Coverage of government. Taking you where the policies are debated and decided. All with the support of americas cable companies. Cspan, 45 years and counting. Powered by cable. Data security executives testified before a Senate Commerce subcommittee on protecting consumer data against unauthorized access. They offered recommendations such as stronger Authentication Methods and the establishment of a federal Privacy Protection standard. This is about 90 minutes. Welcome to the subcommittee on Consumer Protection and security. We will come to order. Senator blackburn is en route. Were at a Pivotal Moment in the age of technology that rely on amounts of consumer data. Artificial intelligence has got then lions share of publicity but thats nowhere near the limit. Businesses collect or process data ranging from personally identifiable information, name, address, likeness, as they say these days. Obviously Sensitive Data, browsing history. The threats to consumers data that Companies Face is complex and in almost every way, daunting. As Companies Collect more data, they become more attractive targets for data breaches. And by that, i mean criminal activity. Each breach costs Companies Nearly 4. 2 million per incident. Consumers shoulder the financial burden and reputational harm of each incident. As more consumers how many more consumers need to be victims before we take action in how much longer should we allow data to be sold on the dark web for profit . When will cyber criminals be stopped or deterred from preying on our data. This data reaches breaches hurt Small Businesses, large corporations and everything in between. In 2023 alone, there were 3,205 data breaches in the u. S. Thats what we know. 3,000 individuals who were severely impacted, 10 of publicly shared Companies Reported a data breach impacting in total 143 million individuals. These data breaches can have devastating effects nationwide wireless carriers breach exposed the data of 70 million customers. A large Health Insurer was recently widely reported saw their system grind to a halt which delayed Important Health care payments, exposed Critical Health data. This is why we need more protections for data. We need a Strong National standard that include data minimization and security. Establishes specific categories to turn off the spigot of data for the so that data that Companies Collect from consume, so companies arent just checking everything they can. We need to establish requirements for how companies safeguard the data they do collect so breaches are less common. We need to give consumers meaningful control over how their data is used and restore consumers confidence in the technology that powers our economy. I think states clearly are not waiting for the federal government to act. Already 16 states including colorado have passed their own state privacy laws. Other states are talking about it. Excuse me. There are lessons to be learned from state laws. Colorado has a temporary right to cure for businesses to comply or adapt to privacy requirements. The federal government has to step in and issue rules and apply enforcement. A consistent definition of key terms like Sensitive Data or to issue nationwide rules. The draft of the americas privacy rights act is an important bipartisan framework for us to build on. I commend members of the house in their efforts to bring this forward. We are committed to listening to all perspectives on data minimization and security. Minimization and security are obviously interconnected, interrelated. Together they represent the foundation of a strong data privacy framework upon which we can build. We have an opportunity right now and obligation right now to build meaningful, bipartisan consensus around these complex issues. Thats why i look forward to the hearing today and to our witnesses. Id like to welcome each of our witnesses who are joining us today. James lee, chief operating office from Identity Theft resource center. Dan kaplan, assistant general counsel of pala Alto Networks. And jake parker, senior director of Security Industry association. I now recognize our Ranking Member, our vice chair, senator blackburn, for her opening remarks. Mrs. Blackburn thank you, mr. Chairman. Welcome to each of you. Apologies for people kind of coming and going. We have a 2 30 vote that ended up getting called. But i am i know chair cantwell and Ranking Member cruz are on the floor right now but i am appreciative that chair cantwell has brought privacy back into focus. And crews are on the floor. Im appreciative that the chair has brought privacy back into focus. Ive worked for over a decade for congress to take action in this area. And when senator welch and i were on the house energy and commerce committee, we brought forward the Data Security and breach bill. It was the first of the bills and it was bipartisan. It would take steps to protect the security of data from businesses. It wouldve required consumer data breach notifications and allowed the state attorney general to hold Companies Accountable for violations of the law. That is where we were in 2012. And as we now know, this issue grows more and more urgent every single day. The need for the swift adoption of smart and effective data privacy and security legislation is pressing for several reasons. China and other bad actors are not slowing down. The fbi director was before us at a Judiciary Committee meeting and he said something significant. He said if you are an american adult, its more likely than not that china has stolen your personal data. He also said chinas fast Hacking Program is the Worlds Largest and theyve stolen more americans personal and business data then any other country combined. We need to be paying attention to this. China seeks to become the world leader in Artificial Intelligence. Consumers have valid questions about how their data is going to be used to train these large language models. I hope today that we will discuss why we need federal privacy and security legislation to combat these threats. Second, congress has passed the point where he risk giving up our authority to states and other countries. State governments are quickly enacting privacy laws creating a patchwork of regulatory headaches for businesses. 