[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]






             THE THREAT OF DATA THEFT TO AMERICAN CONSUMERS

=======================================================================

                                HEARING

                               BEFORE THE

           SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 4, 2011

                               __________

                           Serial No. 112-44










      Printed for the use of the Committee on Energy and Commerce
                        energycommerce.house.gov



                                _____

                  U.S. GOVERNMENT PRINTING OFFICE
70-740 PDF                WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001









                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman

JOE BARTON, Texas                    HENRY A. WAXMAN, California
  Chairman Emeritus                    Ranking Member
CLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania        EDOLPHUS TOWNS, New York
MARY BONO MACK, California           FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  MICHAEL F. DOYLE, Pennsylvania
MIKE ROGERS, Michigan                ANNA G. ESHOO, California
SUE WILKINS MYRICK, North Carolina   ELIOT L. ENGEL, New York
  Vice Chair                         GENE GREEN, Texas
JOHN SULLIVAN, Oklahoma              DIANA DeGETTE, Colorado
TIM MURPHY, Pennsylvania             LOIS CAPPS, California
MICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee          CHARLES A. GONZALEZ, Texas
BRIAN P. BILBRAY, California         JAY INSLEE, Washington
CHARLES F. BASS, New Hampshire       TAMMY BALDWIN, Wisconsin
PHIL GINGREY, Georgia                MIKE ROSS, Arkansas
STEVE SCALISE, Louisiana             ANTHONY D. WEINER, New York
ROBERT E. LATTA, Ohio                JIM MATHESON, Utah
CATHY McMORRIS RODGERS, Washington   G.K. BUTTERFIELD, North Carolina
GREGG HARPER, Mississippi            JOHN BARROW, Georgia
LEONARD LANCE, New Jersey            DORIS O. MATSUI, California
BILL CASSIDY, Louisiana              DONNA M. CHRISTENSEN, Virgin 
BRETT GUTHRIE, Kentucky              Islands
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

                                 _____

           Subcommittee on Commerce, Manufacturing and Trade

                       MARY BONO MACK, California
                                 Chairman
MARSHA BLACKBURN, Tennessee          G.K. BUTTERFIELD, North Carolina
  Vice Chairman                        Ranking Member
CLIFF STEARNS, Florida               CHARLES A. GONZALEZ, Texas
CHARLES F. BASS, New Hampshire       JIM MATHESON, Utah
GREGG HARPER, Mississippi            JOHN D. DINGELL, Michigan
LEONARD LANCE, New Jersey            EDOLPHUS TOWNS, New York
BILL CASSIDY, Louisiana              BOBBY L. RUSH, Illinois
BRETT GUTHRIE, Kentucky              JANICE D. SCHAKOWSKY, Illinois
PETE OLSON, Texas                    MIKE ROSS, Arkansas
DAVID B. McKINLEY, West Virginia     HENRY A. WAXMAN, California (ex 
MIKE POMPEO, Kansas                      officio)
ADAM KINZINGER, Illinois
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)

                                  (ii)













                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Mary Bono Mack, a Representative in Congress from the State 
  of California, opening statement...............................     1
    Prepared statement...........................................     4
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, opening statement...............................     6
Hon. G.K. Butterfield, a Representative in Congress from the 
  State of North Carolina, opening statement.....................     7
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement..................................     7
    Prepared statement...........................................     9

                               Witnesses

David Vladeck, Director, Bureau of Consumer Protection, Federal 
  Trade Commission...............................................    10
    Prepared statement...........................................    13
    Answers to submitted questions...............................   114
Pablo Martinez, Deputy Special Agent in Charge, Criminal 
  Investigation Division, U.S. Secret Service....................    26
    Prepared statement...........................................    28
    Answers to submitted questions...............................   119
Eugene H. Spafford, Professor and Executive Director, Purdue 
  University Center for Education and Research in Information 
  Assurance and Security.........................................    37
    Prepared statement...........................................    39
    Answers to submitted questions...............................   120
Justin Brookman, Director, Consumer Privacy Project, Center for 
  Democracy and Technology.......................................    59
    Prepared statement...........................................    61
    Answers to submitted questions...............................   124

                           Submitted Material

Letter, dated April 6, 2011, from subcommittee leadership to Ed 
  Hefferman, President and Chief Executive Officer, Alliance Data 
  Systems, Inc., submitted by Mrs. Bono Mack.....................    96
Letter, dated April 18, 2011, from Jeanette Fitzgerald, General 
  Counsel, Epsilon Data Management, LLC, to subcommittee 
  leadership, submitted by Mrs. Bono Mack........................    98
Letter, dated April 29, 2011, from subcommittee leadership to 
  Kazuo Hirai, Chairman, Sony Computer Entertainment America LLC, 
  submitted by Mrs. Bono Mack....................................   103
Letter, dated May 3, 2011, from Kazuo Hirai, Chairman, Sony 
  Computer Entertainment America LLC, to subcommittee leadership, 
  submitted by Mrs. Bono Mack....................................   105

 
             THE THREAT OF DATA THEFT TO AMERICAN CONSUMERS

                              ----------                              


                         WEDNESDAY, MAY 4, 2011

                  House of Representatives,
 Subcommittee on Commerce, Manufacturing and Trade,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 9:30 a.m., in 
room 2322, Rayburn House Office Building, Hon. Mary Bono Mack 
(chairwoman of the subcommittee) presiding.
    Present: Representatives Bono Mack, Blackburn, Stearns, 
Harper, Lance, Cassidy, Guthrie, McKinley, Kinzinger, 
Butterfield, Dingell, Schakowsky and Waxman (ex officio).
    Staff Present: Paul Cancienne, Policy Coordinator, CMT; 
Brian McCullough, Senior Professional Staff Member, CMT; Carly 
McWilliams, Legislative Clerk; Gib Mullan, Chief Counsel, CMT; 
Andrew Powaleny, Press Assistant; Shannon Weinberg, Counsel, 
CMT; Michelle Ash, Democratic Chief Counsel; Felipe Mendoza, 
Democratic Counsel; and Will Wallace, Democratic Policy 
Analyst.
    Mrs. Bono Mack. Good morning. The subcommittee is now in 
order. And I would like to start by saying that a wise person 
once said great challenges create great opportunities. As we 
begin looking into the pervasive problems of cyber attacks and 
data breaches, this is our subcommittee's great opportunity to 
come up with new safeguards against identity theft.
    The chair now recognizes herself for an opening statement.

 OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Today American consumers are under constant assault. As 
quickly and quietly as a wallet can be stolen by a skilled pick 
pocket, your personal identity can be highjacked without you 
knowing it by online hackers. The Federal Trade Commission 
estimates that nearly 9 million Americans fall victims to 
identity theft every year, costing consumers and businesses 
billions of dollars annually. And those numbers are growing 
steadily and alarmingly. In recent years, sophisticated and 
carefully orchestrated cyber attacks designed to obtain 
personal information about consumers, especially when it comes 
to their credit cards, have become one of the fastest growing 
criminal enterprises here in the U.S. and across the world.
    The boldness of these attacks and the threat that they 
present to unsuspecting Americans was underscored recently by 
massive data breaches at Epsilon and Sony. With 77 million 
accounts stolen, including some 10 million credit card numbers, 
the data breach involving Sony's PlayStation network has the 
potential to become the Great Brinks Robbery of cyber attacks, 
and the take just keeps going up.
    While the FBI and Secret Service, along with other law 
enforcement agencies, work around the clock to try and crack 
the sensational case, we now learn that a second Sony online 
service was also compromised during the same time period.
    Computer hackers obtained access to personal information 
relating to an additional 25 million customer accounts. That is 
more than 100 million accounts now in jeopardy. Like their 
customers, both Sony and Epsilon are victims, too. But they 
also must shoulder some of the responsibility for the stunning 
thefts, which shake the confidence of everyone who types in a 
credit card number and simply hits enter. E-commerce is a vital 
and growing part of our economy. We should take steps to 
embrace and protect it, and that starts with robust 
cybersecurity.
    As chairman of this subcommittee, I am deeply troubled by 
these latest data breaches and the decision by both Epsilon and 
Sony not to testify today. This is unacceptable. According to 
Epsilon, the company did not have time to prepare for our 
hearing, even though its data breach occurred more than a month 
ago. Sony meanwhile says it was too busy with its ongoing 
investigation to appear.
    Well, what about the millions of American consumers who are 
still twisting in the wind because of the breaches? They 
deserve some straight answers, and I am determined to get them.
    For instance, how did the breaches occur? What steps are 
being taken to prevent future breaches? And what is being done 
to mitigate the affects of these breaches on American 
consumers? Yet for me the single most important question is 
simply this: Why weren't Sony's customers notified sooner of 
the cyber attack? I fundamentally believe that all consumers 
have a right to know when their personal information has been 
compromised, and Sony as well as all other companies have an 
overriding responsibility to promptly alert them.
    In Sony's case, company officials first revealed 
information about the data breach on their blog. That is right, 
a blog. I hate to pile on, but in essence, Sony put the burden 
on consumers to search for information instead of accepting the 
burden of notifying them. If I have anything to do with it, 
that kind of halfhearted, half-baked response is not going to 
not fly in the future. This ongoing mess only reinforces my 
long-held belief that much more needs to be done to protect 
sensitive consumer information. Americans need additional 
safeguards to prevent identity theft. And I will soon enter 
legislation designed to accomplish this goal. My legislation 
will be crafted around the guiding principle consumers should 
be promptly informed when their personal information has been 
jeopardized.
    Clearly, as I have said, cyber attacks on the rise. 
According to the Privacy Rights Clearinghouse, over 2,500 data 
breaches, involving some 600 million records, have been made 
public since 2005. In fact, last month alone, some 30 data 
breaches at hospitals, insurance companies, universities, 
banks, airlines and governmental agencies impacted nearly 100 
million records. And that is in addition to the massive 
breaches at Epsilon and Sony.
    The time has come for Congress to take decisive action. We 
need a universal national standard for data security and data 
breach notification, and we need it now.
    While I remain hopeful that law enforcement officials will 
quickly determine the extent of these latest cyber attacks, 
they serve as a reminder as well as a wake up call that all 
companies have a responsibility to protect personal information 
and to promptly notify customers when their information has 
been put at risk. We have the responsibility as lawmakers to 
make certain that this happens.
    [The prepared statement of Mrs. Bono Mack follows:]



    Mrs. Bono Mack. And now I would like to recognize the 
gentleman from North Carolina, the ranking member of the 
subcommittee, Mr. Butterfield, for 5 minutes for an opening 
statement.
    Mr. Butterfield. Let me thank the chairman for convening 
this important hearing today and particularly thank the 
witnesses for coming forward with your testimony. Before giving 
my opening statements, I would yield such time as he may 
consume to the former chairman of this committee, of the full 
committee and now the ranking member, the gentleman from 
California.
    Mr. Waxman. Thank you very much, Mr. Butterfield. I 
appreciate your courtesy in allowing me to go ahead of you in 
an opening statement. I must go to another committee that is 
meeting at the same time.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    I would like to thank Chairman Bono Mack for holding this 
timely and important hearing. In the last month, we have seen 
some serious private-sector data breaches that have affected 
millions of Americans. Just last week, Sony revealed that 
information connected to 77 million customer accounts had been 
compromised. And then, on Monday, Sony announced that even more 
consumer information was breached. Data breaches threaten the 
financial well-being of individuals whose personal information 
is exploited to commit identify theft or fraud. There is no one 
solution to these threats. Criminal hackers are targeting us 
every minute.
    Today we will hear from Federal law enforcement and how 
they are attacking this problem. However, the private sector 
also must step up to the plate. The private sector can and must 
do a better job of safeguarding sensitive personal information.
    Information is the currency of the digital economy, and it 
must be secured. Just as a bank would not leave its vault 
unlocked and open to thieves, companies must secure information 
and keep it out of the hands of identify thieves and other 
criminals. And when personal information is compromised, 
companies have an obligation to inform those individuals whose 
information was lost or stolen so that they can take steps to 
detect and prevent identity theft or other harm.
    I am hopeful this committee can again in a bipartisan 
fashion pass the Data Accountability and Trust Act, and work as 
a team to get the Senate to follow suit. The DATA bill that was 
passed by last Congress creates two major security 
requirements: One, an entity holding data containing personal 
information must adopt reasonable and appropriate security 
measures to protect such data; and two, that same entity must 
notify affected consumers in the event of breach, unless the 
entity determines there is no reasonable risk of identity 
theft, fraud or other unlawful conduct.
    I look forward to today's hearings and working together to 
quickly repass the Data Accountability and Trust Act.
    I yield back the balance of my time.

