John Hickenlooper Leads Senate Commerce Committee Hearing On Data Security
The Senate Commerce Committee holds a hearing on data security.
Fuel your success with Forbes. Gain unlimited access to premium journalism, including breaking news, groundbreaking in-depth reported stories, daily digests and more. Plus, members get a front-row seat at members-only events with leading thinkers and doers, access to premium video that can help you get ahead, an ad-light experience, early access to select products including NFT drops and more:
https://account.forbes.com/membership/?utm_source=youtube&utm_medium=display&utm_campaign=growth_non-sub_paid_subscribe_ytdescript
Stay Connected
Forbes on Facebook: http://fb.com/forbes
Forbes Video on Twitter: http://www.twitter.com/forbes
Forbes Video on Instagram: http://instagram.com/forbes
More From Forbes: http://forbes.com
Transcript
00:00:00 We're at a pivotal moment in the age of technologies that rely on increasing amounts of consumer
00:00:07 data.
00:00:08 Obviously, artificial intelligence has gotten the lion's share of publicity, but that's
00:00:13 nowhere near the limit.
00:00:16 Businesses collect or process data ranging from personally identifiable information—name,
00:00:25 address, likeness, they say in college these days—obviously sensitive data, physical
00:00:32 locations, browsing history.
00:00:35 The threats to consumers' data that companies face are complex and in almost every way daunting.
00:00:44 As companies collect more data, they become more attractive targets for data breaches.
00:00:53 And by that I mean criminal activity.
00:00:56 Each breach costs companies nearly $4.2 million per incident, and consumers shoulder the financial
00:01:04 burden and the reputational harm of each incident.
00:01:08 How many more consumers need to be victims of identity theft for us to take action?
00:01:13 How much longer should we allow personal data to be sold on the dark web for profit?
00:01:18 When will cyber criminals be stopped, or at least deterred, from preying on our data?
00:01:26 These data breaches hurt small businesses, large corporations, and everything in between.
00:01:33 In 2023 alone, there were 3,205 data breaches in the U.S.
00:01:38 That's what we know of, that were reported.
00:01:41 353,000 individuals were severely impacted.
00:01:45 10% of publicly traded companies reported a data breach impacting in total 143 million individuals.
00:01:56 These data breaches could have devastating effects.
00:02:01 A nationwide wireless carrier's data breach exposed the data of 70 million customers.
00:02:08 A large health insurer saw their system grind to a halt, which delayed important health
00:02:19 care payments and exposed critical health data.
00:02:22 This is why we need strong requirements for how companies collect and protect our data
00:02:28 by conducting routine risk assessments and establishing strong internal and external
00:02:33 safeguards for data.
00:02:36 We need a strong national privacy standard that includes data minimization and data security.
00:02:44 Data minimization establishes specific categories to turn off the spigot, as it were, of data
00:02:53 that companies collect from consumers.
00:02:58 The companies aren't just collecting everything they can.
00:03:03 Data security establishes clear requirements for how companies should safeguard the data
00:03:07 that they do collect, so breaches are less common.
00:03:10 We need to give consumers meaningful control over how their data is used.
00:03:15 This will restore consumers' confidence in the technology that powers our economy.
00:03:19 I think states clearly are not waiting for the federal government to act.
00:03:25 Already 16 states, including Colorado, have passed or are in the process of passing their
00:03:29 own state privacy laws.
00:03:32 Other states are talking about it.
00:03:36 There are lessons we can learn from these state laws.
00:03:39 For example, Colorado's law has a temporary right to cure for businesses to comply or
00:03:44 adapt to privacy requirements.
00:03:46 There are also areas where the federal government has to step in to issue rules and apply enforcement.
00:03:53 Consistent definitions for key terms, like sensitive data, are to issue nationwide rules.
00:04:00 The draft American Privacy Rights Act is an important bipartisan compromise framework
00:04:05 for Congress to build upon.
00:04:07 I commend Chair Cantwell and Chair McMorris Rodgers in the House for their efforts to bring this
00:04:12 proposal forward.
00:04:15 We're committed here to listening to all perspectives on data minimization and data security.
00:04:21 Minimization and security are obviously interconnected, interrelated.
00:04:26 Together they represent the foundation of a strong data privacy framework on which we
00:04:30 can build.
00:04:31 We have an opportunity right now and an obligation right now to build meaningful bipartisan consensus
00:04:38 around these complex issues.
00:04:40 That's why I look forward to the hearing today with each of our witnesses.
00:04:45 I'd like to welcome each of our witnesses who are joining us today.
00:04:49 James Lee, Chief Operating Officer from Identity Theft Resource Center.
00:04:53 Sam Kaplan, who's the Assistant General Counsel of Palo Alto Networks.
00:04:59 Prem Trivedi, Policy Director for New America's Open Technology Institute.
00:05:06 And Jake Parker, Senior Director of Security Industry Association.
00:05:10 I now recognize our ranking member, our Vice Chair, Senator Blackburn, for her opening
00:05:19 remarks.
00:05:20 Thank you so much, Mr. Chairman, and welcome to each of you.
00:05:24 And apologies for people kind of coming and going.
00:05:27 We had a 2:30 vote that ended up getting called.
00:05:31 But I am so pleased.
00:05:33 I know Chair Cantwell and Ranking Member Cruz are on the floor right now, but I am appreciative
00:05:41 that Chair Cantwell has brought privacy back into focus.
00:05:46 And I've worked for over a decade for Congress to take an action in this area.
00:05:56 And when Senator Welch and I were each on the House Energy and Commerce Committee in
00:06:03 2012, we brought forward the Data Security and Breach Notification Bill.
00:06:08 It was the first of the privacy and data security bills, and it was bipartisan.
00:06:16 It would take steps to protect the security of data there from businesses.
00:06:24 It would have required consumer data breach notifications and allowed the FTC and State
00:06:31 Attorneys General to hold companies accountable for violations of the law.
00:06:38 So that is where we were in 2012.
00:06:43 And as we now know, this issue, since it hasn't been addressed and it hasn't been resolved,
00:06:51 it is growing more and more urgent every single day for an action to be taken.
00:06:58 The need for the swift adoption of smart and effective data privacy and security legislation
00:07:05 is pressing for several reasons.
00:07:08 First, China and other bad actors are not slowing down.
00:07:14 Now, FBI Director Christopher Wray was before us at a Judiciary Committee meeting, and he
00:07:23 said something pretty significant.
00:07:25 He said, "If you are an American adult, it is more likely than not that China has stolen
00:07:32 your personal data."
00:07:35 And he also said, "China's vast hacking program is the world's largest, and they have stolen
00:07:41 more Americans' personal and business data than every other country combined."
00:07:50 We need to be paying attention to this.
00:07:52 This threat is especially magnified as China seeks to become the world leader in artificial
00:07:59 intelligence by the time we get to 2030.
00:08:03 China plans for AI to power its vast surveillance state, and data collection and retention is
00:08:13 at the heart of their strategy.
00:08:16 At the same time as AI technology becomes increasingly intertwined in our daily lives
00:08:23 here in the U.S., consumers have valid questions about how their data is going to be used to
00:08:31 train these large language models and AI applications.
00:08:38 I hope today that we will discuss why we need federal privacy and security legislation to
00:08:46 combat these threats.
00:08:49 Second, Congress has passed the point where we risk ceding our authority to both states
00:08:55 and other countries.
00:08:57 As we all know, state governments are quickly enacting privacy laws, creating a patchwork
00:09:05 of regulatory headaches for our businesses.
00:09:09 Fifteen such laws exist, including Tennessee and Colorado.
00:09:16 And the Europeans have also beaten us to the punch.
00:09:19 Several years ago, they did GDPR.
00:09:22 They are now using GDPR as the foundation for regulating AI.
00:09:29 Yet we can use the EU as something of a cautionary tale about the need to make our regulation
00:09:36 smart and effective.
00:09:38 I visited the EU to work on this issue last year, and I heard stories from one of their
00:09:45 data protection authorities about how they've been asked to resolve disputes over bank accounts
00:09:53 after a couple divorced or to resolve a dispute between neighbors about the location of an
00:10:02 antenna.
00:10:03 So let's be smart.
00:10:04 Let's not make these same mistakes, and let's not overreach.
00:10:08 We know our friends, the Europeans, always have a heavier-handed approach, which makes
00:10:15 it even more imperative that we act in a thoughtful manner.
00:10:21 Moreover, without congressional action, the FTC will proceed ahead with its commercial surveillance
00:10:29 and data security rulemaking, which it launched in 2022 without congressional authority and
00:10:37 directive.
00:10:38 Congress should be setting these rules, not unelected bureaucrats.