15 such laws exist, including tennessee and colorado. The europeans have beaten us to the punch. Several years ago they did gdpr. They are using it as the foundation for regulating ai. Yet we can use the eu as a cautionary tale about the need to make a regulation smart and effective. I visited there last year and i heard stories from one of their Data Protection authorities about how they have been asked to resolve disputes over Bank Accounts after a couple divorced or how to resolve a dispute between neighbors about the location of an antenna. So lets not make these same mistakes and not overreach. We know the europeans have a heavier handed approach, which makes it more imperative that we act in a thoughtful manner. More without congressional action, the ftc will proceed ahead with their commercial surveillance and Data Security rulemaking, which it launched in 2022 without congressional authority. Congress should be setting these rules, not elected bureaucrat. Finally, while this hearing will feature much discussion on concepts like data minimization and other practices, we must not forget about the Cyber Security threats posed by new and emerging technologies. One area of great interest to tennessee is quantum technologies. Through methods like harvest now and decrypt later, once bad actors steel encrypted data today, nothing can stop them from decrypting it tomorrow. That is why this committee must with quickly to examine this and reauthorize the National Quantum initiative act. I would love to work on this with our chairwoman and the team here. Tennessee is a leader in financial nfh and in technologies like quantum computing. And the Oak Ridge National lab is at the forefront of basic and Applied Science research. When i speak with people in the state they ask how we can best tackle privacy and Data Security issues while also continuing to allow innovation. This committee must be thoughtful in our approach but mindful of the realities the congressional calendar imposes. I look forward to our discussion today and i appreciate the testimony from each of you. Now, we will hear opening remarks from each of our witnesses. The term witness gives a false sense of insecurity, perhaps these days. We will start with tran nine. Thank you, mr. Chairman. Im james leave and the chief operating officer of the Identity Theft just so Everybody Knows the core of our business is to provide ice assistance to those who are victims of identity crimes and we do research and analysis on trends that we make available to the public and private sector. A lot has happened since we were in this room and 2021 to talk about this subject. Weve seen bad actors shift their focus and weve seen them accelerate innovation attempts. We may be at the beginning of what is the golden age of identity crime. Its fueled by stolen personal data, made effective and efficient by ai with individuals and many businesses helpless to defend themselves. Why do i say that . We give you a scope of the problem. Data breaches are the fuel for identity crimes. And a fair portion of Cyber Attacks thanks to stolen log ins and passwords. The total number of data compromises with 3205. It impacted 353 Million People because some people were hit more than once. That is a 78 increase from the year before. Its a 72 increase from the previous high which happened the last time we had this hearing. From a financial standpoint, more than two thirds of the people who contact the itrc are losing more than 500. Within that subset 30 of them are losing more than 10,000 and we routinely hear from people losings six and seven figures. The most troubling trend is people that decided that their only way out is selfharm. 60 of people who contacted us that they contemplated taking their own life. For decades before that, that number was never higher than 2 to 4 . Now 16 and we do not see it slowing down. We now hear routinely from families who are still being attacked by the identity criminals who try to keep the scam going. We do not advocate one where the other for legislation, but we provide information. We are still the same place we were the last time. The best way to help victims is to prevent victimization in the first place. An important part of preventing that is three uniform minimum standards for Data Protection. And technical and nontechnical standards are essential in a world driven by software and data. Compliance with comprehensive but not necessarily prescriptive minimum standards can reduce the risk of exploitation and they are more than just metrics. They are practices like data minimization, which is a concept predicated on a simple truth. If you dont have the data, you cannot lose it. And if it is secure, it cannot be misused until we get to quantum computing. Routine Risk Assessments help ensure Information Systems are secure in a manner equal to the risk. That is important. Equal to the risk that an organization faces. You have privacy by design and security by default. And have all the tools needed to keep private he privacy and security at the forefront of their culture and every stage of a products life. To be effective in reducing identity crimes, uniform standards need strong enforcement and defenders must measure progress and constantly adjust to the new task and you do that through audits. There also strong Enforcement Actions when it comes to data breach notices were increasingly ineffective. Even if he noticed his issue. The first three months of this year 32 32 of data breach notices had some information about what caused the date of breach. Reverse that number and it tells you how many did not include information about what happened. That number was 100 of data breach notices until the Fourth Quarter of 2021. The average number of new data breach notices in the u. S. Is nine per day. In the eu, 335 every day. We are missing notices. Let me leave you with a final thought. If we adopt data minimization, and if we give consumers more access and control, its a vital part of Data Protection. They can significantly reduce the amount of personal information at risk of a data breach and misuse by criminals. Personal information used responsibly is important for proving a person is who they claim to be