OPENING STATEMENT OF HON. G.K. BUTTERFIELD, A REPRESENTATIVE IN 
           CONGRESS FROM THE STATE OF NORTH CAROLINA

    Mr. Butterfield. Let me thank you, Mr. Waxman, for your 
leadership on this issue and your leadership on this committee.
    In preparing for this hearing today, I was told by my staff 
that well over 100 million consumer records have been 
compromised as a result of breaches at Epsilon Data Management, 
an e-mail marketer, and at Sony's PlayStation and online 
entertainment networks. If that is indeed a fact, this is very, 
very alarming. And so this hearing today is certainly very 
important.
    I want to you know, Madam Chairman, that I stand ready to 
work with you and our colleagues to pass strong bipartisan data 
security legislation like the DATA bill that will prevent this 
from reoccurring.
    I ask unanimous consent that my full statement be included 
in the record.
    I yield back.
    Mrs. Bono Mack. I thank the gentleman.
    The chair recognizes Mr. Stearns from Florida for 3 
minutes.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Stearns. Thank you, Madam Chair. And let me also 
compliment you on having this hearing.
    I share your disappointment that Epsilon and Sony have not 
shown up. Obviously, they could provide us a lot of information 
that perhaps some of our witnesses could not, and I think it 
ultimately is their responsibility to explain it.
    Madam Chair, as the chairman of the Oversight and 
Investigation Committee I certainly would want to work with you 
to find out perhaps what really happened and perhaps to extend 
a hearing on this on my subcommittee.
    Let me also say to you, this is an issue that, in the 109th 
Congress, when I was chair of this subcommittee, I had a bill, 
a data security bill, and this bill was H.R. 4127. It passed 
out of the subcommittee, bipartisan support. It passed out of 
the full committee, bipartisan support. It did not pass the 
House, unfortunately, and so with your leadership, perhaps we 
can get this through the House.
    So I am very anxious to support you and help you in your 
endeavors to actually get a bill through the House and to the 
Senate. This is so important. If the data security bill that I 
had in the 109th Congress had actually passed, which required 
entities which hold personal information to establish and 
maintain appropriate security policies to prevent unauthorized 
acquisition of that data, so companies would have a data 
security officer, and that officer would have the mandate and 
the requirement to protect the information.
    It was interesting that the issue is so important that 
bipartisan support in the 109th Congress was available. So 
surely, I would think we could get bipartisan support again. I 
know Mr. Rush, when he was chairman, he took the bill that we 
had, and he offered it again. And I cosponsored that bill with 
him. And now with a new majority and you, Madam Chair, the 
chairwoman, I think this is really a very important issue for 
you and this subcommittee to make a stand, get the bill through 
the subcommittee, through the full committee and try and get it 
through the House.
    I think a lot of people are just staggered by what has 
happened. And we should not delay. I think this hearing is 
important. I look forward to participating and also hearing 
their comments, but in the end, I think both parties agree that 
this is something that should be answered with a bill that is 
substantive and bring in the jurisdiction of the Federal Trade 
Commission and others to help us out.
    So, thank you, I yield back.
    [The prepared statement of Mr. Stearns follows:]



    
    Mrs. Bono Mack. I thank the gentleman. And we would like to 
say that we have one panel of witnesses joining us today. Each 
of our witnesses has prepared an opening statement that will be 
placed into the record. Each of you will be given 5 minutes to 
summarize the statement with your remarks.
    On our panel, we have David Vladeck, director of the Bureau 
of Consumer Protection at the Federal Trade Commission. Also 
testifying, we have Pablo Martinez, deputy special agent in 
charge of the Criminal Investigative Unit for the U.S. Secret 
Service. We have Dr. Gene Spafford, professor and executive 
director from Purdue University, Center for Education and 
Research and Information Assurance and Security. And last but 
not least, we have Justin Brookman, director of the Consumer 
Privacy Project at Center for Democracy and Technology.
    Good morning to each of you, and we welcome you. We are 
very grateful that you are here with us this morning. If you 
can keep track of the time by the time clocks that are on the 
table, I am assuming.
    Staff?
    Oh, that is a new improvement, technology. OK, well, green, 
yellow and red, much like a stoplight. If you could keep your 
eye on it, we would appreciate it.

   STATEMENTS OF DAVID VLADECK, DIRECTOR, BUREAU OF CONSUMER 
 PROTECTION, FEDERAL TRADE COMMISSION; PABLO MARTINEZ, DEPUTY 
SPECIAL AGENT IN CHARGE, CRIMINAL INVESTIGATIVE DIVISION, U.S. 
  SECRET SERVICE; JUSTIN BROOKMAN, DIRECTOR, CONSUMER PRIVACY 
  PROJECT, CENTER FOR DEMOCRACY AND TECHNOLOGY; AND EUGENE H. 
 SPAFFORD, PROFESSOR AND EXECUTIVE DIRECTOR, PURDUE UNIVERSITY 
CENTER FOR EDUCATION AND RESEARCH IN INFORMATION ASSURANCE AND 
                            SECURITY

    Mrs. Bono Mack. Mr. Vladeck, we recognize you for 5 
minutes.

                   STATEMENT OF DAVID VLADECK

    Mr. Vladeck. Good morning, Chairman Bono Mack, Ranking 
Member Butterfield, and Members of the Subcommittee. I am David 
Vladeck, director of the Federal Trade Commission's Bureau of 
Consumer Protection.
    We appreciate the opportunity to present testimony here 
this morning. The written statement is submitted on behalf of 
the commission. This statement and my responses to questions 
represent my views.
    As the Nation's consumer protection agency, the FTC is 
committed to protecting consumer privacy and promoting data 
security in the private sector. We all know that data security 
is critically important to consumers. If companies do not 
safeguard the personal information they collect and store, that 
information could fall into the wrong hands, resulting in fraud 
and other harm to consumers. And as more and more breaches take 
place, there is a risk that consumers could lose confidence in 
the marketplace.
    As the commission's testimony makes clear, the commission 
unanimously supports legislation that would require companies 
to implement reasonable security policies and procedures. The 
commission also supports legislation that would require 
companies to notify consumers in appropriate circumstances when 
there is a security breach so that consumers can take steps to 
protect themselves.
    By enacting legislation, Congress would also send a clear 
message that all companies that hold consumer information, 
including common carriers and nonprofit organizations, must 
take responsible and appropriate measures to safeguard that 
information and must notify consumers if their information has 
been exposed in a breach.
    A data security statute would establish the standards that 
companies must adhere to and, by empowering the Federal Trade 
Commission to seek civil penalties for violations, would deter 
poor security practices. These statutory provisions would 
reduce the incidence of identity theft and other financial 
harms, saving consumers from the hardships that ensue when 
there is a breach.
    The commission's testimony also describes our efforts to 
promote data security, which focuses on three activities: 
Enforcement cases against companies that fail to provide 
adequate security; education for consumers and businesses; and 
policy initiatives to promote better data security.
    Enforcement: We have brought more than 30 law enforcement 
actions against businesses that fail to protect consumers' 
personal information, including two actions we announced just 
yesterday. In the first case, Ceridian, a large payroll 
processing company that maintains highly sensitive payroll 
information, failed to take reasonable measures to prevent an 
intruder from hacking into Ceridian's payroll processing 
system. The hacker compromised personal information, including 
Social Security numbers and financial account information of 
approximately 28,000 employees of Ceridian's small business 
customers.
    In the second case, Lookout Services a company offering a 
Web-based application to assist employers in verifying their 
employees' eligibility to work in the United States had weak 
practices in Web application vulnerabilities. As a result, an 
employee of a Lookout customer was able to gain unauthorized 
access to Lookout's entire customer database, which includes 
highly sensitive information, including Social Security 
numbers, dates of birth, passport numbers, alien registration 
numbers, drivers licenses, military identification numbers and 
so forth.
    The orders entered in both cases require the companies to 
implement comprehensive data security programs and obtain 
independent audits for 20 years. Orders of this kind are 
standard in our data breach cases, and I underscore, we are not 
authorized to seek civil penalties in these cases, so we rely 
on injunctive relief.
    The commission also promotes data security practices 
through extensive use of consumer and business education. For 
example, our Web sites designed to educate consumers about 
basic security, computer security, have recorded more than 14 
million unique visits. And our business education touches on a 
wide range of issues, from P2P file sharing, which I know is of 
particular interest to the chair and to copier data security.
    We also engage in policy actions. We published a staff 
report in December proposing a new framework for privacy which 
calls on companies to build privacy and data security into the 
design of goods and services, to maintain reasonable safeguards 
for consumer data, to limit the data they collect, to retain 
data for only so long as they have a legitimate business need 
to do so.
    In closing, we thank the chair for holding this important 
hearing, and we look forward to working with you and your 
colleagues on data security. Of course, we would be happy to 
answer any questions, thank you.
    [The prepared statement of Mr. Vladeck follows:]



    Mrs. Bono Mack. Thank you very much, Mr. Vladeck.
    Mr. Martinez, you are recognized for 5 minutes.

                  STATEMENT OF PABLO MARTINEZ

    Mr. Martinez. Good morning.
    Mrs. Bono Mack. And would you please, excuse me, turn on 
your microphone?
    Mr. Martinez. Good morning, Madam Chair.
    Good morning, Madam Chair, Ranking Member Butterfield and 
distinguished members of the subcommittee. Thank you for the 
opportunity to testify on the role of the Secret Service in 
cyber investigations.
    In February 2010, the Department of Homeland Security 
delivered a Quadrennial Homeland Security Review which 
established a framework for Homeland Security missions and 
goals and underscored the need for safe and secure cyberspace.
    As a vital component of DHS, we work to support the 
department's mission to safeguard cyberspace. Through a greater 
understanding of how the criminal world operates, the Secret 
Service has developed strategies that have a tremendous impact 
in terms of disrupting and dismantling underground networks. We 
use this knowledge of criminal networks to adapt our response 
to the challenges posed by financial crimes in the 21st 
century.
    Breaking up criminal networks requires a highly coordinated 
law enforcement approach focused on constant innovation and 
tactics to meet these emerging threats. The Secret Service 
continually develops the technical expertise to track down and 
successfully infiltrate, investigate and prosecute with our 
partners cyber criminals who pride themselves on their 
knowledge and technical prowess. In many cases, law enforcement 
has learned the tricks and techniques that cyber criminals use 
to hide their identities and their crimes and in turn develop 
countermeasures that allow the perpetrators to be apprehended 
and prosecuted.
    A central component of our approach is the training 
provided through our Electronic Crimes Special Agent Program, 
which gives our special agents the tools they need to conduct 
computer forensic examinations on electronic evidence obtained 
from computers, personal data assistance and other electronic 
devices.
    To date, more than 1,400 special agents are ECSAP trained. 
In fact, the Secret Service values this training so highly that 
the basic level is now incorporated as a part of the curriculum 
that all special agent trainees receive at our James J. Riley 
training center.
    The training we provide, however, extends past our agents 
to others in the public sector. To further address cyber crime, 
we continue to train State and local law enforcement through 
our National Computer Forensic Institute initiative.
    Since 2008 the, Secret Service has provided training to 932 
State and local law enforcement officials, prosecutors and 
judges. The Secret Service's commitment to sharing information 
and best practices is perhaps best reflected through the work 
of our 31 electronic crime task forces, two of which are 
located overseas in Rome, Italy, and London, England.
    Our domestic and foreign partners benefit from the 
resources, information, expertise and advance research provided 
by our international network of members. The Secret Service 
continues to undertake complex cases that require a large 
investment of time and actively targets individuals who take 
part in criminal activities regardless of where they are 
physically located. To coordinate these investigations at the 
headquarters level, the Secret Service has enhanced our cyber 
intelligence section to identify transnational cyber criminals 
involved in network intrusions, identity theft, credit card 
fraud, bank fraud and our computer-related crimes.
    In the past 2 years, CIS has directly contributed to the 
arrest of 41 transnational cyber criminals who were responsible 
for the largest network intrusion cases ever prosecuted in the 
United States. These intrusions resulted in the theft of 
hundreds of millions of credit card numbers and the financial 
loss of approximately $600 million to financial and retail 
institutions. These cases are complicated and directly impact 
the lives of millions of American citizens.
    At all levels, law enforcement is also having some success 
in getting the legal system to recognize the seriousness of 
losses stemming from online financial crime. And this fact is 
reflected in the lengths of some of the prison sentences levied 
against these defendants. As a result of Secret Service's 
successful investigation into the network intrusion of 
Heartland Payment Systems, which I describe in more detail in 
my written remarks, the three suspects in the case were 
indicted for various computer-related crimes. The lead 
defendant in the indictment plead guilty and was sentenced to 
20 years in Federal prison.
    There is little doubt that the possibility of serving 20 
years in prison will provide a much greater deterrent than 
sentences typically seen in such cases a decade ago.
    Madam Chair, Ranking Member Butterfield, and distinguished 
members of the subcommittee, the Secret Service is committed to 
our mission of safeguarding the Nation's cyber infrastructure 
and will continue to aggressively investigate cyber- and 
computer-related crimes to protect American consumers and 
institutions from harm.
    This concludes my prepared statement. Thank you again for 
this opportunity to testify on behalf of the Secret Service.
    [The prepared statement of Mr. Martinez follows:]



    Mrs. Bono Mack. Thank you, Mr. Martinez.
    Dr. Spafford, you are recognized for 5 minutes.