00:10:44 Finally, while this hearing will likely feature much discussion on concepts like data minimization
00:10:50 and other data security practices, we must not forget about the cybersecurity threats
00:10:56 posed by new and emerging technologies.
00:11:00 One area of great interest to Tennessee are quantum technologies.
00:11:05 Through methods like Harvest Now and Decrypt Later, once bad actors steal encrypted data
00:11:13 today, nothing can stop them from decrypting your data tomorrow with quantum technology.
00:11:21 That is why this committee must move quickly to examine this technology and reauthorize
00:11:28 the National Quantum Initiative Act.
00:11:31 I would love to work on this with our chairwoman and the team here at the committee.
00:11:39 Tennessee is a leader in financial innovation in technologies like quantum computing, and
00:11:45 the Oak Ridge National Lab is at the forefront of basic and applied science research.
00:11:52 When I speak with people in this state, they ask me how we can best tackle privacy and
00:12:00 data security issues while also continuing to allow innovation to flourish.
00:12:07 This committee must be thoughtful in our approach, but also mindful of the realities the congressional
00:12:15 calendar imposes.
00:12:17 I look forward to our discussion today, and I so appreciate the testimony from each of
00:12:22 you.
00:12:23 Thank you, Mr. Chairman.
00:12:24 Great.
00:12:25 Now we'll hear the opening remarks from each of our witnesses.
00:12:31 The term "witness" gives a false sense of, I don't know, insecurity, perhaps, these days.
00:12:41 Anyway, we'll start with James Lee, who's Chief Operating Officer, Identity Theft Resource
00:12:45 Center.
00:12:46 Thank you, Mr. Chairman, Ranking Member Blackburn.
00:12:48 I am James Lee.
00:12:49 I am the Chief Operating Officer of the Identity Theft Resource Center.
00:12:53 I'll refer you to our full written remarks to find out more about the ITRC, but just
00:12:58 so everybody knows, the core of our business is to provide free assistance to victims of
00:13:03 identity crimes, and we also do research and analysis on identity crime trends, which we
00:13:08 make available to both the public and private sector.
00:13:12 So a lot has happened since we were in this room back in 2021 to talk about this very
00:13:16 same subject.
00:13:18 We've seen bad actors shift their focus.
00:13:20 We've seen them expand their reach, and we've seen them accelerate their innovation attempts.
00:13:26 We may, in fact, be at the very beginning of what is a golden age of identity crime.
00:13:32 It's fueled by stolen personal data, made highly effective and efficient by AI, with
00:13:38 individuals and many businesses all but helpless to defend themselves.
00:13:42 So why do I say that?
00:13:44 I'll give you some scope of the problem.
00:13:47 So data breaches are the fuel for identity crimes, all identity crimes, and a fair portion
00:13:53 of cyber attacks thanks to stolen login and passwords.
00:13:57 In 2023, the total number of data compromises was 3,205, as the Chairman pointed out.
00:14:03 That impacted an estimated 353 million people, because some people were hit more than once.
00:14:09 That's a 78% increase from the year before.
00:14:13 That's a 72% increase from the previous high, which happened the last time we had this hearing.
00:14:19 From a financial standpoint, more than two-thirds of the people who contact the ITRC are losing
00:14:27 more than $500.
00:14:29 Within that subset, 30% of them are losing more than $10,000, and we are now routinely
00:14:35 hearing from people who are losing six and seven figures in financial losses due to identity
00:14:41 scams.
00:14:42 The most troubling trend, though, is the number of people who have decided that their
00:14:46 only way out is self-harm.
00:14:48 16% of the people who contacted us in 2023 said they contemplated taking their own life.
00:14:58 For the decades before that, that number had never been higher than 2 to 4%, and now 16%
00:15:05 doubled in one year, and we do not see it slowing down.
00:15:09 And also, unlike past years, we now hear routinely from grieving families who are still being
00:15:15 attacked by the identity criminals who are trying to keep the scam going.
00:15:20 We don't advocate one way or the other for legislation or regulation for the most part,
00:15:24 but we do provide objective information.
00:15:26 So with that in mind, we're still the same place we were last time.
00:15:30 The best way to help identity crime victims is to prevent victimization in the first place.
00:15:37 An important part of preventing identity crimes is through uniform minimum standards for data
00:15:41 protection and use.
00:15:44 Minimum technical and non-technical standards are essential in our world that's driven by
00:15:48 software and fueled by data.
00:15:52 Compliance with comprehensive but not necessarily prescriptive minimum standards can reduce
00:15:58 the risk of exploitation.
00:16:00 Minimum standards are more than just metrics, though, which is what we tend to think of
00:16:04 a lot of times.
00:16:05 They are practices like data minimization, which is a concept that is predicated on a
00:16:09 very simple truth.
00:16:11 If you do not have the data, you cannot lose it.
00:16:15 And if it's secure, it cannot be misused until we get to quantum computing, and that's a
00:16:20 different discussion.
00:16:24 Routine risk assessments also help ensure information systems are secured in a manner
00:16:29 equal to the risk.
00:16:30 That's very important.
00:16:32 Equal to the risk that an organization faces.
00:16:34 You add two other complementary concepts, privacy by design and security by default,
00:16:40 and you have all the tools needed to keep privacy and security at the forefront of a
00:16:44 company's culture and in every stage of a product's life.
00:16:48 To be effective in reducing identity crimes, uniform standards also need strong enforcement.
00:16:55 Defenders must continually measure their progress and constantly adjust to the new tasks, and
00:17:00 you do that through audits.
00:17:02 There's also the need for strong enforcement actions when it comes to data breach notices,
00:17:07 which are increasingly ineffective, even if a notice is issued.
00:17:11 Let me give you two examples.
00:17:13 In the first three months of this year, 32 percent, 32 percent of data breach notices
00:17:20 had some information about what caused the data breach, if it was linked to a cyber attack.
00:17:26 Reverse that number, and that tells you how many didn't include information about what
00:17:31 happened.
00:17:33 That number was 100 percent of data breach notices until the fourth quarter of 2021.
00:17:41 The average number of new data breach notices in the U.S. is nine per day.
00:17:46 In the European Union, one of the things they do get right, 335 every day.
00:17:52 We are missing data breach notices, and there are plenty of examples to prove that.
00:17:56 Let me leave you with one final thought.
00:17:57 If we adopt data minimization, and we should, and if we give consumers more access and control
00:18:03 over their personal information, that is a vital part of data protection.
00:18:07 They can significantly reduce the amount of personal information at risk of a data breach
00:18:12 and misuse by criminals, but, because you knew there was going to be one, but personal
00:18:17 information used responsibly and transparently is important for proving a person is who they
00:18:22 claim to be in a variety of transactions, from opening a bank account to applying for
00:18:27 a government benefit, et cetera.
00:18:29 They also effectively prevent someone from becoming a victim of identity fraud because
00:18:34 of stolen personal information.
00:18:37 Restricting the use of personal information for identity verification and fraud prevention
00:18:39 as part of consumer control or data minimization could have the unintended effect of actually
00:18:45 aiding identity criminals and negatively impacting communities that are already disproportionately
00:18:49 affected by identity crimes.
00:18:51 Thank you for your time and attention.
00:18:52 I look forward to answering your questions.
00:18:55 Thank you very much.
00:18:58 Now Mr. Sam Kaplan, who is the Assistant General Counsel of Palo Alto Networks and has spent
00:19:04 a considerable amount of time in Colorado.
00:19:09 Thank you, Senator.
00:19:10 Chairman Hickenlooper, Ranking Member Blackburn, and distinguished members of the committee,
00:19:14 thank you for the opportunity to testify on how cybersecurity is a critical and foundational
00:19:20 element of data security and consumer protection.
00:19:23 Again, my name is Sam Kaplan and I'm Senior Director and Assistant General Counsel for
00:19:28 Public Policy and Government Affairs at Palo Alto Networks.
00:19:31 I've spent the bulk of my career working at the intersection of cybersecurity, national
00:19:35 security, and data privacy.
00:19:38 Prior to joining the private sector, I was proud to serve in a number of positions across
00:19:42 the federal government, to include as the DHS Chief Privacy Officer, served on the Privacy
00:19:47 and Civil Liberties Oversight Board, and at the U.S. Department of Justice.
00:19:51 For those not familiar with Palo Alto Networks, we are an American headquartered company founded
00:19:57 in 2005 that has since become the leading cybersecurity company.
00:20:02 We proudly provide cyber defense capabilities to enterprises around the world, supporting
00:20:08 95 of the Fortune 100, critical infrastructure of all shapes and sizes, the U.S. federal
00:20:14 government, universities, educational institutions, and a wide range of state and local partners.
00:20:21 This means that we have a deep and broad visibility into the cyber threat landscape.