from opening a bank account to applying for government benefit. But they prevent someone from becoming a victim of Identity Fraud because of stolen personal information. Restricting the use is part of consumer control or data minimization could have the unintended effect of aiding identity criminals and negatively impacting communities that are disproportionately affected by identity crisis. Thank you for your time and i look forward to your questions. Mr. Kaplan, the assistant general counsel at Palo Alto Networks and has spent a considerable amount of time in colorado. Thank you, senator. Thank you for the opportunity to testify on how Cyber Security is a critical and foundational element of Data Security and Consumer Protection. My name is sam kaplan and im the assistant general counsel for Public Policy and Public Affairs at Palo Alto Networks. I spent the bulk of my career working at the intersection of National Security, data privacy, and i was proud to serve a number of positions across the federal government to include the dhs chief privacy officer. And at the u. S. Department of justice. We were founded in 2005 and has since become the leading Cyber Security company. This means that we have a deep and broad disability into the cyber landscape. We are committed to being a cyber citizen and a trusted partner of the federal government. It does no question that they cause disruptions to our regular lives like healthcare or Emergency Services to compromises of americans Sensitive Data. With that backdrop, Palo Alto Network strongly believes that deploying cuttingedge Cyber Security defenses is a necessary enabler of Data Security and privacy. The bottom line, effective Data Security and data privacy requires cutting edge Cyber Security protections. Organizations should be encouraged to protect data by implementing robust data and Network Security practices that can both prevent incidences and events from happening in the first place and mitigate the impact should an incident occur. To stay ahead of the evolving Threat Landscape, professionals regularly leverage security data, which is the network telemetry. The ones in the zeros. The malware analysis. The ip address. We must ingest and analyze in real time to optimize cyber defenses. To that end, we are heartened to see Cyber Security generally included in frameworks that Companies Like ours can use to collect, process, retain, and transfer security due to two in turn better protect those systems and data from compromise. Todays landscape requires that approach and everyones personal privacy will benefit from that framing. To that end, panel alters networks focus on the following actions to bolster their Cyber Resilience and increase their Data Security posture. First, leverage the posture of a. I. And automation. For too long, cyber defenders have been inundated with alerts to triage manually, which can lead to data breaches. A. I. Can help flip this paradigm. Second, ensure complete and identify and mitigate vulnerabilities before they can be exploited. Third, implement a zerotrust architecture to prevent and limit an attacker from moving laterally across the network. Fourth, promote, and secure a. I. By design, and assist with a. I. Usage, commit policy controls, and ensuring applications are built with Artificial Intelligence. Fifth, protect Cloud Infrastructure and applications. As Cloud Adoption accelerates, Cloud Security cannot be an afterthought. Sixth, maintain a Response Plan to prepare for and respond to cyber incidents. Artemi pill Alto Networks is dedicated to securing our way of life. We enthusiastically participate in a number of forums and share our Situational Awareness and understanding of the Threat Landscape with those key partners. Our collaboration reinforces that cybersecurity is truly a team sport. Thank you again for the opportunity to testify and how Cyber Security is a foundational requirement of data privacy and i look forward to your questions. Thank you, mr. Kaplan. I will now introduce tram trivedi. Ranking member blackburn, members of the committee, thank you very much for the opportunity to speak today. I am tram trivedi. A nonprofit and Nonpartisan Organization dedicated to realizing the promise of america in an era of rapid technological and social change. Since 2090 open Technology Institute has worked to ensure every committee has an access. We have long emphasized the need for strong federal standards in privacy and Data Security while retaining sufficient innovation. That takes me to my point. Data security and privacy are two sides of the same coin. Strong safeguards are vital to protecting consumers. And data minimization as you mentioned in your marks a powerful principle that requires collecting, using, sharing, and retaining only the data necessary to provide a service or product. And safeguards are urgently needed in this era of a. I. , training many a. I. Models which requires using huge data sets. As companys race to acquire more data, the pressures to adequately protect and keep increasing so a baseline standard on Data Security is essential to ethically and essentially regulating a. I. Development. And i will add cybersecurity practitioners also recognize benefits go beyond Consumer Privacy because it can reduce threats posed by breaches and other security incidents. In short, companies cannot misuse data that they have in hackers cannot steal data that companies dont have. My next point is that Research Shows that americans want strong Data Security and migrations. And americans know that all my Data Collection and tracking of their activities is pervasive. That is probably why 75 of americans lack confidence that a government will hold a Company Accountable if they misuse their data and all this concern about Data Security and privacy is negatively impacting Consumer Trust in a. I. And in leading a. I. Companies, many of which are u. S. Companies, small and large. The good news is that more than two thirds of republicans and democrats secure more legislation of companies and we are heartened to see the recent reemergence of an incredible Bipartisan Legislation for the privacy rights act. The next point i like to make is that a strong federal data regime would approach