Protecting Personal Consumer Information from Cyber Attacks and Data Breaches
1:45 PM, Russell Senate Office Building 253
WASHINGTON, D.C. — The U.S. Senate Committee on Commerce, Science, and Transportation will hold a hearing on Wednesday, March 26, 2014 at 1:45 p.m. titled “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches”. The recent high-profile data breach at Target, and less-reported breaches at entities such as Neiman Marcus, White Lodging, Snapchat, and the University of Maryland, have highlighted the need to improve our protection of consumer data. Databases populated with sensitive information about large numbers of American consumers have been prime targets for cyber thieves for a number of years. This hearing will examine the risks these recent data breaches pose for consumers, the current lack of federal data security protections, and several data security bills pending before the Senate Commerce Committee that would establish such federal standards.
Please note the hearing will be webcast live via the Senate Commerce Committee website. Refresh the Commerce Committee homepage 10 minutes prior to the scheduled start time to automatically begin streaming the webcast.
Individuals with disabilities who require an auxiliary aid or service, including closed captioning service for the webcast hearing, should contact Stephanie Gamache at 202-224-5511 at least three business days in advance of the hearing date.
###
Majority Statement
Senator John D. (Jay) Rockefeller IV
Chairman, U.S. Senate Committee on Commerce, Science, and Transportation
We now live in the era of “Big Data”. Whether we like it or not, companies are regularly collecting reams of information about us as we go about our daily lives. They are tracking us as we visit Web sites, as we are walking around stores, and as we purchase products. While some of the information may be mundane, some of it can be highly sensitive, including very specific details about our finances and our health status.
I think we can all agree that if Target – or any other company – is going to collect detailed information about its customers, they need to do everything possible to protect it from identity thieves. It is now well known that Target fell far short of doing this. Last November and December, cyber thieves were able to infect their credit card payment terminals with malicious software, loot their computer servers, and access a staggering amount of consumer information, which they could pick and choose from, and sell for a profit.
There has been a lot of anxiety lately about what kind of information the federal government may be collecting about American citizens, as part of the efforts to protect our country from the ongoing terrorist threat. But the truth is that private companies like Target hold vastly larger amounts of sensitive information about us than the government does. And they spend much less time and money protecting their sensitive data than the government does. We learned yesterday that federal agents notified more than 3,000 companies last year that their computer systems had been hacked. I am certain there are many more breaches we never hear about.
Target is going to tell us today that they take data security very seriously, and that they followed their industry’s data security standards – but the fact remains, it wasn’t enough. The credit card numbers of 40 million people, and the email addresses of nearly 70 million people, were potentially stolen under their watch. My staff has carefully analyzed what we know at this point about the Target breach. In a new report, they identify many precise opportunities Target had to prevent this cyberattack. I ask unanimous consent to insert this staff report in the record of this hearing.
It is increasingly frustrating to me that organizations are resisting the need to invest in their security systems. Target must be a clarion call to businesses, both large and small, that it’s time to invest in some changes.
While I am disappointed that many companies have failed to take responsibility for their data security weaknesses, I am just as disappointed by Congress’s failure to create federal standards for protecting consumer information. Recently, I put forth legislation that builds on the long, well-established history of the Federal Trade Commission and state attorneys general in protecting consumers from data breaches. The bill would set forth strong, federal consumer data security and breach notification standards by:
- Directing the FTC to circulate rules requiring companies to adopt reasonable, but strong, security protocols.
- Requiring companies to notify affected consumers in the wake of a breach.
- Authorizing both the FTC and state attorneys general to seek civil penalties for violations of the law.
For nearly a decade, we’ve had major data breaches at companies both large and small. Millions of consumers have suffered the consequences. While Congress deserves its share of the blame for inaction, I am increasingly frustrated by industry’s disingenuous attempts at negotiations.
This is my message to industry today. It’s time to come to the table. Be willing to compromise. While I’m willing to hear their concerns about my legislation – or any other legislation – I’m not willing to forfeit the basic protections American consumers have a right to count on.
Finally, I would be remiss if I did not publicly note that representatives from the company Snapchat declined my invitation to testify today. When people refuse to testify in front of this Committee, instinct tells me they are hiding something. In this instance, on this subject, I think it warrants closer scrutiny.
###
Minority Statement
Senator John R. Thune
Ranking Member, U.S. Senate Committee on Commerce, Science, and Transportation
WASHINGTON, D.C. — U.S. Senator John Thune (R-SD), Ranking Member of the Senate Committee on Commerce, Science, and Transportation, will submit for the record the following prepared remarks at today’s “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches” full committee hearing:
Thank you, Chairman Rockefeller, for holding this afternoon’s hearing on data breaches and protecting consumer information. Protecting consumers from identity theft, fraud, and financial harm is certainly a goal that all of us on this committee share.