                STATEMENT OF EUGENE H. SPAFFORD

    Mr. Spafford. Madam Chair, Ranking Member Butterfield, 
Members of the Committee, I have been working in the field of 
information security for about 30 years, and I am speaking with 
that background and also as chairman of USACM, which is the 
Public Policy Council of the ACM, which is the world's largest 
educational and scientific computing society. And we have a 
number of members who work in security, privacy, and electronic 
data. So we have a great deal of expertise in this arena.
    And our knowledge of this is that this is a very 
significant problem. We have seen this as a growing area of 
concern over a number of decades, and certainly the data that 
has been presented, what you have heard, what you have seen, 
indicates that the problem is getting worse. It is not only a 
national problem but, as Mr. Martinez just said, an 
international problem.
    We would like to point out that it is a problem not only 
for private firms but also for government agencies. There is 
data that is held by government agencies and databases, and 
some of it is privileged information because government is in a 
position to collect particularly sensitive data, and that is 
often compromised and released.
    The Privacy Rights Clearinghouse maintains a database where 
they track various forms of data breaches and releases. And 
according to their figures, it is averaged approximately 100 
million records per year for the last 6 years running have been 
released. Interestingly, the Sony breaches this year have 
totaled 100 million all on their own. So we are well ahead of 
that record just based on those releases by themselves.
    If we combine that with a study that was done by the 
Ponemon Institute, it indicates that for companies having these 
breaches, they cost approximately $214 per record to clean up 
after the breaches. We come up with a figure of $21 billion per 
year in costs to clean up after the breaches on average. And 
those costs are being passed on to the consumers.
    Along with that, we then have all of the costs for the 
various fraud, law enforcement investigation, other kinds of 
losses piled onto that and all of the losses for unreported 
breaches and other losses that are unreported.
    So it is possible that the losses to the American public 
and the American economy could be as high as $100 billion per 
year from these breaches.
    I will note that there was a story in the New York Times 
today that some of the credit card fraud underground bulletin 
board groups are worried that the massive loss of credit cards 
from the Sony breach may be depressing the price, the 
underground price, for credit cards by a factor of 5 or 10 
because it will reduce the cost on the black market trading 
price of credit card numbers. So perhaps there is some good to 
be had from the Sony breach.
    Looking at the problem realistically, disclosure 
notification laws help at some level after the fact because it 
does help victims take some action to protect their identity 
and to protect against some of their information being used 
illegally. However, it does not solve all of the problem.
    Law enforcement has made some gains, but they are not 
adequately resourced. We certainly do not have enough in the 
way of forensic tools. There is more need for research there, 
and there certainly is a need for more law enforcement agents 
and resources for prosecution.
    But more importantly, there are the preventative aspects. 
We don't have enough in the way of requirements on companies to 
take the preventative measures to prevent the kinds of 
disclosures that are occurring. In large part, that is because 
security is not viewed as something that returns a value. It is 
not something that adds to the bottom line. It takes away from 
the bottom line. Companies don't like to invest in security. 
They don't understand the risk involved by not investing in 
security. And those that do understand some of the risk in 
tight economic times are willing to play the risk. They believe 
they may not be hit by the problem. So when they are and they 
have to pay the cost, they pass that along to their customers 
and to the rest of society. That is where all of this large 
expense comes from.
    So among the recommendations we have are, first of all, 
minimize the amount of data that is kept by these companies. 
Second, age the data. They shouldn't keep the data any longer 
than they absolutely need to. Many companies keep a great deal 
of data simply because they think it might be useful some day. 
They should have sound security practices in place, and there 
are a number that are known that companies don't apply. We urge 
you to make sure that government databases are covered equally, 
the same as private databases, in any regulations, so that all 
are covered by any appropriate regulations.
    And there are a number of others that are in my written 
testimony. I would be happy to answer any questions, and USACM 
and our experts would be happy to help you in any way.
    [The prepared statement of Mr. Spafford follows:]



    Mrs. Bono Mack. Thank you, Dr. Spafford.
    Mr. Brookman, you are recognized for 5 minutes.

                  STATEMENT OF JUSTIN BROOKMAN

    Mr. Brookman. Thank you, Madam Chair, in today's hearing. 
The Center for Democracy and Technology is extremely pleased--
--
    Mrs. Bono Mack. Is your microphone on?
    Mr. Brookman. Is it on now?
    Mrs. Bono Mack. Very good, thank you. A little closer, it 
helps.
    Mr. Brookman. CDT is extremely pleased to see the 
subcommittee is placing such a high priority on protecting 
consumers' personal information in an increasingly complex data 
economy. We very much appreciate the chair's leadership in this 
area.
    Data security breaches are, sadly, nothing new for most 
consumers, but as more and more industry players get access to 
more and more consumer data and storage costs continue to get 
lower and lower, consumers, it is clear, are increasingly at 
risk for loss of their personal data.
    Now, fortunately or unfortunately, depending on how you 
look at it, strong law already does exist to require companies 
to put into place reasonable security measures and to notify 
consumers in the event of a breach.
    The FTC, as Director Vladeck, explained has applied its 
unfairness authority to require companies to adopt reasonable 
security measures, not just for financial information but for 
nonfinancial information as well. And a considerable majority 
of States require notification to consumers in the event of a 
breach that could result in a monetary loss.
    I understand the subcommittee is considering legislative 
solutions in order to address the issues of data security and 
data breach. From our perspective and from a consumer 
perspective, we believe that Federal legislation should not 
merely replicate the existing protections that are out there 
for consumers but should be significantly strengthened to offer 
greater protections.
    For example, the FTC's authority to get--for enforcing in 
poor data security practices could be put specifically into law 
to be more clear, but they would be stronger if the FTC were 
given greater resources to bring more cases and the ability to 
get civil penalties for persons who violate section 5 of the 
FTC Act.
    Similarly, we believe that data breach notification laws 
would be improved if they were to enact the full range of full, 
fair information practice principles, not merely security and 
notification after the fact.
    As an initial matter considering legislative solutions, our 
first advice would be do no harm. While it is clear that the 
existing legal framework is insufficient to protecting 
consumers, they do offer strong protections, without which we 
think consumers would be worse off. CDT has testified 
previously positively about the DATA act referenced by 
Representative Stearns. We did so because we believed it was a 
strong bill and, with some minor revisions, could be as strong 
as the best State laws, but it also offered consumers something 
they didn't already have, which is the rights of access to data 
stored by data brokers, so we thought it would be a net 
positive for consumers.
    We believe also that whatever law is passed should allow 
States to continue to innovate and to bring--to pass new 
consumer protections for consumers. It is important to remember 
that it was in the laboratories of the States that the idea of 
data breach notification came up, because the relatively narrow 
precise preemption language in Gramm-Leach-Bliley, and CDT 
would be skeptical of any law that prohibited similar State 
innovations for consumer protection.
    But fundamentally, we believe the most effective way to 
safeguard consumer data would be to enact the comprehensive 
privacy protection legislation that implements the full range 
of fair information practice principles. These do not 
necessarily prevent data breaches from occurring, but they 
would, I believe, significantly mitigate their effects. And one 
idea--one of these principles is the idea of data minimization. 
Companies should only collect the data they need to accomplish 
a specific purpose, and they should get rid of it when it is no 
longer valuable. And I think it is fair to say, as Dr. Spafford 
pointed out, this is really honored in the breach today. 
Companies request and retain data without notice to the 
consumers on the chance it may become valuable to them one day.
    One example from the recent data breaches is I think 
indicative. Walgreens was hit by a data breach in 2010, in 
December. They had to send notices not just to current 
customers but also folks who have had previously unsubscribed 
from receiving their e-mails, and they didn't explain why they 
retained those e-mail addresses in the first place.
    And then, just last month, as part of the Epsilon data 
breach, Walgreens was again hit by a data breach incident. 
Again, previous customers who had previously unsubscribed had 
their information exposed to the hackers.
    Similarly, it was reported just last night that as part of 
the Sony online data breach incident, 10,000 credit card 
numbers were accessed from ``an outdated database going back to 
2007.'' I guess the good news from that is that only 900 of 
those credit cards numbers were still active, but it remains a 
legitimate question why those numbers were being stored in the 
first place.
    And I know as a result of Epsilon data breach, I got notice 
from at least one company who I had not done business with in 
almost 6 years and who I had unsubscribed from as well.
    We believe that a comprehensive privacy law that requires 
reasonable data minimization, that requires companies to 
actually tell consumers what they are doing with their data, 
and gives consumers meaningful choice about how that data is 
shared and transferred would be the most effective policy means 
to limit the consequences of data security breaches.
    We look forward to continuing to engage with the members of 
the subcommittee on appropriate legislative solutions, and I 
look forward to your questions.
    [The prepared statement of Mr. Brookman follows:]