on notice and consent along. We know it would take people hundreds of hours to read all the privacy policies that they encounter in just a year and most americans even most Privacy Professionals sponsor this unfair burden by clicking on agree without reviewing those policies. This is that meaningful notice and it is not meaningful consent and is not clear that most is achievable in most of our online activities. Data minimization is important because it shifts the responsibility to use only what the Companies Need to provide products and services. And i want to point out this is far from a new concept in law or Corporate Risk playbooks. So i think we can get the benefits without overburdening smaller companies. And the last main point i would like to make is that a broad set of best practices in Data Security should become baseline safeguards across all sectors of our economy and heres a short list of those best practices. First as i have emphasized so far, collect, use, and retain only data that is relevant. Second, whenever possible, use encryption to properly store and access data. Third, placed on consoles so that only people who should be able to access data can access that data. Fourth, you strong method for authentication including multifactor authentication. Fifth, further study and standardized uses of technologies. And six, routinely assess and mitigate against data vulnerabilities. Something you have heard from other witnesses as well. There is no such thing as common Data Security but these should be in federal law if applied flexibly enough to account for Different Company sizes and technical capacity. In conclusion, Data Protection is Consumer Protection, and we need a National Legislative framework that incentivizes responsible data stewardship. Continued u. S. Leadership on a. I. Requires congress to address the Consumer Trust gap. And we appreciate the committees bipartisan leadership on Data Security and privacy. Thank you again for the opportunity to testify before the subcommittee. I look forward to your questions. Thank you very much. We now go to mr. Parker. You are the senior director of securities. Thank you for being here. Good afternoon. Thank you for the opportunity to participate in todays hearing. Security industries association. A nonprofit trade association representing more than 1500 companies to provide products for protecting lives, property, schools, and Critical Infrastructure throughout the nation. Data security is essential to the operation of Security Systems and services in our members are committed to protecting personal data whether it is consumer or operational data. Practices like data minimization and security by design enhance many types of these products. For example, when it comes to Access Control of video systems, features like data encryption which we talked about here, permissions based access, decentralized data storage, device processing, and data deletion schedules also to limit the availability of data from potential use and limit the usefulness of data if it is compromised. Another example that our members provide is the multifactor authentication and proofing services that are becoming essential to prevent Identity Theft and fraud as attackers become more sophisticated. These are provided by our industry, especially biometrics. They are providing higher assurance identification. It is not far more vulnerable by exploitation from identity hackers. There are increasing threats that must be addressed. Beyond technical standards, product features, best practices, and security tools, having the right public qualities in place will also address data privacy and security. There is a key role for those. Colorado, texas, tennessee, and by my count by the end of this month, there will be a total of 19 states with active Data Security and privacy laws that account for almost half the population. However, having a uniform National Standard could provide more benefits while further enhancing Data Security. A National Standard is something our members apart. Here in Congress Regarding the development of such a standard we are encouraged by the progress. And it is essential that data can continue to be utilized as needed for safety and security purposes. For example, our members are often the first to raise the alarm in emergencies. Data helps Law Enforcement another responders get to where they need to be as quickly as possible. And as i also mentioned earlier, there are many technologies used for authentication that will be essential to accomplishing the goals of the draft proposal that we are looking at in section 9 as mentioned earlier. So having a uniformed and workable National Standard requires strong state and local preemption to avoid glaring additional requirements. This is really important to our industry. It also needs to limit risks of lawsuits which we certainly are seeing in some jurisdictions over privacy matters. And we need to make sure you accomplish those two objectives and what we put forward. So i appreciate you holding us here with your leadership and putting a spotlight on Data Security. Now as an organization, we are doing what we can to our data Advisory Board for Data Security and our industry as i outlined in my written statement. Again, thank you for the opportunity to participate in my members look forward to working with you on these issues. Rate. Thank you all. I realize how busy you all are. Some sacrifice. You have shared your data with us. Let me start off with you. Lincoln famously said with public sentiment nothing can fail but nothing can succeed. Period states have established their own laws. It is soon to be 19 states that have passed their laws. And this is all about what types of data businesses can collect and how consumers should be notified. Consumers can be better protected. I think businesses can more freely compete when there are clear and consistent rules, especially for Small Businesses this is essentially important. So how do you believe a National Standard for data minimization ultimately benefits customers and their privacy . Have you thought about how they get the word out to them . How do we get that sentiment behind us . Thank you so much for that question chairman