I am glad that representatives from Target and the University of Maryland accepted our invitation to be here today to tell us of their recent and well-publicized breaches. While the forensic investigations into these incidents are still ongoing, it is clear that millions of individuals have unfortunately been affected. I look forward to hearing about what lessons Target and the University of Maryland have learned from these breaches and what additional steps they are taking to prevent them in the future and to better safeguard individuals’ personal information.
Yet data breaches clearly are not unique to Target and the University of Maryland. A data breach report from Verizon found there were more than 600 confirmed data breach disclosures among private and government entities and at least 44 million compromised records in 2012 alone.
While we are here today primarily to discuss data breaches in the private sector, we can’t forget that the U.S. government also holds immense amounts of consumer financial data and personal information. It is estimated that the federal government spent more than $14.6 billion on IT security in fiscal year 2012, but it is not immune to cyber attacks and data breaches. In 2012, federal agencies reported more than 22,000 data breach incidents – a number that is more than double what was reported in 2009.
In addition, a recent report by the Government Accountability Office – the government’s watchdog – identified several instances where federal agencies failed to notify affected individuals, even when the breach was determined to have a high risk of harm.
Breaches of personal information can affect individuals in many ways, ranging from the inconvenience of having a credit card replaced, to the harm of identity theft where a criminal runs up large debts or commits crimes in the victim’s name. When there is risk of real harm stemming from a breach, we need to make sure that consumers have the information they need to protect themselves.
That is why I support a uniform federal breach notification standard to replace the patchwork of laws in 46 states and the District of Columbia. A single federal standard would ensure all consumers are treated the same with regard to notification of data breaches that might cause them harm. Such a standard would also provide consistency and certainty regarding timely notification practices, which benefits both consumers and businesses.
I also want to ensure that businesses appropriately secure information and are not burdened by outdated or ill-suited security requirements, but rather are provided with the flexibility to develop effective and innovative tools to secure the information they are entrusted to protect.
For these reasons, I cosponsored S. 1193, the Data Security and Breach Notification Act of 2013, with Senator Toomey and a number of my colleagues on the Committee. This bill would require companies possessing personal data to notify consumers in a timely manner if their information has been unlawfully taken.
Mr. Chairman, I know you have also introduced legislation on this topic, and I look forward to working with you and our colleagues as we consider how best to promote the security of personal consumer information and ensure appropriate breach notification.
Of course, we should acknowledge that this issue is not a new one. The committee reported data breach legislation in 2005, and again in 2007, but finding broad agreement on the path forward has proven difficult. We should heed the testimony of Mr. Wagner and not allow the perfect to become the enemy of the good.
Our recent experience advancing legislation on the role of the National Institute of Standards and Technology in the identification of voluntary best practices and standards for cybersecurity gives me reason for optimism. And I was pleased to see that several of the witnesses today have highlighted the good work done by the National Institute of Standards and Technology in this regard.
As we’ve noted in the past, legislation is also needed to enhance information sharing of cyber threats, with liability protections. While not every data breach occurs because of a cyber attack, timely information sharing of cyber threats is key to preventing and responding to cyber attacks – whether it is a breach of consumer data, theft of intellectual property, or an attack on critical infrastructure.
So, I look forward to learning more about the new partnership between the merchant and financial associations that will focus on sharing more information on cyber threats and improving technology to protect consumers. I also hope Visa and Target can elaborate on the work they are doing to identify and prevent payment card fraud resulting from the recent breach, so that the payment system is more secure and consumers are better protected.
I also look forward to hearing from Chairwoman Ramirez of the Federal Trade Commission about the work the agency is doing on enforcement and education to protect consumers from identity theft and fraud. I also know that the Secret Service and the Federal Bureau of Investigation, in partnership with industry and government partners, are working hard to detect and prosecute cybercriminals and fraudsters. So, I hope our witnesses can share their experiences – good or bad – working with federal agencies on our shared goal of safeguarding consumers’ personal information.
Thank you again, Mr. Chairman, for holding this hearing, and I look forward to hearing from our witnesses.
###
Testimony
- The Honorable Edith Ramirez, Chairwoman, Federal Trade Commission (testimony, 152.40 KB)
- Mr. John J. Mulligan, Vice President and Chief Financial Officer, Target Corporation (testimony, 100.32 KB)
- Dr. Wallace D. Loh, President, University of Maryland (testimony, 215.73 KB)
- Mr. David Wagner, President, Entrust, Inc. (testimony, 484.89 KB)
- Mr. Peter J. Beshar, Executive Vice President and General Counsel, Marsh & McLennan (testimony, 38.85 KB)
- Ms. Ellen Richey, Chief Enterprise Risk Officer, Visa Inc. (testimony, 42.85 KB)