00:20:27 We are committed to being a good cyber citizen and a trusted security partner with the federal
00:20:32 government.
00:20:33 It's no secret that cyber attacks cause real impact to our daily lives, from disruptions
00:20:39 of public services, like health care or emergency services, to compromises of American sensitive
00:20:44 data.
00:20:46 With that backdrop, Palo Alto Networks strongly believes that deploying cutting-edge cybersecurity
00:20:52 defenses is a necessary and effective enabler of data security and privacy.
00:20:58 Bottom line, effective data security and data privacy requires cutting-edge cybersecurity
00:21:05 protections.
00:21:07 Cybersecurition should be encouraged to protect data by implementing robust data and network
00:21:13 security practices that can both help prevent incidents and data breaches before occurring
00:21:18 in the first place and mitigate the impact should an incident occur.
00:21:23 To stay ahead of this evolving threat landscape, cybersecurity professionals regularly leverage
00:21:28 security data, which is the network telemetry, the ones and the zeros, the malware analysis,
00:21:34 the IP addresses, the vulnerability enumeration that we must ingest and analyze in real time
00:21:40 to optimize cyber defenses.
00:21:43 To that end, we are heartened to see cybersecurity generally included in privacy frameworks as
00:21:48 a permitted purpose that companies like ours can use to collect, process, retain, and transfer
00:21:54 security data to in turn better protect those systems and data from compromise.
00:22:00 Today's cyber threat landscape requires that approach, and everyone's personal privacy
00:22:04 will benefit from that framing.
00:22:07 To that end, Palo Alto Networks recommends organizations focus on the following actions
00:22:12 to bolster their cyber resilience and increase their data security posture.
00:22:18 First, leverage the power of AI and automation.
00:22:22 For too long, cyber defenders have been inundated with alerts to triage manually, which can
00:22:28 lead to data breaches.
00:22:30 AI can help flip this paradigm.
00:22:33 Second, ensure complete visibility of attack surfaces to help identify and mitigate vulnerabilities
00:22:40 before they can be exploited.
00:22:42 Third, implement a zero-trust network architecture to prevent and limit an attacker from moving
00:22:49 laterally across the network.
00:22:52 Fourth, promote secure AI by design to assist with inventorying AI usage, applying policy
00:23:00 controls, and securing applications built with artificial intelligence.
00:23:05 Fifth, protect cloud infrastructure and applications.
00:23:09 As cloud adoption accelerates, cloud security cannot be an afterthought.
00:23:15 Sixth, maintain and test an incident response plan to prepare for and respond to cyber incidents.
00:23:23 Our team at Palo Alto Networks is dedicated to securing our digital way of life.
00:23:28 We enthusiastically participate in a number of forums like CISA's JCDC and share our situational
00:23:34 awareness and understanding of the threat landscape with those key partners.
00:23:39 Our collaboration in forums like these reinforces that cybersecurity is truly a team sport.
00:23:45 Thank you again for the opportunity to testify on how cybersecurity is a foundational requirement
00:23:49 of data privacy, and I look forward to your questions.
00:23:53 Thank you, Mr. Kaplan.
00:23:54 Now I'll introduce Prem Trivedi, who is the Policy Director for New America's Open Technology
00:24:01 Institute.
00:24:02 Chair Hickenlooper, Ranking Member Blackburn, members of the committee, thank you very much
00:24:07 for the opportunity to speak with you today.
00:24:09 I'm Prem Trivedi, the Policy Director of the Open Technology Institute at New America,
00:24:14 a nonprofit and nonpartisan organization dedicated to realizing the promise of America in an
00:24:19 era of rapid technological and social change.
00:24:22 Since 2009, the Open Technology Institute, or OTI, has worked to ensure every community
00:24:27 has equitable access to digital technology and its benefits.
00:24:31 OTI has long emphasized the need for a strong federal standard in privacy and data security
00:24:37 that protects consumers while retaining sufficient flexibility for innovation.
00:24:41 This takes me to my first point.
00:24:43 Data security and consumer privacy are two sides of the same coin.
00:24:47 Strong data security safeguards, including minimization, are vital to protecting consumers.
00:24:53 Data minimization, as you mentioned in your remarks, is a powerful principle that requires
00:24:56 collecting, using, sharing, and retaining only the data necessary to provide a service
00:25:01 or a product.
00:25:03 Strong data security safeguards are urgently needed in this era of AI.
00:25:08 Training many AI models requires ingesting huge data sets, and as companies race to acquire
00:25:13 more data, the pressures to adequately protect it keep increasing.
00:25:17 So a baseline federal standard on privacy and data security is essential to ethically
00:25:22 and effectively regulating AI development.
00:25:26 And I'll add cybersecurity practitioners also recognize minimization's benefits go beyond
00:25:30 consumer privacy because it can reduce threats posed by breaches and other security incidents.
00:25:35 In short, companies can't misuse data that they don't have, and hackers can't steal data
00:25:41 that companies don't have.
00:25:44 My next point is that research shows Americans want strong data security and minimization
00:25:48 protections.
00:25:49 There's no uniform national standard that protects all types of data, and Americans
00:25:53 know that online data collection and tracking of their activities is pervasive.
00:25:58 It's probably why 75% of Americans lack confidence that the government will hold a company accountable
00:26:03 if it misuses or compromises their data.
00:26:06 And all of this concern about data security and privacy is negatively impacting consumer
00:26:10 trust in AI and in leading AI companies, many of which are U.S. companies, small and large.
00:26:16 And the good news is that more than two-thirds of Republicans and Democrats support more
00:26:21 regulation of companies' data use.
00:26:22 And we've been heartened to see the recent reemergence of a credible bipartisan bicameral
00:26:28 legislative proposal on privacy and data security via the American Privacy Rights Act.
00:26:33 The next point I'd like to make is that a strong federal data minimization regime would
00:26:37 replace the broken approach in American privacy governance that relies on notice and consent
00:26:42 alone.
00:26:43 We know it would take people hundreds of hours to read all the privacy policies that they
00:26:48 encounter in just a year.
00:26:50 And most Americans, even most privacy professionals, respond to this unfair burden on consumers
00:26:55 by clicking "agree" without reading those policies.
00:26:58 This isn't meaningful notice.
00:26:59 It's not meaningful consent.
00:27:01 And it's not clear either is really achievable in most of our online activities.
00:27:06 Data minimization is so important because it shifts the responsibility onto companies
00:27:10 from consumers to use only what the companies need to provide products or services.
00:27:15 And I want to point out this is far from a new concept in law or corporate risk management
00:27:19 playbooks.
00:27:20 So I think we can get the benefits of data minimization without stifling innovation or
00:27:24 overburdening smaller companies.
00:27:27 The last main point I'd like to make is that a broad set of best practices in data security
00:27:31 should become baseline safeguards across all sectors of our economy.
00:27:35 And here's a short list of those best practices.
00:27:37 First, as I've emphasized so far, collect, use, share, and retain only data that's relevant.
00:27:44 Second, whenever possible, use encryption to securely store and process data.
00:27:48 Third, apply strong controls that ensure only the people who should be able to access data
00:27:54 can in fact access that data.
00:27:56 Fourth, use strong methods for authentication, including multi-factor authentication.
00:28:01 Fifth, further study and standardize over time uses of privacy enhancing technologies.
00:28:08 And sixth, routinely assess and mitigate against data security vulnerabilities, something you've
00:28:13 heard from other witnesses as well.
00:28:15 There's no such thing as perfect data security, but these common sense best practices should
00:28:20 be requirements in federal law that are applied flexibly enough to account for different companies'
00:28:25 sizes and technical capacity.
00:28:28 In conclusion, data protection is consumer protection, and we need a national legislative
00:28:33 framework that requires and incentivizes responsible data stewardship.
00:28:39 Continued U.S. leadership on AI requires Congress to address the consumer trust gap.
00:28:45 We appreciate the committee's bipartisan leadership on data security and privacy.
00:28:49 Thank you again for the opportunity to testify before the subcommittee.
00:28:51 I look forward to your questions.
00:28:55 Thank you very much.
00:28:56 I now go to Mr. Parker, or I forget what you're the director of, Senior Director of Security
00:29:03 Industry Association.
00:29:04 Thank you for being here.
00:29:05 Good afternoon, Chairman Hickenlooper, Ranking Member Blackburn.
00:29:06 Thank you for the opportunity to participate in today's hearing.
00:29:07 Again, I'm Jake Parker with the Security Industry Association.
00:29:08 This is a nonprofit trade association representing more than 1,500 companies that provide products
00:29:18 for protecting lives, property, businesses, schools, and critical infrastructure throughout
00:29:23 the nation.