    Mrs. Bono Mack. Thank you very much, Mr. Brookman.
    The chair now recognizes herself for 5 minutes for the 
first round of questions.
    I would like to start with Mr. Vladeck. According to 
reports, Sony took nearly a week before notifying consumers--
customers about the cyber attack. How long does a typical 
company that has been subjected to a data breach need before it 
notifies its customers? And what is the average time that is 
necessary to make a determination and to inform consumers that 
their information may have been breached?
    Mr. Vladeck. We share the concern I think of everyone in 
this room; the consumers need to be notified as promptly as 
possible. There are two practical exigencies that sometimes 
delay notification. One, there is a need that the company patch 
whatever hole there is in their system before the breach is 
made public. And second, it sometimes takes the company some 
time to understand what information has been accessed and who 
needs to be notified of the breach. We think this should happen 
as soon as practical, and in the prior legislation, for 
example, there was an outer limit set at 60 days. I don't know 
whether that is the right date or not.
    I can't answer your question about common practices. Data 
breaches vary so much that it is hard to extract a general 
rule. The smaller the breach, typically the quicker the 
notification can go out. But in a massive breach where the 
company may still be trying to patch up its system if it is 
still operating--and Sony, one of the systems was not--you do 
worry about notification before the company has had an 
opportunity to plug the hole. But I think that we all would 
agree that consumers need to be notified as swiftly as possible 
so that they can take action to protect themselves.
    Mrs. Bono Mack. Thank you.
    Mr. Martinez, a couple of questions, can you briefly 
explain to me the difference from why the FBI might be involved 
as opposed to your agency?
    Mr. Martinez. Yes. The statute most used to prosecute cyber 
criminals is 18 U.S.C. 1030, which is a computer fraud statute. 
The Secret Service shares concurrent jurisdiction with the FBI 
on those types of investigations.
    However, with investigations that deal with national 
security or terrorism that are cyber-related, the FBI is the 
lead agency in those efforts. And for the NCIJTF, they lead the 
government or law enforcement's efforts in state-sponsored or 
national security type investigations. We have a representative 
there.
    When it comes to criminal matters, we have concurrent 
jurisdiction, so it is--a lot of times it depends on the 
relationship that either the specific company might have with 
either law enforcement agency, whether it is through some type 
of working group or task force or cyber task force where that 
company might reside. So, for example, the Secret Service has 
29 domestic electronic crime task forces, and one of the things 
we ask our people to do is develop those relationships with 
these private-sector companies so that that relationship is 
there prior to the incident happening. The last thing we want 
is for that sort of when the fire goes off, that is the first 
time you meet the firemen. We want there to be a relationship, 
and there are a lot of things that we both, us and the FBI, do 
with private-sector companies to try to develop those points of 
contacts prior to an intrusion happening.
    Mrs. Bono Mack. As I understand it, though, you are 
involved with Epsilon but not with Sony. Can you explain that 
to us briefly?
    Mr. Martinez. Yes. Unfortunately, we can't comment on 
ongoing investigations. I can't comment on the Sony 
investigation because that is being lead by the FBI.
    All I can say with regard to the Epsilon investigation, 
because it is still ongoing, is that they did notify us early 
on in the investigation and have cooperated so far with the 
Secret Service in that investigation.
    Mrs. Bono Mack. Thank you, Mr. Spafford--excuse me, Doctor. 
Can you speak a little bit to Mr. Vladeck's answer about 
notification for consumers within--I think we are puzzled with 
the 60-day time line. To me it seems reasonable that the 
consumer should know immediately, that there is no greater 
protector of one's own identity than the person himself. Can 
you speak a little bit to the 60-day time line?
    Mr. Spafford. Well, after an intrusion or breach has 
occurred, it is necessary to find out--after an incident has 
occurred, it is necessary to determine what records have been 
accessed to determine who needs to be contacted and what 
information was possibly taken to be able to inform the 
individuals what information might be at risk and perhaps give 
them information as to how to protect that.
    Unfortunately, not every organization keeps the kinds of 
records that would allow them to determine that. It is also 
often the case that when evidence has been found that some kind 
of incident has occurred, that doesn't necessarily tell them 
how long that incident has been ongoing. They just detect that 
it has happened, but they don't know how far back it goes. So 
they have to very often pull records, do so forensic 
investigation. It may take a while to determine how many 
people, how far back the records go, how much data it takes, 
and that is not something that can occur instantaneously.
    Mrs. Bono Mack. Excuse me, Doctor, I am sorry to cut you 
off, but I have run out of time, so we will come back to a 
second round of question.
    The chair recognizes Mr. Butterfield for 5 minutes.
    Mr. Butterfield. I thank the chairman.
    In the last Congress, the House passed H.R. 2221, the Data 
Accountability and Trust Act. We all know that. This bipartisan 
bill has built up widespread support across Congress for its 
goal of reducing the number of data breaches and providing new 
rights to individuals whose personal information is compromised 
when a breach occurs.
    First question to Mr. Vladeck: Sir, if H.R. 2221, if it is 
passed into law and it gives the FTC new authority and 
responsibility, can you talk for a minute about the limitations 
you are under now with regard to information security and how 
such a law, if enacted, could strengthen FTC's hand with regard 
to breaches?
    Mr. Vladeck. Thank you, yes.
    It would strengthen our hand in at least three ways. First, 
I think the key insight in the proposed legislation is that it 
would for the first time erect a national standard requiring 
businesses that hold sensitive personal information to take 
reasonable and rigorous safeguards to protect it. And so, for 
one thing, there would be a congressionally dictated standard 
by which we could judge the performance of companies that hold 
onto personal information.
    Second, there would be a national breach notification 
standard, which would encompass a broad range of companies who 
may not be subject to all State and other laws. It would cover 
a broader range of activities.
    And third, we would have civil penalty authority. At the 
moment, we can place companies that have failed to protect 
consumer information under order to ensure that they don't 
violate consumer privacy again. But that doesn't involve 
general deterrence. It doesn't send a signal to other companies 
that they have to step up to the plate and protect consumer 
information.
    Mr. Butterfield. Thank you.
    Let me direct it to Mr. Brookman.
    Mr. Brookman, I agree with you that we need more front-end 
data security measures, so that the need for breach 
notification actually diminishes. Your written testimony 
discusses support for 2221 for that model and the need for 
proper incentives for industry to take data security seriously. 
Can you elaborate more for me? Are you suggesting that the 
incentive be fear of enforcement?
    Mr. Brookman. Yes, I think that is a very important 
incentive. I think in Dr. Spafford's testimony, he talks about 
how companies just don't----
    Mrs. Bono Mack. Excuse me, Mr. Brookman. Would you please--
--
    Mr. Brookman. I apologize. Companies don't think about this 
very seriously in advance. The FTC has somewhat on an ad hoc 
basis said that their prohibition on unfair practices means 
that it is the case that companies must exercise reasonable 
security. I am not entirely sure how well that has sunk into 
corporate America. Even more recently, they have expanded their 
concept of data security, not just to financial information but 
to things like e-mail addresses instead. And that was in their 
what I think was a very strong and important settlement with 
the Twitter case.
    I would like to see H.R. 2221 or whatever it looks like in 
the next iteration to expand their concept of personal 
information, not just to financial information but to other 
potentially personal information as well, such as e-mail 
addresses or else things like the Epsilon breach actually 
wouldn't be affected by it. Companies should have to have 
reasonable security measures in place to do that. I think the 
FTC is getting there. I think with sporadic enforcement just 
merely because of limited resources is not entirely clear to 
the rest of the world that is in fact the law. Putting it into 
law I think would be an important thing, especially with the 
threat of civil penalties behind it to give it a punch.
    Mr. Butterfield. Well, let me ask you this, how do we 
ensure that a company is holding on to personal data as long as 
necessary? Each company has different needs; how can we measure 
that?
    Mr. Brookman. Yes, it is a very tricky issue. This is one 
of the criticisms of the Boucher-Stearns privacy bill--draft 
privacy bill that came out last year. It prescribed a hard 180-
day or maybe an 18-month cap on holding all personal data. And 
some companies were like, that makes sense for us; maybe in 
behavorial advertising, that is a good idea. Data brokers, 
maybe not; maybe they should have to maintain the data for 
longer. So we have supported a safe harbor model for 
legislation such that companies who have similar business 
interests can get together and propose for our industry, hey, 
let's all agree to hold onto data for 180 days, 6 months, 
couple weeks, depending on the scenario, so they don't feel at 
a competitive disadvantage to hold onto data just because their 
competitors might be doing the same thing.
    Mr. Butterfield. All right. Let me go back to the other 
end. What about Hill Newspaper CQ Today reported earlier this 
week that the White House proposal on cyber security will be 
circulated later this month. The article explains that it calls 
for a Federal standard for notification about data breaches and 
a stronger role for the Department of Homeland Security. 
Special Agent Martinez, what role would the Secret Service 
have, if you know, and what other agencies at DHS would have a 
role?
    Mr. Martinez. Sir, the Secret Service, along with other 
executive agencies, has been working with the administration on 
a comprehensive cybersecurity legislation. And specifically in 
the area of data breach, I think a couple of things that that 
legislation needs to have is notice to consumers but also 
notice to the government, so that we can take appropriate 
actions. And also some type of safe harbor provision for 
companies that are adhering to the right practices.
    In addition to the enforcement part, which would be handled 
by the Secret Service as part of the Department of Homeland 
Security, the National Protection and Programs Directorate of 
DHS where US-CERT and the NCSD and some of the other cyber 
entities sit, like the national cyber security division, they 
would also be involved in cyber intrusions in part with respect 
to the----
    Mr. Butterfield. Five seconds left.
    Mr. Vladeck, what role would FTC have, if you know?
    Mr. Vladeck. Well, we would hope we would have authority to 
enforce data breaches as we currently do, to enforce failures 
to inform consumers promptly of data breaches, and we would 
hope we would get civil penalty authority----
    Mr. Butterfield. Thank you.
    I yield back.
    Mrs. Bono Mack. I thank the gentleman.
    And the chair recognizes the vice chair of the 
subcommittee, Ms. Blackburn, for 5 minutes.
    Mrs. Blackburn. Thank you.
    And thank you all for being here I appreciate that we are 
having this hearing today. I think one of the things we can all 
agree on is that giving consumers the tools that are necessary 
to protect their virtual you, if you will, their virtual online 
presence, is going to be an imperative.
    Mr. Brookman, you just spoke to this in your brief 
comments.
    I want to go to Dr. Spafford, if I could. I appreciate that 
you start with recommendations to us and basically summarize 
things. I think that the thing that is of concern to me is when 
it comes to notification, it basically looks as if what is 
happening is a culture of damage control by not doing these 
expediently. And I think we all realize that the technology is 
there for almost instant notification and allowing individuals 
to know.
    Now I am one of those that would prefer to see the industry 
move forward with some best practices and some standards on how 
to deal with not only the data security issue but also the 
privacy issue. And whether you are looking at the Epsilon case 
or the Sony case or the Android aps, the Skype case this week, 
what we see is an intrusion and an invasion into an 
individual's privacy because of a breach that has taken place 
in a relationship that they have.
    Dr. Spafford, moving to your recommendations on page 16 of 
your presentation, basically what you are saying is minimize 
the data, age the data, provide anonymity to the consumer, and 
then you get down to talking about consent. Let's move to that 
and talk about that for just a second. When you have consumer 
consent, should you also allow a consumer an eraser switch so 
that if the company does not eliminate the data, then the 
consumer has the ability to go in and say, you know, whether it 
is 90 days or 180 days, that they can remove their data? 
Where--is that a recommendation that you all would consider 
workable or plausible?
    Mr. Spafford. It depends upon the organization. There are 
some circumstances where the information may need to be kept 
and the user may not be able to remove it because of--there may 
be other reasons, for health reasons for instance, or there may 
be contractual reasons that it really needs to be kept, but 
that certainly could be something that--for commercial reasons, 
marketing reasons, the user may have that right or should have 
that right to have that removed.
    Mrs. Blackburn. OK, all right.
    Mr. Martinez, we have--we continue to talk about companies 
being breached. And I find it so interesting that we don't talk 
as much about penalties for the hackers and those that are 
actually the cyber snoops in committing these crimes. And it 
seems like that is what gets moved to the bottom of the 
conversation. And I would like to--for you just to talk a 
little bit about that. You mentioned the computer fraud 
statute, but it seems as if the perpetrators of the crimes, the 
hackers themselves, is where we should put more of our 
emphasis.
    Mr. Martinez. Thank you. In recent years, we have really 
seen an increase in the amount of sentencing that these hackers 
are getting. For example, in the TJ or the Heartland Payment 
Systems case, TJX, we saw a sentence of 20 years for that 
individual. Recently, in another case that we recently did, an 
individual was sentenced to 25 years.
