 
appropriate. When should consumers be notified of data breaches 
and who decides? Should the FTC maintain public notices, public 
information about data breaches? Do we need to reach beyond our 
committee's jurisdiction to adequately address this problem? 
Should we exempt encrypted data? What role should States have 
in prevention and enforcement?
    So today, I hope our witnesses will articulate ways in 
which we can protect consumers from identity theft and misuse 
of their personal data and hopefully help us explore the 
answers to those questions.
    Thank you, Mr. Chairman, I yield back.
    Mr. Stearns. I thank the gentlelady.
    Mr. Green, the gentleman from Texas.
    Mr. Green. Thank you, Mr. Chairman. I would like to thank 
both you and our ranking member for taking lead on this issue 
and holding this important hearing.
    I would like to welcome our witnesses and thank you for 
your cooperation and being here and sharing your knowledge and 
experience. It is imperative for us when we begin drafting 
legislation to combat identity theft and data theft that we 
have the experience from the business community, so we make 
sure we pass legislation that really will do the job and again 
still allow us to enjoy the benefits of what we do.
    The committee has held four hearings since the fall of 
2004, and we have had a lot of discussions on passing a bill on 
data security, and I believe the bill, as drafted, is a good 
start.
    I want to bring up a couple of issues, though, I have some 
concern on. The preemption issue, special attention to that 
provision. Currently, several States have stronger policies 
when it comes to data security that we are proposing, and we 
are proposing, furthermore, 18 States that have passed breach 
notification laws, all of them, including my home State of 
Texas, offer an encryption safe harbor.
    And I believe you should look at issues such as encryption 
and mask data to serve as a second form of defense. It is 
frustrating, because in March we heard testimony from 
ChoicePoint and LexisNexis, because both of these companies had a 
recent experience of breach in their security, and at that 
time, LexisNexis had almost 32,000 people affected. Well, then 
a few weeks later, we really found out it was 300,000 that may 
have been affected by the breach in security. And identity 
theft is the No. 1 crime in our country. In fact, it is getting 
worse all of the time.
    In our District, we have done identity theft workshops for 
our constituents, but you know, it is a very small group. We 
have to do something more for the mass of people who have that 
fear. And these workshops, even those only work when credit-
reporting agencies and financial institutions and data brokers 
do their job to make sure information doesn't fall into the 
wrong hands. We are all a number now, and most often, it is our 
Social Security number, and every financial institution uses 
that number, including when I had to rent a U-Haul truck, Mr. 
Chairman, they wanted my Social Security number. And I said, 
``Why?'' And they said, ``Well, we just require it.'' And I 
said, ``Well, I don't want to rent the truck.'' And they said I 
didn't have to. And that is what I suggest to my constituents. 
If it doesn't have anything to do with taxes or payroll, then 
just say no, or credit. And you can do that. But I still like 
to get the credit to use some other identifying number. And I 
know a lot of States are working on that.
    Our current systems of laws addressing the problem are 
piecemeal. We have the Fair Credit Reporting Act. We have the 
Federal Trade Commission that addresses unfair and deceptive 
practices. We have separate laws and driver's license data. So 
what we need to do, Mr. Chairman, I am glad you are taking the 
lead in putting this together. And I would hope we would still 
look at empowering the States and just an example, when 
Congresswoman Heather Wilson and I worked on the stand for so 
many years, we ended up the compromises that we wanted uniform 
standards around the country, but we also still empowered the 
State Attorney Generals to be able to do their job as consumer 
representatives, but they had to use Federal law to do it. And 
as long as we pass a strong law and still empower the States in 
addition to whatever the FTC or whatever agency we give this 
authority to.
    But I look forward to participating and working on not only 
the hearing today but also in the drafting of legislation.
    Thank you.
    Mr. Stearns. I thank the gentleman. And I thank him for 
considering ways to do this in a bipartisan fashion.
    I don't think there are any more members, so let me 
welcome----
    Mr. Towns. Mr. Chairman, will you yield for one moment?
    Mr. Stearns. Yes. Yes.
    Mr. Towns. I ask unanimous consent that we place the 
statement of Ranking Member Jan Schakowsky in the record. She 
has a family emergency.
    Mr. Stearns. I heard that, and I am sorry to hear that. So 
with unanimous consent, so ordered. I appreciate you doing 
that.
    [Additional statements submitted for the record follow:]
 Prepared Statement of Hon. Joe Barton, Chairman, Committee on Energy 
                              and Commerce
    Thank you, Chairman Stearns, for holding this hearing today and for 
your good leadership on data security issues. Millions of records in 
other people's computers define and describe our lives. The recent rash 
of security breaches has made us keenly aware of just how vulnerable 
our records are to release through inept data security practices or, 
worse, intentional theft. Past hearings at this Subcommittee have 
explored those breaches and exposed the gaps in protection. Today, the 
Committee puts forth a bipartisan draft that aims to fill the gaps in 
protection. I want to thank Chairman Stearns, Ranking Member Schakowsky 
of the subcommittee, Ranking Member Dingell of the full committee, and 
all of the staffs for their work on this bipartisan discussion draft.
    I am pleased with the careful consideration this Committee is 
giving to this important issue. Our goal is to work with industry and 
consumer groups in developing this legislation to encourage a culture 
of strong data security. Data security has not been the priority it 
ought to be and must become. I hope that the testimony we receive here 
today will help us to perfect the draft bill.
    There are two critical components to the draft bill:

 One, a legal requirement for establishing and implementing 
        information security practices; and
 Two, notification requirements in the event of a security breach.
    In mandating information security policies, we hope to strike the 
right balance between ensuring real protection for consumers without 
halting the evolution of technology and best practices. We would be 
remiss not to mandate robust security for personal information, but 
we'll do it in a way that allows companies to implement the security 
measures most effective for the types of information they maintain.
    I would like to point out that the draft bill does not yet include 
guidelines for what companies must include in their information 
security policies. I believe guidelines similar to those of the FTC's 
Gramm-Leach-Bliley Safeguards Rule are a good place to start. I request 
that our panel of experts provide the Committee with some guidance on 
this issue. Over the August recess, we will be perfecting the draft and 
readying it for introduction, and your guidance will be an important 
part of that preparation.
    We have also been careful in crafting the notification requirements 
of the bill. While consumers ought to be notified when a breach of 
their information puts them at risk for identity theft, they should not 
be showered with warnings when there is no risk. The notification 
requirement of the bill has a trigger to avoid both ``over-
notification'' and ``under-notification''. The bill provides that 
notice should be prompt and meaningful so that consumers can best 
shield themselves from identity theft.
    The draft bill also places additional requirements on information 
brokers, those who trade in non-customer data. Because the normal 
market incentives for protecting customer information are absent or 
diminished with this business model, the draft imposes federally 
supervised security audit requirements for these entities.
    I plan to move data security legislation through this Committee in 
September, and I hope that we can get a bill signed into law this 
Congress. I would also like to mention that I support Congressman Clay 
Shaw's bill protecting individual Social Security numbers. I will do my 
part to quickly move the portions of the bill that are within our 
Committee's jurisdiction, once we get a referral of the bill.
    I thank the witnesses for participating in the hearing today and 
look forward to your testimony on the draft legislation. Thank you Mr. 
Chairman, I yield back the balance of my time.
                                 ______
                                 
Prepared Statement of Hon. Jan Schakowsky, a Representative in Congress 
                       from the State of Illinois
    Thank you, Chairman Stearns, for holding today's hearing on our 
draft legislation to address the recent spate of security breaches of 
personal information. I would also like to thank Chairman Barton and 
Ranking Member Dingell for working with us to protect consumers' 
personal information where current business practices and data security 
laws have failed to do so. The time has come for us to ensure that 
personally-identifiable information is protected and that consumers are 
notified when their information has been compromised.
    In the last five months alone, over 50 million consumers have had 
their personal information lost, stolen, hacked into, exposed online, 
or sold by corrupt insiders--and through no fault of their own. 
Personal information is being collected, transferred, and sold 
every day. Consumers are told that if they want to rent an apartment, 
buy a pair of shoes, or contribute to a university, they have to 
divulge their name, address, Social Security number, credit card 
number, mother's maiden name--and more--just to do so.
    So many consumers are willing to provide the key facts of their 
lives because they believe that since they are dealing with a well-
known retailer, their alma mater, or an established bank, their 
personal information will be treated as just that--personal--and that 
it will be secure. Until recently, most people had no idea that the 
teenage hacker looking for some kicks and the most sophisticated crime 
rings alike were raiding the virtual treasure troves of personal 
information at businesses, universities, and information brokers. But, 
news of the breaches at DSW, Bank of America, and Boston College, to 
name a few, has made consumers and Congress alike realize that more 
needs to be done to protect consumers' personal information.
    The bill we have been working on seeks to stop the pillaging of 
personal information by raising the bar for the handling and security 
of consumers' data. It seeks to make information brokers--those whose 
business is to turn your name into a commodity--more accountable to 
consumers. The bill would also take California's groundbreaking idea--
that consumers have a right to know when their information has been 
compromised--and turn it into the standard for our country.
    The draft at hand is a good start, but we have to do more to make 
sure that we provide the best protection for consumers that we can. 
When we consider the scope of the information our bill covers, we need 
to remember that it does not matter to the victim of identity theft 
where their information was stolen from--a small business or a massive 
data broker, and it does not matter what form it was in--paper or 
electronic. It does not matter if access was gained by an outsider who 
was not authorized to do so or an insider who had the key to the 
encryption code. It does not matter if their file was the only one 
compromised or if it was one of thousands. We also must keep in mind 
that identity theft is not the only threat with which we should be 
concerned. Information in the wrong hands could put domestic violence 
and stalkers' victims' lives at risk.
    Additionally, consumers need to know more than that their 
information is secure. Since data brokers sell personal information to 
those who will decide whether consumers will get jobs, roofs over their 
heads, and even whether they have the legal right to vote, consumers 
must have the right to make sure that the information that is meant to 
represent what kind of risk they are to employers, landlords, and the 
local government is correct.
    We have heard claims from information brokers that allowing 
consumers to correct their files would be difficult to do because much 
of the data they have is from public records and the brokers do not 
have the legal authority to correct them. However, I believe we should 
not throw up our hands and say that nothing can be done. I believe that 
if consumers question the accuracy of their files, data brokers could--
at a minimum--``flag'' that information to let those using the files 
know that there is a question of the accuracy of the file. And, a 
common problem with inaccurate reports is not that the original record 
is incorrect, but that one person's file has been mixed with another's. 
For instance, my file may be mixed with a Jean Schakowsky's or Jan 
Stockowski--or both. I believe that data brokers should be compelled to 
fix those ``mixed files.'' Consumers must have every opportunity 
possible to set the record straight because of the impact incorrect 
information can have on their lives.
    Finally, I believe it is important that we establish a strong 
federal standard so that we do not have to worry about preempting 50 
state laws. While I can understand the desire to see one federal 
standard, I believe that if we set the floor high enough, states will 
not have to go beyond our requirements. Because so many states have 
beaten us to protecting consumers--including Illinois, Florida, and 
Texas--I believe we must exercise great caution when we consider how 
we will contend with state laws on data security and breach 
notification.
    Once again, Mr. Chairman, I look forward to working with you on our 
common goal of protecting consumers. Although there are many issues 
that are still on the table, I think that using consumers' rights and 
safety as our guiding principles, we will be in good shape. Thank you.
                                 ______
                                 
   Prepared Statement of Hon. Edward J. Markey, a Representative in 
                Congress from the State of Massachusetts
    Mr. Chairman, thank you for holding this important hearing today.
    Mr. Chairman, on March 15th, following massive breaches of personal 
information at ChoicePoint, Bank of America and LexisNexis, you wisely 
convened a hearing in this Subcommittee to question executives from 
major data profiling firms. This hearing provided important momentum 
for ongoing efforts to strengthen privacy protections for the millions 
of Americans whose private information is gathered by data merchants 
who view our Social Security numbers, credit records and other 
sensitive personal information as commodities to be bought and sold for 
a profit.
    Since the Subcommittee hearing, a tidal wave of personal data has 
gushed from a long list of data brokers, public companies, 
universities, financial institutions, high schools, hospitals and other 
organizations. The Privacy Rights Clearinghouse has reported that more 
than 48 million personal records have been lost or stolen over the past 
four months alone.
    Mr. Chairman, today's hearing on draft legislation you are 
preparing in collaboration with the Democrats on the Committee is 
another step towards providing Americans with increased control over 
their most precious and private personal information. I commend you for 
your efforts to date. As you know, Mr. Chairman, the draft bill defines 
personal information as ``an individual's first and last name in 
combination with any 1 or more of the following data elements for that 
individual: Social Security account number, driver's license number or 
other State identification number, financial account number, or credit 
or debit card number'' that would enable access to an individual's 
financial account. [Sec. 5. Definitions, Page 9]. The bill also permits 
the Federal Trade Commission to modify this definition. [Sec.5. 
Definitions, Page 11].
    Last week, the full Energy and Commerce Committee marked up H.R. 
1132, legislation to provide grants to states for building or enhancing 
state-run prescription drug databases. These databases will contain 
personal information about patients--their name, address and phone 
number--along with the type of prescription, quantity dispensed, the 
number of refills and related data about the drugs they are prescribed 
that are subject to the bill's reporting requirement.
    I appreciate the Chairman's comments during last week's mark-up 
about the importance of securing this health information and notifying 
patients in the event that their electronic medical records are lost, 
stolen or used for an unauthorized purpose. As the data security bill 
before this Subcommittee evolves, I look forward to working with the 
Chairman to ensure that consumers' medical information is covered by 
the protections contained in this bill.
    I would also like to point out a few other areas of this draft 
legislation that deserve further review and adjustment.
    1. The scope of the bill: As noted in the testimony provided by 
Fran Maier of TRUSTe, it appears that the bill, in its 
current form, does not cover personal information held by banks, 
unions, thrifts and government entities like the state-run databases 
that maintain records on patients and the prescription drugs they take. 
I agree with Mr./Ms. Maier that when a consumer's personal 
information is leaked from a database, it matters not whether the 
information was leaked from a bank or a university or a state's 
department of health. This bill's privacy protections should be brought 
to bear whenever a consumer's personally-identifiable information is 
lost, stolen or divulged for an unauthorized purpose.
    2. Pre-emption of state law: I am concerned that this bill would 
pre-empt stronger state laws. For example, because California has a law 
that requires consumer notification in the event of data breaches at 
financial firms and government institutions, consumers in California 
would be denied this protection if this bill were to become law, since 
it contains no such coverage and would pre-empt the California statute.
    3. The trigger for notification: While the method and content of 
the consumer notification requirement in the bill is specific and 
detailed [Page 5], the conditions that trigger this notification are 
murky. For consumers to be notified of a breach that affects their 
personal information there must be a compromise of security that 
results in ``the acquisition of personal information by an unauthorized 
person that may result in identity theft.'' [Page 5] I would suggest 
that this trigger be expanded so that notification would occur if the 
information were lost, stolen or used for an unauthorized purpose. The 
``identity theft test'' is too difficult to determine, particularly in 
the immediate aftermath of a breach, and there is other damage--beyond 
identity theft--that can be inflicted upon consumers by the misuse of 
their personal information. Consumers should be notified in these 
instances too, even if the breach may not result in someone stealing 
their entire identity.
    I commend the gentleman from Florida, Chairman Stearns, for holding 
today's hearing, and I look forward to working with you to refine this 
bill. I appreciate the witnesses appearing before us this morning and 
look forward to their testimony.
    Thank you.

    Mr. Stearns. We will ask the witnesses to come forward. We 
have Ms. Fran Maier, Executive Director and President of 
TRUSTe, San Francisco, California; Mr. Michael Hintze, Senior 
Attorney, Microsoft Corporation, Redmond, Washington; Mr. Chris 
Hoofnagle, Electronic Privacy Information Center, Senior 
Counsel and Director, West Coast office in San Francisco; and 
Mr. Daniel Burton, Vice President of Government Affairs, 
Entrust, Inc., McLean, Virginia.
    Ms. Maier, we welcome your opening statement.

  STATEMENTS OF FRAN MAIER, EXECUTIVE DIRECTOR AND PRESIDENT, 
TRUSTe; MICHAEL HINTZE, SENIOR ATTORNEY, MICROSOFT CORPORATION; 
   CHRIS HOOFNAGLE, SENIOR COUNSEL AND DIRECTOR, ELECTRONIC 
   PRIVACY INFORMATION CENTER, WEST COAST OFFICE; AND DANIEL 
  BURTON, VICE PRESIDENT OF GOVERNMENT AFFAIRS, ENTRUST, INC.

    Ms. Maier. Mr. Chairman----
    Mr. Stearns. Yes, there is a little switch there.
    Ms. Maier. Hello.
    Mr. Stearns. Yes.
    Ms. Maier. Thank you.
    Mr. Stearns. Yes, that is good.
    Ms. Maier. Mr. Chairman, and members of the subcommittee, 
Ranking Member Towns, I want to thank you for the opportunity 
to address you today on this important proposed legislation and 
to tell you about TRUSTe's security guidelines, which we 
released earlier this year.
    TRUSTe is an online privacy leader. We have been around 
since 1997 as an independent, non-profit organization. As you 
mentioned, we come from San Francisco, adjacent to Silicon 
Valley, and we have been very close to the issues related to 
California's State Bill 1386.
    Our mission is to enable individuals and organizations to 
establish trusting relationships based on respect for their 
personal identity and information in the ever-evolving 
networked world. We are very concerned about the Internet, and we 
are very concerned about trust and e-commerce.
    We have over 1,500 companies, their websites, who have been 
certified by TRUSTe's process and carry the TRUSTe trustmark, 
the green and black symbol you have seen. We are also approved 
as a safe harbor for Children's Online Privacy Protection Act 
with the FTC and by the U.S. Department of Commerce for the EU 
Safe Harbor.
    We are also deeply involved in e-mail practices. For 
example, we just launched a new e-mail privacy seal for 
websites, which is based on permission from consumers and 
allows a company to post a seal that says, ``We don't spam,'' 
if they meet the strict standards that we require. We also 
serve as an e-mail accreditation authority for Bonded Sender, 
one of the leading legitimate e-mail sender programs. Again, 
this is to address another issue that faces consumers in terms 
of spam.
    My remarks today will be brief and will focus first on 
TRUSTe's security guidelines and then specific thoughts on the 
proposed legislation.
    Our security guidelines were released in March of this year 
in consultation with many of our shareholders and others in 
industry. As you well know, privacy is closely intertwined with 
security. You can't really deliver privacy unless you have 
security. Security is necessary but not sufficient to deliver 
acceptable privacy to consumers. So we felt that it was very 
important for us to address security and to provide some 
guidelines for our members who are obviously engaged in and 
value privacy.
    The guidelines, of course, are expected to evolve, much as 
we expect this legislation to evolve, to address new 
technologies, new threats, and new consumer concerns. The 
guidelines are drafted in checklist form, and the reason why 
that is important is because small companies and large 
companies, depending on the size, depending on the kind of 
information they collect, might have different reasons or 
different expectations for the kind of security that they 
should abide by. Larger, more complex companies which handle 
data with the highest level of sensitivity will likely find it 
appropriate to adopt all of the recommended practices. However, 
smaller companies collecting less sensitive information may 
conclude that adopting only some set of these controls will 
still enable them to have a security program appropriate to the 
nature of data they collect and their consumers.
    The guidelines like the FTC's guidelines and others echo 
the structure that you could find at those other pieces of 
rules. For example, we have administrative rules. This includes 
drafting an internal security policy and appointing someone to 
be the executive in charge of security, which is similar to 
what you have proposed in the legislation before us. 
Administrative controls also include training of employees and 
other items such as procedures internally. Of course, a big 
part of security guidelines includes technical measures. This 
includes password practices, controlling employee access to 
sensitive information, ongoing monitoring, firewalls, 
vulnerability testing, and the like, and then finally physical 
controls which include monitoring access to data, securing 
one's data facilities, and those kinds of physical things, 
covering not only electronic data but also paper-based data.
    All of these guidelines can be found within TRUSTe's 
testimony that we submitted, and of course, on our website.
    Now let us turn to the proposed data protection breach 
notification legislation. We, of course, would like to applaud 
the committee on its hard work on the draft legislation. We 
believe that this is the right balance and mandates high 
standards and allows for flexibility in their implementation. 
And we think it also provides the right incentives for 
companies to put meaningful security safeguards into place in 
their own and consumers' best interests. We believe that the 
desire to minimize a potential negative publicity, brand 
damage, and embarrassment often resulting from the disclosure 
of a data breach has been proven to motivate companies to 
prioritize security much more highly than they otherwise would.
    We wish to focus on a couple provisions of the bill today.
    First of all, in terms of the scope of the legislation and 
the trigger for security breach. We appreciate, first, that the 
committee has put focus on the jurisdiction for the industry 
under which it has jurisdiction. However, from a consumer's 
perspective, when their information is breached, the particular 
industry or organization involved is irrelevant to them. We 
believe that consumers should enjoy the same level of 
protection regardless of the industry involved. So we would 
recommend that the jurisdiction extends to the financial 
services especially.
    In a related way, we would like to express concern about 
the scope and the definition of person under Section 5 
Subsection 6 of the bill. We would urge the committee to expand 
the definition so that the scope of the legislation covers 
local, State, and Federal law. As you know, in California, it 
does cover the State government, which is really where the 
legislation in California came from.
    The second point that we would like to talk about is the 
definition and notice of breach of security. The current draft 
includes a trigger requirement for notice as a result in or 
there is a reasonable basis to conclude has resulted in the 
acquisition of personal information by an unauthorized person 
that may result in identity theft. The qualifier language 
``that may result in identity theft'' we believe is subjective. 
Whether something may result in ID theft depends, in a large 
part, on the sophistication of the wrongful acquirer of the 
data. It is not feasible for the potential provider of the 
breach notice to definitively assess the skill level and 
sophistication of the wrongdoer and certainly not an 
intermediate aftermath of a breach, which is when such an 
assessment would have to be made.
    We would recommend the committee to consider altering this 
definition with a qualifier that is a bit more broad, one that 
could result in the unauthorized disclosure, misuse, 
alteration, destruction, or other compromise of such personal 
information.
    There has been a question of whether or not a broader 
definition or a broader trigger may result in too many notices 
to consumers. We believe that the experience in the State of 
California, in which the law has been in effect for over 2 years, 
seems to have struck the right balance. Consumers are receiving 
appropriately useful notices, and based on our own observations 
as well as our consultations with the staff of the California 
Office of Privacy Protection, that the law has not resulted in 
a----
    Mr. Stearns. Ms. Maier, if you could, just sum up.
    Ms. Maier. That is great, sir. Thank you.
    Again, I very much appreciate being here. We look forward 
to working with you and hopefully discussing the creation of a 
safe harbor. And we thank you.
    [The prepared statement of Fran Maier follows:]
 Prepared Statement of Fran Maier, Executive Director and President of 
                                 TRUSTe
    Chairman Stearns, Chairman Barton, Ranking Member Schakowsky, and 
members of the Subcommittee, I am Fran Maier, Executive Director and 
President of TRUSTe. I thank you for the opportunity to address the 
Subcommittee on this important proposed legislation and to tell you 
about TRUSTe's Security Guidelines, which we released earlier this 
year. TRUSTe is an independent, nonprofit organization with the mission 
to enable individuals and organizations to establish trusting 
relationships based on respect for personal identity and information in 
the evolving networked world. Through long-term supportive 
relationships with our licensees, extensive interactions with consumers 
in our Watchdog Dispute Resolution program, and with the support and 
guidance of many established companies and industry experts, TRUSTe has 
earned a reputation as the leader in promoting privacy policy 
disclosure, informed user consent, and consumer education.
    TRUSTe was founded in 1997 to act as an independent, unbiased trust 
entity, and we have earned our reputation as the leading builder of 
trusting relationships between companies and consumers. The TRUSTe 
privacy program--based on a branded online seal, the TRUSTe 
``trustmark''--bridges the gap between users' concerns over privacy and 
Web sites' needs for self-regulated information disclosure standards. 
In May 2001, the Federal Trade Commission approved TRUSTe's Children's 
Privacy Seal Program as a safe harbor under the Children's Online 
Privacy Protection Act. We are proud to have received that designation. 
Hundreds of thousands of young children who are active online are 
protected by our program, which currently includes some of the most 
popular Web sites, including www.disney.go.com, www.kids.msn.com, and 
www.epals.com. TRUSTe is also certified as a safe harbor program under 
the Safe Harbor Framework administered by the U.S. Department of 
Commerce for U.S. companies wishing to receive personal data from 
countries in the European Union (``EU''). Our EU Safe Harbor Seal 
Program gives companies assurance that they are in compliance with the 
Framework and, therefore, with national data protection laws in all EU 
member states.
    In addition to these efforts, TRUSTe is deeply involved in 
fostering best practices for email. We have just launched our 
permission-based Email Privacy Seal Program, which allows companies who 
agree to our strict standards to post a TRUSTe ``We Don't Spam'' seal 
on online and offline forms where they collect email addresses. We also 
serve as the email certification authority for senders of legitimate 
email who are members of the Bonded Sender Program.
    Finally, we are a California company, and we closely follow 
developments in California law, including the data breach notification 
law, to keep our licensees informed about compliance issues. We also 
work closely with the California Office of Privacy Protection in its 
ongoing efforts to provide guidance to businesses and consumers on 
privacy and security issues.
                      truste's security guidelines
    In March of this year, TRUSTe issued our first version of Data 
Security Guidelines. As the Committee recognizes, privacy is very 
closely intertwined with security. We believe that security is 
necessary but not sufficient to giving consumers the privacy assurances 
they expect. In developing the Guidelines, we aimed to expand the reach 
of our expertise in privacy by providing our licensees and other 
members of the public a resource they can use as a foundation of 
responsible data security practices.
    The Guidelines are divided into three categories of safeguards: 
administrative, technical, and physical controls. This structure echoes 
that of the Federal Trade Commission (FTC's) Gramm Leach Bliley 
Safeguards Rule, which we discuss in further detail below. 
Administrative controls include, for example, drafting a written 
internal security policy, training employees, conducting ongoing 
security risk assessments, and establishing procedures in connection 
with external third parties (including vendors) with whom data is 
shared. Technical measures include controlling employee access to 
sensitive information on a need-to-know basis, establishing good 
password practices, ongoing monitoring to assess threats and 
vulnerabilities, and establishing incident response procedures. 
Finally, physical controls include practices such as monitoring 
legitimate access to data, establishing physical access controls, and 
securing one's data facilities.
    The Guidelines are drafted in checklist form so that companies can 
assess their own risk levels and adopt the corresponding appropriate 
level of recommended safeguard practices. Larger, more complex 
companies which handle data with the highest level of sensitivity will 
likely find it appropriate to adopt all the recommended practices, 
while a smaller company, collecting less sensitive information, may 
conclude that adopting only a subset of these controls will still 
enable it to have a security program appropriate to the nature of the 
data it collects and handles.
    We anticipate that our Guidelines will evolve over time to reflect 
emerging technologies and business issues that may impact the safety, 
security and quality of sensitive or confidential information used by 
TRUSTe's licensees. We have attached the Guidelines as an appendix to 
our testimony, for the Committee's review. The Guidelines are also 
posted on our Web site at http://www.truste.org/pdf/
SecurityGuidelines.pdf.
    the proposed data protection and breach notification legislation
    TRUSTe applauds the Committee on its work on the draft legislation 
to date. We believe the bill strikes the right balance by both 
mandating high standards and allowing for flexibility in their 
implementation. As a result, the bill provides the right incentives for 
companies to put meaningful security safeguards into place in their 
own, and consumers', best interests. In addition to imposing security 
standards directly, we believe the draft legislation will fundamentally 
empower consumers to take action to minimize the potential impact of ID 
theft. The desire to minimize the potential negative publicity, brand 
damage, and embarrassment often resulting from the disclosure of a data 
breach has been proven to motivate companies to prioritize security. 
The market-driven, non-prescriptive approach you have chosen will 
encourage companies to protect personal information.
    We wish to highlight a few specific provisions in the bill.
                        scope of the legislation
    As the bill's jurisdictional limits are those of the Federal Trade 
Commission Act, it does not cover banks, unions, thrifts, and common 
carriers. We appreciate that the Committee has crafted a bill that 
applies to industries under its jurisdiction, and we understand that 
the House Financial Services Committee, and the Senate Banking 
Committee, are working on parallel legislation governing entities 
within their jurisdiction. We support these efforts. From a consumer's 
perspective, when a database is breached, the particular industry 
involved is irrelevant. We believe that consumers should enjoy the same 
level of protection, regardless of the industry involved.
    Thus, we believe that the legislation's requirements should extend 
across all industries. For instance, insurance institutions would not 
be reached by the scope of this bill. Those financial institutions that 
are regulated under the Gramm Leach Bliley Act have no requirement to 
provide breach notices; therefore it would be appropriate to exempt 
financial institutions from the requirements of section 2, but not from 
section 3. In fact, were this legislation to become law with the 
current preemption language, California residents would have less 
protection than they do now under the California data breach 
notification statute since it applies to financial institutions. In the 
Children's Online Privacy Protection Act (COPPA), 15 U.S.C. 6501-6505, 
Congress gave enforcement authority to the appropriate regulatory 
agencies over industries not regulated under the FTC Act. Perhaps the 
COPPA model could be followed here.
    The Committee has doubtless considered the role of vendors or 
service providers in the context of breach notices. The Federal Trade 
Commission (FTC's) GLB Safeguards Rule expressly recognizes the 
responsibility which principals must take for the security practices of 
their service providers (section 314.4(d)), and we recommend that the 
Committee consider adhering to this philosophy in the context of this 
legislation, also.
    The California data breach notification statute imposes specific 
responsibilities on service providers (i.e., those not having a direct 
relationship with the consumer, and acting on someone else's behalf) to 
notify the party who does have the direct relationship. This allows the 
principal to maintain control of the notification process, and ensures 
that it has the right to be notified itself in case of a breach by a 
service provider. The California law defines service providers as those 
who do not ``own'' the data in question. Since in the customer's eyes 
their relationship is with the principal, from the customer's 
perspective, the principal is responsible for the service provider's 
breach. If the consumer has a relationship with the company (i.e., it's 
not a data broker situation), then it is proper for the consumer to 
hear about the breach from the principal, and not from an unknown third 
party service provider.
    Finally, we would like to express concern about the scope of the 
definition of ``Person'' under Section 5(6) of the bill. This 
definition as defined in 551(2) of title 5, United States Code, does 
not include any governmental agency. We would urge the Committee to 
expand that definition so that the scope of the legislation covers 
local, state and the Federal government. Again, enactment of the 
legislation as drafted with the current preemption provision would 
weaken consumer protections currently provided by the California breach 
notification statute, which extends to governmental agencies.
                  definition of ``breach of security''
    Section 3 of the bill would impose certain notice requirements upon 
companies that discover there has been a ``breach of security'' 
affecting their databases. Although the specific facts and 
circumstances that constitute a ``breach of security'' are left to 
rulemaking by the Federal Trade Commission, the legislation requires, 
at a minimum, that a breach triggering the notice requirement ``result 
. . . in, or there is a reasonable basis to conclude has resulted in, 
the acquisition of personal information by an unauthorized person that 
may result in identity theft.'' Section 3(b) (emphasis added). The 
qualifier language ``that may result in identity theft'' in the 
proposed legislation is subjective in nature. Whether something may 
result in ID theft depends in large part on the sophistication of the 
wrongful acquirer of the data. It is not feasible for the potential 
provider of the breach notice to definitively assess the skill level 
and sophistication of a wrongdoer, and certainly not in the immediate 
aftermath of a breach--which is when such an assessment would have to 
be made.
    We think the Committee should consider altering this definition 
with the qualifier ``that could result in the unauthorized disclosure, 
misuse, alteration, destruction, or other compromise of such [personal] 
information.'' This would mirror the approach taken in the FTC's 
Guidelines. If this approach is taken, the standard could become a 
ceiling for the level of protection granted, eliminating the need for 
the FTC to revise the standard through future rulemaking. Rather the 
FTC could develop guidelines that would be instructive in their nature 
and perhaps fit into a safe harbor program which we address later in 
our testimony. TRUSTe believes that this approach provides strong 
protection for consumers and would not likely lead to an overload of 
notifications. It also provides certainty for businesses who may be 
concerned about the standard changing in the future.
    The parameters of the California security breach notification law 
are instructive in this regard. California Civil Code Sections 1798.29 
and 1798.82-.84. This law, in effect for over two years, seems to have 
struck the right balance in this area. Consumers are receiving 
appropriate and useful notices; and it is our understanding, based upon 
our consultations with staff of the California Office of Privacy 
Protection, that the law has not resulted in an unmanageable deluge of 
notices to consumers. Although anecdotal, the fact that the California 
statute to a large extent has been followed as a nationwide standard 
makes it a good indicator of the potential impact of a nationwide bill 
such as this one.
    We also note that the marketplace approach taken by the California 
statute (as well as the Committee draft) prompts a positive cause-and-
effect dynamic. A broad nationwide breach notice requirement will 
incent companies to improve their practices, thereby, in the long run, 
resulting in fewer breaches and therefore fewer notices. TRUSTe 
believes that this generates a much better outcome than setting the 
initial threshold so high that few breaches generate notice 
requirements, thereby decreasing the motivation to prioritize security.
        minimum requirements for a security policy and statement
    Section 2(a)(1) of the bill would authorize the Federal Trade 
Commission to promulgate rules requiring companies to implement a 
``security policy and statement concerning the collection, use, 
disclosure, and security of personal information.'' We believe the 
Committee should consider adopting relevant provisions of the 
Commission's Security Guidelines for financial institutions provided 
under Gramm-Leach-Bliley as required components of the security 
statement provided for in Section 2(a)(1). Standards for Insuring the 
Security, Confidentiality, Integrity and Protection of Customer Records 
and Information, 16 C.F.R. Part 314. We refer specifically to the 
following provisions in the Guidelines:
        § 314.3 Standards for safeguarding customer information.
          (a) Information security program. You shall develop, 
        implement, and maintain a comprehensive information security 
        program that is written in one or more readily accessible parts 
        and contains administrative, technical, and physical safeguards 
        that are appropriate to your size and complexity, the nature 
        and scope of your activities, and the sensitivity of any 
        customer information at issue. Such safeguards shall include 
        the elements set forth in § 314.4 and shall be reasonably 
        designed to achieve the objectives of this part, as set forth 
        in paragraph (b) of this section.
          (b) Objectives. The objectives of section 501(b) of the Act, 
        and of this part, are to:
          (1) Insure the security and confidentiality of customer 
        information;
          (2) Protect against any anticipated threats or hazards to the 
        security or integrity of such information; and
          (3) Protect against unauthorized access to or use of such 
        information that could result in substantial harm or 
        inconvenience to any customer.
        § 314.4 Elements.
          In order to develop, implement, and maintain your information 
        security program, you shall:
          (a) Designate an employee or employees to coordinate your 
        information security program.
          (b) Identify reasonably foreseeable internal and external 
        risks to the security, confidentiality, and integrity of 
        customer information that could result in the unauthorized 
        disclosure, misuse, alteration, destruction or other compromise 
        of such information, and assess the sufficiency of any 
        safeguards in place to control these risks. At a minimum, such 
        a risk assessment should include consideration of risks in each 
        relevant area of your operations, including:
          (1) Employee training and management;
          (2) Information systems, including network and software 
        design, as well as information processing, storage, 
        transmission and disposal; and
          (3) Detecting, preventing and responding to attacks, 
        intrusions, or other systems failures.
          (c) Design and implement information safeguards to control 
        the risks you identify through risk assessment, and regularly 
        test or otherwise monitor the effectiveness of the safeguards' 
        key controls, systems, and procedures.
          (d) Oversee service providers, by:
          (1) Taking reasonable steps to select and retain service 
        providers that are capable of maintaining appropriate 
        safeguards for the customer information at issue; and
          (2) Requiring your service providers by contract to implement 
        and maintain such safeguards.
          (e) Evaluate and adjust your information security program in 
        light of the results of the testing and monitoring required by 
        paragraph (c) of this section; any material changes to your 
        operations or business arrangements; or any other circumstances 
        that you know or have reason to know may have a material impact 
        on your information security program.
These Guidelines provisions reflect a non-prescriptive approach to 
crafting security policies that we believe is best, given the changing 
nature of the overall environment, technology and threats.
    TRUSTe has particular expertise in the area of drafting sound 
consumer-facing privacy statements. We believe that the following 
elements, drawn from guidance set out in recent Federal Trade 
Commission settlements involving security breaches, should be required 
of companies' security statements:

1. The kinds of personal information collected and how it is used, 
        disclosed, or otherwise handled in the regular course of 
        business.
2. How consumers can access their information and have it corrected or 
        updated.
3. How company will notify consumers in the event of a security breach, 
        and what redress will be provided to them.
4. Where consumers can learn more about their rights in the event of a 
        breach.
                   creation of a safe harbor program
    As I mentioned earlier, TRUSTe has particular expertise in 
administering safe harbor programs for industry participants who comply 
with our guidelines. We recommend that the Committee add to your 
legislation a safe harbor that (1) allows businesses to comply with a 
set of guidelines that are approved by the FTC and administered by a 
third party certification organization; and (2) limits a company's 
liability, should a breach of security occur, if that company is in 
full compliance with such guidelines. We believe this is a better 
approach than simply locking in guidelines through an FTC rulemaking. 
Through a safe harbor, your legislation could set a floor of 
protections, and industry self-regulation would then drive even greater 
levels of protection for consumers, while providing businesses the 
flexibility they need to develop marketplace solutions to data 
protection.
                               conclusion
    TRUSTe welcomes this opportunity to share our thoughts on the 
proposed data protection legislation, and to make the Committee aware 
of our efforts to serve as the model for industry best practices in 
information security through our Data Security Guidelines. We look 
forward to working with the Committee as it continues its efforts to 
protect the security of personal information in the twenty-first 
century marketplace.

    Mr. Stearns. And thank you.
    Mr. Hintze.

                   STATEMENT OF MICHAEL HINTZE

    Mr. Hintze. Thank you, Chairman Stearns, Congressman Towns, 
Chairman Barton, and members of the subcommittee.
    My name is Michael Hintze. I am a senior attorney at 
Microsoft. I want to commend the members of this committee for 
their attention to data security and identity theft issues. 
Microsoft shares your concerns.
    I also want to thank you for the opportunity to provide our 
views on the discussion draft. Microsoft firmly believes that 
now is the appropriate time for Congress to adopt Federal data 
security legislation. It would be an effective complement to 
Microsoft's and industry's efforts to develop technological 
solutions, to educate consumers, to adopt best practices, and 
to help enforce existing laws.
    Today, I want to highlight some of the key issues raised by 
the discussion draft.
    First, any required information security program should 
give organizations the discretion to implement the most 
appropriate technologies and procedures for their respective 
environments. Microsoft urges the subcommittee to revise the 
discussion draft to reflect the general framework set forth in 
the Gramm-Leach-Bliley Act. It should also direct the FTC to 
allow organizations to adopt the security programs appropriate 
to their size and complexity, the nature and scope of their 
activities, and the amount and sensitivity of information that 
they collect.
    Second, any required information security program should 
apply to all personal information, whether electronic or paper. 
The consequences of a loss or misuse of personal information on 
paper can be just as devastating to the affected individual as 
the loss of that same data in electronic form. Likewise, the 
programs should not be limited just to sensitive financial 
information. A single, flexible framework for all information 
will create a broader protection for consumers and enable 
companies to comply with one set of security requirements.
    Third, a security breach standard should focus on whether 
the misuse of unencrypted sensitive personal information is 
reasonably possible. This will ensure that consumers receive 
notification regarding breaches of information that could lead 
to identity theft, like Social Security numbers and credit card 
information with associated passwords. This should also 
incorporate a materiality threshold like the Federal banking 
regulators have implied on their guidance on GLB, namely 
notification is required where there is a reasonable 
possibility of misuse. Such an approach will prevent 
notifications from becoming so frequent that consumers 
disregard them or find themselves unable to differentiate 
between those that indicate a significant risk and those that 
do not.
    Fourth, different methods of notification should be 
permitted. The appropriate method for notice will turn on the 
size and type of entity providing it, the number of people 
required to receive it, and the relative cost for different 
methods of providing it. The ways in which an entity typically 
communicates with its customers should also be considered. For 
these reasons, the interagency guidance interpreting GLB gives 
discretion to covered entities to provide notice in any manner 
designed to ensure that a consumer can reasonably be expected 
to receive it. Microsoft urges the subcommittee to follow this 
approach.
    Finally, the Federal legislation in this area should create 
a uniform standard. Security breaches are a national problem, 
and all consumers should be protected by the same high level of 
protection. This will also allow responsible businesses to 
operate without the unnecessary burdens of inconsistent 
security and notification requirements. For these reasons, we 
support the preemption provision in the discussion draft. At 
the same time, we recognize the State Attorney Generals play a 
vital role in ensuring the companies adhere to sound 
information security practices. Microsoft therefore supports 
any clarification that enables State Attorney Generals to 
enforce the provisions of this legislation.
    Thank you for asking us to share our views on data security 
legislation and the discussion draft. We are committed to 
helping create a safe and trusted environment for consumers, 
and we look forward to working with you and your staff toward 
this common goal.
    [The prepared statement of Michael Hintze follows:]
   Prepared Statement of Michael Hintze, Senior Attorney, Microsoft 
                              Corporation
    Chairman Stearns, Ranking Member Schakowsky, and Members of the 
Subcommittee: My name is Michael Hintze, and I am a Senior Attorney at 
Microsoft Corporation. I want to thank you for the opportunity to share 
with the Subcommittee our views on data security legislation. In light 
of the number of recent serious security breaches, the increasing 
concern nationwide over identity theft, and the ever-rising but often 
inconsistent number of state laws imposing security and customer 
notification requirements, Microsoft firmly believes that now is an 
appropriate time for Congress to adopt federal data security 
legislation.
    Microsoft applauds Congress and the members of this Subcommittee 
for their attention to data security and identity theft issues. As the 
Federal Trade Commission has reported, in 2003 alone, roughly 10 
million Americans suffered from identity theft, costing businesses 
$47.6 billion and consumers almost $5 billion.\1\ As a leading 
provider of software and online services, Microsoft is particularly 
concerned that identity theft threatens to erode trust on the Internet, 
and we are deeply committed to working with you, law enforcement, and 
others in the industry to maximize deterrence and minimize the 
opportunities for identity thieves.
---------------------------------------------------------------------------
    \1\ Federal Trade Commission--Identity Theft Survey Report 7 (Sept. 
2003), available at http://www.consumer.gov/idtheft/stats.html 
[hereinafter ``Identity Theft Survey Report''].
---------------------------------------------------------------------------
    Today, I want to address the focus of this hearing--data security 
legislation. Microsoft generally supports the draft legislation before 
this Subcommittee, dated June 30, 2005 (the ``Discussion Draft''), that 
would require companies both to adopt an information security program 
and to notify consumers in the case of a security breach. This 
legislative approach would be an effective complement to Microsoft's 
own multi-faceted strategy for protecting individuals' personal 
information, which includes developing and implementing technological 
solutions, educating consumers about ways to protect themselves while 
online, meeting or exceeding industry best practices on privacy and 
security, and enforcing existing laws. My testimony today highlights 
some of the key issues raised by federal data security legislation and 
by the Discussion Draft in particular, and recommends ways to proceed 
toward the goal of creating a trusted environment for Internet users.
businesses should be required to adopt an information security program.
    Microsoft supports legislation that would require companies engaged 
in interstate commerce to adopt an information security program. But in 
order to be effective, while avoiding unnecessary burdens on 
responsible businesses, such legislative requirements should be both 
broadly applicable and sufficiently flexible to meet the security 
challenges across a wide variety of business environments and 
scenarios.
(1) Federal Legislation Should Enable Companies to Implement Security 
        Measures Best Suited for Their Environments.
    First, any such legislative requirement should recognize that 
security is an ongoing process, that the threats to data security are 
constantly changing, and that the degree and type of risk can vary from 
one situation to another. An appropriate and effective information 
security program will depend on a number of factors, including, but not 
limited to, an entity's size, the nature of its business, the amount 
and type of information it collects, and the number of employees that 
it has. In short, federal legislation must provide flexibility to 
enable companies to adopt security policies and procedures that are 
responsive to their risk level.
    With this in mind, the framework for an information security 
program set forth in the Gramm-Leach-Bliley Act (``GLB'') is preferable 
to that outlined in section 2(a) of the Discussion Draft. In GLB, 
Congress directed the relevant agencies to provide for the 
establishment of ``appropriate . . . administrative, technical, and 
physical safeguards--
          (1) to insure the security and confidentiality of customer 
        records and information;
          (2) to protect against any anticipated threats or hazards to 
        the security or integrity of such records; and
          (3) to protect against unauthorized access to or use of such 
        records or information which would result in substantial harm 
        or inconvenience to any customer.''\2\
---------------------------------------------------------------------------
    \2\ 15 U.S.C. § 6801(b).
---------------------------------------------------------------------------
In response to this directive, the FTC implemented regulations that 
require the development of information security programs ``appropriate 
to the [subject entity's] size and complexity, nature and scope of . . . 
activities, and sensitivity of the customer information at issue.''\3\
---------------------------------------------------------------------------
    \3\ 16 C.F.R. § 314.3.
---------------------------------------------------------------------------
    Microsoft believes a flexible framework such as that established by 
GLB and the FTC's implementing regulations makes sense. It gives 
individual organizations--which are in the best position to understand 
the particular security measures that are best suited to the different 
types and forms of personal information they maintain--the discretion 
to implement the most appropriate technologies and procedures for their 
respective environments. In contrast, a set of federally-mandated 
technical specifications would inevitably impose too high of a burden 
on some organizations for some information, but not adequately protect 
some personal information held by other organizations. And, because 
security measures are constantly changing and improving as technology 
advances and engineers respond to evolving threats to information 
security, a one-size-fits-all regime would likely and rapidly become 
obsolete.\4\
---------------------------------------------------------------------------
    \4\ We also note that as currently drafted, the Discussion Draft 
could create different regimes for entities that are subject both to 
GLB and to the reach of new data security legislation. That said, 
excluding entities covered under GLB from new data security 
legislation, and then adopting a different standard for other entities, 
would subject companies that house the exact same information to 
different regulatory frameworks--e.g., a retailer would be subject to a 
different information security framework than a bank. For this reason, 
we support creating uniformity to facilitate both the development of 
best practices and the development of service-related expertise--such 
as that provided by auditors--in the area of information security.
---------------------------------------------------------------------------
    For these reasons, Microsoft urges the Subcommittee to replace its 
current section 2(a) with language modeled on the framework set forth 
in GLB and the FTC's implementing regulations. In addition, in light of 
the importance of ensuring that implementing regulations give companies 
the discretion to adopt programs that best suit their respective needs, 
Microsoft encourages Congress to direct the FTC to allow entities to 
develop information security programs consistent with the following: 
(1) the entities' size and complexity, (2) the nature and scope of 
their activities, (3) the sensitivity of the personal information at 
issue, (4) the current state of the art in administrative, technical, 
and physical safeguards for protecting information, and (5) the cost of 
implementing such safeguards. Microsoft believes such a flexible 
approach is the best way to protect individuals' personal information 
now and into the future.\5\
---------------------------------------------------------------------------
    \5\ This testimony focuses on subsection (a) of Section 2. With 
respect to subsection (b)--which applies special requirements to 
information brokers--Microsoft has only two brief observations. First, 
the definition of ``information broker'' requires a slight revision to 
make clear that it applies strictly to those entities whose primary 
business is selling consumer data. Second, while Microsoft generally 
supports giving individuals access to personal information collected 
about them, we think that certain reasonable exceptions must accompany 
such a legislative requirement for it to make sense. For example, 
access should not be required where the individual requesting access 
cannot reasonably verify his name or identity as the person to whom the 
personal information relates; the rights of other persons would be 
violated; the burden of providing access would be disproportionate to 
the risk of harm to the individual; revealing the information would 
compromise proprietary or confidential information, technology, or 
business processes; or revealing the information would be unlawful or 
affect litigation or a judicial proceeding in which the business or 
individual has an interest.
---------------------------------------------------------------------------
(2) Federal Security Requirements Should Apply to All Personal 
        Information.
    If federal data security legislation includes sufficient 
flexibility to enable companies to develop security practices and 
procedures that are tailored to the situation based on these factors, 
Microsoft believes that federal information security requirements 
should apply to all personal information housed by an organization in 
any form, whether electronic or paper. There is no reason to limit the 
requirements to protect personal information to its electronic form: 
The consequences of a loss or misuse of personal information in paper 
form can be just as serious and devastating to the affected individuals 
as a loss of that same data in electronic form. Likewise, the federal 
security requirements should not be limited only to sensitive 
information that, if exposed, could lead to identity theft.\6\ 
Although a breach of non-sensitive personal information may not expose 
individuals to identity theft, it can have other negative 
consequences.\7\ Again, as long as the federal legislation 
avoids mandating a one-size-fits-all approach to this data and instead 
provides flexibility, the security requirements can reasonably be 
applied to all personal information.\8\ The creation of such a 
single, flexible framework for all personal information will create 
broader protection for consumers as well as increase efficiency for 
businesses that otherwise could be faced with having to comply with 
additional and inconsistent security requirements imposed by other 
state or federal laws.
---------------------------------------------------------------------------
    \6\ By ``sensitive information'' we mean the kinds of data that are 
included in the Discussion Draft's definition of ``personal 
information.'' Although we advocate for a broader scope for security 
requirements, as we note later, this narrower definition remains 
relevant for the purposes of defining the scope of information that 
should trigger a notification obligation.
    \7\ For example, if a number of e-mail addresses wind up in the 
wrong hands, those individual recipients could be deluged with unwanted 
spam that renders their e-mail account virtually unusable--or even 
subjects them to harmful phishing scams that trick them into disclosing 
sensitive financial information to would-be identity thieves. The 
exposure of other non-sensitive personal information can have similarly 
invasive consequences on an individual's privacy.
    \8\ It is worth noting that the FTC Consent Orders on security have 
required businesses to implement security programs for all personal 
information, not just sensitive personal information.
---------------------------------------------------------------------------
    With this background in mind, Microsoft respectfully suggests that 
the Subcommittee reconsider the approach taken in section 2(a) of the 
Discussion Draft. This section appropriately directs the Federal Trade 
Commission to adopt implementing regulations governing information 
security programs, but only with respect to a narrow class of sensitive 
personal information and only with respect to any such information 
maintained in electronic form. For the reasons stated above, Microsoft 
urges Congress to expand the scope of this provision.
(3) Providing Flexibility in the Information Security Requirement is 
        Essential to Avoid Unnecessary Burdens on Small Businesses and 
        Those That Handle Minimal Amounts of Personal Information.
    Finally, we note that a flexible approach to security, such as the 
one outlined above, also is essential to alleviate the potential burden 
that a national information security requirement could impose on small 
businesses. However, if the Committee believes that the potential costs 
of a national information security requirement necessitate some sort 
of small business exemption even with the flexible approach that we 
recommend, Microsoft believes that such an exemption should be 
triggered by the number of individuals whose personal information an 
entity handles and not by the size of the business. For example, given 
the costs of compliance relative to the risks of exposure, it might 
make sense to exempt from at least section 2(a) an entity that 
collects, stores, uses or discloses personal information from fewer 
than 5,000 individuals in any twelve (12) month period.
   businesses should be required to notify consumers when there is a 
                         material risk of harm.
    Microsoft recognizes that notifying individuals of security 
breaches can be an effective element in the effort to reduce the costs 
and other harms associated with identity theft. But we believe that for 
a notification requirement to provide effective warning to consumers, 
and to be reasonable and fair for all business entities engaged in 
interstate commerce, it must be triggered only when there is a material 
risk of harm to an individual. As recent reports have indicated, an 
overly broad notification requirement could have negative 
effects.\9\ For example, consumers may begin to receive so 
many notices that they become accustomed to such notices and/or become 
unable to differentiate between those breaches that represent a serious 
risk and those that do not. One likely result is that some consumers 
will do nothing in response; as a result, the costs of the notice will 
be incurred in vain, and consumers will continue to bear the risk of 
any resulting identity theft. Other consumers may err on the side of 
over-reaction, responding to even harmless breaches by imposing credit 
freezes, fraud alerts or changing or closing accounts--all of which 
impose significant and unnecessary costs.\10\ For these 
reasons, Congress should proceed carefully when articulating the 
standard that triggers notification. We believe that the best standard 
is one that incorporates a materiality threshold like the federal 
banking regulators have applied in the Interagency Guidance on GLB--
namely, notification is required when there is a reasonable possibility 
of misuse.
---------------------------------------------------------------------------
    \9\ See, e.g., Henry Fountain, ``Worry. But Don't Stress Out,'' 
Wall Street Journal, June 26, 2005, Section 4, p.1.
    \10\ See Thomas M. Lenard & Paul H. Rubin, ``An Economic Analysis 
of Notification Requirements for Data Security Breaches,'' The Progress 
& Freedom Foundation 10-11 (July 2005).
---------------------------------------------------------------------------
(1) Notification Obligations Should Be Triggered When Misuse Is 
        Reasonably Possible.
    Microsoft believes that the Interagency Guidance on GLB provides a 
workable framework for a national notification standard. That guidance 
focuses on whether, as a result of unauthorized access, ``misuse of . . 
. information . . . has occurred or is reasonably possible.''\11\ 
Although the Discussion Draft contains a relatively 
flexible standard, we have some concern that the ``may result in 
identity theft'' formulation is vague, and in any event, that the 
formulation would establish a slightly different standard than GLB has 
been interpreted to apply to financial institutions. This Interagency 
standard provides clear guidance to industry and consumers: it 
appropriately requires an organization to investigate the circumstances 
of any unauthorized access, and to analyze the risks posed to affected 
individuals before any notification is required. Microsoft believes it 
is critical to make companies responsible for determining the details 
of an unauthorized access to sensitive financial information and the 
level of threat resulting from the specific circumstances. If an 
investigation concludes that misuse of a consumer's information has 
occurred or is reasonably possible in light of the facts surrounding 
the security breach and the exposure of the information, then 
notification must be provided. Thus, this standard ensures that only 
those consumers who are reasonably at risk receive notification, and in 
so doing, it mitigates against both the risk of over-notification and 
the risk of consumer over- and under-reaction.
---------------------------------------------------------------------------
    \11\ Interagency Guidance on Response Programs for Unauthorized 
Access to Customer Information and Customer Notice, 70 Fed. Reg. 15736, 
15752 (Mar. 29, 2005) (emphasis added) [hereinafter ``Interagency 
Guidance''].
---------------------------------------------------------------------------
(2) Notification Obligations Should Cover Only Unencrypted Sensitive 
        Personal Information.
    The purpose of notifying an individual of a security breach is to 
enable that person to prevent two potential types of identity theft: 
(1) the misuse of his or her existing credit card or other account, and 
(2) the fraud that is perpetrated when a thief opens a new account in 
his or her name.\12\ The scope of any notification obligation 
should be limited to the class of personal information that could lead 
to such misuse. This information should include Social Security 
numbers, and it should include credit card information associated with 
other information that could enable someone to access an account or 
make a credit card purchase. This information should not include basic 
personal information--such as name, address or telephone number--that 
alone or in combination with one another presents virtually no 
increased risk of identity theft.
---------------------------------------------------------------------------
    \12\ See Identity Theft Survey Report, supra note 1, at 4.
---------------------------------------------------------------------------
    The Discussion Draft applies its notification requirements to a 
narrow class of personal information, which is appropriate. To clarify 
that this information is particularly sensitive, Microsoft recommends 
that the Discussion Draft rename this class of information ``sensitive 
financial information.'' It should then include a broader definition of 
``personal information'' to which the obligations set forth in section 
2(a), as described above, apply.
    However, within this class of so-called ``sensitive financial 
information,'' Microsoft believes that encrypted information should be 
excluded. Data encrypted using standard methods is either impossible or 
impracticable to decipher. Therefore, there is no reasonable 
possibility of its misuse if it is accessed without authorization. In 
addition, by specifically exempting such encrypted information from the 
standard for notification, Congress will be creating an explicit 
incentive for companies to adopt encryption technology, thereby 
reducing the risk of a security breach in the first instance. If 
Congress has concerns that a general encryption exception is too vague 
and could be abused,\13\ Microsoft would support allowing the 
exception to apply only to certain levels of encryption--e.g., the 
encryption level set forth in the Federal Information Processing 
Standards issued by the National Institute of Standards and 
Technology--or more generally to encryption adopted by an established 
standard setting body combined with an appropriate key management 
mechanism to protect the confidentiality and integrity of associated 
cryptographic keys in storage or in transit.
---------------------------------------------------------------------------
    \13\ We think that, if Congress explicitly exempted encrypted 
information from the notification requirement, there would be little 
risk of abuse--after all, as a general matter, it is just as easy to 
use readily available good encryption technology as it is to use 
readily available weak encryption technology, so there would be little 
incentive to use a lower standard.
---------------------------------------------------------------------------
(3) Notification Obligations Should Capture Data Maintained In Any 
        Form.
    Microsoft believes that the public policy interest in protecting 
sensitive financial information against malicious use by third parties 
extends to all forms of data, regardless of whether it is housed in 
electronic or paper form. For this reason, we believe the notification 
requirements set forth in section 3 of the Discussion Draft (like the 
general security obligations set forth in section 2(a)) should not be 
limited to electronic or computerized data. This is the approach 
followed in the Interagency Guidance on GLB.
    Although expanding the requirement beyond data in electronic form 
would potentially heighten the compliance costs associated with this 
federal legislation, the public policy supports such an expansion. 
Identity theft can be committed using information obtained offline and 
in a form other than just computerized data. Simply put, an identity 
thief can defraud a consumer using sensitive personal information 
maintained in paper form just as easily as the thief can using 
computerized data. To adequately protect consumers, the notification 
requirements of the legislation should therefore apply to all sensitive 
financial information--regardless of the form in which the information 
is maintained.
    congress should give companies discretion to determine the most 
           appropriate and effective method for notification.
    Microsoft believes that for a nationwide notification requirement 
to be administratively workable, business entities subject to the 
requirement should have flexibility in how notice is provided. This is 
because the appropriate method for notice will turn on the size and 
type of the entity providing the notice, the number of people required 
to receive notice, the methods by which the entity typically 
communicates with its customers or other individuals, and the relative 
costs for different methods of providing notice. For these reasons, the 
Interagency Guidance on GLB provides discretion to covered entities to 
provide notice ``in any manner designed to ensure that a customer can 
reasonably be expected to receive [the notice.]''\14\
---------------------------------------------------------------------------
    \14\ Interagency Guidance, supra note 11, at 15753.
---------------------------------------------------------------------------
    Microsoft urges Congress to follow the model of the Interagency 
Guidance by giving companies discretion to issue notice in various 
ways, so long as the notice is reasonably expected to reach the 
affected individuals. The Discussion Draft, which would obligate an 
entity to provide notice to an individual in writing and by email and 
through the entity's website, is too restrictive, and there is a real 
risk that it could lead to less effective notifications and/or be too 
costly for many entities to implement. Rather, federal legislation 
should enable entities to provide notice via telephone, regular mail, 
or electronic mail, depending on the circumstance. Indeed, many 
individuals who have received notices of security breaches report that 
they appreciate getting them by telephone, which personalizes the 
process, makes the notice less intimidating, and provides an immediate 
forum for the individual to ask questions.\15\ While telephone 
notice may not be feasible in cases requiring mass notification, it is 
an option that should be permissible consistent with the interpretation 
of GLB.
---------------------------------------------------------------------------
    \15\ Larry Ponemon, ``Opinion: After a Privacy Breach, How Should 
You Break the News,'' Computerworld, July 5, 2005.
---------------------------------------------------------------------------
    Microsoft also believes that entities should be required to try to 
reach individuals directly, unless certain cost or quantity thresholds 
are present or there is no known number, mailing address, or electronic 
mail address for an individual. Accordingly, Microsoft would propose 
using mass media notice and Internet postings only in exceptional 
circumstances requiring substitute notice.
 congress should consider internal and law enforcement investigations 
       when analyzing the appropriate timeliness of notification.
    Microsoft is pleased that the Discussion Draft accounts for the 
immediate obligations of a company in the aftermath of a breach by 
allowing reasonable time for a company to determine the scope of the 
breach and to restore any compromised systems before issuing notice of 
the breach. Microsoft also believes, however, that federal legislation 
should account for the needs of law enforcement in investigating the 
breach. It is often the case that immediate notification to the public 
can interfere with a criminal investigation of the underlying incident. 
If, for example, law enforcement officials are in the process of 
identifying or apprehending potential suspects, a public announcement 
may cause the suspects to flee, destroy evidence, or otherwise obstruct 
these efforts to bring the perpetrators to justice. The existing GLB 
guidelines regulating financial institutions, as well as most state 
breach notification laws, have accounted for these concerns by allowing 
for delayed notification, consistent with the legitimate needs of law 
enforcement.
    The risk of any abuse with this delay in notification is easily 
addressed by vesting the authority for any such determination in law 
enforcement, rather than the company itself. As the Interagency 
Guidance on GLB provides, ``notice may be delayed if an appropriate law 
enforcement agency determines that notification will interfere with a 
criminal investigation and provides the institution with a written 
request for the delay.''\16\ By accounting for these 
contingencies in imposing a notification requirement, Congress can 
balance the interests of consumers, the legitimate needs of law 
enforcement, and the immediate responsibilities of companies suffering 
data security breaches.
---------------------------------------------------------------------------
    \16\ Interagency Guidance, supra note 11, at 15752.
---------------------------------------------------------------------------
                strong federal preemption is warranted.
    Microsoft believes that for federal legislation to be meaningful in 
this area, it must address the problem of state laws imposing 
potentially inconsistent security and notification requirements. In 
other words, we strongly feel that federal legislation requiring 
entities to implement an information security program and to notify 
individuals of security breaches must ``occupy the field.'' As we have 
seen with the rash of major security breaches over the past several 
months, information security is a national problem that affects all 
Americans. Federal legislation that preempts inconsistent state laws is 
therefore crucial to protect consumers while allowing responsible 
businesses to operate without unnecessary burdens.
    Over the past several months, more than a dozen states have enacted 
breach notification laws, with a few of these states also requiring 
entities to adopt security procedures. Although these statutes 
generally have been patterned after the California law, which pioneered 
breach-related legislation, the statutes are not uniform, and their 
differences can be striking. For one, the statutes sometimes differ on 
the very definition of ``personal information,'' with some states 
broadly covering any account information, some requiring a name coupled 
with other identifying information, and some including a Social 
Security number alone. Similarly, the statutes differ in their 
jurisdictional scope, with most applying to entities conducting 
business within the state, but others applying to anyone who possesses 
information about residents of the state. The statutes are also 
inconsistent as to when notification is required, with some states 
providing an exception when the breach is reasonably believed to be 
harmless. In addition to these disparities, provisions regarding 
notification period, notification method, and available remedies often 
vary from state to state.
    Although some have argued that the federal provision should create 
a ``floor,'' above which states are free to impose additional 
requirements, this would not solve the problem caused by the existing 
patchwork of state regulation. In such an environment, any company that 
participates broadly in the national economy must either abide by the 
strictest applicable standard, or otherwise take measures to 
compartmentalize its transactions on a state-by-state basis. Under the 
former approach, any federal legislation would be rendered meaningless 
absent preemption. And given the realities of today's virtual economy, 
the latter option is largely impracticable; or, for those companies 
that tried to comply with requirements on a state-by-state basis, it 
would potentially cause a harmful distraction from what is important--
protecting the security of consumers' personal information and promptly 
notifying any affected consumers in the event of a security breach that 
is reasonably possible to lead to the misuse of unencrypted sensitive 
financial information. Therefore, the only realistic solution that 
protects consumers while minimizing the operational burdens in 
responsible businesses is to adopt a nationwide standard for security 
and notification. That standard should certainly be robust, but, once 
adopted, should apply uniformly. Hence, any federal legislation on this 
topic should specifically preempt state security and notification laws.
    The Discussion Draft includes an appropriate preemption provision. 
That said, Microsoft supports adding language to the preemption 
provision to make clear that only State Attorneys General can bring a 
civil action under state law that is premised on a violation of the 
federal legislation. At the same time, we recognize that State 
Attorneys General can play a vital role in ensuring that companies 
adhere to sound information security practices. Accordingly, Microsoft 
also supports any clarification that enables State AGs to directly 
enforce the provisions of the legislation and also ensures they can 
continue to rely on their enforcement authority under state consumer 
protection laws.
    congress should consider additional provisions in data security 
                              legislation.
    Requiring entities to implement security procedures that apply to 
personal information and to notify individuals of security breaches, 
where the misuse of unencrypted sensitive financial information is 
reasonably possible, makes sense. But these approaches do not fully 
address a key concern raised in response to recent security breaches--a 
lack of transparency as to how companies are using and disclosing 
personal information in the first place. Individuals want to understand 
better the entities that maintain their personal information, the types 
of information they maintain, how they use that information, and the 
third parties with whom they share such information. For this reason, 
in addition to supporting reasonable security precautions and 
notification requirements, Microsoft looks forward to working with the 
Subcommittee on appropriate legislation that addresses these broader 
concerns. Microsoft believes that adopting a tailored but more complete 
approach to data security legislation at the federal level will better 
inform consumers about who is using their personal information and how, 
and thereby empower consumers to exercise meaningful control over their 
personal information both before and after any security breach occurs. 
In addition, a national standard will give consumers and organizations 
that are facing a patchwork of privacy and data security requirements 
at the state level clarity about the standards for collecting, using, 
disclosing, and storing personal information.
    We commend the Subcommittee for holding this hearing today and 
appreciate your determination to seek strong legislation to help curb 
identity theft. Thank you for extending us an invitation to share our 
recommendations on the Discussion Draft, and we look forward to working 
with you on additional means to help inform and empower consumers both 
before and after a security breach occurs. Microsoft is committed to 
creating a trusted environment for Internet users, and looks forward to 
working with you toward this common goal.

    Mr. Stearns. I thank the gentleman.
    Mr. Hoofnagle, welcome.

                STATEMENT OF CHRIS JAY HOOFNAGLE

    Mr. Hoofnagle. Good morning, Chairman Stearns, Ranking 
Member Towns, and good morning, Chairman Barton.
    My name is Chris Hoofnagle. I am senior counsel with the 
Electronic Privacy Information Center. We are a not-for-profit 
research center that focuses on privacy founded in 1994 here in 
Washington. I run the organization's West Coast office in San 
Francisco.
    There are many different consumer protection issues that 
need the attention in this committee, and we thank you for 
focusing your attention on privacy and security. Ranking Member 
Towns, in your introduction, you discussed about how there are 
new security breaches, it seems, bimonthly. It is actually more 
than that. The Privacy Rights Clearinghouse has a chronology of 
data breaches online, and there have been 60 known such 
breaches since ChoicePoint, the commercial data broker, 
announced their breach back in February. And when you look at 
this chronology, you see that it has been a diverse array of 
businesses. They are in the financial services sector. They are 
in the retail sector. You also see that there is a diverse 
number of attackers. There is a diverse number of threats to 
personal information. Sometimes these breaches are caused by 
insiders. Sometimes they are caused by outsiders. Sometimes it 
is just a mistake. And then sometimes it is willful.
    So your committee is charged with dealing with a very 
difficult situation of writing a law that addresses all of 
these different types of data risks and risks to identity theft 
and other misuse of information.
    With that said, let me focus on just some parts of my 
testimony.
    We were very happy to see the discussion draft. I think it 
is an important first step in addressing security breach 
issues. But there are several issues that we wanted to tweak. 
We have already heard testimony this morning regarding the 
standard for providing notice. And under this bill, there has 
to be a risk of identity theft. We really want to emphasize 
that identity theft is not the only risk to data security.
    There have been cases involving stalking. One of the things 
we work at at EPIC is the problem of investigators who operate 
online who break security of other companies to get information 
and sell that information to other people, including stalkers. 
Data might be accessed by other businesses that are engaged in 
the attempt to locate people. So, for instance, in New Jersey, 
there was a major security breach involving 600,000 records at 
Bank of America and Wachovia. And the people obtaining that 
information weren't trying to steal anybody's identity. What 
they were trying to do was sell that data to debt collectors so 
that the debt collectors could locate them. Data might be 
accessed for corporate espionage purposes. It might even be 
accessed for extortion. There was a case out in California where 
a hospital had outsourced sensitive medical information to 
Pakistan. The person in Pakistan handling the data was never 
paid, and so she took the data and she put it online saying if 
you don't pay me, I am going to post the rest of this medical 
data.
    And finally, sometimes data is stolen for spam purposes. 
There was a case here on the east coast where a Time Warner 
employee was caught with 92 e-mail addresses of AOL 
subscribers, and he broke the system in order to sell that data 
for direct marketing purposes.
    I also wanted to amplify Ms. Maier's point that it is also 
very difficult to determine whether or not identity theft is 
the intent of an attacker and whether or not the attacker is 
even competent enough to commit that crime. We really need to 
focus on misuse of data rather than identity theft.
    We were also pleased to see that this is a discussion draft 
on data protection. To us, data protection is an issue that is 
much broader than security. Data protection includes privacy, 
the idea that a minimum amount of information should be 
transferred when entering into a transaction, the idea that 
people should have access to their information. They should be 
able to correct it. However, those rights aren't all 
encompassed in this discussion draft. And we urge you in future 
drafts to include other privacy rights, because some of the 
problem here is not just insecurity. The problem is that even 
if this data were sold securely, there is a problem with the 
sale that, in some cases, this information should never be 
sold.
    We also urge you to include audit trails in the bills. 
While encryption is a great tool for protecting data from 
outsiders, encryption does not do a good job when insiders are 
stealing data and selling it to other people. And it is at that 
point where audit trails are really important. And what audit 
trails do essentially is track who accesses data, for what 
purpose, and whether they disclose it to anyone. And it is the 
best way to not only deter insiders, but also to catch them 
once they have broken the security.
    I see that I have run out of time, so I want to conclude by 
saying thank you for holding this hearing and for considering 
this legislation. And if I can be of help to the committee, 
please feel free to contact me.
    [The prepared statement of Chris Jay Hoofnagle follows:]
Prepared Statement of Chris Jay Hoofnagle, Director and Senior Counsel, 
        Electronic Privacy Information Center West Coast Office
                              introduction
    Chairman Stearns, Ranking Member Schakowsky, and Members of the 
Subcommittee, thank you for extending the opportunity to testify on 
data security legislation.
    My name is Chris Hoofnagle and I am Senior Counsel to the 
Electronic Privacy Information Center, and director of the group's West 
Coast office, located in San Francisco. Founded in 1994, EPIC is a not-
for-profit research center established to focus public attention on 
emerging civil liberties issues and to protect privacy, the First 
Amendment, and constitutional values.
    EPIC has been on the forefront of the issues being considered in 
today's hearing. For instance, ``commercial data brokers,'' companies 
that extract sensitive information from many sources and sell it as a 
``dossier'' to others, have long been a matter of public 
concern.\1\ EPIC has engaged in extensive use of the Freedom 
of Information Act to determine the extent of interaction between the 
government and data brokers such as Lexis-Nexis, Acxiom, InfoUSA, and 
Merlin.\2\
---------------------------------------------------------------------------
    \1\ See Chris Jay Hoofnagle, Big Brother's Little Helpers: How 
ChoicePoint and Other Commercial Data Brokers Collect, Process, and 
Package Your Data for Law Enforcement, 29 N.C.J. Int'l L. & Com. Reg. 
595 (Summer 2004), available at http://www.epic.org/privacy/
choicepoint/cp--article.pdf.
    \2\ EPIC Choicepoint Page, available at http://www.epic.org/
privacy/choicepoint/.
---------------------------------------------------------------------------
    We applaud the Members of the Committee and others who have crafted 
legislation to address security standards for companies that maintain 
personal information. In my testimony today, I will provide comment on 
the Discussion Draft of Data Protection Legislation. The Discussion 
Draft is a good first step in addressing the security risks presented 
by companies with personal information, but fails to fully confer upon 
individuals the tools they need to avoid misuse of personal 
information. I therefore recommend that the Committee move this 
legislation, with reasonable enhancements including: an option for 
credit freeze, a requirement that security measures include audit 
trails, and public reporting of security breaches to the Federal Trade 
Commission. I further recommend that the Committee go beyond security 
issues and consider the privacy risks raised by data brokers.
                            data insecurity
    Well before the recent news of the Choicepoint debacle became 
public, EPIC had been pursuing the company and had written to the FTC 
to express deep concern about its business practices. On December 16, 
2004, EPIC urged the Federal Trade Commission to investigate 
Choicepoint and other data brokers for compliance with the Fair Credit 
Reporting Act (FCRA), the federal privacy law that helps ensure 
personal financial information is not used improperly.\3\ The 
EPIC letter said that Choicepoint and its clients had performed an end-
run around the FCRA and were selling personal information to law 
enforcement agencies, private investigators, and businesses without 
adequate privacy protection.
---------------------------------------------------------------------------
    \3\ Letter from Chris Jay Hoofnagle, Associate Director, EPIC, and 
Daniel J. Solove, Associate Professor, George Washington University Law 
School, to Federal Trade Commission, Dec. 16, 2004, available at http:/
/www.epic.org/privacy/choicepoint/fcraltr12.16.04.html.
---------------------------------------------------------------------------
    Since the Choicepoint breach, there has been a steady stream of 
news articles and public announcements concerning other companies that 
have failed to secure the personal information of individuals. The 
Privacy Rights Clearinghouse, a San Diego-based group, has posted a 
Chronology of these data breaches.\4\ As of this writing, this 
Chronology notes 60 different incidents where a company or government 
entity reported a security breach involving the Social Security number, 
drivers license number or financial account number. The Privacy Rights 
Clearinghouse estimates that 50,000,000 individuals have been affected 
by these known breaches.
---------------------------------------------------------------------------
    \4\ Privacy Rights Clearinghouse, A Chronology of Data Breaches 
Reported Since the ChoicePoint Incident, available at http://
www.privacyrights.org/ar/ChronDataBreaches.htm (last visited Jul. 24, 
2005).
---------------------------------------------------------------------------
    This Chronology is worth revisiting for at least three reasons. 
First, it demonstrates the diversity of entities that store sensitive 
personal information and yet have experienced a security incident. 
While there have been major security breaches at commercial data 
brokers such as Lexis-Nexis and Merlin, there have also been security 
problems at banks, schools, government entities such as motor vehicle 
administrations, and retailers. This demonstrates the need for 
intervention across a broad array of entities.
    A privacy-friendly approach would first emphasize the need for 
reducing the amount of personal information collected and maintained. 
Where retention of personal information is necessary, these entities 
should be subject to a framework of ``Fair Information Practices.'' 
Fair Information Practices, or ``FIPs,'' constitute a framework of 
rights and responsibilities that require entities to minimize the 
amount of information they collect, to use it only for purposes 
specified by the individual, to hold it in a secure manner, and to 
provide the individual access to and the ability to correct their 
personal data.
    Second, the Chronology demonstrates that security breaches may 
occur for reasons other than to commit identity theft. For instance, 
insiders at Bank of America, Wachovia, PNC Bank and Commerce Bank sold 
customers' personal information to attorneys and others who were 
engaged in debt collection efforts.\5\ That breach affected 
the records of over 600,000 accountholders. Sometimes systems are 
compromised for voyeuristic purposes, such as obtaining the contact 
information or communications data of celebrities or law enforcement 
officials.\6\ Security breaches may be motivated by a company 
attempting to obtain information about a competitor. Finally, extortion 
may motivate someone to obtain and disclose an individual's personal 
information. For instance, in 2003, a Pakistani clerical worker 
performing transcription services for an American hospital threatened 
to release medical records if she was not paid for her 
services.\7\ Accordingly, Congress' approach should recognize 
that identity theft is not the only harm to be avoided. Legislation 
passed by Congress should recognize that security breaches may be 
motivated by a number of crimes unrelated to attempted identity theft.
---------------------------------------------------------------------------
    \5\ Jonathan Krim, Banks Alert Customers of Data Theft, Washington 
Post, May 26, 2005, available at http://www.washingtonpost.com/wp-dyn/
content/article/2005/05/25/AR2005052501777.html.
    \6\ Kelly Martin, Hacker breaches T-Mobile systems, reads US Secret 
Service email and downloads candid shots of celebrities, SecurityFocus, 
Jan. 12, 2005
    \7\ David Lazarus, A tough lesson on medical privacy: Pakistani 
transcriber threatens UCSF over back pay, Oct. 22, 2003, available at 
http://www.sfgate.com/article.cgi?file=/c/a/2003/10/22/MNGCO2FN8G1.DTL.
---------------------------------------------------------------------------
    Third, the Chronology demonstrates that entities that maintain 
personal information are subject to many different security risks. 
While we typically think of outsiders, such as malicious computer 
hackers, as the prime security risk, the Chronology shows that 
dishonest employees are a major security problem. Accordingly, 
Congress' approach should include measures likely to catch insiders who 
sell information. Audit trails--a requirement that entities record who 
accesses and discloses personal information--would go far in deterring 
and detecting dishonest insiders.
            the draft should contain credit freeze language
    In the Senate, Members are considering legislation that will 
prevent identity theft by allowing individuals to ``freeze'' their 
credit. Under these proposals, individuals can opt to erect a strong 
shield against identity theft by preventing the release of their credit 
report to certain businesses. Because a credit report is always pulled 
before a business issues a new line of credit, a freeze will make it 
very difficult for an impostor to obtain credit in the name of another 
person.\8\
---------------------------------------------------------------------------
    \8\ Chris Hoofnagle, Putting Identity Theft on Ice: Freezing Credit 
Reports to Prevent Lending to Impostors, Securing Privacy in the 
Internet Age, Stanford University Press (forthcoming 2006) available at 
http://ssrn.com/abstract=650162
---------------------------------------------------------------------------
    According to US PIRG, 10 states have credit freeze laws 
enacted.\9\ The New Jersey law offers consumers the most 
benefit--any resident may freeze their credit report at minimal cost, 
and consumer reporting agencies must make the thaw mechanism work 
quickly, so that individuals can take advantage of instant credit 
offers.
---------------------------------------------------------------------------
    \9\ US PIRG, State Breach and Freeze Laws, available at http://
www.pirg.org/consumer/credit/statelaws.htm.
---------------------------------------------------------------------------
    We believe that a credit freeze is a good approach that will 
minimize security risks and reduce the risk of identity theft. Simply 
stated, this provision will make it more difficult for others to use a 
consumer's credit report without their consent. Consumers will always 
have the ability to provide their credit reports in those transactions 
that they initiate.
            the need to consider general privacy protections
    The Discussion Draft would establish important security safeguards 
for all businesses with personal information, and heightened duties on 
information brokers. But while the Discussion Draft addresses security 
concerns, it does not contemplate whether general privacy restrictions 
are appropriate.
    Information brokers have operated under a self-regulatory schema, 
known as the Individual Reference Service Group (``IRSG'') Principles. 
Through these principles, the industry conferred upon itself the 
authority to sell detailed dossiers to almost anyone for almost any 
purpose. It was the promiscuity of these principles that led to the 
most recent Choicepoint breach, because the principles allowed data 
brokers to choose who is a ``qualified'' buyer of personal information, 
and allowed sale to anyone with a ``legitimate'' business purpose.
    A serious inquiry should be made into the purposes for which these 
dossiers are being sold. Congress should set limits on the contexts in 
which personal information can be sold, and when data is sold, limit 
the secondary uses of personal information.
          the discussion draft of data protection legislation
Section 2 Requirements for Information Security: All Companies
    This section directs the Federal Trade Commission (``Commission'') 
to promulgate regulations to require companies to implement policies 
and procedures to protect personal information. Companies would have to 
develop a security policy and statement on use of personal information. 
Companies would have to identify an employee as being responsible for 
information security. Finally, companies would have to develop 
processes to take preventive and corrective action to address security 
vulnerabilities, including the use of encryption.
    We applaud the Members for encouraging the use of encryption to 
protect personal information. However, we wish to emphasize that once 
data is encrypted, it may still be vulnerable. For instance, the 
company may choose a poor encryption method that can be decoded easily. 
There is also the risk that a malicious actor, especially when he is an 
insider, will have the key or password to decode the encryption. 
Accordingly, an entity that uses encryption should not automatically be 
exempt from other data security responsibilities, such as the 
requirement to provide security breach notices.
    We suggest three improvements to this section:
    First, this section could be significantly enhanced by a 
requirement that companies employ audit trails to deter and detect 
insider misuse of personal information. An audit trail would record who 
accessed individuals' information, the purposes for which it was 
accessed, whether it was disclosed, and to whom it was disclosed. 
Simply put, encryption will be most effective at protecting data from 
outsiders; auditing will be a strong deterrent to insiders.
    Second, where possible, companies should require customers to 
establish a password system for access to their file. Currently, many 
entities with sensitive personal information will give access to files 
based on the provision of simple biographical information, such as 
billing address, phone number, date of birth, or Social Security 
number. The problem is that these biographical identifiers often are 
found in publicly-available databases, such as phone books, public 
records, or the Internet.
    Passwords have some disadvantages. Sometimes people choose poor 
passwords, but an institution can correct this by requiring the 
password to be a certain length. Sometimes individuals forget 
passwords, and in cases where that is a concern, a ``shared secrets'' 
password system could be employed. In such a system, the customer and 
business agree upon a series of questions that can be asked to verify 
identity. They could include asking the customer what street they lived 
on as a child, the name of their first pet, or their favorite book or 
sports team. The questions are periodically rotated to prevent an 
impostor from learning these secrets.
    Third, some companies are using automatic number identification 
(``ANI''), a form of caller ID, to identify or authenticate customers. 
ANI offers additional security over caller ID, but it now appears that 
ANI too can easily be ``spoofed,'' or falsified, through the use of 
VOIP telephony.
    In crafting security guidelines, the Commission will have to 
consider that new technologies may pose new risks to security systems. 
Accordingly, we recommend that the Commission be directed to 
periodically review security requirements, and new threats to personal 
data.
Section 2 Requirements for Information Security: Special Requirements 
        for Data Brokers
    This section would require information brokers to be audited by the 
Commission. It would also require data brokers to allow individuals to 
obtain their dossier annually at no cost.
    We applaud these requirements. Individuals should be able to obtain 
personal information held by data brokers at no charge. Currently, 
industry practice on providing individuals access to their personal 
information varies widely. For instance, it is not clear whether 
information brokers provide the complete file of personal information 
when an individual makes a request for access. Choicepoint provides 
free access, and in a recent study where 11 people requested their 
files, the company provided individuals with their dossiers in a timely 
fashion. However, the study showed that many errors were found in the 
Choicepoint dossiers.\10\ Acxiom charges $20 for access, but 
in the study, the company only fulfilled half of the requests made and 
took an average of 89 days to comply. A legal mandate for free and 
timely access is needed.
---------------------------------------------------------------------------
    \10\ PrivacyActivism, Data Aggregators: A Study of Data Quality and 
Responsiveness, May 18, 2005, available at http://
www.privacyactivism.org/Item/222.
---------------------------------------------------------------------------
Section 3 Notification of Database Security Breach
    This section specifies the instances when a company must disclose 
to individuals that their personal information has been obtained by an 
unauthorized person. It defines breach of security as ``the compromise 
of the security, confidentiality, or integrity of data that results in, 
or there is a reasonable basis to conclude has resulted in, the 
acquisition of personal information by an unauthorized person that may 
result in identity theft.'' It specifies how a company must give 
notice, and what the notice must contain. It specifies that a company 
with a security breach must provide three credit reports and a year of 
credit monitoring service to victims.
    There are several critical aspects to this portion of the 
legislation. First, of course, is the severity of events that 
constitute a ``breach of security.'' The language in the Discussion 
Draft tracks the California standard, except that the Discussion Draft 
includes the requirement that the security breach ``may result in 
identity theft.''
    As we explained above, identity theft is only one risk from 
unauthorized access to personal information. Unauthorized access may be 
gained for other purposes that cause harm to the individual, such as 
stalking, obtaining information for debt collectors, corporate 
espionage, extortion, or mere voyeurism. The purpose of data security 
breach legislation is not just to warn individuals of a risk of 
identity theft; it is also designed to shine a light on poor data 
practices.
    More importantly, as identity theft expert Beth Givens has argued, 
companies often cannot tell whether a security breach may result in 
identity theft. The motives of a person who gained access are not 
always clear. Identity theft can also occur months or even years after 
a security breach.
    There has been much discussion of whether to give companies 
discretion to determine whether notice to the public is justified. No 
such discretion is given by the California law, and Congress should 
carefully consider the consequences of extending discretion at the 
federal level. It is already the case that one information broker, 
Acxiom, engaged in acrobatics to avoid giving notice of a 2003 security 
breach that reportedly involved 20 million records.\11\
---------------------------------------------------------------------------
    \11\ Robert O'Harrow, Jr., No Place to Hide 71-72, Free Press 
(2005). DOJ, Milford Man Pleads Guilty to Hacking Intrusion and Theft 
of Data Cost Company $5.8 Million, Dec. 18, 2003, available at http://
www.usdoj.gov/criminal/cybercrime/baasPlea.htm; DOJ, Florida Man 
Charged with Breaking Into Acxiom Computer Records, Jul. 21, 2004, 
available at http://www.usdoj.gov/opa/pr/2004/July/04_crm_501.htm.
---------------------------------------------------------------------------
    Because it is difficult to gauge the risk of identity theft, 
because there are harms other than identity theft which may result from 
security breaches, and because there is already evidence that companies 
will go to great lengths to avoid giving security breach notices, we 
recommend eliminating the language that gives companies discretion not 
to give notice based on a determination whether the breach ``may result 
in identity theft.''
    If Congress chooses to give some measure of discretion, it should 
set a standard that requires notice where there is a ``reasonable risk 
or reasonable basis to believe that such access could lead to misuse of 
personal information.'' This standard recognizes that security breaches 
should focus on ``misuse'' of personal information instead of just 
identity theft, and would allow companies not to give notice where 
there is no reasonable risk of harm. There should also be a duty to 
thoroughly investigate suspected breaches. The standard set should not 
give data holders incentives to ignore these incidents.
    The second critical factor is the scope of businesses that will be 
subject to the notification requirement. We think the standard set 
forth by the bill--any company that owns or possesses data--is the 
appropriate one. The California standard--any company that owns or 
licenses data--misses the mark in that some companies merely process 
data for others, but may still experience a breach.
    A third critical factor is the form of notice. The California 
security notice legislation was in effect a type of ``Freedom of 
Information Act'' for security standards. Consumers and policymakers 
have benefited from learning more about security standards and 
breaches, but there have also been significant limitations--in many 
cases, only the victims learn of the breach. Consumers and policymakers 
would benefit from hearing of all breaches through a website that could 
be operated by the Commission. We would recommend that the following 
language be added to the legislation, so that there will be public 
reporting of security breaches:
        ``Information submitted to the Commission under sections 
        2(b)(1) and 3(a)(2) shall be posted at a publicly available 
        website operated by the Commission.''
Section 4 Enforcement by the Federal Trade Commission
    This section specifies that the Commission will enforce the law, 
under its authority to address unfair and deceptive trade practices.
    We recommend adding enforcement powers so that state Attorneys 
General can also enforce the law.
    We further recommend that the Commission's authorization and 
appropriation be increased to account for the burdens associated with 
enforcing this law. The Commission must oversee a plethora of business 
practices--from deception in funeral businesses to ``power output 
claims for amplifiers utilized in home entertainment 
products.''\12\ This wide range of responsibility requires adequate 
funding.
---------------------------------------------------------------------------
    \12\ See generally Title 16 of the Code of Federal Regulations, 
available at http://www.access.gpo.gov/nara/cfr/waisidx_05/
16cfrv1_05.html.
---------------------------------------------------------------------------
Section 5 Definitions
    This section defines the many terms in the legislation, including 
identity theft and information broker.
    The definition of ``identity theft'' is narrow and does not 
encompass the full range of activities normally understood as identity 
theft. The current definition focuses on the use of others' personal 
information for the purpose of engaging in ``commercial transactions.'' 
This does not recognize the problem of ``criminal identity theft,'' 
where an individual uses the personal information of another in his 
interactions with law enforcement, leaving the victim with a criminal 
record. Accordingly, we recommend that if the law continues to include 
this term, that it be broadened to recognize other activities commonly 
understood to be ``identity theft.''
    Defining ``information broker'' is a challenge. Many companies are 
engaged in the transmission of personal information to third parties. 
In some cases, this occurs within the individual's expectation, such as 
when information must be transferred to execute a transaction requested 
by a consumer. In others, the transfer of personal information raises 
unique privacy risks, and such businesses should be included in the 
definition of ``information broker.''
    Further complicating this matter is the qualifier ``whose business 
is to collect, assemble, or maintain personal information.'' 
Information brokerage is just a small percentage of the business of a 
company like Lexis-Nexis or even Choicepoint. Lexis-Nexis is a huge 
company; most of its information products have no bearing on privacy, 
such as the company's legal and scholarly research databases. According 
to Choicepoint, only about 11% of its operations consist of information 
brokerage outside the Fair Credit Reporting Act. Can it be said that 
Lexis-Nexis and Choicepoint are entities ``whose business is to 
collect, assemble, or maintain personal information'' for provision to 
third parties?
    There have been many attempts to define an information broker, and 
thus far, we think the best is contained in S. 1332:
          The term `data broker' means a business entity which for 
        monetary fees, dues, or on a cooperative nonprofit basis, 
        regularly engages, in whole or in part, in the practice of 
        collecting, transmitting, or otherwise providing personally 
        identifiable information on a nationwide basis on more than 
        5,000 individuals who are not the customers or employees of the 
        business entity or affiliate.
    This definition limits the scope of the law to companies that 
regularly engage in maintaining large databases on non-customers for 
the purpose of providing them to a third party. It provides a good 
starting point for further discussion.
    Congress should also consider giving the Commission rulemaking 
authority to address circumvention of this definition through corporate 
restructuring or technological tweaks. In passing the Fair and Accurate 
Credit Transactions Act, Congress included a provision that prohibits 
``technological circumvention'' of the Fair Credit Reporting Act's 
provisions. The concern was that through database design or corporate 
reorganization, a consumer reporting agency may escape obligations to 
provide a free credit report. We think that a similar provision would 
be appropriate here to avoid a situation where a company simply 
reorganized to avoid security or privacy responsibilities.
    The definition of ``personal information'' in the Discussion Draft 
is narrower than the California law. Under the California law, personal 
information ``means an individual's first name or first initial and 
last name in combination with . . .'' a Social Security number, drivers 
license number, or account number. The Discussion Draft would require 
the individual's first and last name, instead of just the first 
initial. We think that the federal legislation should be as broad as 
the California definition in this regard.
    We further recommend that section 5(5)(A)(iii) should be modified. 
That section treats an account number in combination with an access 
code as ``personal information.'' As currently written, it gives credit 
card companies an out from giving notice by claiming that the three-
digit security code on the card must be present for a breach to occur. 
That is, even though the three-digit code is not necessary to make 
charges, they will claim that a breach does not require notice unless 
that code is included in the compromised files. We accordingly 
recommend that this section be changed to:
          ``(iii) Financial account number, or a credit card number, or 
        a debit card number in combination with any required security 
        code.''
Section 6 Effect on Other Laws
    This section specifies that all state laws concerning breaches of 
security or notification to individuals of breaches of security would 
be preempted.
    The preemption language in the Discussion Draft is overly broad; it 
risks unintentionally preempting many different state laws that address 
security, but are not the target of this law. Data security needs are 
too varied to accommodate a nationwide uniform standard. Floor 
preemption is more appropriate here.
    In privacy and consumer protection law, federal ceiling preemption 
is an aberration. Historically, federal privacy laws have not preempted 
stronger state protections or enforcement efforts. Federal consumer 
protection and privacy laws, as a general matter, operate as regulatory 
baselines and do not prevent states from enacting and enforcing 
stronger state statutes. The Electronic Communications Privacy Act, the 
Right to Financial Privacy Act, the Cable Communications Privacy Act, 
the Video Privacy Protection Act, the Employee Polygraph Protection 
Act, the Telephone Consumer Protection Act, the Driver's Privacy 
Protection Act, and the Gramm-Leach-Bliley Act all allow states to 
craft protections that exceed federal law.\13\ Even the Fair 
Credit Reporting Act is largely not preemptive.\14\
---------------------------------------------------------------------------
    \13\ Respectively at 18 U.S.C. § 2510 et seq., 12 U.S.C. § 3401, 
47 U.S.C. § 551(g), 18 U.S.C. § 2710(f), 29 U.S.C. § 2009, 47 U.S.C. 
§ 227(e), 18 U.S.C. § 2721, and Pub. L. No. 106-102, §§ 507, 524 (1999).
    \14\ See 15 U.S.C. § 1681t.
---------------------------------------------------------------------------
    Although the federal government has enacted privacy laws, most 
privacy legislation in the United States is enacted at the state level. 
Many states have privacy legislation on employment privacy (drug 
testing, background checks, employment records), Social Security 
Numbers, video rental data, credit reporting, cable television records, 
arrest and conviction records, student records, tax records, 
wiretapping, video surveillance, identity theft, library records, 
financial records, insurance records, privileges (relationships between 
individuals that entitle their communications to privacy), and medical 
records.\15\
---------------------------------------------------------------------------
    \15\ See generally, Robert Ellis Smith, Compilation of State and 
Federal Privacy Laws (Privacy Journal 2002).
---------------------------------------------------------------------------
    Finally, the data industry is in a weak position to argue that it 
cannot comply with state laws. This is an industry that ``segments'' or 
groups people by characteristics at the zip+4 level. They know where 
you live now, and where you lived ten years ago. No other industry is 
better equipped to use technology to comply with state law than the 
data brokers.
Section 7 Effective Date and Sunset
    This section specifies that the act will take effect a year after 
enactment, and sunset 10 years from enactment.
    While Congress and the Commission should continue to revisit data 
security issues, security requirements and rights in personal 
information should not automatically sunset. We suggest striking the 
sunset provision.
Section 8 Authorization of Appropriations
    This section would authorize a yet to be determined amount to the 
Commission. For reasons explained above, we support greater funding of 
the Commission.
                               conclusion
    Mr. Chairman and Members of the Committee, thank you for inviting 
me to testify on the Discussion Draft of Data Protection Legislation. The 
Discussion Draft is a good first step in addressing security risks 
presented both by ordinary companies and information brokers. We 
recommend that the Committee move the legislation, with reasonable 
enhancements, including an option for credit freeze, requirements that 
security measures include audit trails, and public reporting of 
security breaches to the Federal Trade Commission.
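
    The audit-trail requirement recommended in the prepared statement above (record who accessed an individual's information, the purpose, whether it was disclosed, and to whom) can be shown as a small log format plus the detection that makes such a trail useful against insiders. What follows is an added example for this record, not part of the hearing or of EPIC's testimony: the JSON-lines format, the field names, the account names (emp-04, emp-17), the recipient name collections-llc, and the 20-subjects-per-day threshold are all constructed assumptions.

```python
"""Audit trail for personal-record access, with insider-misuse detection.

Added example with constructed data; the log format and names are assumptions,
not those of any company named in the hearing.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    """One audit-trail record: who touched whose data, why, and where it went."""
    ts: str                   # ISO-8601 timestamp, e.g. "2005-07-20T09:15:00"
    actor: str                # employee or service account that read the record
    subject: str              # identifier of the individual whose record was read
    purpose: str              # business reason captured at access time ("" if none)
    disclosed_to: str | None  # external recipient when the data left the company


REQUIRED_FIELDS = ("ts", "actor", "subject", "purpose", "disclosed_to")


def parse_audit_log(text: str) -> list[AccessEvent]:
    """Parse JSON-lines audit records; a line missing a required field is an error.

    An entry that does not say who, whose, or why is not an audit record at all,
    so it is rejected instead of being silently accepted with blanks.
    """
    events: list[AccessEvent] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            raise ValueError(f"line {lineno}: missing audit fields {missing}")
        events.append(AccessEvent(**{f: rec[f] for f in REQUIRED_FIELDS}))
    return events


def flag_insiders(events: list[AccessEvent],
                  max_subjects_per_day: int = 20) -> dict[str, list[str]]:
    """Return actor -> reasons the actor's access pattern looks like misuse.

    Two detections: (1) reading an unusually large number of distinct
    individuals' records in one day, and (2) disclosing a record to an outside
    party with no recorded purpose. The threshold is a constructed placeholder;
    a real deployment would derive it from each role's normal workload.
    """
    per_day: dict[tuple[str, str], set[str]] = defaultdict(set)
    reasons: dict[str, list[str]] = defaultdict(list)
    for e in events:
        day = e.ts[:10]
        per_day[(e.actor, day)].add(e.subject)
        if e.disclosed_to and not e.purpose.strip():
            reasons[e.actor].append(
                f"disclosed {e.subject} to {e.disclosed_to} with no recorded purpose")
    for (actor, day), subjects in per_day.items():
        if len(subjects) > max_subjects_per_day:
            reasons[actor].append(
                f"accessed {len(subjects)} distinct subjects on {day} "
                f"(limit {max_subjects_per_day})")
    return dict(reasons)


def _constructed_sample_log() -> str:
    """Build a small JSON-lines audit trail (constructed data, not a real log)."""
    recs = []
    # emp-04: three routine customer-service lookups, nothing disclosed
    for i in range(3):
        recs.append({"ts": f"2005-07-20T09:0{i}:00", "actor": "emp-04",
                     "subject": f"cust-{i}", "purpose": "customer-service",
                     "disclosed_to": None})
    # emp-17: bulk reads of 25 unrelated customers, three passed to an
    # outside collector with no purpose recorded
    for i in range(25):
        recs.append({"ts": f"2005-07-20T13:{i:02d}:00", "actor": "emp-17",
                     "subject": f"cust-{100 + i}", "purpose": "",
                     "disclosed_to": "collections-llc" if i < 3 else None})
    return "\n".join(json.dumps(r) for r in recs)


SAMPLE_LOG = _constructed_sample_log()

if __name__ == "__main__":
    for actor, why in flag_insiders(parse_audit_log(SAMPLE_LOG)).items():
        print(actor, "->", "; ".join(why))
```

The parser deliberately refuses records that omit the actor, subject or purpose field: an audit trail whose fields are optional gives an insider a way to leave no trace, which defeats the deterrent effect the statement describes. The two detections are illustrative; the point is that the same four facts the statement asks companies to record are exactly what a reviewer needs to tell routine access from resale.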

    Mr. Stearns. Thank you.
    Mr. Burton, welcome.

                   STATEMENT OF DANIEL BURTON

    Mr. Burton. Thank you, Chairman Stearns, Congressman Towns, 
distinguished members of the committee. My name is Daniel 
Burton. I am Vice President of Entrust, Inc., which is 
headquartered in Addison, Texas. And Entrust is proud to secure 
the digital identities and information of over 1,400 government 
agencies and enterprises and over 50 countries around the 
world.
    Let me start by underscoring two points. First, the data 
security threat you address today is very real, and your 
efforts are timely and critically needed.
    Second, there are effective market solutions readily 
available that can address most of today's threats and give 
your constituents greater peace of mind.
    Over the past few years, while the public's attention has 
been riveted on homeland security, old-fashioned crime has 
infiltrated the Internet. The terms we use to describe it--
spyware, phishing, identity theft--were relatively unknown only 
a few years ago. These cybercrimes occur at the crossroads of 
privacy and security and are prevalent today.
    This committee's draft bill correctly embodies two critical 
principles necessary to combat cybercrime.
    First, it encourages enterprises to implement effective 
data protection programs to prevent the theft of digital 
information. Second, it encourages them to alert individuals 
when their personal information has been compromised.
    Since I last testified before this committee just 2 short 
months ago, 17 new data breaches have been made public. They 
cover a broad cross-section of organizations, from a big data 
services company to a high school. In the aggregate, these 
notifications indicate that over 44 million identities may have 
been compromised in just the past 78 days. And these are just 
the breaches we know about.
    In response, 18 States, most of which are represented by 
distinguished members on this committee, have passed breach 
notification laws. In addition, we have seen private class 
action lawsuits, State lawsuits, shareholder lawsuits, an FTC 
enforcement action, and a major corporation assert that it will 
no longer tolerate lax data security from business partners.
    The fact is, many entities who hold sensitive personal data 
simply do not keep it safe, either by choice or because they do 
not understand how to protect it. If they are left to figure it 
out on their own without any guidance from Congress, many of 
them will continue to lose the battle against today's 
sophisticated cybercriminals, and your constituents will pay 
the price.
    Clearly, it is time for Congress to act. This committee's 
draft bill is an essential step in the right direction, and 
Entrust is proud to support it. This draft gets a lot of the 
key elements right. It focuses on electronic data. It covers 
all persons who hold personal data, and includes special 
requirements for data brokers. It encourages comprehensive 
information security policies and procedures. It establishes a 
national breach notification requirement that preempts State 
law. It gives regulatory authority to the Federal Trade 
Commission. It points to a reasonable notification standard. 
The committee is to be commended for including these elements 
in the draft bill.
    Given Entrust's experience, I would recommend three other 
critically important additions to make sure that this bill 
accomplishes what you want it to.
    No. 1, you must actively engage corporate executive 
management and boards of directors in the effort to secure 
sensitive digital information. Specifically, the bill should 
require regular information security risk assessments, audits, 
and progress reports to CEOs and boards of directors. These 
measures will assure that American board rooms begin to view 
information security as a key component of business plans, not 
just another burdensome technology issue.
    No. 2, just like the 18 States that have passed breach 
notification laws, you should create a safe harbor for 
companies who do the right thing and encrypt their data. All of 
the State breach notification laws that have been passed so far 
require consumer notification only in the event of a breach of 
unencrypted personal information. The reason is that even if 
thieves get access to encrypted data, they will not be able to 
make sense of it since it consists of an indecipherable jumble 
of symbols to anyone looking at it without the proper keys. If 
the members of this committee are going to preempt their own 
State laws, I would strongly encourage you to embrace their 
wisdom on this issue.
    Third, and finally, in order to create a safe harbor for 
strong encryption, you must define it. To assure that you 
define strong encryption without picking winners and losers or 
locking in a static technology, you should reference NIST's 
standards. NIST's standards are developed in close consultation 
with industry and are flexible enough to allow standards bodies 
to drop older encryption products and certify new ones as the 
technology evolves. Failure to define encryption in Federal 
legislation could lead to the emergence of conflicting 
requirements across the United States.
    In closing, I want to reaffirm that your draft data 
security bill makes a strong legislated statement. These 
additions will help make sure that it fully accomplishes your 
purposes of protecting sensitive personal information.
    Thank you.
    [The prepared statement of Daniel Burton follows:]
   Prepared Statement of Daniel Burton, Vice President of Government 
                         Affairs, Entrust, Inc.
    Good Morning. Chairman Stearns, Ranking Member Schakowsky and 
distinguished Members of the Subcommittee, thank you for holding this 
hearing and giving me the opportunity to provide testimony on this 
important subject. My name is Daniel Burton, and I am Vice President of 
Government Affairs for Entrust, Inc. We are headquartered in Addison, 
Texas and are proud to provide cybersecurity software solutions for 
over 1,400 government agencies and enterprises in more than 50 
countries. In my testimony today, I will discuss data security and this 
Committee's draft legislation.
    As a global leader in securing digital identities and information, 
Entrust has insight into the severity of the risks and the nature of 
the threats that concern consumers, enterprises and policymakers alike. 
Our extensive international experience securing governments and 
enterprises around the globe, along with our policy experience co-
chairing two national information security task forces, leads me to 
underscore two points. First, the threat you attempt to address today 
is very real and your efforts are timely and critically needed. Second, 
there are ready and effective market solutions available that can 
address most of today's threats, secure many of our most vulnerable 
digital assets and, more importantly, give your constituents a greater 
peace of mind.
    Over the past several years, while the public's attention has been 
riveted on homeland security, old-fashioned crime has infiltrated the 
Internet. The terms we use to describe it--spyware, phishing and 
identity theft--were relatively unknown only a few years ago. These 
crimes occur at the crossroads of privacy and security. Most of them 
involve gaining unauthorized access to sensitive personal data. 
Sometimes criminals gain this access through technological means; 
sometimes they trick users into revealing the data; sometimes they rely 
on insiders with privileged access; and sometimes they hack into 
databases or steal the information outright. No matter how the crime is 
committed, however, the goal of public policy remains the same--
encouraging enterprises to implement effective data protection programs 
to prevent theft and to alert individuals when their personal 
information has been compromised. This Committee's draft bill correctly 
embodies these two important principles.
    Since I last testified before this committee two months ago, 
seventeen new data breaches have been made public. They cover a broad 
cross-section of organizations--data services companies, banks, 
corporations, universities, a high school, a community college and a 
travel agency. In the aggregate, these notifications indicate that over 
44,600,000 identities may have been compromised since May of 2005. And 
these are just the breaches we know about. Many breaches are uncovered 
deep inside an organization, never brought to the attention of senior 
management and therefore never made public. Others, as we have learned 
from some recent announcements, tend to be minimized in initial public 
statements and only fully disclosed later under scrutiny. As the legal 
and market penalties for these breaches mount, organizations will be 
even more careful about what they reveal.
    In reaction to data breaches, 35 states have introduced data breach 
legislation, and 18 states have passed breach notification laws. The 
specifics of these laws vary from state to state, but they all require 
organizations to notify individuals whose personal information has been 
compromised. In doing so, they aim not only to protect consumers, but 
also to encourage organizations to be more diligent in securing 
personal information. In the absence of Federal legislation, we're sure 
to see even more states pass data breach notification bills next year.
    State legislatures are not alone in responding to these breaches. 
In the past few months, we have seen private class action lawsuits, 
state lawsuits and shareholder lawsuits against organizations that have 
suffered breaches. As more and more breaches are made public, more 
lawsuits are sure to be filed. In addition, Federal regulators have 
engaged. The FTC recently settled an enforcement action against BJ's 
Wholesale Club that requires it to implement a comprehensive security 
program and undergo independent audits. Perhaps most importantly, the 
recent announcement of VISA that it may no longer do business with 
CardSystems Solutions, Inc., is a clear market signal that business 
partners will no longer tolerate lax data security.
    The public avalanche of data breaches is damaging consumer 
confidence and could endanger our economy. A January 2005 IDC Survey 
showed that close to 60% of US consumers are concerned about identity 
theft. A recent survey that Entrust conducted reaffirmed this concern. 
It found that 80% of individuals are worried about someone stealing 
their on-line identity and using it to access their on-line bank 
accounts. If consumers pull back from online transactions, the promise 
of e-commerce and the productivity gains of the past decade will be at 
risk.
    We should remember that it's no longer just your local bank and 
credit card company that hold your personal information. Numerous 
retailers, data brokers, on-line merchants, corporations and other 
vendors also have ready access to it. Many of these entities do not 
take adequate measures to keep this information safe, either by choice 
or simply because they do not understand how to protect it in a world 
of constantly evolving digital threats. If they are left to figure it 
out on their own, many of them will continue to lose the battle against 
today's sophisticated cyber-criminals. In fact, things may get worse 
before they get better because even when organizations do grasp the 
need for comprehensive data security, it still takes time to put 
effective programs in place. This delay is unfortunate because there 
are ready and effective solutions available to address most of today's 
threats.
    Given the substantial risks facing American consumers and the US 
economy, it is time for Congress to act. In doing so, it should take 
into account the needs of consumers, corporations and citizens, and 
embrace the protections embodied in the 18 state breach notification 
laws. Congress should encourage a program of security management that 
balances the need to protect personal information and notify consumers 
in the event of a breach with the need to grow the digital economy and 
encourage innovative technology solutions. This Committee's draft data 
security bill is an essential step in the right direction, and Entrust 
is proud to support it.
    This draft bill gets a lot of the key elements right:

 It focuses on electronic data. The bill correctly recognizes that the 
        crux of the problem is the growing theft of computerized data. 
        As you know, the electronic data targeted by cyber criminals 
        contains the personal information that has become such a 
        valuable commodity in today's world. Your draft bill, by 
        resisting the temptation to create an overly expansive approach 
        to data security that includes both paper and electronic 
        records, strikes to the very core of what must be protected.
 It covers all persons who hold personal data and includes special 
        requirements for data brokers. Breach notification should apply 
        to any agency, enterprise or person who owns or licenses 
        computerized data containing the sensitive personal information 
        of others. It should not be limited to data brokers. The goal 
        should be to protect sensitive personal data, no matter who 
        holds it, instead of focusing exclusively on a few specific 
        sectors or industries.
 It encourages comprehensive information policies and procedures. This 
        is a vital provision that is not yet included in many state 
        breach notification bills. Reasonable security practices 
        encompass a combination of technology, policy and management 
        expertise. Organizations that own or license computerized data 
        containing personal information should be required to develop, 
        implement and maintain reasonable security measures based on 
        widely accepted voluntary industry standards or existing 
        Federal law.
 It establishes a national breach notification requirement that pre-
        empts state law. Since 18 states have already passed data 
        breach notification laws and more are sure to do so, it is 
        incumbent on Congress to create a consistent national standard.
 It gives regulatory authority to the Federal Trade Commission (FTC). 
        Given the reality of widespread cyber crime and the fact that 
        market forces have not resulted in adequate data security 
        programs, it is appropriate for Congress to provide regulatory 
        guidance. The FTC is the proper regulatory agency to undertake 
        this responsibility.
 It points to a reasonable notification standard. The goal of 
        legislation should be to make the notification standard as 
        narrow yet as effective as possible in order to encourage 
        notice of breaches that carry a significant risk and discourage 
        over-notification. In crafting this trigger, Congress should 
        bear in mind that in most cases it is difficult to determine 
        what happens to the data after it is breached and therefore to 
        calibrate precisely the risk to consumers.
    The inclusion of these important elements in the Draft Bill is to 
be commended. Given Entrust's experience, I would encourage this 
Committee to include three additional changes to the bill in the hope 
of further improving its efficacy and cost efficiency. These changes 
will appeal to governments, businesses and other entities that control 
critical data since they will help provide a meaningful road map to 
navigate the tricky and technical world of data management.
    1. Require the Active Engagement of Executive Management--Whether 
Congress gives the FTC responsibility for providing regulatory guidance 
for reasonable security or leaves that responsibility with industry, it 
is imperative that corporate executive management and boards of 
directors be actively engaged. American board rooms must begin to view 
information security as a key component of business plans, not just 
another burdensome technology issue. Congress must realize that 
securing digital information is not simply a technical challenge, but 
one that begins with management embracing its responsibility to protect 
data in the first place. While it is essential to encourage such 
technologies as strong authentication and encryption, they cannot 
substitute for executive attention and corporate policy. In this 
respect, the draft bill's focus on appropriate policies and procedures 
is critical. Specifically, the bill should require regular risk 
assessments, audits, and progress reports to the CEO and Board of 
Directors. These types of actions will go a long way toward elevating 
information security in the corporate decision-making process.
    2. Create an exemption for Encryption--The Committee's bill should 
also encourage the use of strong encryption, just as California and 
other states have done. All of the 18 state breach notification laws 
that have been passed so far (Arkansas, California, Connecticut, 
Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, 
Minnesota, Montana, Nevada, North Dakota, Rhode Island, Tennessee, 
Texas and Washington) require consumer notification only in the event 
of a breach of unencrypted personal information.
    The reason for this exemption is that even if thieves get access to 
encrypted data, they will not be able to make sense of it. Encrypted 
data consists of an undecipherable jumble of symbols to anyone looking 
at it without the proper keys. This provision is especially important 
for laptops and disks that are lost or stolen in transit. I should note 
that state legislatures included this exemption not because of any 
lobbying by the high tech industry, but because of the requests of 
organizations that hold significant amounts of personal data. These 
organizations view this technology as the final line of protection to 
ensure that even if criminals get past the gate they cannot access the 
real content. This provision also helps provide guidance to 
organizations that want to secure their digital information but are 
unsure what baseline measures to take.
    3. Define Encryption--In order to define encryption without picking 
winners and losers or locking in a static technology, Congress should 
reference NIST standards. I would recommend the following definition 
for encryption, which has been adopted by the Cyber Security Industry 
Alliance:
        The protection of data in storage or in transit using an 
        approved encryption algorithm implemented within a validated 
        cryptographic module that has been approved by NIST or another 
        recognized standards body, combined with the appropriate key 
        management mechanism to protect the confidentiality and 
        integrity of associated cryptographic keys in storage or in 
        transit.
    This definition references standards that are developed in close 
consultation with industry, and does so in a flexible way that allows 
standards bodies to drop older encryption products and certify new ones 
as the technology evolves. It is important to note that it also 
requires that the cryptographic keys which can unlock this data be 
managed in an appropriate, secure manner since these keys are just as 
valuable and sensitive as the data they protect. The flexibility this 
definition allows is crucial since any definition that cannot 
accommodate evolving technology cannot help defend against evolving 
threats. Because this definition is not vendor or product specific, it 
will allow the market to drive choices about security solutions. 
Failure to include a definition in Federal legislation could lead to 
the emergence of conflicting encryption requirements across the United 
States.
    This Committee's draft Data Security Bill makes a strong 
legislative statement. These additional suggestions will better protect 
data, harmonize the Federal plan with laws that have been adopted by 18 
states, and help show organizations how to secure the personal 
information in their possession. By including language that encourages 
organizations to consider information security at the highest levels of 
management, Congress can encourage appropriate data security practices 
at all levels of an organization. And by including language that 
encourages the use of encryption and defines it, Congress can create a 
formidable second line of defense against thieves and hackers.
    The stage is set for Federal legislation. The menace of cyber crime 
is undeniable. The cost to consumers and enterprises is enormous. And 
the multiplicity of state bills highlights the need for a consistent 
Federal regulatory framework. This draft bill gets a lot of the key 
elements right and provides an excellent platform for legislation. This 
Committee should be congratulated for its leadership.

    Mr. Stearns. Thank you, Mr. Burton.
    I will start with the questions.
    Mr. Hoofnagle, I think you read about these security 
breaches and it's great headlines. And I guess of the 60 
different breaches, 50 million American consumers have been 
affected. I think you mentioned that in your testimony. Do you 
know how many individuals were either victims of identity theft 
or information that was misused within this huge number?
    Mr. Hoofnagle. Mr. Chairman, that is a very difficult issue 
to determine.
    Mr. Stearns. Yes.
    Mr. Hoofnagle. In reference to the ChoicePoint breach where 
reportedly 144,000 records were stolen by a fraud ring, a 
Nigerian fraud ring in California, 750 of those cases have been 
associated, in some way, with identity theft. But it is very 
difficult to track down when or if identity theft occurs. There 
is also the difficulty that there might be major delay between 
the data security breach and the actual crime of identity theft 
since critical identifiers used by credit companies, such as 
your Social Security number and date of birth, do not change. If 
it is stolen today, there is really no reason why someone 
can't victimize you 2 years down the road.
    Mr. Stearns. You know, I read these in the newspaper, and 
you know, it is just so alarming. But as you point out, a very 
small number of those are affected by this identity theft. You 
testify that security breaches can occur for reasons other than 
identity theft, and so I mean, do we want to come back with 
this bill and put this overlay of the Federal Government on 
these people when we are trying to really pinhole a problem 
here? Should the bill require notification for risk of these 
other misuses?
    Mr. Hoofnagle. I think the Federal banking standards are 
set at reasonable risk of misuse of personal information, and I 
think misuse is the right term to use rather than identity 
theft. For instance, in this New Jersey case where bank 
officials were selling data to debt collectors, it did not 
involve----
    Mr. Stearns. Identity theft, right.
    Mr. Hoofnagle. It did not involve identity theft. This was 
a case where, you know, the security was being breached for 
profit at these sophisticated financial institutions. It didn't 
have anything to do with identity theft. It had to do with this 
other type of privacy violation. And I think that the 
legislation should encompass that type of security breach.
    Mr. Stearns. Mr. Hintze, you state in your testimony that 
legislation should codify into law the FTC implementing 
regulations under the Gramm-Leach-Bliley. Should the FTC be 
given the authority to modify these provisions by rule to adapt 
to changing business and security concerns? Why or why not?
    Mr. Hintze. Yes, Mr. Chairman. We think that the FTC should 
have the authority to make rules in this space; however, that 
authority should be guided by Congress in terms of directing 
the FTC to adopt a flexible standard around information 
security programs.
    Mr. Stearns. If the notification obligations are only 
applied to encrypted data, might that let some potential bad 
actors off the hook? Why or why not?
    Mr. Hintze. We don't think so. We think the standard around 
unencrypted data is a reasonable standard. It is the standard 
that the States have adopted. There have been questions raised 
about how you define encryption, and while we wouldn't support 
a specific mandate in the legislation itself, we could support 
something like a reference to the NIST standards or some other 
standard that could evolve over time to ensure that reasonable 
and strong encryption is used.
    Mr. Stearns. Mr. Burton, do you have a comment on that?
    Mr. Burton. Yes, I think that the encryption standard is 
very important. I think first, as I mentioned in my testimony, 
18 States have that unencrypted information in the definition 
of their laws, and I would note that those include Florida, 
Texas, and Tennessee. And I think that encryption is perceived 
often as a complex issue. The way these States have mentioned 
it, it is not a mandate: it is a voluntary action, which 
provides a safe harbor. And I think this is especially 
important for mainstream companies who do not understand the 
world of cybercrime and protecting digital information, and it 
gives them a straightforward way to go in, protect their data, 
and know that they have some sort of safe harbor. And if that 
is associated with NIST standards, then Congress can rest 
assured that it is good, solid encryption.
    Mr. Stearns. So if you were writing the bill, would you 
mandate that we use the National Institute of Standards and 
Technology as a guide?
    Mr. Burton. I would. In my formal testimony to this 
committee, I included a definition of encryption, which 
references NIST standards, which has been endorsed, actually, 
by the Cybersecurity Industry Alliance.
    Mr. Stearns. Okay.
    Mr. Burton. And I think I would include that definition in 
the legislation, yes.
    Mr. Stearns. Ms. Maier, you suggest changing the definition 
of security breach, eliminating the need for an FTC rulemaking. 
But you also state in TRUSTe's guidelines that those guidelines 
are intended as a first draft and that security policies and 
procedures need to change and evolve as technologies and 
businesses do the same. By that logic, wouldn't it make sense 
to allow the FTC to do this by rule so that the FTC can modify 
the standard in the future if it is necessary?
    Ms. Maier. Chairman Stearns, yes, I agree that I think the 
FTC can find positive and good ways to provide the rulemaking 
that does provide for the flexibility and the evolution of the 
rules. So I would agree, yes.
    Mr. Stearns. Okay.
    Mr. Towns.
    Mr. Towns. Thank you very much, Mr. Chairman.
    Let me begin with you, Ms. Maier.
    You mentioned in your remarks that TRUSTe works closely 
with the California Office of Privacy Protection and its 
ongoing efforts to provide guidance to businesses and consumers 
on privacy and security issues. First of all, I want you to 
elaborate a little more on that, but how did these 1,500 
companies become affiliated with you?
    Ms. Maier. Thank you for asking that question.
    TRUSTe has been around since 1997. Companies who want to 
show to their consumers as well as to others that they take 
privacy seriously voluntarily join the TRUSTe program and 
subject themselves to our standards. And our standards require 
a very good privacy statement, disclosure about their practices 
relating to the data that they collect on their website, that 
they abide by reasonable security standards, and provide 
provision and choice to consumers regarding the sharing of 
their information. And so it has been a successful program with 
1,500 companies joining in and subjecting themselves to the 
standards. We developed the security guidelines to help them 
define what is reasonable security, and that has also been very 
successful.
    It makes sense for us to work with the California Office of 
Privacy Protection, because many times, as you well know, a lot 
of legislation comes out of the State of California and has 
very broad impact, and we have enjoyed a good relationship with 
them serving to help develop some guidelines, not rules, per 
se, but guidelines for businesses in terms of the practical 
implementation of these rules. And our experience in California 
in our relationship with the California Office of Privacy 
Protection suggests that the California law is working, and it 
is having a positive impact in two ways: one, in providing 
consumers with notice of breaches and some redrafts and 
information in terms of what to do under that notice; and two, 
providing a market incentive for companies to put into place 
better security.
    Mr. Towns. Thank you. Thank you very much.
    Mr. Hintze, what is your position on broader legislation 
that it would better inform consumers about who is using their 
personal information and how?
    Mr. Hintze. We recognize that as a result of the recent 
security breaches that have been publicized, there is an 
increasing concern among consumers that they simply don't 
understand how their data is collected and used and transferred 
among different entities, and there is a lack of transparency 
there. We believe there is an appropriate role for legislation 
to address those broader issues, and we look forward to working 
with the committee on developing the right rules around that.
    Mr. Towns. All right. State Attorneys General have played 
an important role over the past few years on data security 
issues. Does Microsoft believe that State Attorneys General 
should be able to enforce the Federal legislation?
    Mr. Hintze. Yes, we do. Similar to the approach that was 
taken in the CAN-SPAM Act, we think that State Attorneys 
General have an important enforcement role, and we would 
support an addition to the discussion draft that would make 
that clear.
    Mr. Towns. All right.
    Mr. Hoofnagle, regarding your concerns with our draft, what 
are your thoughts on the feasibility of general privacy 
restrictions? How can we work to structure the limit of the 
sale of information, which is a problem, as you indicated?
    Mr. Hoofnagle. Representative Towns, thanks for asking that 
question. It is very difficult to describe data protection in 5 
minutes, but the common denominator for data protection is 
fair information practices. These are rights that limit the 
collection of information to the minimum necessary to engage in 
a transaction. They are rights to give you access to your data 
when they are held by companies, a right to correct your data 
when it is inaccurate, and a right to have your data deleted 
after a certain amount of time when it is no longer relevant or 
needed for business purposes. These rights are present in many 
nations' laws, but to this date, the United States has not 
adopted these types of restrictions in the private sector. They 
do apply to the Federal Government, however, and the Privacy 
Act itself has many of these fair information practices to stop 
the government from creating a data center on its citizens.
    Mr. Towns. All right. Thank you very much.
    Let me ask you, Mr. Burton.
    In your testimony, you state that you believe that if data 
is encrypted, companies should be provided a safe harbor and 
not be required to disclose when there has been a breach of 
security. Do you believe this should be the case when the 
compromise of information was due to an insider who has the key 
to the encryption? Couldn't an insider provide the key to the 
same people he or she is selling the data to? Or how should 
encryption protect against insiders who are accessing and 
perhaps selling personal information that they shouldn't be 
selling?
    Mr. Burton. That is a very good question, Congressman, and 
one which was alluded to earlier.
    I think the way that I would use the term encryption, and I 
think the way that all of the States use this term, is if you 
have a key, the data is not encrypted. Whether I am an insider 
or an outsider, if I have the encryption keys, I can, 
therefore, unlock the data, and then it is clear text. So the 
encryption safe harbor would only apply to data for which one 
did not have the keys and therefore it was still encrypted. And 
I will give you an example. Actually, I think it happened in 
the State of New York. Time Warner had disks. 600,000 of its 
employees were compromised. Those disks, had they been 
encrypted, you know, they were lost in transit. And that would 
not have had to have been reported, because the data would have 
been scrambled. Similarly, I think there are something like 
50,000 laptops which are left in airports around the country 
today. It is very easy to encrypt the data on those laptops. It 
is not expensive. It is not complex technology. If those are 
encrypted and lost, the person who is going to find those will 
not have the keys, and therefore the data would be safe.
    Mr. Towns. Thank you very much.
    Mr. Stearns. I thank the gentleman.
    Ms. Blackburn.
    Ms. Blackburn. Thank you, Mr. Chairman, and thank you to 
the witnesses.
    You know, I find it really interesting we are sitting here 
having this discussion, and a decade ago, there was PGP and the 
troubles that surrounded that and the designer of that 
technology and application. And of course, we all know what 
happened with that. And the government didn't want that 
application taking place, and now we are sitting here talking 
about how government wants files encrypted and data protected, 
and it is for privacy concerns. And so it is an interesting 
debate and an interesting discussion.
    I do have several questions. I know I am not going to get 
through them, and I will not be here when we do a second round, 
so I am going to submit some questions to you all.
    Mr. Hoofnagle, I think I am going to begin with you.
    And let us talk about the misuse to which you spoke, 
because as we have worked on the identity theft issue and the 
piracy issue with our constituents, this misuse, as you 
mentioned, does come up regularly. And have you all noticed any 
attempts by foreign corporations or businesses or governments 
to try to buy data on Americans from any data brokers?
    Mr. Hoofnagle. We at EPIC have extensively used the Freedom 
of Information Act to determine how companies like ChoicePoint 
and Acxiom and LexisNexis, which are commercial data brokers, 
buy and sell data. We do not have evidence that these 
entities are selling data to outside the country. I don't think 
that there would be any law restricting them from doing so, if 
they chose to. We do know that the companies have data on 
citizens of other nations, and sometimes the reverse happens. 
American companies, or American governments, buy data on 
citizens of other nations.
    Ms. Blackburn. Okay.
    Ms. Maier, do you have a comment on that, please?
    Ms. Maier. We have not been able to identify absolutely 
that foreign companies have been able to access or sell or 
misuse American data. That is not to say it hasn't happened.
    Ms. Blackburn. Okay. Ms. Maier, let me ask you one other 
thing.
    I noticed in the security guidelines paper that you 
submitted to us, you reference a couple of European countries 
in your footnoting there. Do you all work with any foreign 
governments?
    Ms. Maier. No, we do not have direct relationships with any 
foreign governments. We do sometimes look at some of the data 
protection trends happening.
    Ms. Blackburn. Okay. Great. Then let us talk to those 
trends for a minute.
    How are European countries handling their data security 
problems? Is there anything there that you all have noticed 
that would be a good lesson learned for us?
    Ms. Maier. My experience with the European data protection 
standards is that they have a very strict standard in terms of 
that individuals own their data and have control. And I think 
to the extent that this proposed legislation and some of the 
comments that I think EPIC has provided as well as TRUSTe 
suggest that we continue to provide individuals with access to 
their information and ability to change, update it, or redact 
it. That is a really important lesson that I think we can take 
from the EU experience.
    I also would say that the EU experience has demonstrated, 
to some extent, that a lack of enforcement hinders the 
implementation and the incentive to do some of the right 
things. And I think that we can do a better job here in the 
United States by actively enforcing and providing incentives 
for companies to really live up to a higher standard.
    Ms. Blackburn. Okay. Thank you.
    Mr. Burton, one quick question for you.
    I think it is fair to say that you and some of our 
witnesses may differ on how this legislation should apply to 
individuals who may store and use their personal information. 
And what I would like to ask you is would it or would it not, 
do you think, be a substantial economic burden to associations 
and organizations, like churches and private individuals, who 
have personal information to implement the requirements of the 
bill?
    Mr. Burton. I think that is a very good question. And I 
think in my comments I said that the committee was correct in 
applying this to all persons who hold sensitive data. Clearly, 
if you are a small business, if you are a small non-profit, if 
you do not have, sort of, a lot of administrative ability, then 
that is something that the committee should take into account. 
So I think in terms of size of the data set, size of the 
organization, those may be some limits that you want to 
consider.
    And Congresswoman, if I can beg your deference for one 
moment, I would like to go back to encryption, which is an 
issue that I am obviously focused on. And Congressman Towns, 
there is one important point that I just wanted to make in 
following up your question about the keys to encrypted data. 
And I would just like to alert the committee that if you think 
Social Security numbers are important, encryption keys are an 
extremely important part of personal data, because as you 
rightly pointed out, if you get those keys, you not only get 
Social Security numbers, you get whatever data is encrypted. 
And that is why when I submitted a definition of encryption, we 
very specifically took into account the need to protect those 
keys. There are lots of encryption schemes that leave the keys 
in the clear, they are easy to get, and easy to hack into. And 
so as this committee thinks through that issue, you should pay 
careful attention to making sure that those encryption keys are 
protected.
    Thank you, Congresswoman.
    Ms. Blackburn. Thank you.
    I yield back.
    Mr. Stearns. The gentlelady yields back.
    Mr. Gonzalez.
    Mr. Gonzalez. Thank you very much, Mr. Chairman.
    And I guess I am going to pose this question to all of the 
witnesses. You have already touched on it, and I think, Mr. 
Burton, in response to Congresswoman Blackburn's own question 
regarding size and who it would apply to. As currently 
written, it would apply to each person engaged in interstate 
commerce that owns or possesses data in electronic form 
containing personal information. And we do many things here 
with unintended consequences, but we are going to go ahead and 
delegate these duties to the FTC and such. And the first 
question that they are going to have is, you know, who comes 
under this jurisdiction of this particular law. And while I 
recognize that there may be problems in its application to 
everyone and everything, the way I would like this law to end 
up is something to the effect of, you know, don't collect it if 
you can't protect it. And that really should be driving this. 
And still be practical about it. And that is going to be a 
really hard balance, and I don't know how we are going to pull 
this thing off.
    So that is my question to each and every one of you, and I 
know that some of you may want to expand on earlier remarks. Do 
we have a problem in just defining who comes under this 
particular net or who we capture in this particular regulatory 
net, if each person engaged in interstate commerce that owns or 
possesses the data? We have made some distinction with 
information and data brokers, which we understand, and we can 
identify those people pretty easily. But there is a whole lot 
else happening out there, and we will get to this solution 
again. But let us start off with this basic concept on 
jurisdiction and who comes within it. And we will go with the 
first witness.
    Ms. Maier. Thank you very much.
    We do very much care about the definition of who is under 
the jurisdiction. As I mentioned in my testimony earlier today, 
consumers don't care. If your information is breached and it is 
your sensitive information or your Social Security number, your 
driver's license, your mother's maiden name, your health 
records, your financial accounts, it does not matter if it 
comes from your retailer online or off-line nor does it matter 
if it comes from, perhaps, the California Department of Motor 
Vehicles or some other State's motor vehicles or my employer 
records. So I think it is important that we try to keep the 
jurisdiction, at least for the notice and the implementation of 
security guidelines with incentives for security to be as broad 
as possible. And we recognize some other committees might be 
looking at their own jurisdiction, for example, financial 
institutions. We applaud those efforts. But to the extent that 
this committee can apply it broadly and extend it even to 
government, we think that that would be a very good place. And 
one reason for that is we think, again, consumers are going to 
feel violated no matter where it happens. They don't draw the 
lines as fine as we do. And the second thing is that you really 
want to provide incentives for everybody to put in proper 
security.
    Mr. Hintze. We agree that we think the legislation should 
apply to all entities that hold personal information. A couple 
of things that we would point out, though, in the position that 
we have taken on this that would alleviate some of the concerns 
that you have raised, we have advocated a similar approach 
under this legislation as is taken in Gramm-Leach-Bliley. As 
Ms. Maier said, consumers don't care about whether or not the 
data was breached by a bank, a retailer, or a small business. 
If the data is breached, the threat can potentially be as 
serious regardless of the source. And so we would urge the 
committee to look at adopting a consistent standard with what 
is currently imposed upon banks and financial institutions 
under the GLB. We have also suggested a flexible standard here. 
And some of the factors that should be considered in 
determining what the right kind of information security program 
that a business should adopt include the size and complexity of 
the business and the sensitivity of the personal information 
that they collect. And so that gives a great deal of 
flexibility to reduce the burden on smaller businesses and 
businesses that don't collect the most sensitive personal 
information. And if we still think that there is a concern 
around the burden on small businesses, we have suggested in our 
written testimony, I believe, that we could support an 
exception for businesses that handle small amounts of 
information rather than based on the size of the business 
itself. We think that a reasonable approach might be something 
like if a business handles less than 5,000 records over the 
course of a year that there could be a reasonable exception 
there or a reduction of the burdens there rather than just 
basing it on small businesses, because a very small business 
could hold enormous amounts of very sensitive personal 
information, and it just doesn't make sense to exempt them.
    Mr. Hoofnagle. Representative Gonzalez, we think that there 
needs to be very broad application of data security standards, 
because in previous laws where there have been limited 
jurisdiction or limited applicability of privacy laws, data 
brokers and other companies that sell data organize in such a 
fashion so that they do not have to comply with those Federal 
laws. And the standard example is the way ChoicePoint and other 
data brokers are organized to escape some provisions of the 
Fair Credit Reporting Act. And so unless there is broad 
application, we risk creating a new industry that fits into a 
loophole.
    Mr. Burton. Yes, Congressman Gonzalez. I think one could 
successfully run for political office on the slogan, ``Don't 
collect it if you can't protect it.'' And I think that you are 
absolutely right, and the Committee is absolutely right, to 
focus on the data, not who holds it. And what this legislation 
does, which tries, and I think in large extent, successfully 
gets at that question, it is not any data. It is sensitive 
private data commingled with public identifiers. And it is when 
you put those two data sets together that there is the 
possibility for harm.
    In response to the Congresswoman's question earlier, I 
would doubt that most churches hold Social Security numbers, but 
if my church is holding my Social Security number and they get 
hacked, I would sort of like to know about it. So I think there 
do have to be some limits, some size of data sets, but I think 
the basic principle embodied in this legislation to follow the 
data is the correct one.
    Mr. Gonzalez. Thank you very much.
    Mr. Stearns. I thank the gentleman.
    The gentleman from Nebraska, Mr. Terry.
    Mr. Terry. You would be surprised what churches have. Most 
churches now have financial records, because they want you to 
do direct deposits now, electronic transfers so they don't have 
to worry about whether you show up on Sunday and put your check 
in the basket, because it was automatically done on Friday. So 
we have got to worry about the little neighborhood vitamin 
store that may have personal information, including health 
information. So I do agree with the phrase you need to protect 
the data.
    So let us talk about that a little bit.
    And Mr. Burton, you have come here with the theme of 
encryption, and I believe that that is kind of the last 
defense. And I have had people show me how easy it is to 
unencrypt or decrypt, and in fact, at the University of 
Nebraska in Omaha, they went online for me and showed me all of 
the different downloads that you can get just online that will 
unencrypt the basic information. So to me, that is the last 
line of defense. At least you make it tougher, and it is only 
the real data-miners that are out there that are going to know 
where to get that technology. The casual user that finds a 
laptop in the airport probably isn't going to know which sites 
to go to to get their de-encryption software. But as I also 
understand, that is free on the Internet, too.
    So the issue then becomes the vulnerabilities, and this 
proposed legislation does talk about redacting. In fact, I 
think the language in it is to mitigate and reduce all of the 
operating software vulnerabilities, which takes me back to part 
of a presentation I had by an IT professor to Microsoft that 
said that there are literally thousands of vulnerabilities in 
the operating software.
    So to Microsoft, let us talk a little bit about the 
vulnerabilities that are inherent in the operating software, 
not necessarily yours, but you do kind of dominate the market 
in operating software. As I understand there are inherent 
vulnerabilities that are absolutely necessary to the operation, 
and sometimes there aren't. How do we differentiate? Because I 
think the first line of attack is reducing the number of 
vulnerabilities that hackers or data-miners can use to 
penetrate the system. So what is Microsoft doing? What do you 
recommend to us by way of the proper language where we can 
realistically close those vulnerabilities but yet still have 
the vulnerabilities? And then my last question is who has the 
responsibility for us in the legislation? Who do we place the 
responsibility on? The Acme Data Corporation who has the 
responsibility of protecting the data directly, because they 
are the ones that own the data? Or is it somewhere that the 
owner or the makers of the operating software?
    So I will start with you, Mr. Hintze, and anyone else who 
wants to chime in on that issue.
    Mr. Hintze. Thank you, Congressman.
    I would first like to point out that Microsoft does take 
security very, very seriously. It is our No. 1 priority in 
software development now. We have invested hundreds of millions 
of dollars over the last couple of years in retraining our 
developers, fundamentally changing our development and release 
processes to make security the No. 1 priority, and those 
effects are paying off in the latest releases and security 
patches and updates that we make available free to users 
online.
    Having said that, I would also point out that the highly 
publicized issues of security breaches we have seen recently 
have not been results of software vulnerabilities. They have 
been failures of processes, they have been human error and the 
like. When software is hacked, and it is impossible to make 
perfect software. It is an enormously complex undertaking.
    Mr. Terry. Are you worried about the language in the bill 
that says that the operating software has to mitigate all 
vulnerabilities?
    Mr. Hintze. I am not familiar with that language in there.
    Mr. Terry. Well, I think that is the intention, and I think 
we need to work through that.
    Mr. Hintze. Yes, we will definitely work with the committee 
on those issues.
    The other point is that when there is a hacker attack, 
there is an intervening criminal act going on, and I think it 
is important to keep that in mind. As I said, Microsoft takes 
this issue very seriously, and we are working very, very hard 
with our partners, with law enforcement and others and our 
consumers to help reduce the problem, and we look forward to 
working with this committee further on that.
    Mr. Terry. And my last question is who has the 
responsibility to control the vulnerabilities of the software?
    Mr. Hintze. As I said, we will continue to work as hard as 
we can to reduce those vulnerabilities and make the software as 
safe as it possibly can be. And we think it is a joint 
responsibility among us, consumers, law enforcement, and 
Congress in helping to make the consumer safe.
    Mr. Burton. Yes, Mr. Congressman, if I could just comment 
briefly on your opening statement about encryption.
    And first of all, thank you for taking the time to have 
demonstrations and look seriously at it.
    If you look at encryption, there are sort of three pieces 
to it, and this is why we reference NIST. Are you using a 
strong algorithm? Is it implemented correctly? Are you 
protecting the keys? If you do those three things, you are left 
with a brute force attack in trying to decrypt the data, and 
that takes hundreds of years. You can't download software from 
the Internet to do that. And I think once you really get strong 
encryption in place, as you say, it is a second line of 
defense, and it is very important.
    Mr. Stearns. Maybe just for clarification, I asked counsel 
just about what the gentleman from Nebraska was talking about, 
and I think within the bill, I think what we are talking about 
is requiring the entity that possesses the consumer data, 
personal data, to take administrative and technological actions 
to secure the data, but we are not asking you to restructure 
the software or restructure things like that.
    I am going to ask you, and every member is welcome to a 
second round here. I am going to go to the heart of where we 
are in this bill and ask--I am sorry, the gentlelady from 
Wisconsin. Yes. Sorry.
    Ms. Baldwin. Thank you, Mr. Chairman.
    Mr. Stearns. I apologize.
    Ms. Baldwin. I am going to try, if I can, to ask a series 
of questions and get all of your perspectives, hopefully with 
very brief answers so that I can get through a couple of 
questions, some of which you might have already dealt with in 
your testimony.
    I am wondering your opinion first on whether there should 
be State Attorney General enforcement added to the bill. And 
why don't we just go from my left to right, if you wouldn't 
mind, Ms. Maier?
    Ms. Maier. Yes, we would be in support of State Attorney 
General enforcement.
    Ms. Baldwin. Okay.
    Mr. Hintze. We are as well.
    Mr. Hoofnagle. Yes, the Federal Trade Commission has too 
much to do.
    Mr. Burton. Yes, we support that.
    Ms. Baldwin. Okay. Is there anyone in the panel who thinks 
that this legislation should be expanded to deal not only with 
electronic personal records but paper personal records?
    Ms. Maier. If I could comment, I think that, first of all, 
we are very happy to see that was expanded to all electronic 
data, not just data collected online. That is the most 
vulnerable, or that is the most useful, to a hacker. But we 
would be supportive of expanding it to paper-based data as 
well.
    Mr. Hintze. As we noted in our oral statement, we support 
that as well. We think whether data was breached in electronic 
or paper form, the effects can be just as devastating to the 
affected individual.
    Mr. Hoofnagle. Yes, we would agree. There are many cases 
where sensitive personal information has been on paper and then 
ends up in a dumpster, thus the phrase ``dumpster diving''. In 
California, there was an attempt to expand the security of the 
breach notification bill to cover paper, but that quest failed.
    Ms. Baldwin. Okay. Mr. Burton?
    Mr. Burton. Yes, we would prefer a focus on electronic 
data. If you look at the breaches which actually sparked this 
committee's interest in this issue, they were all electronic, 
and I think that that really gets at the bulk of the issue, and 
I think that that is the appropriate focus of the bill.
    Ms. Baldwin. Okay. What is each of your opinion on whether 
we should have a provision dealing with audit trails for the 
inside jobs?
    Ms. Maier. Our opinion is that as security policies are 
adopted, audit trails will probably become part of the internal 
policy. I am not sure if it is required for a broad Federal 
legislation. With that being said, I think there are some 
opportunities, through a safe harbor program, to allow for 
auditing or encourage it.
    Mr. Hintze. We think that that may not be the appropriate 
level of detail to get into in the bill itself, but certainly 
that is something that the FTC could look at in the 
implementing regulations around the development of an 
information security program.
    Mr. Hoofnagle. We support audit trails in part because it 
was clear in the California hearings concerning ChoicePoint 
that the company didn't know exactly what information was 
acquired by the criminals and in fact had to rerun the searches 
one by one to determine what data were actually obtained. An 
audit trail requirement would substantially reduce that 
problem.
    Mr. Burton. Yes, I think the audit feature that we would be 
in favor of is broader than that, and that is there needs to be 
an audit of an organization's information security programs and 
that that is really the most important, because that gets at 
prevention. And not only does there need to be an audit, that 
audit needs to be communicated to senior management and the 
board of directors, because ultimately that then changes the 
culture, which is responsible for better information security.
    Ms. Baldwin. Okay. What is your position on a provision in 
the bill that would focus on transparency, some sort of requirement for 
security breaches to be reported to the FTC and perhaps put on 
a public website or some additional transparency about these 
breaches?
    Ms. Maier. Our opinion is that, first of all, the consumers 
need to know who are affected, and that should be the No. 1 
focus. However, I think that to the extent that any sort of 
notice, be it public-owned websites at the FTC, in sense 
companies have better security practices, then we are 
supportive.
    Mr. Hintze. We think that directly notifying consumers is 
clearly the best way to get the message to the people that need 
to know it the most. In terms of public posting through a 
website or through the press, that should be a provision that 
is in the alternative notice when direct notice is either 
feasible or impossible. Having said that, we would not oppose 
any provision that would require cases where notices are 
required to be reported to the FTC.
    Mr. Hoofnagle. Especially if companies are given discretion 
of whether or not to mail the consumers a notice, we think it 
is very important that the Federal Trade Commission be aware of 
all of the security breaches. It is a weakness in the 
California law that only those who are affected get notice, but 
the corresponding strength of that law is that all breaches 
have to be disclosed. So especially if there is going to be a 
discretion standard, and by the way I think there should be 
some level of discretion. There should be a check on that 
discretion by public reporting to the Federal Trade Commission.
    Mr. Burton. Consumers should clearly be notified of 
breaches. Sunshine is the best disinfectant, therefore public 
notices of breaches are also very important.
    Ms. Baldwin. Thank you.
    I see I have run out of time, so I yield back.
    Mr. Stearns. I thank the gentlelady for asking those 
questions.
    I would like to follow up a little bit on what she talked 
about. This idea of a State Attorney General enforcement of the 
Federal statute. This is an area that probably has the most 
controversial aspect of our bill. Mr. Burton, your testimony 
states that Entrust agrees with the preemption provisions of 
the bill, but some have said that a Federal standard should 
create a statutory floor and not a ceiling, allowing States to 
go further, if they so desire. I guess please explain why 
Entrust believes that a more comprehensive preemption is 
appropriate.
    Mr. Burton. Well, the concern of much of the private sector 
is that you now have 18 different State breach notification 
bills; that is a multiplicity of standards, reporting mechanisms, 
penalties, and so what industry is looking to this committee 
for and the Congress for is sort of a baseline, and I think 
that is the reason that you will get so much support for your 
legislation and for preemption. I think given the active 
interest of States in this bill, you have to allow, and you 
should allow State Attorney Generals to enforce----
    Mr. Stearns. The Federal statutes.
    Mr. Burton. Yes, the Federal statutes.
    Mr. Stearns. And State courts?
    Mr. Burton. Let us see. I am not a lawyer, and so I would 
have to take that under advisement and get back to you.
    Mr. Stearns. Well, I am going to ask each of you just to 
make a shot at it, because what the gentlelady from Wisconsin 
talked about, we had in the spam, but we did not have it in 
spyware, and we have taken, in this bill, the same language 
that was adopted in the spyware dealing with the preemption. 
And, in our opinion, this preemption is important, but we 
certainly think there are areas that it could be changed. And 
maybe I will just go to Mr. Hoofnagle. You might comment on 
this, too, about the preemption provisions in our bill.
    Mr. Hoofnagle. We think the preemption provisions should be 
a floor so that States can innovate new solutions, too.
    Mr. Stearns. So, for example, if California has a higher 
standard, there would be an exemption for California?
    Mr. Hoofnagle. No, more broadly, we think, that States 
should be able to pass new laws when new problems arise. We are 
here today----
    Mr. Stearns. So we establish the floor of the bill, and 
then above that, the States. But then wouldn't you be back to 
having 50 States with 50 different----
    Mr. Hoofnagle. In most privacy legislation, it preempts at 
the floor level.
    Mr. Stearns. Okay.
    Mr. Hoofnagle. And it has not created a 50-State set of 
laws, when Congress does a good job and passes a good law. The 
States tend not to try to pass conflicting responsibilities.
    Mr. Stearns. Okay. Mr. Hintze?
    Mr. Hintze. Yes.
    Mr. Stearns. Yes, what is your opinion about what the 
preemption in the bill is and do you support it?
    Mr. Hintze. We do support it. We also would support an 
addition that would permit State Attorney General enforcement 
in Federal court, much like is done in the spam----
    Mr. Stearns. Okay. So you support what is in the spam 
language----
    Mr. Hintze. Yes.
    Mr. Stearns. [continuing] more so than what is in the 
spyware?
    Mr. Hintze. In this case, we think that State Attorney 
General enforcement at Federal courts is appropriate.
    Mr. Stearns. Okay. Ms. Maier?
    Ms. Maier. We are in basic agreement with that as well. 
Coming from California, we certainly would like to see this law 
at least meet the standard that California has set.
    Mr. Stearns. Okay. Well, let me ask one last question.
    The definition of ``information broker'' that has been 
touched on a little bit by the gentleman from Nebraska. And Mr. 
Hoofnagle, is the definition of information broker in the draft 
legislation appropriate, in your opinion, and does it sweep in 
entities that are not information brokers, and does it cover 
all information brokers? That is another area that----
    Mr. Hoofnagle. Information brokers are very difficult to 
define. We have worked----
    Mr. Stearns. Yes, but you have all of the affiliates of 
American Express. I mean, how much should this bill apply to 
all of those?
    Mr. Hoofnagle. In some cases, information is traded in such 
a way that is consistent with the consumer's expectation. So, 
for instance, a check-cashing clearinghouse you wouldn't want 
to consider an information broker. They are affecting a 
transaction that you requested. Generally, information brokers 
are companies that obtain personal information, often from 
public records, but also from private sources, and they sell it 
to third parties, who are not affiliates. And I think if you 
craft a definition that applies to companies that are generally 
selling personal information to third parties and that are not 
initiated by the consumer, for purposes not initiated by the 
consumer, I think you limit the field substantially. But you 
are right. It is a very difficult thing to do, because there 
are many companies out there that are selling sensitive 
personal information without telling anyone and without the 
individual's consent.
    Mr. Stearns. I think we are going to complete our hearing 
today. I want to thank all four witnesses for their time. And I 
think it has been very educational and helpful to myself and 
our staff on both sides.
    And with that, the committee is adjourned.
    Ms. Maier. Thank you.
    Mr. Hoofnagle. Thank you.
    [Whereupon, at 11:32 a.m., the subcommittee was adjourned.]
    [Additional material submitted for the record follows:]

                Retail Industry Leaders Association
                                              Arlington, VA
                                                      July 28, 2005
The Honorable Cliff Stearns
Chairman
Subcommittee on Commerce, Trade, and Consumer Protection
Committee on Energy and Commerce
2123 Rayburn House Office Building
U.S. House of Representatives
Washington, D.C. 20515

RE: Statement for the Hearing Record on ``Data Security: The Discussion 
Draft of Data Protection Legislation.''

    Dear Chairman Stearns: On behalf of the Retail Industry Leaders 
Association (RILA), I am submitting this letter for the record of the 
subcommittee's hearing entitled ``Data Security: The Discussion Draft 
of Data Protection Legislation.'' We appreciate the opportunity to 
submit these comments.
    The Retail Industry Leaders Association (RILA) is an alliance of 
the world's most successful and innovative retailer and supplier 
companies--the leaders of the retail industry. RILA members represent 
almost $1.4 trillion in sales annually and operate more than 100,000 
stores, manufacturing facilities and distribution centers nationwide. 
Its member retailers and suppliers have facilities in all 50 states, as 
well as internationally, and employ millions of workers domestically 
and worldwide. Through RILA, leaders in the critical disciplines of the 
retail industry work together to improve their businesses and the 
industry as a whole.
    Retailers and their product and service suppliers value their 
relationship with their customers above all else. Consumers vote with 
their feet every day by purchasing goods and services from retailers 
and suppliers that they know and trust to provide the quality, prices 
and services that they expect.
    RILA members are committed to maintaining the security and 
confidentiality of consumer information. RILA supports a uniform 
federal standard should sensitive customer information be breached and 
there is a reasonable belief or actual knowledge that harm has been 
caused as a result of the breach.
    As the Judiciary Committee considers data security legislation RILA 
asks that the committee consider the following core principles:

 Preemption: RILA members are committed to policies and practices that 
        safeguard personal data and records and are in full compliance 
        with the current California data breach notification statute. 
        However, other states and jurisdictions have also enacted or 
        are considering similar laws. While these proposals are similar, 
        they are rarely consistent, making the potential for a 
        conflicting and confusing regulatory and legal framework all 
        too real. Complying with various and inconsistent state laws 
        could, in fact, slow down the notification process, create 
        unnecessarily complex internal systems, and add cost to the 
        bottom line. Therefore, RILA supports a strong federal 
        preemption that would create a uniform standard ``trigger'' for 
        notification and for the type of notification that must occur.
 Trigger: RILA members believe that notification should only be 
        ``triggered'' when it is determined that there is, or there is 
        a reasonable belief that there is, a significant risk of harm 
        to consumers. We would note that this is a similar standard 
        supported by the Federal Trade Commission in testimony it has 
        presented before Congress this year. RILA members have 
        legitimate concerns about over notification and believe that 
        clearly defining an appropriate trigger is fundamental to 
        achieving meaningful consumer notice.
 Covered Data: Proposals should be limited to unencrypted computerized 
        information.
 Notification: RILA members support a uniform notification standard 
        through direct mail or email and are opposed to redundant and 
        costly notification requirements that would do little to 
        increase awareness. RILA also supports a substitute 
        notification delivery method--email, website, local media, 
        etc.--if notification costs would exceed $250,000 or the breach 
        affects more than 500,000 consumers.
 Private Right of Action: RILA supports data security legislation that 
        would prohibit individual private rights of action.
 Credit Freeze: RILA has concerns regarding the impact of so-called 
        credit freeze proposals that would allow consumers to place a 
        freeze on their credit report. While proposals of this nature 
        have the biggest impact on the credit agencies, retailers, 
        particularly those who provide instant credit, are concerned 
        about the spillover effects of credit freeze requirements. 
        When a customer freezes their credit file, they are likely to 
        forget to ``unfreeze'' their file before they apply for instant 
        credit, creating consumer frustration and confusion when instant 
        credit cannot be issued. In addition, retailers are concerned 
        that additional credit agency requirements could drive up the 
        cost of credit reports. While the industry has concerns with 
        credit freeze requirements, if provisions are adopted, there 
        should be a uniform national standard.
    With regard to the draft document that the committee is considering 
at today's hearing, we have prepared the attached comments, which we 
have previously provided to the subcommittee staff.
    If you have any questions about this matter, please don't hesitate 
to contact me or my colleague Lori Denham, Senior Vice President, 
Policy and Planning.
            Sincerely,
                                              Paul T. Kelly
        Senior Vice President, Federal and State Government Affairs
Attachment
Retail Industry Leaders Association General Comments on Barton/Stearns 
   Discussion Draft ``Data Security & Security Breach Notification''
                             July 28, 2005
Security Requirements for Data
Section 2
 Rules promulgated by the FTC may require specific policies and 
        procedures that may or may not be appropriate for the 
        protection of the personal information maintained by companies. 
        While we support the idea that companies should have policies 
        and procedures in place to protect personal information, we 
        believe individual companies are in the best position to 
        determine what form those policies and procedures should take.
 RILA supports an exemption for data that is encrypted.
Nationwide Notification for Material Security Breaches
Section 3
 Breach of Security. We agree with the concept of risk assessment in 
        determining whether a notice of breach to consumers is 
        necessary. Inundating consumers with notices regarding a breach 
        of information when there is no evidence that the breach has 
        resulted, or will result, in identity theft is counter-productive. There 
        is a real danger that over notification will result in 
        consumers becoming numb to the notices and they will, 
        therefore, fail to take necessary steps to protect their 
        information.
 Timeliness of Notification. Many of the state laws regarding security 
        breach notification have included a provision that would allow 
        for the delay of notification to consumers in cases where law 
        enforcement requests a delay so they can complete an 
        investigation.
 Method of Notification. Notification by mail and email and web site 
        could prove burdensome. We would support a notification scheme 
        whereby individuals could be notified by mail or email and by 
        the posting of a notice on the company's web site. It is not 
        necessary to notify consumers by both mail and email. Companies 
        should be able to choose the method that is most practical and 
        efficient depending on the circumstances. Providing notice on 
        the company's web site would then be an appropriate and 
        practical addition to the mail or email notification. If a 
        company chose to send notice by email, it should be allowed to 
        do so without having prior ``consent'' from the consumer to 
        receive such messages. This would be an operational (not a 
        commercial) email message and one that consumers would want and 
        need to receive regardless of whether they had previously 
        provided consent.
Definitions
Section 5
 ``Personal Information''. The definition of personal information is 
        consistent with the definitions established in California's 
        (and other states') security breach notification laws. If this 
        definition is acceptable, why would the Commission be allowed 
        to modify it in the rulemaking?
Effect on Other Laws
Section 6
 The preemption language is limited to ``. . . breaches of security of 
        data in electronic form.'' State laws have contemplated 
        breaches in forms other than electronic. The preemption should 
        be complete so that companies can implement one security breach 
        notification process. Companies should not be put in a position 
        whereby they have to follow specific state laws for information 
        that is maintained in forms other than electronic.
 Banks, credit unions, thrifts and common carriers are exempt from 
        coverage because they do not fall under the jurisdiction of the 
        FTC. However, these entities would need/want to take advantage 
        of the preemption provision. If these entities are not included 
        in the preemption provision they will be subject to federal 
        regulatory guidance and the myriad state laws that address 
        security of information and notification in the event a 
        security breach occurs.
Effective Date and Sunset
Section 7
 What is the reason for attaching a sunset provision to this 
        legislation?
    For more information, contact Lori Denham, Senior Vice President, 
Policy and Planning (703) 600-2012 or [email protected] or 
Paul T. Kelly, Senior Vice President, Federal and State Government 
Affairs (703) 600-2014 or [email protected].