00:29:24 Data security is essential to the operation of security systems and services, and our
00:29:28 members are committed to protecting personal data, whether it's consumer or operational
00:29:33 data.
00:29:34 Practices like data minimization and privacy by design enhance the end-to-end security
00:29:38 needed for successful implementation of many types of these products.
00:29:42 For example, when it comes to access control and video systems, features like data encryption,
00:29:46 which we talked a bit about here, permissions-based access, decentralized data storage, edge device
00:29:52 processing, audit capabilities, and data deletion schedules all serve to limit the availability
00:29:58 of data for potential misuse and limit the usefulness of data if it is compromised.
00:30:04 Another example, our members provide the multi-factor authentication and remote identity proofing
00:30:08 services that are becoming essential to preventing identity theft and fraud as attackers become
00:30:13 more sophisticated.
00:30:15 These advanced technologies provided by our industry, especially biometrics, are providing
00:30:19 higher assurance authentication while reducing exposure of passwords and other personal information
00:30:24 that is far more vulnerable to exploitation by identity thieves and cyber hackers.
00:30:29 As we've heard from the other witnesses, there are very serious and rapidly increasing threats
00:30:33 to data security that must be addressed.
00:30:36 And beyond technical standards, product features, best practices, and security tools, having
00:30:42 the right public policies in place will also address data privacy and security.
00:30:47 There's a key role for those.
00:30:48 So states like Colorado, Texas, Tennessee, and by my count, by the end of this month,
00:30:55 there will be a total of 19 states that have enacted comprehensive data privacy and security
00:30:59 laws which cover over 160 million Americans or almost half the population.
00:31:03 However, having a uniform national standard could provide more benefits to businesses
00:31:08 and consumers while further enhancing data security.
00:31:11 And a national standard is something our members support.
00:31:13 We've been following the renewed discussions here in Congress regarding the development
00:31:17 of such a standard, and we are encouraged by the progress.
00:31:20 In this, it's essential that data can continue to be utilized as needed for safety and security
00:31:25 purposes.
00:31:26 For example, our members and their customers are often the first to raise the alarm in
00:31:30 emergencies, where having the right data helps law enforcement and other responders get to
00:31:34 where they need to be as quickly as possible.
00:31:37 And also, I mentioned earlier, there's many technologies used for authentication that
00:31:42 will be essential to accomplishing the goals of the draft proposal that we are looking
00:31:47 at in Section 9, which I think was mentioned earlier.
00:31:50 So having a uniform and workable national standard requires strong state and local preemption
00:31:56 to avoid layering additional requirements.
00:31:59 This is really important to our industry.
00:32:01 It also needs to limit risk to businesses from opportunistic, abusive lawsuits, which
00:32:06 we've certainly seen in some jurisdictions over privacy matters, and need to make sure
00:32:11 that we accomplish those two objectives in what we put forward.
00:32:15 So I appreciate you holding this hearing and your leadership and putting a spotlight on
00:32:20 data security.
00:32:21 As an organization, we're doing what we can through our Data Privacy Advisory Board and
00:32:25 our Cybersecurity Advisory Board in particular to provide key resources and urge adoption
00:32:29 of best practices for data security in our industry, as I outlined in my written statement.
00:32:33 Again, thank you for the opportunity to participate.
00:32:36 And on behalf of SIA and our members, we look forward to continuing to work with you
00:32:38 on these issues.
00:32:39 Great.
00:32:40 Thank you all, again, for being here.
00:32:44 I realize how busy you all are, and it's some sacrifice that you come and share your information,
00:32:51 your wisdom, your data with us.
00:32:53 Let me start off with you, Mr. Trivedi.
00:32:58 Lincoln famously said, "With public sentiment, nothing can fail.
00:33:01 Without it, nothing can succeed."
00:33:03 Various states have established their own laws, soon to be 19 states that will pass
00:33:10 their laws.
00:33:13 And this is all about what types of data businesses can collect, how consumers should be notified.
00:33:22 Consumers can be better protected.
00:33:24 I think businesses can more fairly compete when there are clear, consistent rules of
00:33:31 the road, especially for small businesses.
00:33:33 I think this is essentially important.
00:33:35 So Mr. Trivedi, how do you believe a national standard for data minimization and securing
00:33:41 data ultimately benefits customers and their privacy?
00:33:44 And maybe a thought about how we get the word out to them, to get that public sentiment
00:33:48 behind us.
00:33:51 Thanks so much for that question, Chair Hickenlooper.
00:33:53 I'd start by saying Americans know that their data represents the most sensitive aspect
00:33:59 of their lives, and that's why they're clamoring for strong protections for it.
00:34:03 And as you've said, a national standard would set equal protections for all Americans, but
00:34:08 also set uniform expectations for all companies, which is something that they have been clamoring
00:34:12 for as well.
00:34:14 And that kind of clarity in the regulatory environment is sorely needed, because the
00:34:18 U.S. legislative regime for data privacy and security is fragmented in ways that make consumers
00:34:23 more vulnerable and then require companies—this is particularly burdensome, I think, for smaller
00:34:28 companies—to develop complicated compliance programs in response to state patchworks and
00:34:33 in the absence of clear national rules of the road.
00:34:36 I think I would also add to your question about small business in particular, that many
00:34:41 of these small businesses do not want to be hoovering up as much data as possible to run
00:34:46 their business.
00:34:47 But because there aren't sort of credible, strong, flexible national standards, they
00:34:51 may feel as though there's a competitive disadvantage if they're not collecting as much data as
00:34:56 possible.
00:34:57 And that, as we've heard, puts consumers at risk.
00:34:59 It also puts those companies at risk.
00:35:01 And so I think that a data minimization approach and a data security approach that's common
00:35:05 at the federal level helps these companies do what they want to do, which is be responsible
00:35:09 data stewards.
00:35:10 Well, I agree, but certainly hope you're right.
00:35:15 Certainly AI has created a fascination with the value of all data, and there seems to
00:35:22 be a little bit of a race on.
00:35:25 Data minimization is not quite appearing as frequently as it had been since AI has gotten
00:35:32 more currency.
00:35:33 Mr. Kaplan, on a bipartisan basis, Congress passed the Cyber Incident Reporting for Critical
00:35:42 Infrastructure Act a couple years ago to require critical infrastructure operators to quickly
00:35:48 report cyber incidents so we can understand the threat landscape as it changes.
00:35:55 The FTC has also investigated and issued penalties against companies it found were unfair or
00:36:00 deceptive in their data security practices after the consumer data was exposed.
00:36:07 Gathering and sharing information about specific ongoing attacks, as well as the broader industry
00:36:12 trends helps us establish the defenses to prevent future incidents, especially, obviously,
00:36:20 data breaches across sectors.
00:36:22 So in your experience, Mr. Kaplan, which vulnerabilities do you think are most important to address
00:36:28 in order to prevent criminals from accessing consumer data?
00:36:36 Thank you, Senator.
00:36:37 That's a very great question.
00:36:40 So in our experience, and conveniently, every year, Palo Alto Networks publishes an incident
00:36:46 response report, which provides an aggregated summary of the key trends that we've seen
00:36:51 and how adversaries are looking to break into systems across the country.
00:36:57 In this past year, we found that internet-facing software vulnerabilities actually surpassed
00:37:03 phishing attempts as the primary vector for attacks to take place.
00:37:09 These are essentially open doors that are available on public websites that haven't
00:37:13 been patched through updates or upgrades to software and systems.
00:37:20 As a result, the adversaries are able to leverage these vulnerabilities with relative ease to
00:37:24 gain entree into these systems.
00:37:27 In that vein, all vulnerabilities should be taken seriously, but the one vulnerability
00:37:32 that we've noticed that is particularly troublesome is called a Remote Desktop Protocol or an
00:37:37 RDP vulnerability.
00:37:39 These in particular, if exploited, can provide threat actors and attackers easy access
00:37:46 to a deep level of administrative privilege in a victim system, to better and more quickly
00:37:51 exfiltrate data.
00:37:54 These RDP vulnerabilities will unlock the keys to the kingdom, if you will.
00:37:58 So they're a particular concern for our company.
00:38:01 With adversaries growing increasingly sophisticated, it's critical that we make it as difficult
00:38:07 as possible through layered defenses and some of the best practices that I identified in
00:38:12 my opening statement with regard to zero trust architecture to prevent attackers from moving
00:38:18 laterally across the system and to close those open doors and to have better understanding
00:38:23 and visibility into your relative attack surface.
00:38:26 And we'll get back to some of that.
00:38:30 The danger of any hearing like this is we do call attention to some of those open doors.
00:38:35 It increases your commercial activity in all of yours.