    We believe these actions are having a deterrent factor, and 
one of the reasons we believe so, for the last 2 years, we have 
collaborated with Verizon business on the data breach 
investigative report that talks about not only data breaches 
investigated by the Secret Service but also those that Verizon 
businesses responded to. One of the things we have seen and it 
is mentioned in the study is that we are now seeing these 
criminals--in the past, they had always attacked financial 
services type companies because of the large volume of 
financial information they had, like processors and financial 
institutions. What we see now as the main targets are the 
hospitality and the retail industry. And we believe the reason 
for that is because of the deterrent factor that some of the 
sentences are having.
    So, for example, instead of trying to breach into a system 
that has 150 million financial accounts, they are going now 
after 10 or 12 smaller ones that have smaller amounts because 
of the fact that they might face a higher sentence were they to 
be apprehended for the larger breach. So we believe that these 
sentences have increased and are having some form of a 
deterrence.
    Mrs. Blackburn. I know I am out of time. I will look 
forward to a second round.
    Mrs. Bono Mack. I thank the gentlelady.
    And the chair recognizes Ms. Schakowsky for 5 minutes.
    Ms. Schakowsky. Thank you, Madam Chairman.
    Dr. Vladeck, you mentioned the need for a civil penalty 
authority to protect consumers. I am wondering if you have seen 
a draft of a civil penalty authority. There was discussion 
earlier I think about the White House proposal on cybersecurity 
that is going to be circulated this month. Do you know if there 
is a draft of a civil penalty authority?
    Mr. Vladeck. I know there is a draft. I don't know how far 
along the drafting is. I know that at least in that draft there 
is authority for us to assess civil penalties of the 
appropriate cases, yes.
    Ms. Schakowsky. Have you any expectation on when you might 
see that draft?
    Mr. Vladeck. None.
    Ms. Schakowsky. OK. So you have just heard that that 
includes----
    Mr. Vladeck. We have been shown a draft, and that draft did 
contain a civil penalty provision.
    Ms. Schakowsky. So you have seen a draft.
    Mr. Vladeck. Yes, a draft, but the process is ongoing.
    Ms. Schakowsky. That was my question. OK.
    Let me also ask any of you this, I am a cochair of a House 
Democratic task force on seniors, senior citizens, and I am 
particularly concerned about cyber criminal attempts to prey on 
older Americans. And I wonder if any of you could speak to that 
threat and to any efforts that are being made to protect, 
particularly vulnerable people, like seniors.
    Mr. Vladeck. If I may, we have seen a spike in prize and 
sweepstake scams aimed at senior citizens. I was in Chicago on 
Monday. One of your staff members was at our hearing, and it is 
quite clear that scammers are targeting the elderly, defined as 
people over 60, which worries me a little.
    Ms. Schakowsky. Are you taking it personally?
    Mr. Vladeck. I am taking it very personally. Targeting 
people of that age group for particularly prize and sweepstake 
scams. This is all on the Internet, and increasingly there is a 
phishing element. There is a spear phishing element. They know 
something about that person that makes the scam particularly 
appealing. We are working with our colleague organizations to 
do both public information and to do enforcement work in this 
area.
    Ms. Schakowsky. Is it the scam itself that they are after, 
or are they looking for information about the individual? I 
mean, are they trying to get people to pay money to participate 
in a sweepstakes or both?
    Mr. Vladeck. Both. And what they often do is say you have 
won a million dollars; you just need to pay a penalty--you just 
need the taxes or a customs fee, and they will often send a 
fake check. It is cashed, and then the person who has been 
scammed sends, typically wires, money abroad. They never see 
obviously their winnings, but they are out whatever the value 
of the check was.
    Ms. Schakowsky. Thank you.
    Let me finally ask a bit about Sony and the security 
breach, the information breach there was.
    Professor Spafford, I know you don't have any specific 
knowledge about what Sony did or did not do to protect the 
personal information that it collected from consumers, but in 
your testimony, you say, ``Some news reports indicate that Sony 
was running software that was badly out of date and had been 
warned about that risk.'' And I have seen some news reports 
about the Sony breach, and truthfully, it seems like a lot of 
them come from blogs and press releases from Sony. So this is 
the first time I am really hearing about the potentially 
outdated software and ignored warnings.
    Sony was actually invited today but declined to appear, and 
Epsilon declined the subcommittee's invitation to testify as 
well. So I am just wondering if you can discuss the problems 
with that software and any of the information that lead to you 
make that statement?
    Mr. Spafford. On a few of the security mailing lists that I 
read, there were discussions that individuals who work in 
security and participate in the Sony network had discovered 
several months ago while they were examining the protocols on 
the Sony network to examine how the games worked, they had 
discovered that the network servers were hosted on Apache Web 
servers. That is a form of software. But they were running on 
very old versions of Apache software that were unpatched and 
had no firewall installed, and so these were potentially 
vulnerable, and that they reported these in an open forum that 
was monitored by Sony employees but had seen no response and no 
change or update to the software.
    Ms. Schakowsky. How long ago was that?
    Mr. Spafford. That was 2 or 3 months prior to the incident 
when the break-ins occurred.
    Ms. Schakowsky. Thank you. I yield back.
    Mrs. Bono Mack. The Chair recognizes Mr. Harper for 5 
minutes.
    Mr. Harper. Thank you, Madam Chair, and I certainly 
appreciate you holding this very timely hearing on this topic. 
And I certainly appreciate the witnesses being here to give 
their insight.
    And Dr. Vladeck, the first question I would have for you 
is, you know when you look at the expense that many companies 
go through to try to put in a system that is secure and works--
and let's say that it is--how long can we say that it will 
remain secure as technology improves and changes? And with 
that, is there a set time period that it would need to be 
updated, or is it just an as-needed. And what do you recommend 
in that situation?
    Mr. Vladeck. We provide a lot of advice to businesses on 
our Web site. And businesses use that, those resources, 
constantly. But our basic advice is inventory what you have, 
assess risks, don't collect information you don't need. For the 
information you do have--and this going to Sony-- protect 
against viruses, spyware, constantly be vigilant to make sure 
the patches you need to put in place are installed promptly, 
discard information when you are done, and put someone in 
charge. This is an ongoing, dynamic process.
    And one of the things I think, the key insights of the 
first piece of legislation, Mr. Stearns' legislation, was the 
need to start building an infrastructure to protect data. And 
that is an ongoing process. You can't check it every 6 months, 
like you might do the oil in your car. It is something you need 
to be vigilant about.
    Mr. Harper. As you look at what you are working on, how do 
you coordinate and keep in synch with all of the State 
attorneys general on what they are trying to do and what you 
are trying to do? How do you coordinate that?
    Mr. Vladeck. I think when there are data breaches, we 
generally take the lead on investigations. Many States have 
requirements that consumers be notified. But they don't 
investigate and then take action when the breach was the result 
of, in our view, truly substandard data security measures.
    But we do keep the States informed. We recently settled a 
case against Lifelock for data security violations, as well as 
others, and in that case we coordinated with 35 State attorneys 
general. But in terms of the hardcore investigation, I think 
the key is that we take the lead on those.
    Mr. Harper. Mr. Martinez, on both the Epsilon and Sony 
matters, I know you are limited on what you can tell us, but 
can you tell us how long it took from the time the breach was 
detected until the time consumers were notified? Is that 
something you can share?
    Mr. Martinez. I am not sure. Again, we didn't investigate 
the Sony intrusion or are not investing it. And on the Epsilon, 
I am not sure what that information is. I can get back to you.
    Mr. Harper. And when we are looking at all of the breaches, 
we certainly--the first thought we have is that it is going to 
be somebody who is there for financial gain, to access the 
account info, the personal info, or perhaps sell that data to 
someone. How much of it would you say is directly attributable 
to terrorist activity as opposed to what we consider the basic 
criminal?
    Mr. Martinez. Unfortunately, sir, all of those matters are 
handled by the FBI. So I think that would be a question better 
answered to by them.
    Mr. Harper. And certainly I know that it goes to the FBI, 
but you know there is the whole of all of the breaches, so what 
percentage do you think comes to you and what percentage goes 
to the FBI? I mean, that would be my question.
    Mr. Martinez. With regards to criminal?
    Mr. Harper. How much of it would you say of the overall pie 
is related to terrorist activity?
    Mr. Martinez. Again, I couldn't speak to what percentage is 
related to terrorist activities. I believe there are a lot of 
the intrusions and a lot of the ones that this committee has 
been talking about today are criminal in nature.
    Mr. Harper. Mr. Brookman, I know we are about out of my 
time here, but we talk about--we certainly hear in the news 
what has been detected. We know what we learn, what goes out in 
the press. What would you imagine--I know it is just 
speculation, but what would you imagine goes undetected?
    Mr. Brookman. I mean, most of the State data breach laws 
really only require notification in the event of a chance of 
financial breach. And the States vary. Some of them say notify, 
unless you can pretty much prove that nothing went wrong. Some 
of them require some thought that there might be harm. And if I 
lost my credit card, if I was a business and lost my credit 
card numbers, I really have no reason to know those were used. 
So I think those go undetected.
    I think a lot of the things like what happened with 
Epsilon, because it is personal information, it is not 
financial information, there is no requirement for those 
companies to come out and say, Hey, we lost your e-mail 
address; and, to the contrary, are intended not to do that. So 
I think a lot goes on under the radar that we don't know about.
    Mr. Harper. I yield back.
    Mrs. Bono Mack. The Chair recognizes Mr. Stearns for 5 
minutes.
    Mr. Stearns. Thank you, Madam Chair.
    Mr. Vladeck, when I did the bill in the 109th Congress, I 
think there were probably less than 30 States that had passed 
data security legislation and now there are 46, I am told. What 
I am curious, it would seem to me with almost the entire United 
States adopting--each State adopting legislation--wouldn't that 
be incentive enough for companies like Sony and Epsilon 
worrying about their reputation and the civil litigation--I 
mean, why would this occur, based upon 46 States already having 
legislation?
    Mr. Vladeck. Well, I think there are two reasons. One is 
the State laws do not do what you propose, which is to require 
good, underlying security. And to me, one of the key insights 
of your legislation was that we need to do that on a national 
basis. Congress needs to step in and say to people, holding 
companies, holding on to sensitive consumer legislation, Look, 
you need to take reasonable security measures.
    The second is, and as the statistics today have sort of 
driven home, there are an awful lot of data breaches that have 
been made public. I am not sure the reputational hit these 
companies take necessarily is strong enough general incentive 
to make them step up to the plate.
    Time and again, we investigate substantial companies and we 
find very outdated, outmoded, and insecure practices. And so I 
think the proof is in the marketplace. There are still, by my 
measure, way too many breaches, and breaches caused by the kind 
of failures that Dr. Spafford is talking about, failure to 
patch known vulnerabilities. In the Ceridian case, the 
vulnerability there was well known to the company, there were 
free patches available, and the company quickly acknowledged 
that it had been asleep at the switch.
    Mr. Stearns. We had in our legislation, Federal preemption. 
We worked out the language. Jan Schakowsky was the ranking 
member so it was bipartisan.
    How would you change that bill from the 109th Congress, 
coming out of this subcommittee? Would you have Federal 
preemption again in the bill and would you also change it in 
any dramatic way?
    Mr. Vladeck. Well, let me say two things. One is the 
Commission is generally supportive for preemption. That is, the 
Federal standard should be the floor, States should be free if 
they saw fit to provide----
    Mr. Stearns. Because right now in these 46 States, a 
company like Sony could be sued in 46 States.
    Mr. Vladeck. That would be true. I think regardless, but I 
would also point out that the civil cases involving security 
breaches have not fared particularly well.
    But in terms of the bill that emerged last year, we were 
generally supportive, but we would prefer, as Mr. Brookman has 
suggested, to expand the definition of ``harm.'' One concern 
was the definition of harm referred to financial loss or other 
unlawful acts. It would not have covered geolocation data, 
information about health status, or, for example, information 
about children. And we think that the concept of harm needs to 
be broadened to reflect the kinds of breaches that we have seen 
and the kinds of concerns that we think are broadly shared.
    Mr. Stearns. One of the things that I was struggling with 
is: So a corporation sets up a data security officer to do 
that. How do you make sure that that data security officer is 
complying, and is there a frequent way that you could do it? 
And I thought through the free market, you could have something 
like accounting firms that would just on their own, develop to 
say we will come in and do private audits.
    But the question is how much should the government get 
involved to make sure that that data security officer is 
actually complying with Federal Trade Commission requirements; 
because everybody will say--the janitor could be the national 
security officer, the elevator operator. Bingo, we are all 
done. But how do we as legislators and you as the jurisdiction 
ensure that that is actually happening?
    Mr. Vladeck. I mean your auditing illustration is a good 
one. When we put companies under order, we require them to 
develop a very detailed privacy policy to appoint a responsible 
official which we hope has the credentials of a Dr. Spafford 
and not a janitor. And we have outside firms that are qualified 
to do this audit every 2 years to make sure the company is 
living up to its promise.
    And as an enforcement tool, if there is a chief privacy 
officer who is required to ensure the plan is being 
implemented, if there is another breach, I suspect that not 
only would we sue the company but we might sue the responsible 
official. In that case, it would be the chief privacy officer.
    So there are ways of holding people accountable. One of the 
insights of the bill is you need somebody responsible within 
the company. And we think that is very important.
    Mr. Stearns. My time has expired but, Madam Chair, if there 
is somebody else on the panel that would like to comment on my 
questions. Is that possible? Mr. Martinez, Dr. Spafford, Mr. 
Brookman.
    Mrs. Bono Mack. We are going to have a second round to be 
more fair to the more junior members to allow that in the 
second round.
    So the Chair recognizes Mr. Guthrie for 5 minutes.
    Mr. Guthrie. Thank you very much. Thank you for being here 
today on this important hearing and thank you, Madam 
Chairwoman, for holding this.
    This is really to both Mr. Vladeck and Mr. Martinez. The 
core of the problem, is it typically improperly secured 
information from people who are holding the data, or is it the 
criminal networks that are just a step ahead? They figure it 
out. Somebody could be vigilant in what they are doing and 
somebody just figures out a way around their system.
    What are you seeing? Is it just sloppy corporate side, or 
data holders, or is it the other? I know it is probably a 
combination of both. What do you see the most?
    Mr. Martinez. Yes, sir. It is a combination of both. I will 
just real quickly go through some of the statistics on this 
recent study that we just did with Verizon business. Ninety-two 
percent of the attacks were not highly difficult, and 96 
percent of their breaches were avoidable through simple or 
intermediate controls. I think our panel members here have told 
you--have brought up a lot of recommendations. So a lot of 
times it is that some of these security measures that should be 
in place just aren't fully implemented.
    And although we do have criminals that are highly 
sophisticated--and we have seen the amount of attacks due to 
hacking increase--a lot of these attacks, though, could have 
been avoidable had just best practices been applied.
    Mr. Guthrie. So you are saying that 96 percent I know 
essentially could have been avoided if it had been reasonable 
and rigorous?
    Mr. Martinez. Correct.
    Mr. Guthrie. Is that the same?
    Mr. Vladeck. I don't know that I would quantify it that 
way, but many of the breaches that we see are due to laxity or 
just foolishness. For example, we have sued both Rite Aid and 
CVS for taking patient employee records and throwing them into 
unsecured dumpsters. You don't need to be a smart criminal to 
go dumpster diving.
    But we have seen also sophisticated hacks of the kind Mr. 
Martinez is talking about. And in those cases, we do an 
investigation, but we don't pursue civil enforcement because, 
you know, we don't want to be playing ``gotcha.'' This is not a 
strict liability regime.
    Mr. Guthrie. I guess the question is, if you have a 
standard of reasonable and rigorous, and there is somebody 
always getting a step ahead through technology, then you always 
have to update your reasonable rigorous.
    But it sounds like you could eliminate over 90 percent of 
the problems we have had just by having a reasonable policy in 
place.
    I guess you are saying it is being stored. Obviously 
throwing stuff in a dumpster is not reasonable. But you are 
seeing clear differences.
    Mr. Vladeck. But also not applying the patches that the 
company is sending you to fix a known vulnerability, in our 
view that is not any different than leaving the door of the 
vault right open.
    Mr. Guthrie. FTC--and you are doing consumer education, I 
know, as a part of this. But this is a little outside of this, 
but it is a little bit within the realm of what we are talking 
about. The other day I got a phone call: ``This is your bank. 
We have had a problem with your account. Give us your account 
number'' and whatever. Of course, I hung up. But a lot of 
people don't. And this is what Ms. Schakowsky is talking about. 
And particularly I guess he is somebody that I know elderly 
that would--oh, I have got to fix my bank account, and all of a 
sudden there is something.
    Are you focusing on that area? Is that your area? What are 
you doing?
    Mr. Vladeck. Yes and yes.
    You know, we are principally the antifraud agency and that 
is the kind of classic fraud that we are fighting every day. 
And there are an awful lot of people who have taken advantage 
of the economic downturn. People are more vulnerable to fraud 
when they are in financial jeopardy. And there are fraudsters 
that are out in force taking advantage of the most vulnerable. 
And that is what we spend a lot of our time on.
    Mr. Guthrie. If I have a few seconds left, I will go back 
to Mr. Stearns.
    Dr. Spafford, in your testimony you are talking about the 
cost of the breach. I guess my question is, as a business, if 
the cost is going to be so expensive, why wouldn't I invest up 
front? Is the problem that the costs on the business are up 
front, but the cost of the breach is spread out like societal? 
Is that the issue? When you said $214 per breach, that is not 
borne by the company. Is that societal? I think you said $214. 
I didn't write it down.
    Mr. Spafford. The cost was a result of the study that was 
done. And that cost was per record, $214 per record.
    Mr. Guthrie. Cost in the company that allowed the breach to 
happen?
    Mr. Spafford. Yes. To the company. That cost was cost of 
notification, cost of cleanup, cost of outside auditors, legal 
costs.
    Mr. Guthrie. So businesses are not aware of these costs? 
Seems like if I was a business and that was my liability--I 
mean, I am wondering why they are not going in that direction.
    Mr. Spafford. That is correct. The businesses don't realize 
what it is going to cost them.
    Mr. Guthrie. Or they have a known cost here and hopefully 
not another cost there.
    Mr. Spafford. That is correct.
    Mr. Guthrie. Mr. Stearns, I don't know if you got time.
    Mr. Stearns. I thank the gentleman for his courtesy. I will 
wait for the second time around.
    Mrs. Bono Mack. I appreciate that, gentlemen.
    And the chair recognizes Mr. McKinley for 5 minutes.
    Mr. McKinley. Thank you, Madam Chairman.
    I am curious about this whole issue, because I have not 
been a victim that I know of. Have any of you four been victims 
of a breach?
    Mr. Vladeck. Yes.
    Mr. Brookman. Yes
    Mr. Spafford. Yes.
    Mr. Martinez. Yes.
    Mr. McKinley. All four of you.
    How does a company know that it has been breached? Do the 
lights go on?
    I mean, I had a real life before I came to Washington, and 
we had a firm with a hundred employees. Would our IT person 
have seen a breach? Would he have seen something flashing? How 
do we know we were breached? You all keep talking about these 
larger companies. What about the real America, the small 
businesses?
    Mr. Brookman. Before I joined CDT, I worked for the New 
York Attorney General's Office and I worked in the Internet 
Bureau. And in conjunction with the Consumer Fraud Bureau, we 
would get these notifications from smaller companies that said, 
oops, we lost a lot of data. In our experience, a lot of it was 
we lost a computer. Maybe even a half was like someone put 
their computer in their car, and this is not just small 
companies too, this is how the Veterans Affairs famous breach 
happened. Someone put a lot of data in the laptop, left it in 
the back seat of their car with the window open, and someone 
took it. And they don't know. There is a very strong chance in 
that scenario the person wouldn't look for the file and know 
what to do. But the fact of the matter is you have a large 
number of consumer records that are gone now to someone who 
does have access to it, and you don't know how they are being 
used.
    Mr. McKinley. Yes.
    Mr. Spafford. Another possibility is that someone comes in 
in the morning and they discover in the record on their system 
that it has been accessed from an account in Eastern Europe or 
China or South Africa. And that person has downloaded 
megabytes' worth of information off the system, including the 
entire customer database, and that is certainly not someone who 
has legitimate access to the system.
    Mr. McKinley. How do you know they have access?
    Mr. Spafford. Because there is a record of it. There is an 
audit trail of that information.
    Mr. McKinley. Every small company would have that?
    Mr. Spafford. Not every company, but some would. So there 
is a record, and the company, if they turned on that record-- 
or it is possible that a business partner or someone else would 
say we found a copy of your entire customer record on our 
machine, and how did it get here? Somebody must have left it 
here. And so you often discover this because it got out and 
somebody found a copy of it.
    Mr. McKinley. I am still not clear on that. I am going to 
have to live with this a little longer and maybe ask more 
questions every time. I still think what I have heard were a 
lot of larger firms, a lot more records; but smaller firms 
are--I am trying to understand what their point is, because I 
have never--not that I know of, knock on wood--have been 
breached, so I don't know what they are looking for and I don't 
know with our former firm what type of security we have for 
that.
    But I think it was at the end you said something about if 
you have been breached, and the notification that the consumers 
take appropriate action. What is appropriate action? It has 
happened. Are they supposed to get a new credit card or what 
are--what is appropriate action for the 70-year old lady on 
Main Street if somebody notifies her; what action is she 
supposed to take? Do they tell her.
    Mr. Vladeck. Generally the breach notifications do tell her 
what action to take. And our Web site and others provide that 
basic information.
    Mr. McKinley. They are not going to go to your Web site.
    Mr. Vladeck. The breach notification should tell her what 
action to take. So if someone has hacked e-mail addresses, she 
will be alerted that she may get these e-mails from her bank 
asking her to provide account information. These are phishing 
attacks. I don't think they would be described in those 
technical terms. But I think she would be warned if there was 
credit card information--she may be told to look at her account 
information, to engage in credit monitoring where they may be--
or the company might provide credit monitoring for her.
    There are steps people can take to minimize the risk of 
loss. And one point of data notification or breach notification 
is to provide individual notice to every consumer about what 
the appropriate steps that consumers should take to protect his 
or her interest.
    Mr. McKinley. Thank you. Whatever this bill comes out, I 
hope there are some ways to get down to the grassroots level 
how we can deal with this.
    Mrs. Bono Mack. Thank the gentleman.
    Round two, I recognize myself for 5 minutes.
    Dr. Spafford, your testimony supports legislation that 
would apply to all entities that collect personal information, 
including the government. Do you think the government is ahead, 
equal, or behind the private sector in data security practices, 
and what about universities and nonprofits also in that regard?
    Mr. Spafford. I think the government and many nonprofits 
have good security in some places and very poor security in 
others. I have testified at hearings in previous years for 
losses of information at the Veterans Affairs. There was an 
occasion there where it was just mentioned, laptops being lost. 
There have been occasions where databases have been breached, 
even in the military, and information taken. There have also 
been a number of cases where the systems are very well 
protected.
    At universities, some are very well protected, some are 
wide open, and student records are regularly disclosed. 
Charities, businesses, it is across the board. Some are very 
good; some, unfortunately, are not.
    Mrs. Bono Mack. Thank you.
    Mr. Brookman, as the subcommittee knows, we submitted a 
letter to Sony, and we have the responses as of late last 
night. And I looked at them this morning to share something 
with you that they do have in their letter to us.
    We asked them about new security measures. They responded 
they are implementing new security measures that include--they 
have added automated software monitoring and configuration 
management to help defend against new attacks; they have 
enhanced levels of data protection and encryption; they have 
enhanced ability to detect software intrusions in the network. 
And Mr. McKinley was asking, and they have also included in 
that, unauthorized access and unusual activity patterns. But if 
these are just a few of the new safety precautions, my question 
is, given how many consumer records were at risk, why weren't 
these measures in place before?
    Mr. Brookman. I think that is an excellent question. As I 
said in my testimony, it just boggles my mind that they are 
leaving open access to the 2007 database of credit card 
information that apparently they weren't even using. It just 
happened to be a legacy system. This is something the FTC said 
a lot of good things about. A lot of times, it is more 
expensive for a company to go in and erase data than leave it 
lying around.
    We, in talking to the companies, have tried to get them to 
use privacy by design and security by design to build these 
concepts into products from the ground up. But sadly, in so 
many places it is not someone's job to go up and delete legacy 
data.
    I was very interested in the suggestion of Vice Chair 
Blackburn about the idea of an eraser button. I think it is a 
very strong idea. If I have a direct relationship with a 
company and I want to end my relationship, I should be able to 
delete that data. I think it is a very strong idea, recognizing 
Ranking Member Butterfield's idea that it is hard for Congress 
to, say, keep data for so long because it really varies across 
industries. Giving consumers the power to say, Hey, go ahead 
and delete that now I think it is a very good idea.
    Mrs. Bono Mack. Dr. Spafford, you were speaking of the 
vulnerability that was known to many, I guess, via the 
blogosphere somewhere. I am assuming you are speaking about the 
San Diego facility, that some speculate there was a breach, or 
they are saying it was an AT&T service center in San Diego 
where there is a known vulnerability. But if there are known 
vulnerabilities, what do we do with the policy that minimizes 
these sort of physical locations and vulnerabilities?
    And I think my question would be better directed to Mr. 
Martinez or Mr. Vladeck about known vulnerabilities in a system 
and our ability to protect those physical locations that have--
again, known to the bad guys, but it seems we are always sort 
of behind the bad guys in our limits to stop them from what 
they are doing.
    Mr. Martinez. Like I stated earlier, a lot of times what we 
see when we do investigations. And again, this collaborative 
study that we have conducted, what it shows is that 96 percent 
could have been avoidable through simple intermediate controls 
meeting. If there were a hundred servers that the company 
owned, they possibly patched 99 of them but forgot to patch 