00:38:40 I'm going to turn it over to my vice chair, Senator Blackburn, for some questions.
00:38:45 And thank you all so much for your testimony.
00:38:52 And I appreciate getting your perspectives on this.
00:38:59 I want to start with GDPR.
00:39:02 I mentioned that in my opening remarks.
00:39:08 And let me ask you, are each of you involved in some way in the EU?
00:39:15 Are your companies involved in some way in the EU?
00:39:18 Show of hands is fine.
00:39:19 Okay, so two of you are.
00:39:22 Mr. Trivedi, you're trying to decide if you are or not.
00:39:27 Only to say that we're not a company, so no business in the EU, but we're a nonprofit
00:39:30 that's certainly tracking.
00:39:31 Mr. Lee, likewise.
00:39:36 As we look at this, and as I mentioned, our friends in the EU know they went a little
00:39:41 bit too far.
00:39:43 But companies already have these protocols in place to meet the GDPR standard.
00:39:49 So as you look at what they have done in the EU, and Canada has a law, and New Zealand
00:39:56 has a law, and Australia has a law, all protecting their citizens in the virtual space.
00:40:04 Mr. Lee, start with you and just go down the line.
00:40:06 What should be the lessons that we learned, and what should we take away from the GDPR
00:40:13 experience?
00:40:14 Go ahead and just very quickly so I can work on through my questions.
00:40:19 The things that I think they got right do deal with some of the more technical aspects
00:40:25 of making sure that you are having the programs that you need in place, and that they meet
00:40:31 the risk that you are facing.
00:40:33 So it's not necessarily a prescriptive standard, but it's that you have to assess and report.
00:40:40 And then when there is a data breach, you have to report that to the data authority
00:40:44 for that country.
00:40:46 So their assessment reporting mechanism, you would say they got it right.
00:40:50 Mr. Kaplan?
00:40:51 Thank you, Senator.
00:40:54 That's a great question.
00:40:55 I would say from a macro level, the things that they got right are sort of a uniform
00:41:00 standard.
00:41:01 Regulatory complexity across multiple markets just increases costs.
00:41:06 And from a cybersecurity perspective, the sources and the resources that are dedicated
00:41:12 to responding to incidents should be operationally responding to incidents rather than looking
00:41:17 at regulatory compliance.
00:41:18 I would say we need one set of rules for the entire Internet ecosystem with one regulator.
00:41:25 Yeah.
00:41:28 Predictability and lessening regulatory complexity is one of the hallmarks.
00:41:31 Yes.
00:41:32 It's a good thing, isn't it?
00:41:33 Mr. Trivedi?
00:41:34 Thank you, Senator, for the question.
00:41:36 I think the first lesson is something you highlighted, which is moving swiftly to establish
00:41:41 that uniform standard.
00:41:42 That's something we should emulate.
00:41:45 I think it's worth saying GDPR has probably not been strong enough on data minimization,
00:41:49 and I think the regime we're hopefully working towards here in the United States could do
00:41:52 it better.
00:41:53 I think GDPR arguably gives too much deference to companies to decide what minimization means.
00:41:59 And I think while we should have sort of a reasonableness thing and flexibility, meet
00:42:03 a strong and flexible approach, I think there's an opportunity for an American approach that's
00:42:07 different and that works for us.
00:42:09 Okay.
00:42:10 Mr. Parker?
00:42:11 I would say, I mean, the emphasis on reasonableness, proportionality, and consent is very similar
00:42:17 to what a lot of the states have done already.
00:42:19 The similarity between those two, which obviously was pointed out, is a little bit
00:42:23 different than what the proposal we're talking about now at the federal level is.
00:42:28 Just based on what I've also, some feedback from members we've had is there's definitely
00:42:32 been an issue with conflicting interpretations over time from the national data protection
00:42:38 authorities within the EU.
00:42:40 It's causing problems for businesses that are doing work across the EU, different jurisdictions.
00:42:47 But also there's the potential, and this is I think relevant for us here, that there's
00:42:51 overlap between the AI Act and the GDPR.
00:42:54 And in some cases, those areas of overlap are going to get resolved one way or another,
00:42:57 but it's causing some confusion.
00:42:59 And digital marketing and digital services and some other, the overlap there.
00:43:05 Let me, I want to go to the data minimization issue.
00:43:11 And again, just down the line, Mr. Lee, starting with you, what is your opinion of data minimization
00:43:23 as a security principle in this debate?
00:43:27 I think it has to be integral.
00:43:28 If we're going to reduce identity crimes, we're going to have fewer victims, we have
00:43:33 to reduce the supply of data that can be abused by individuals if it's stolen or even if it's
00:43:41 just accidentally exposed.
00:43:43 If you don't have it, you can't expose it.
00:43:47 So you tie the two?
00:43:48 I do.
00:43:49 Yeah.
00:43:50 Okay.
00:43:51 As you said, data breaches are the fuel.
00:43:52 So that ties in.
00:43:53 Mr. Kaplan?
00:43:55 Senator, from a macro perspective, I think data minimization is an increasingly useful
00:44:01 principle, especially in lessening the attack surface, particularly for those companies
00:44:05 that are doing business with consumer-focused data.
00:44:08 To that end, there's also where we think that, you know, legitimate and broad, not broad,
00:44:14 but targeted permissible purposes like protecting the information can be critical, but minimization
00:44:20 can be an important tool.
00:44:21 So you would segment it?
00:44:22 Correct.
00:44:23 Okay.
00:44:24 Mr. Trivedi?
00:44:25 Thank you, Senator.
00:44:26 I would say data minimization is an essential part of data security safeguards, central
00:44:31 to it for the reasons that other witnesses have highlighted as well, which is to say
00:44:35 the attack surface is lessened when you sort of are intentional about collecting only what
00:44:39 you need.
00:44:41 You can't, again, you can't exfiltrate or hack what isn't there in the first place.
00:44:45 All right.
00:44:46 Mr. Parker?
00:44:47 Yeah, I would say there is a bit of a difference between data minimization as an operational
00:44:53 principle and a policy principle.
00:44:54 So certainly from an operational standpoint, you know, it definitely plays a big role in
00:44:59 data security.
00:45:00 From a policy perspective, I know there's, you know, the overall approach of having a
00:45:05 set number of permissible purposes for collecting and processing data, it certainly could work.
00:45:12 I know there's some questions out there about what about future proofing this so that in
00:45:16 the future, is that going to be too narrow?
00:45:17 Do they cover what they need to now?
00:45:19 Those are all legitimate questions, but certainly an interesting approach.
00:45:23 All right.
00:45:24 Can I ask?
00:45:25 Sure.
00:45:26 Oh, Peter's here.
00:45:27 So I didn't see him.
00:45:28 Go ahead and go to him.
00:45:29 I've got another question I want to ask.
00:45:30 I've got Senator Klobuchar on as well.
00:45:31 Do you want to ask a question?
00:45:32 I do.
00:45:33 I wanted to talk about China because we just enacted legislation to force ByteDance to
00:45:45 divest from TikTok.
00:45:47 And the data security threat from China is broader than just TikTok and a more holistic
00:45:55 approach rather than playing whack-a-mole is required on this.
00:46:00 The problem goes beyond apps.
00:46:03 And we know that China is using drones and cranes and potentially routers to spy on Americans.
00:46:12 So how should Congress approach the broader data security threat from China?
00:46:20 And what do you see as a good policy solution to this?
00:46:25 Mr. Lee?
00:46:28 I'm just a humble victim advocate.
00:46:31 But we do have to recognize that nation states, maybe not for the same reason as professional
00:46:37 criminals, they want the information and it's important that it is protected from whoever
00:46:42 wants to misuse it for whatever reason they want to use it.
00:46:47 China is certainly a nation state that has great capabilities.
00:46:51 We know that they have a lot of data about individuals for intel purposes.
00:46:56 We have to assume there are other countries, friends and foes, that do the same.
00:46:59 So an approach for data protection needs to be universal in its approach to whoever is
00:47:09 acquiring the information.
00:47:11 Mr. Kaplan?
00:47:12 Senator, yeah.
00:47:14 The threat from China is something that we are tracking every day on a regular basis,
00:47:19 both the threat with exfiltrating information to China, but also other malign nation states
00:47:25 that are looking to leverage sort of data within the United States.
00:47:28 As a cybersecurity company, we're principally focused on the security of the networks and
00:47:32 information systems upon which that data relies.
00:47:36 So broader policy sort of questions about how to deal more holistically with a problem
00:47:41 may be outside of our purview.
00:47:43 To that end, we would encourage strong cyber protections with regard to those systems and
00:47:47 encourage information sharing with the federal government like we enjoy and we regularly
00:47:51 partner in with regard to that threat.