that last one. So an instance like that one could create the 
havoc that we see.
    Mrs. Bono Mack. So you are saying it is all corporate 
responsibility at that point, correct?
    Mr. Martinez. What I am saying is no matter the size of the 
company or who it is, you really have to be diligent in your 
systems. It is not about being compliant for that moment. You 
have to maintain that diligence and maintain and monitor your 
system on that constant basis.
    Mrs. Bono Mack. Mr. Vladeck, with my remaining 25 seconds, 
I think it is important you spoke to the concept of harm. And I 
think it is critical, and I think people don't understand what 
it means to have been hacked or have your personal information 
stolen until it has happened.
    You mentioned geolocation, your kids and health records. 
Can you speak a little bit more about the vulnerabilities 
beyond somebody might just buy something on my credit card? I 
think people need to understand what the crimes could be.
    Mr. Vladeck. I don't know whether these would be crimes, 
and that is why we are concerned about the definition that was 
in 221. One harm was other unlawful action. But, for example, 
Eli Lilly, in one of the first cases we did, sent out an e-mail 
blast which associated particular patients with Prozac. Now, 
that is a reputational harm that I think most people would like 
to avoid. They don't know whether Eli Lilly committed a crime. 
But people ought to be notified in those kinds of 
circumstances. It just struck us in CVS and Rite-Aid, they were 
dumping prescription records in dumpsters. People ought to know 
when that happens, even if the act of dumping them is not a 
crime.
    Geolocation data could be used for stalking. It could be 
used for other purposes.
    And so when the committee reexamines this legislation, we 
urge them to take a somewhat broader view of what constitutes 
harm in this area.
    Mrs. Bono Mack. Thank you.
    The chair recognizes Mr. Butterfield for 5 minutes.
    Mr. Butterfield. Thank you.
    Technology evolves rapidly, and what is cutting-edge 
technology today is obsolete tomorrow. The Sony press releases 
have stated that consumers' credit card information was 
encrypted. In addition, Sony stated yesterday in The Hill 
newspaper that passwords were protected using a hash function, 
and described as a shortened version of full encryption.
    The data breach provision in the bill that we passed last 
year established a presumption that no reasonable risk of harm 
exists following a breach if the data is encrypted.
    Dr. Spafford, do you agree or disagree with that?
    Mr. Spafford. Sir, I disagree, because it is possible that 
disclosure could also include the password necessary to decrypt 
those passwords, and that would mean that they could then be 
decrypted and read as well.
    Encryption all by itself is not a solution. It has to be 
such that encrypted material can also not be read.
    Mr. Butterfield. Are there any technologies that you 
believe can be given such a presumption?
    Mr. Spafford. Certainly there are. There are some forms of 
encryption that could be appropriately used if the key material 
is kept separate, for instance. But one has to look at the 
overall risk of whether or not the protected material would be 
disclosed if that material were breached.
    Mr. Butterfield. Of course, encryption has its downside, 
but do you still believe it is the gold standard?
    Mr. Spafford. Some kinds are. Some forms of encryption can 
be broken fairly trivially. Some forms of encryption are fairly 
good and some are not. And some previous versions--in some 
previous versions of legislation that were introduced in this 
committee, we have sent letters about problems with encryption. 
And I would be happy to provide copies of those to you later.
    Mr. Butterfield. Special Agent Martinez, in your testimony 
you describe a strong working relationship with the FBI which, 
you state, works through the National Cyber Investigative Joint 
Task Force to lead the Federal Government's response to online 
national security threats. Now, I imagine that there is some 
fuzziness around cyberthreats to businesses, and that some of 
these could also be threats to national security. That is 
probably part of the reason why there is a task force and why 
your agency is involved. I understand that businesses, not the 
government, own most of the network computer infrastructure. It 
is the private sector that controls and is responsible for vast 
swaths of the network, of the financial system, power 
generation, and our electricity grid.
    Given your experience in dealing with intrusions into 
private sector computing assets, is the private sector doing 
enough to guard the security and integrity of networked 
computers?
    Mr. Martinez. I think there is always more that we can do, 
sir. I think from what you've seen today, from some of the 
testimony today, and from some of the intrusions that we are 
actually discussing, there is still a lot more that needs to be 
done. And I think what is important is that the public sector 
needs to collaborate with the private sector in making sure 
that we improve our security.
    Mr. Butterfield. Would you extend that to the Federal 
Government?
    Mr. Martinez. Yes, and I believe there are already steps 
that have already been taken within the Federal Government to 
do that.
    Mr. Butterfield. Special Agent, in your testimony you also 
described your relationship with the United States Computer 
Emergency Readiness Team. According to your testimony, that 
group defends against cyber intrusions on the dot.gov domain 
and shares information and collaborates with State and local 
governments and industry.
    Insofar as you participate in partnerships and information 
sharing with businesses, can you please describe this 
relationship a bit more?
    Mr. Martinez. Yes. And I think it would be better explained 
by U.S. Serve. They have taken the role of remediation and 
mitigation, so when there is an incident that occurs, a lot of 
times what we will do is we will encourage the private sector 
partners to reach out to U.S. Serve so that they can come up 
with a mitigation plan or best practices and so forth.
    I would say in the last year or so, we have really improved 
our efforts trying to do that, working with U.S. Serve and 
having them take the lead in remediation and mitigation efforts 
after intrusion.
    Mr. Butterfield. All right. Thank you. I yield back.
    Mrs. Bono Mack. The chair recognizes Mr. Stearns for 5 
minutes.
    Mr. Stearns. The gentleman from North Carolina makes a good 
point. When you look across the Federal Government, it is 
almost a sector-by-sector approach in dealing with the 
government. I know serving on the Veterans Affairs, there were 
breaches of huge, in number of veterans, when a computer was 
taken home and the information was breached.
    The staff has pointed out that there are examples for the 
Veterans Affairs, they had the Veterans Affairs Information 
Security Act, but that just applies to the Veterans Affairs. 
You had the Federal Information Security Management Act which, 
again, is sector by sector. So a thing that this committee 
would have to struggle with is also how to go about deciding 
what would apply to the Federal Government.
    Mr. Vladeck, do you think there should be a small business 
exemption for this, because I heard from--a lot of small 
businesses say, I don't want the overlay of a data security 
officer; and how much is this going to cost me? It is more 
regulation.
    So the question is, is there a possibility that a small 
business of, let's say, less than a hundred employees, less 
than 50 employees, there would be sort of a modified approach, 
or do you think the whole thing should apply to them, too.
    Mr. Vladeck. I think we need to separate out the various 
requirements of the legislation. We did not support a small 
business exemption from the data security requirements. We 
thought that----
    Mr. Stearns. That was crucial.
    Mr. Vladeck. That was crucial. What we did support was 
rulemaking for the Commission to determine when small 
businesses should be granted waiver from the provisions 
relating to the payment for monitoring credit reports following 
a breach. And I think that was the objection raised by small 
business at the time. And we favored some flexibility that 
would be determined after a public rulemaking, and perhaps 
exemptions would be authorized pursuant to that rulemaking.
    Mr. Stearns. Dr. Spafford, there is some some talk about 
cloud computing here in the House, and we no longer have our 
servers and hard disks and so forth. If a company moves toward 
cloud computing storage, is that more safe or less safe, in 
your opinion, keeping the servers proprietary and protected?
    Mr. Spafford. It depends on where the cloud storage is and 
how well it is protected, because you are putting your records 
on computing resources that are stored somewhere else and 
protected by someone else. If you have a private cloud, then 
that is within your corporate domain or within Congress here, 
protected here. But if you are using it outsourced, you may not 
even know where it is and how it is protected.
    A concern that I mention in my testimony is that some cloud 
service providers may actually have their storage located 
outside the country. And so if that storage is compromised, we 
have a whole new set of problems, because now that storage is 
now outside----
    Mr. Stearns. We don't really have reciprocity laws with 
countries outside, so it gets more difficult.
    Mr. Spafford. It gets considerably more difficult.
    Mr. Stearns. So if the information is breached, then where 
do people go to sue? I guess you would still go to the holding 
company of the major corporation.
    Mr. Spafford. That is beyond my area of expertise. Mr. 
Brookman or Mr. Martinez or anyone else want to comment on this 
cloud computing?
    Mr. Martinez. Yes, sir. Think of it this way. The crime 
scene now, like Dr. Spafford just said, the crime scene now 
does not become the server farm located at a building in a 
crime scene. Now, part of it could be in the Philippines, part 
of it could be in Mexico, and part of it could be in Los 
Angeles. So it makes it much more difficult for law enforcement 
to take action and obtain that information. Specifically when 
we have to go overseas, now there is a whole other trigger of 
requirements or things we need to do, such as Mitchell legal 
assistance treaties, and the question then becomes do we have 
treaties with countries where some of this information resides?
    Mr. Brookman. I would just say in response to that, I think 
in many cases it may well be the case that a cloud computing 
server will offer better privacy and security for you. 
Especially in the case maybe of the small business who doesn't 
have a technical know-how of how to protect this data or what 
the latest cutting edge in encryption techniques are. I think 
in that scenario, it may well make sense, maybe some marginal 
significant security benefits from using a third-party service 
provider. On the other hand, in the recent news, the Epsilon 
was a third-party provider whose job was knowing how to do mass 
marketing, and obviously it is not a fail-safe.
    Mr. Stearns. Yes.
    Mr. Vladeck. I just wanted to say that we have encountered 
this issue already in our enforcement efforts. And our position 
is that U.S. companies, when they are storing data involving 
U.S. citizens or U.S. transactions, they are responsible to us 
even if the date is stored in a cloud computer offshore. And we 
have made that quite clear.
    We haven't tested in the courts. But we are quite confident 
that we would be able to assert our authority in those kinds of 
instances. I think Mr. Martinez' concerns may be more 
complicated than ours.
    Mr. Stearns. Thank you, Madam Chair.
    Mrs. Bono Mack. Thank you gentleman.
    The chair recognizes Mr. Lance for 5 minutes.
    Mr. Lance. Thank you, Madam Chair. And good morning to the 
panel.
    Dr. Spafford, in its letter to the subcommittee, Sony said 
that it acted with care and caution. And I am wondering if that 
is the case, why wouldn't Sony notify consumers as soon as it 
shut down its network.
    Mr. Spafford. Well, sir, I don't have full access to all of 
the details of what was required for them to gather the 
information as to what happened to determine what individuals 
were involved and what law enforcement needs were involved for 
them to gather evidence before notifying people.
    Certainly they also were in a state where they had to be 
sure that they had closed all of the vulnerabilities before 
notifying individuals, I would assume. And so those factors 
probably introduced a lag into the notification.
    Mr. Lance. Is there anyone else on the panel who might be 
willing to comment on that? I know it is speculative. Is there 
anybody else who would be interested in commenting on that?
    And another area. Agent Martinez, in its letter, Sony also 
says that it believes it has identified how the breach 
occurred. From your perspective and your expertise, why do law 
enforcement officials need a window of opportunity, so to 
speak, to investigate a data breach before consumers are 
notified?
    Mr. Martinez. Sir, I can't speak specifics to the Sony. I 
can tell you based on our experience in previous cases, there 
could be times where, through an operation that we are actually 
conducting an active investigation, we actually are the ones 
who find the breach and report it to the company. So in certain 
instances, we work with the company, and a lot of States have 
enacted the delay in notification for law enforcement purposes, 
because what we don't want to have happen is something the 
company does could impact the investigation and then possibly 
hurt the investigation and not allow us to apprehend the 
individual.
    But what we always do is work with these companies. And in 
instances where we do need some form of delay in notification, 
we try to minimize that as much as possible so the company can 
make the notification it needs.
    Mr. Lance. I yield back the balance of my time to you, 
Madam Chair.
    Mrs. Bono Mack. I thank the gentleman. I will graciously 
take you up on your 2-minute and 30-second offer.
    Mr. Dingell is on his way down here, and I would like to 
ask questions until he gets here, so he can participate.
    But I want to say this has been a very insightful hearing. 
And each member has brought up I think different complexities 
in understanding how they see these problems.
    Ms. Schakowsky, when she specifically brought up the threat 
to seniors, I hadn't thought about that. The Sony Play Station, 
we all thought about perhaps a little bit younger generation 
and the risks to them. And I want to reiterate, although she is 
not here, I will continue to work with her and explore the 
senior angle, and with the FTC as well.
    And I want the thank and congratulate the members who have 
worked on this legislation previously, and certainly we have 
come a long way. 2005, I don't know many people were talking 
about cloud computing, and yet we are today.
    So I think understanding briefly the cloud, the FTC will 
have the authority to go out at servers that are based 
offshore. But do we also risk over-legislating in sending more 
offshore if we are not careful?
    I will go to either Mr. Martinez or Mr. Vladeck.
    Mr. Vladeck. I don't think, frankly, this legislation is 
going to affect cloud computing. I think companies are 
migrating to the cloud. I think servers are networked to the 
point where the physical location of the server is much less 
important than the kind of security it provides. And the legal 
regimes I think will adapt.
    So we have not gotten pushback from companies that we have 
investigated where there was an issue about whether the data 
was physically within the United States territory or not.
    In Ciridian, Ciridian is a global company. And we ended up 
settling the case in a way that makes it crystal clear that its 
accounts for U.S. companies or for other companies that are 
employing people in the United States are covered, regardless 
of where physically the computer may be, where the server may 
be.
    Mrs. Bono Mack. Thank you. Briefly. I just had a great 
question.
    Dr. Cassidy, do you have a question immediately for the 
panel?
    Mr. Cassidy. I do.
    Mrs. Bono Mack. The chair recognizes Dr. Cassidy for 5 
minutes.
    Mr. Cassidy. I don't know quite who asked this. I was in 
another committee hearing, so I apologize if somebody has 
already answered this.
    Let me start with Mr. Brookman. Mr. Brookman, I am driving 
to my in-laws. There is a wreck; pop open my cell phone, and it 
tells me the congestion on the freeway. It is pretty 
impressive. Then I read an article--to show how broad-minded I 
am--on MSNBC's Web site about how this location data is 
apparently stored forever. I am sitting there thinking, well, 
that is great, I can see where I am at any given time, and if 
there is a red zone up ahead and I need to get off on a side 
road. On the other hand, why should whomever, Google or Apple, 
keep this forever? What thoughts do you have?
    Mr. Brookman. There are definitely wonderful secondary uses 
of location data that Google and Apple all use this for. I 
think the map example is a great example. There are ways to do 
that that are not privacy-invasive. They have to remember that 
it is me for a little bit, so they have to see it is my car 
stopped on the Beltway, moving 5 miles per hour. But they can 
forget that after an hour, and there are things they can do to 
not have to remember that it is me, my entire life.
    I think the recent Apple story about storing location 
information up to a year resident on your phone, for what seems 
to be a marginal performance improvement and to increase 
battery life, I think it is a great example of maybe not 
thinking through privacy by design. And the concept from the 
beginning, this engineer thought, Hey, it would be a great idea 
if you had all of the cell towers that are nearby you stored in 
the phone, so if--instead of checking back to Apple to say, 
Where am I, you can check back to your phone, not really 
thinking this is kind of a permanent log of everywhere I have 
been in the last year, that I might not want someone like a 
hacker or someone to get their hands on.
    I think a lot of companies have taken the idea of location 
permission seriously, so I am glad that Android and Google and 
Microsoft and RIM phones, they do ask, Hey, is it cool to use 
your location right now? I still think they are working through 
some of the secondary usage issues because you can create 
really detailed logs about people in ways they would not 
expect.
    Mr. Cassidy. OK. Now I am insensitive to it, and I am 
looking at my phone and I am logging onto a map, and there pops 
up that sort of, you know, ``Click here after you have read 
16,000 pages of legalese to proceed.'' But this time I actually 
read a little bit of it. And this is totally optional, and all 
I was doing was giving them permission to store my data. Sure, 
it gives them the patina, the fig leaf of being careful about 
my data, but in reality it was a trick. I was thinking that 
this is, you know-- I am not going to, whatever, rip-off their 
copyright, but indeed it was, no, we can sacrifice your 
privacy.
    So what kind of protections? Put it this way. I am just 
coming across this because I am driving in Mobile, Alabama. But 
I am assuming the people on the Commission have thought about 
this. What is the best way to address this?
    Mr. Vladeck. There are two responses. One, for the purposes 
of data security, we have already discussed what we think would 
be an important amendment to the prior legislation, which is to 
talk about geolocation data, the disclosure of geolocation data 
as a result of a breach, as a harm that would trigger the 
notification requirements. Because if your geolocation data 
where you have been for the last 2 years----
    Mr. Cassidy. Which, by the way, I am not defensive of, just 
to be sure of that.
    Mr. Vladeck. No implication at all. You ought to be 
notified of that.
    Mr. Cassidy. Do we need legislation that says, Thou shalt 
not keep this beyond X number days?
    Mr. Vladeck. The Commission is very concerned about 
geolocation data. We are engaged in it--for example, the review 
of the Children's On-Line Privacy Protection Act. And one 
question that we have asked is how should we treat geolocation 
data? In our private report issued in December, we made clear 
that we viewed geolocation data as sensitive data that requires 
heightened protections.
    Mr. Cassidy. But my specific question is, should we have a 
rule or a law that says, Thou shalt not keep this beyond X-
number of days?
    Mr. Vladeck. The Commission has not taken a formal position 
on that, other than to underscore the sensitivity of that data, 
and I can't--
    Mr. Cassidy. What would be an argument against? I was only 
aware of it because I stumbled across a Web site I don't 
normally read.
    Mr. Vladeck. Part of our concern of course is the notice 
and consent in ``scare quotes'' that is extracted in the kind 
of situation that you are talking about is not significant, is 
not substantial. We are worried about those.
    Mr. Cassidy. So, again, I guess, what is the argument 
against that? I am asking anybody.
    Mr. Vladeck. I think there would be two arguments. One is 
functionality. The data is being retained really to enhance the 
functionality----
    Mr. Cassidy. Although Mr. Brookman suggests that that is a 
short-term functionality benefit.
    Mr. Vladeck. That is correct. But I am making the arguments 
on the other side. Not my arguments.
    So the argument is, one is functionality. The other is it 
helps their analytics. They help to protect the kind of 
services----
    Mr. Cassidy. Precisely my point.
    Mr. Vladeck. I am not disagreeing with you. You asked that 
I at least rehearse the arguments that you will hear. And those 
are the two basic arguments that you will hear.
    Mr. Brookman. I think there are cases where it may be 
reasoned. I am always scared about proscribing a law, like you 
must delete after a certain period of time. But there are uses 
of data where it might be reasonable for it to be tied to me 
for a period of time. If I have a traffic program on my 
computer and I want my computer to--my phone to remember where 
I go, to give me the optimized directions, that could be a 
legitimate use of my data. People use these programs like 
foursquare and looped, and places to check into places to maybe 
overshare, but to create a very permanent log of all of the 
places they have been. Some people like that.
    I think I have used a similar Trip Advisor feature that 
says, Hey, I have been to this place and that place and I have 
checked in through my phone.
    I think it depends on the usage. If you really do want to 
create a Hey, this is where I have been, to tell the world, I 
don't necessarily want to get in the way of that and tell 
people they can't do it.
    Mr. Cassidy. So perhaps the solution is to be a little bit 
less tricky in terms of the do we have your permission, and so 
it is clear, to record your data for in perpetuity by clicking 
here.
    Mr. Brookman. I absolutely agree with that, that you should 
be very clear about the usage you are taking their data for. 
And before you share it to another person, you should be very 
clear in getting permission for that as well, and not just 
buried on paragraph 40, the terms of service, but up front in a 
clear way. FCC has done some great writing on what it means.
    Mrs. Bono Mack. The chair recognizes Mr. Dingell for 5 
minutes.
    Mr. Dingell. I thank you for your courtesy and commend you 
for holding this hearing. I particularly appreciate your 
keeping the hearing open for me.
    To all witnesses this will be a ``yes'' or ``no'' answer, 
starting on your right and on my left.
    First of all, sir, do you believe the current industry 
efforts with respect to ensuring data security are sufficient? 
Yes or no.
    Mr. Vladeck. I would say no.
    Mr. Martinez. I would say no.
    Mr. Spafford. No.
    Mr. Brookman. No.
    Mr. Dingell. Members of the panel, again to all witnesses, 
can such efforts be improved or do you believe that the 
Congress should pass comprehensive security legislation? First 
question is, can efforts be improved? And the second one is, 
should the Congress pass comprehensive security data, data 
security legislation?
    Mr. Vladeck. Yes, as to both parts of the question.
    Mr. Dingell. Sir?
    Mr. Martinez. Yes to both.
    Mr. Dingell. Sir?
    Mr. Spafford. Yes to both
    Mr. Dingell. Sir.
    Mr. Brookman. Yes to both, if legislation is strong enough.
    Mr. Dingell. Gentlemen, you are being very patient. We have 
a lot to get across in very limited amount of time so your 
courtesy is very much appreciated.
    Gentlemen, I understand that the comprehensive data 
security requirements do not at this time exist in the United 
States. Rather, there exists a patchwork of Federal and State 
law and regulations that impose varying requirements on 
different people. Should Federal data security requirements 
supersede State requirements; yes or no.
    Mr. Vladeck. I can't use a yes or no. Yes, to the extent 
they are not as substantial as Federal requirements, they 
should be at least the floor.
    Mr. Dingell. Sir?
    Mr. Martinez. Sir, I believe there should be a national 
standard for data breach reporting.
    Mr. Dingell. Sir?
    Mr. Spafford. Without knowing what the standards are, I 
can't answer.
    Mr. Dingell. Sir?
    Mr. Brookman. If they are strong enough to allow for State 
innovation, yes.
    Mr. Dingell. Would I be fair in assuming, however, that the 
panel thinks that we need a lot of work to assure that we 
achieve the standards needed of a national character? Am I 
correct on that, sir?
    Mr. Vladeck. Yes, sir.
    Mr. Dingell. Sir?
    Mr. Martinez. Sir, I think there has been a lot of work for 
several years on multiple different types of data breach on 
legislation introduced in all different types of committees, 
and I believe the administration is real close to presenting to 
Congress a package that was worked on by multiple executive 
agencies.
    Mr. Dingell. Thank you. I believe I have given you a little 
more friendly question this time, sir.
    Mr. Spafford. Yes.
    Mr. Dingell. Sir?
    Mr. Brookman. Yes.
    Mr. Dingell. Gentlemen, this is always a question we run 
into. Further, in the light of Federal fiscal constraints, 
should State attorneys general be allowed to enforce Federal 
data security requirements; yes or no?
    Mr. Vladeck. Yes.
    Mr. Martinez. Can you repeat the question?
    Mr. Dingell. Should Federal fiscal restraints be able to be 
enforced by State attorneys general?
    Mr. Martinez. I am not sure about if I am qualified to 
answer that.
    Mr. Dingell. I will not press you on it.
    Sir?
    Mr. Spafford. I am not sure if I am qualified to answer 
that, but I think so.
    Mr. Dingell. Sir?
    Mr. Brookman. Absolutely.
    Mr. Dingell. All again, gentlemen, do you believe that the 
Federal data security legislation should include the 
flexibility for the Federal Trade Commission to update 
requirements in order to keep pace with the advancements in 
threats to data security; yes or no?
    Mr. Vladeck. Yes.
    Mr. Dingell. Sir?
    Mr. Martinez. Yes.
    Mr. Dingell. Sir?
    Mr. Spafford. Yes.
    Mr. Dingell. Sir?
    Mr. Brookman. Yes.
    Mr. Dingell. This one to Mr. Vladeck. Do you believe the 
FTC's Magnuson-Moss rulemaking procedures would stifle the 
Commission's ability to write rules that keep pace with 
technical advancements in threats to data security; yes or no?
    Mr. Vladeck. Yes.
    Mr. Dingell. Again, Mr. Vladeck, do you want to give a 
comment? Do you believe that the FTC should be allowed to write 
data security regulations according to the Administrative 
Procedure Act? You will understand that there is quite a 
difference between the two standards for rule writing.
    Mr. Vladeck. Yes, I do. And yes, to the extent we are given 
rulemaking authority, we would ask strongly that it be 
conferred under the Administrative Procedure Act.
    Mr. Dingell. Thank you. To all witnesses, does the Federal 
Trade Commission currently have the resources with which to 
implement and enforce comprehensive data security requirements; 
yes or no?
    Mr. Vladeck, if you please.
    Mr. Vladeck. We always need more resources.
    Mr. Dingell. If you please, sir.
    Mr. Martinez. I would defer to the FTC regarding the 
resources.
    Mr. Dingell. A wise move.
    Mr. Spafford. I do not, no.
    Mr. Dingell. If you please, sir.
    Mr. Brookman. They could do it, but they could use more.
    Mr. Dingell. To all witnesses who have demonstrated 
extraordinary patience here, if you felt no, in that case what 
additional authorization would the FTC require to enforce such 
data security requirements? It would be perfectly appropriate 
if you were to submit this for the record at a future and 
comfortable time.
    Mr. Vladeck. We currently have a relatively small staff 
working on privacy issues relative to other agencies, but it is 
an important part of our mission, and we are a small agency 
which would benefit greatly from having enhanced resources in 
this area.
    Mr. Dingell. Mr. Martinez?
    Mr. Martinez. Again, I would defer to the FTC.
    Mr. Dingell. Doctor?
    Mr. Spafford. I would defer to the FTC.
    Mr. Dingell. And the last witness?
    Mr. Brookman. Larger staff and penalty authority and 
definitely APA rulemaking would be tempered.
    Mr. Dingell. Gentlemen, you have been most patient. Madam 
Chairman, you have given me a minute and 34 seconds more than I 
am entitled to.
    Mrs. Bono Mack. I thank the gentleman, and I am quite 
impressed with his ability to pack a wallop in 5 minutes with 
so many yeses and noes.
    I ask unanimous consent to include the Sony and Epsilon 
correspondence in the record of this hearing. Without 
objection, so ordered.
    [The information follows:]



    Mrs. Bono Mack. And I just want to sum up by saying that 
prior to 2005, we didn't spend a whole lot of time as a Nation 
talking about the dangers of data breaches. Things have sure 
changed in a hurry. We have gone from a stolen laptop 
containing 260,000 customers' records to a sophisticated 
criminal cyber attack on a worldwide network containing more 
than 100 million customer records. And this begs the important 
question, if we don't do something soon, what is next and where 
does it end?
    So I would like to remind members that they have 10 
business days to submit questions for the record and ask the 
witnesses to please respond promptly to any questions they 
receive.
    Mrs. Bono Mack. Again, I thank our witnesses very much for 
your help today. And the hearing is now adjourned.
    [Whereupon, at 11:30 a.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]