00:47:55 Thank you for the question.
00:47:56 I think you're importantly highlighting the ways in which data security and data protection
00:48:01 have a national security dimension.
00:48:02 We've been talking about consumer protection, which is vital.
00:48:04 We've been talking about people's privacy, but this is not all occurring just in the
00:48:08 context of what's happening with our own borders.
00:48:10 And as Mr. Kaplan mentioned, I think there are a number of nations in competition for
00:48:13 one another's data and there are costs to that.
00:48:16 I would say to answer your question about the right policy approach, at the top of the
00:48:20 list should be establishing a federal data security and privacy protection standard,
00:48:24 right?
00:48:25 I think that's essential because it does all the things we've talked about, but also confers
00:48:29 national security benefits on America as well.
00:48:33 And certainly what was just mentioned is establishing that standard in the federal privacy framework
00:48:38 we're talking about would go a long way to doing that.
00:48:41 Certainly anything that's internet connected devices is a target for exploitation by nation
00:48:48 state actors.
00:48:50 Implementing certain encryption protocols in our industry, as I'm aware, is pretty important
00:48:54 for detecting those specific kinds of devices.
00:48:57 And I'd say though, as an additional side note, there's been also a large shift with
00:49:00 our industry away from manufacturers in China and sourcing equipment there that could possibly
00:49:06 have vulnerabilities.
00:49:07 I'd say especially in the commercial sector it's been a near-complete move away from those
00:49:12 sources.
00:49:13 Great.
00:49:14 Thank you.
00:49:15 Senator Welch?
00:49:16 Thank you very much.
00:49:17 It's good to be here.
00:49:18 Senator Blackburn, it's always wonderful to see you continuing this pioneering work that
00:49:19 you began when you were in the House.
00:49:20 And it's only gotten more complicated, actually.
00:49:21 Let me ask you a few questions about the role of the federal government in the administration
00:49:22 of the United States.
00:49:23 I know that you've been a member of the House for a number of years.
00:52:48 I would view that that's actually the foundational step. It's the one-size-fits-all approach,
00:52:54 which we have taken heretofore, is what burdens small businesses. But when you take a tailored
00:52:59 approach, where it's specific to their business and specific to their data, then you don't
00:53:04 have to do things which you know you're never going to end up.
00:53:07 No, that makes sense. But what's the expense associated with that?
00:53:11 It depends on which tool you're using. Give me a ballpark. I'm worried about the
00:53:15 small businesses having to deal with these massive impacts on their small business.
00:53:24 We've got representatives of the world's largest cybersecurity organization, but there are
00:53:29 small mom-and-pop managed services providers. That's what they do. There's, I'm sure,
00:53:35 hundreds of them even in the Nashville area. In every city, there are people who do that.
00:53:39 Mr. Parker, thanks. You mentioned future-proofing, which makes a lot of sense to me. But one
00:53:47 of the things that I've found frustrating as a member of the House and now in the Senate
00:53:52 is we can't keep up with all the changes and all the methodologies by which there is hacking.
00:53:59 Even those who are far more expert in Congress on technology issues, I don't think can keep
00:54:05 up with it. Senator Bennet and I think that the time has come where we actually need an
00:54:10 agency, a digital commission, much like, say, the FTC or the FCC, that is properly staffed,
00:54:19 properly resourced, and has the capacity to keep up. Because if it's a one-off bill that's
00:54:26 dealing with problem A or problem B, it's a very cumbersome and difficult process to
00:54:31 get it done in a timely way through Congress. Do you have any thoughts on the wisdom of
00:54:37 having such an entity that would have as its ongoing challenge protecting privacy and considering
00:54:46 other issues related to tech? That's a great question. I apologize. I don't have a great
00:54:55 answer, but I know that the, obviously, the state of California has done something like
00:54:58 that, having a privacy agency. I know the issue has been discussed here as far as creating
00:55:05 something like that. I know there's probably the opinion that most of the, that we have
00:55:10 existing agencies that are playing that role, but I understand what you're saying. I know
00:55:14 it's definitely bifurcated the way it is currently. Mr. Trivedi, you mentioned there should be
00:55:18 a national standard, right? Yes. That makes sense to me. Who determines what that national
00:55:27 standard is? I think that legislation would emerge from a number of stakeholders working
00:55:32 together, but I would emphasize that it should be both strong and flexible. To your point
00:55:36 about how smaller businesses are able to comply, we cannot expect a small record store, to
00:55:41 your point, collecting potentially far less digital data than a large tech company to
00:55:46 meet the same standards. What would a national standard look like? Strong and flexible makes
00:55:51 a lot of sense to me. What you're saying, I agree with, but I'm trying to think about
00:55:55 the practical way, A, to define it, B, to implement it, C, to change it. Sitting up
00:56:02 here, I know that's a tough ask for the folks in this job who are determined to do the best
00:56:08 they possibly can. Do your best to answer that question. Sure. Thank you, Senator. It's
00:56:13 a very good question. I think there are some best practices I listed out as near universal
00:56:18 that would apply. For example, even small businesses can think about and implement access
00:56:22 controls to make sure employees who don't need certain data can't access it. They can
00:56:27 engage in data minimization relative to their capacity, which is to say, think hard about
00:56:33 what they really need and what they don't need. What they don't need, they shouldn't keep,
00:56:36 because it's also a risk to them. The legislation has to determine that. It's not like you're asking the individual
00:56:42 to determine that, right? That's right. I think legislation should establish a strong
00:56:47 set of practices, but that there should, of course, be flexibility in how businesses of
00:56:52 varying sizes comply with it. There should be some basic requirements that are common.
00:56:56 Do you have a template of what it is you think Congress should pass? I think we've seen
00:57:02 some credible bipartisan proposals. I think there's good progress being made via the discussion
00:57:07 draft of the American Privacy Rights Act. I do think that is a very promising proposal
00:57:12 on the table today. In terms of a template specifically for how small businesses can
00:57:16 operate, I think that's something that we could get back to you on and think more about.
00:57:21 Thank you. I yield back. Thank you. Now we have by remote Senator
00:57:27 Klobuchar.
00:57:28 [inaudible]
00:57:36 [inaudible]
00:57:45 [inaudible]
00:58:05 I do, Senator. Thank you. I think access and control rights are very important for consumers.
00:58:11 Okay. Thank you. Mr. Lee, and I'm having trouble hearing it. I'll just try my best here. Mr.
00:58:21 Lee, we also need to educate Americans on how to identify and react to cyber threats.
00:58:29 We know there's phishing schemes going on. Senator Thune and I have introduced the American
00:58:35 Cybersecurity Literacy Act to educate the public on cybersecurity risk by requiring
00:58:42 NIST to conduct a cybersecurity literacy campaign. Can you talk about the importance
00:58:47 of educating Americans on how to identify and avoid cybersecurity threats?
00:58:53 Well, education is the key to so many different things, and particularly in this case, it
00:58:57 is a part and parcel of keeping people safe. One of the things that we learn from talking
00:59:02 to victims every day is they are very curious about how to make sure it doesn't happen to
00:59:09 them again. So having a comprehensive approach that is led by the federal government would
00:59:17 be very helpful because we overall, identity crime victims don't get a lot of support anyway
00:59:22 because a lot of times people think of them as victimless crimes. And trying to avoid
00:59:27 that crime is even more difficult. So education is going to be a key part of making sure that
00:59:35 we are keeping people safe in this increasingly dangerous cyber world.
00:59:41 Agree. Mr. Kaplan, in just the past five months, we've seen significant data security breaches,
00:59:48 obviously UnitedHealth Group, AT&T, Microsoft, because these companies maintain large amounts
00:59:55 of data on huge swaths of the population. Hacks often can affect tens of millions of
01:00:01 people. In your testimony, you noted that large companies have twice the number of systems
01:00:06 exposed on the internet as what they were monitoring. What complications to protecting
01:00:12 consumer data arise from simply holding such vast amounts of it?
01:00:19 Thank you for that question, Senator. Yeah, holding that vast amount of data just increases
01:00:25 sort of your attack surface and your vulnerability and makes you a more likely target of sort
01:00:31 of the malign threat actors and nation states that are looking to sort of divine and exploit
01:00:35 and pull out that data to make strategic use of it. With regard to the attack surface,
01:00:40 this was one of the basic cyber principles that we also talked about. It's understanding
01:00:47 what your internet exposed attack surface looks like, understanding how many of the
01:00:52 portals into your system are open to the public internet and having visibility into existing
01:00:59 vulnerabilities, misconfigurations, you know, not updated pieces of equipment or software
01:01:04 that are exposed to the open internet that just give those malign actors entree into
01:01:09 the system. So having visibility into the ecosystem and what your attack surface looks
01:01:15 like to the attacker, we think is a critical piece of securing your infrastructure. That
01:01:21 combined with knowing what your data is, is all a critical element of maintaining customer
01:01:27 confidence.
01:01:28 You also noted in your testimony that the UnitedHealthcare Change data breach is likely
01:01:34 to be the largest supply chain breach of this, Mr. Lee, the largest supply chain attack in
01:01:44 history because of how many organizations depend on Change to process insurance payments.
01:01:51 And an entire industry relies on only one or two digital supply chain providers that
01:01:57 hold and process huge amounts of data. How does that affect the impact of a cyber attack?
01:02:05 It's for a cyber criminal, it's a nirvana if you can find a supply chain, rather than
01:02:13 have to attack a series of companies one at a time. If you can find that one organization
01:02:17 that has weak cyber security, but lots of data from not just one company, but all of
01:02:22 their customers, all of the people they support, they're going to get massive amounts of data.
01:02:27 And we've seen at the ITRC, we've seen a 2600% increase in the number of organizations hit
01:02:33 by supply chain attacks. Not just that they were attacked, you may only have 100 companies
01:02:38 attacked last year, but you had 2600 companies that were impacted by it, their data was exposed.
01:02:46 So for a criminal, these things are incredibly profitable. And it's something that we, the
01:02:53 whole topic of this conversation is how can we bring these other organizations up to speed
01:02:58 so you do not have that risk from vendors to the larger organization?
01:03:03 Yeah, I mean, we have been helping dozens and dozens of hospitals and pharmacies and
01:03:10 other health care providers in our state to become whole and to be able to function ever
01:03:15 since this data breach. And clearly work has to be done here. So you have, you can't have
01:03:22 all this data in one place. And then they don't have backup systems. Is that, would
01:03:29 that be one of your suggestions? What would be your suggestions to protect this data?
01:03:35 And this will be my last question.
01:03:39 From a data protection standpoint, I mean, there's a lot to that. Only one part of which
01:03:44 would be backups. You know, there are just so many parts of the health care supply chain.
01:03:51 It has been the industry that is most attacked for the last six years running because there
01:03:55 are just so many different parts of it. So many members, you know, from mom and pop organizations
01:04:00 all the way up to a UnitedHealthcare. So while there are key things that need to be done,
01:04:07 a big part of it is just making sure that everybody in that supply chain is aware they
01:04:11 are a target. They are at risk and to act accordingly.
01:04:17 Exactly. Okay. Thank you very much. Thanks everyone. Appreciate it.
01:04:23 Thank you, Senator. I still got some questions and I think there's one or two people might
01:04:28 be on their way here. So I'll indulge myself. Mr. Parker, and I don't want to get you in
01:04:35 trouble with any of your members in any way, but you know, the requirements for reporting
01:04:42 a breach, whether it's ransomware or phishing or whatever it is, they're really the penalties,
01:04:51 unless someone pays a ransom, the penalties so far don't appear to be significant in almost
01:04:56 all cases. Does there need to be some sort of incentive or some way to reward some of
01:05:04 the smaller breaches that are happening more frequently that don't get the attention and
01:05:08 yet are, as I'm sure you're aware, costing us tens of hundreds of millions of dollars
01:05:14 as a country? Is that, I mean, how, within the framework of your membership, how do we
01:05:21 get everyone eager to make sure that they report each incident?
01:05:27 You know, that's a great question. I know, so it's been a little while since I've looked
01:05:31 at this. I know every, I think every state has a law on breach notification. They're
01:05:35 different in some ways. Some have a private right of action applied to them. I think it's
01:05:41 definitely a--
01:05:42 Associate has some of those requirements as well, but there's just not a heavy hand. It's
01:05:47 fairly light.
01:05:49 I mean, I know for the others, witnesses may have a better idea here, but you know, certainly
01:05:54 something should be a priority for the AGs that are enforcing these rules.
01:05:58 Right. But again, they need, they'll need some penalty or there needs to be some incentive,
01:06:03 some way of moving people. Anybody else want to comment on that? Don't feel the obligation
01:06:09 because I have more questions.
01:06:10 Oh, I've got comments. To your point, we, it took from 2003 until 2018 to get all 50
01:06:21 states, the territories and the District of Columbia to have a data breach law. And they
01:06:25 are all different. They all have different triggers of what constitutes a breach. They
01:06:29 all have different requirements for what is in a data breach notice. And in every instance,
01:06:35 it is the organization that has lost control of the data that gets to decide if there is
01:06:39 a notice. Oregon will allow a consultation with law enforcement. But other than that,
01:06:45 the organization makes the determination. Where you live determines how much information
01:06:53 you have, if you have any information and what resources are made available to you.
01:06:58 So when we talk about national standards, that's why we mentioned data breach notifications
01:07:03 have to be part of that because those are both education opportunities for the individuals
01:07:08 and their opportunities to make sure that we don't have repeat occurrences.
01:07:13 Absolutely. Anyone else? You've all referred to at one point or another, I don't know whether
01:07:21 that serves a certain amount of irony in some of the comments, but the swiftness of response.
01:07:27 Would you all agree the swiftness needs to be a goal, something that we should find ways
01:07:33 of both within government, but also within the business community of accelerating responses
01:07:42 and making sure that swiftness becomes an important factor? Mr. Parker, we'll go up
01:07:52 this way just for a change of direction. Absolutely agree with that.
01:07:57 Yeah, I think both on cybersecurity incident response side, as well as on the pace at which
01:08:02 we should move on data security and privacy legislation, swiftness is essential.
01:08:06 Say that louder when you say that. I'm just kidding. We want to fill the room.
01:08:12 Senator, swiftness when responding to a cyber incident is critically important. One of the
01:08:17 things that we've seen from Palo Alto Networks is the average incident response time for
01:08:22 companies as recently as 2021 was 44 days that it would take companies to address a
01:08:29 cyber incident when it occurred. And it was 44 days till they started seeing data exfiltrated
01:08:35 from those attackers. We've seen that exfiltration timeline decrease to just days and hours.
01:08:41 If you take that in context with the average time that it takes for a company to respond
01:08:45 to a cyber incident and mitigate it is six days. If attackers are starting to exfiltrate
01:08:51 data in one day in just a handful of hours, you're losing data. So swiftness is a critical
01:08:55 aspect. Absolutely.
01:08:58 I agree. Great. Thank you. I might have one more question. First, I'm going to turn to
01:09:09 Senator Budd.
01:09:10 Thank you, Mr. Chairman. And again, thank you all for being here today. So much commerce,
01:09:18 business, work and social interaction now takes place online, as you all know. And there's
01:09:22 a large volume of sensitive data that goes into those online interactions. In many ways,
01:09:27 that data has become the lifeblood of the digital economy, connecting small businesses
01:09:32 with customers and improving online services. So I know this firsthand as a small
01:09:37 business owner who has run digital advertising campaigns myself. I also know that the majority
01:09:43 of businesses take data security extremely seriously. Burdening customers with what may
01:09:48 feel like arbitrary, excessive or overly sensitive personal information disclosures, it's a poor
01:09:53 way to instill customer trust and protecting against devastating breaches. It's a must.
01:10:00 Mr. Parker, you mentioned how important uniform standards and laws are to the Security Industry
01:10:06 Association members. Is there an example that you could share where conflicting laws between
01:10:11 states have reduced business opportunities for any member of companies?
01:10:16 Sure, absolutely. So the kind of prime example of this is the Illinois biometric
01:10:24 data privacy law known as BIPA, where it was formulated, I think, more than 15 years ago
01:10:32 when that technology was in its infancy. A lot of misunderstandings about it, but it's
01:10:35 certainly because of the way it was structured in the private right of action attached, it's
01:10:40 created a sue and settle environment where there's a tremendous litigation risk in fielding
01:10:46 technologies even if they're deemed to be compliant. And so as a result, there's a number
01:10:51 of our member companies who do not actually offer their products to customers in Illinois
01:10:55 anymore because of what's happened with that.
01:10:58 Any particular products that you can recall?
01:11:01 Well you know there's within biometrics there's many different types of products, but just
01:11:06 to give you an idea, 88% of the lawsuits under that law have been regarding biometric
01:11:12 time clocks, so basically a way to authenticate your identity for punching in and out of work.
01:11:18 No allegations that harm actually occurred to anyone. There was some, you know, misstep
01:11:22 in the collecting consent and things like that that were found and that was a basis
01:11:27 for class action lawsuits. That's things like that even it's not even though it's not in
01:11:32 some products certainly in the security area cannot even be fielded there under the rules,
01:11:37 but in other cases, you know, products like that some people are just say forget it we're
01:11:42 not going to even bother.
01:11:44 You know the savings from those systems I would know firsthand and they save businesses
01:11:48 money, they make them more competitive, allow them to pay employees more, hire more employees,
01:11:54 so I see the challenge there. Mr. Parker, can you speak to how uniform national requirements
01:12:00 and legal liabilities would improve the ability of your member companies to protect personal
01:12:05 data?
01:12:06 Yeah, so I mean I think having a national standard, you know, that fully preempts, you
01:12:13 know, state and local laws and data privacy would definitely save on compliance costs,
01:12:17 but it would also be better, you know, for the global competitiveness of our companies
01:12:22 that can align what they're doing, you know, with other parts of the world as well versus
01:12:28 having people track what's going on in each individual state, so what products can be
01:12:32 offered where and under what circumstances, so there's definitely a tremendous advantage
01:12:36 of having a national framework and standard.
01:12:39 Thank you. You mentioned that the Security Industry Association encourages its members
01:12:44 to implement resources like how to counter AI-driven cybersecurity threats to physical
01:12:50 security products, just an example. So your members seeing criminals use AI in new ways?
01:12:55 Yeah, so one thing we're certainly, I was just talking to some of our cybersecurity
01:13:00 experts in the industry about this, but one thing that's emerging is the ability to detect
01:13:06 when video has been altered, and so security video is obviously very important, you know,
01:13:11 what we do and provide to customers, but you want to make sure that that can't be manipulated
01:13:16 by bad actors for fraudulent purposes or maybe even further some other criminal activity,
01:13:21 so there's definitely technology available that is verifying the authenticity of, you
01:13:27 know, data that's stored and making sure it hasn't been, you know, altered, so that's
01:13:30 one area.
01:13:31 Thank you. Thank the panel. Chairman?
01:13:35 Thank you, Senator. Okay, I'll be quick. I know you guys have been here for a while,
01:13:41 and a couple of you already commented on this, but I just, you know, put in a fair amount
01:13:46 of our office, put in a fair amount of work on the American Privacy Rights Act, and you
01:13:52 guys, it affects what we're talking about today. It is about security in addition to
01:13:58 privacy. I think all of you have pointed out that there's a connection there that is inviolate.
01:14:04 What's your feelings, and we'll go right down the list on APRA in terms of if you've got
01:14:10 some constructive, something bothers you, or constructive criticism that's out with
01:14:14 it, but if you think we need to have a sense of urgency, a couple of people have referred
01:14:20 to quantum computing as it comes down the pike. If it doesn't give us a sense of urgency
01:14:26 around these issues, then nothing will. Anyway, we'll start with you, Mr. Lee.
01:14:29 I do think there should be a sense of urgency, just because of, we don't even have to get
01:14:34 to quantum, we can just look at artificial intelligence, and just the efficiency and
01:14:40 the depth and breadth that that is bringing to everything from creating malware to a phishing
01:14:47 attack. We're seeing more and more phishing attacks, which are very basic, that are letter
01:14:52 perfect, that fool even professionals. They are so good, whereas a couple of years ago,
01:14:58 everybody kind of go, yeah, yeah, Bank of America isn't spelled with B-A-N-K. You can't
01:15:05 do that anymore. It is good, and it is getting better. You have, for the most sophisticated,
01:15:10 you've got a deep fake video, you have voice cloning, you have risks that are primarily
01:15:16 to businesses, but individuals will be the vehicle to get to the business attack. So,
01:15:22 there is a sense of urgency. My watch out on the Privacy Rights Act would be, beware
01:15:28 the law of unintended consequences. As we talked about a little bit with data minimization,
01:15:34 we still need data, and we need it for some very specific purposes, because it's used
01:15:39 for anti-fraud. It's used for identity verification to prevent identity crimes. So, in our zeal
01:15:46 to protect consumers and give them access, we also have to be realistic that we still
01:15:51 need some data. Thank you. Mr. Kaplan? Senator, we're still evaluating APRA. We do think that
01:16:00 this current version, there are some beneficial aspects, like specifically... Wait, wait, so
01:16:03 I started this with a sense of urgency. You're still evaluating? With a sense of urgency,
01:16:07 and I can hit that. So, what we've seen with regard to artificial intelligence, for example,
01:16:12 is to echo what Mr. Lee said, is we have seen threat actors leverage this to create really
01:16:17 sophisticated spear phishing attacks. Senator Blackburn brought up quantum. Quantum threats
01:16:23 right now, there is a campaign of harvest now and decrypt later, where malign nation
01:16:29 states are collecting data, even encrypted data, knowing that this day is coming where
01:16:35 they'll be able to decrypt it. So, the urgency is really, harden your systems now and secure
01:16:39 your systems now and secure your data now. One of the beneficial aspects of APRA that
01:16:44 we see is those strong permissible purposes for cybersecurity companies. Mr. Lee also
01:16:50 talked about the uses of data, both for our cyber defenses, but also in the artificial
01:16:56 intelligence. And just a quick stat, we leverage AI across our systems and capabilities, and
01:17:02 we are able to detect 2.3 million unique attacks that weren't there the day before. This is
01:17:09 a process of continuous discovery, and we're able to leverage our security data and those
01:17:15 AI tools to block 11.3 billion attacks per day. And that's just one player, one company
01:17:22 in the cyber ecosystem. So, the utility of this data, I think, is proven, and that's
01:17:27 where sort of the flexibility of something like the permissible purposes in APRA are
01:17:32 critical to securing everybody's data. Great, great. Mr. Gervais? Thanks for the question,
01:17:38 Senator. I think, you know, and we've said publicly that APRA includes some of the necessary
01:17:43 pillars of sound privacy legislation. I won't list all of them, but I think it is germane
01:17:48 to today's conversation, strong data minimization principles, online civil rights protections,
01:17:54 privacy rights for users to be able to view, correct, and opt out, delete their data, stop
01:17:59 at sale or transfer. These are essential elements of data protection and consumer protection.
01:18:04 And so, we are heartened to see this credible proposal reemerge. In terms of constructive
01:18:09 areas to focus on, I think one of the areas of concern for us has been the scope of FCC
01:18:15 preemption in APRA. We've seen with the recent announcement from the FCC finding wireless
01:18:21 carriers and the depth of their expertise and ability to act to be a cop on the beat
01:18:28 with respect to ISP privacy, Internet Service Provider privacy. I think that's essential.
01:18:35 And so, we would focus on this issue not to have overbroad preemption of the FCC's ability
01:18:40 to exercise longstanding expertise in their domain on privacy.
01:18:44 Interesting. Thank you. Mr. Parker?
01:18:47 Just to speak to urgency from a policy perspective versus cybersecurity, three years ago there
01:18:52 was one state that had their data privacy law and now there's 19. So, I think there's
01:18:57 definitely a window of opportunity to have a federal standard. Many of those states that
01:19:01 have acted since then have very similar frameworks. But there is a potential, if they're different
01:19:07 enough that a 50-state patchwork of laws can harm the economy. So, it's important to consider
01:19:12 acting soon. That said, we're still looking at the proposal and gathering input from members,
01:19:17 but definitely applaud Chair Cantwell and Chair Rogers for working to get to this place.
01:19:23 And I would say that there's significant improvements over what we saw two years ago. In one example,
01:19:29 in particular, we're pleased with the data minimization permissible use purposes related
01:19:33 to cybersecurity and physical security, which we think are very well defined and well crafted.
01:19:40 But there's some other issues and questions mainly I think that need to be addressed,
01:19:43 you know, in moving forward. I mentioned earlier how important it is to have strong preemption.
01:19:48 We're definitely getting questions from members about whether what's in the proposal now is
01:19:52 adequate enough to be truly the national standard that it's intended to be. So, I think that
01:19:58 needs a clear, you know, a clear answer. And there's a few other kind of more detailed
01:20:06 issues in the bill, but we're definitely still looking at it and providing input.
01:20:09 Okay, we'll keep those cards and letters coming, as they say on TV. I guess they used to say
01:20:15 on TV. Appreciate all those comments about APRA. I think I have a great sense of urgency
01:20:23 on it, and I think that this is a wonderful time to work on something like data privacy
01:20:29 on a bipartisan basis right before a big election, but this should not be a partisan issue. And
01:20:34 I think we've seen a lot of bipartisan participation so far, but I'm hopeful that the people you
01:20:42 all represent will continue to push with a sense of urgency this year to get this done.
01:20:48 I think it's doable. I think we're done here for today, but thank you all for your effort.
01:20:56 Members can submit additional questions for the record until May 22nd. We thank you in
01:21:02 advance for taking the time and the chance to answer those and provide responses hopefully
01:21:10 by June 5th. And with that, I will adjourn.
01:21:14 [Gavel]