hickenlooper. People know that their data represents the most vulnerable portions of their lives. Would set uniform expectations for all companies which is something they have been clamoring for as well. And the kind of clarity in the Regulatory Environment is sorely needed because the u. S. Just of my regime for data privacy and security is fragmented in ways that make consumers more vulnerable and then require companies, and perfectly burdensome for smaller companies, to develop complicated responses to state patch works in the absence of clear National Rules on the road. I would also add to your question about Small Business in particular many of these Small Businesses do not want to bes who bring out as much data as possible to run their Small Business. But because there are not strong flexible standards they may feel there is a disadvantage if they are not collecting as much data as possible. That puts consumers at risks and also companies at risk progressively data minimization approach that is common on the federal level help these companies do what they want to do which is be responsible data stewards. I agree and certainly hope you are right. A. I. Has created a fascination with the value of all data and there seems to be a little bit of a race. Minimization is not appearing as frequently as it had been since a. I. Has gotten more and more currency. Mr. Kaplan, on a bipartisan basis, Congress Passed the Cyber Reporting for infrastructure critical act to require Critical Infrastructure operators to quickly report cyber instances so we can understand the Threat Landscape as it changes. The ftc has also investigated changes that were unfair or deceptive in their Data Security practices after the consumer data was exposed. Gathering and sharing information about specific ongoing attacks as well as the broader Industry Trends helps us establish defenses and prevent future incidents. Especially obviously data breaches across sectors. So in your experience, mr. Kaplan, which vulnerabilities do you think are most important to address in order to prevent criminals from accessing consumer data . Thank you, senator. That is a very great question. So in our experience and conveniently every year Palo Alto Networks publishes a response report which provides an aggregate date summary of the key trends we have seen and how adversaries are looking to break into systems across the country. And in this past year, we found that internet spacing Software Vulnerabilities actually surpassed phising attacks as the primary attacks to take place. These are essentially opened doors available in public websites that have not been patched to updates and software and systems. As a result, the adversaries are able to leverage these with relative ease to gain entrance into these systems. In that vein, all vulnerability should be taken seriously, but the one vulnerability we have noticed that is particularly troublesome is called a Remote Desktop vulnerable or a rdv vulnerability. This can put a mission of privilege into a victims system to quicker infiltrate data. These rdv vulnerabilities will unlock the keys to the kingdom so they are of concern to our company. It is critical that we make it as difficult as possible through layered defenses and some of the best practices i have identified in my Opening Statement with regard to zero trust architecture to prevent attackers from moving laterally across the system and to close those open doors and have better understanding and visibility into your relative attack surface. And we will get back to some of that. That danger of anything like this is we do call attention to these open doors. But it increases your commercial activity. I will turn it over to my vice chair, senator blackburn, for some questions. And thank you all so much for your testimony. And i appreciate getting your perspective on this. I want to start with gdp are. I mentioned that in my opening remarks. Let me ask you, are each of you involved in some way in the eu . Are your companys involved in some way in the eu . Okay. You are trying to decide if you are or not. As we look at this and as i mentioned our friends in the eu know that they went a little bit too far but Companies Already have these particles in place to meet the gdpr standard. So as you look at what they have done in the eu and canada has a lot in new zealand has a law and australia has a law all protecting their citizens in the virtual space mr. Lee, start with you and just go down the line. What should be the lessons that we learned and what should we take away from the gdpr experience . Just very quickly so i can get to my questions. The things they got right deal with some of the more technical aspects. Making sure that you are having the programs that you need in place. And that they meet the risk you are facing. So it is not a prescriptive necessary standard, but you have to assess and report. And when there is a data breach, you have to report that to the Data Authority for that country. So their assessment reporting mechanisms. Usa they got it right. Mr. Kaplan . Thank you, senator. That is a great question. I would say from a macro level the things they got right are sort of a uniform standard. Regulatory complexity across multiple markets. It just increases cost and from the Cyber Security perspective, the resources that are dedicated to responding to incidents should be operationally responding to incidents rather than looking at regulatory i was going to say we need one set of rules for the entire internet ecosystem with one regulator. Predictability and lessening regulatory complexity. That is one of the things. Isnt it, mr. Trivedi . I think the first lesson is something highlighted which is moving swiftly to establish that uniform standard. I think that is something we should emulate. I think it is fair to say that gdpr is not Strong Enough towards data minimization. I think the United States could do it better. I think that gdpr gives too much preference to decide what minimization means and while we should have sort of a reasonableness and flexibility and a strong flexible approach i think there is an opportunity for an american approach that is different and works for us. Okay. Mr. Parker . The instances on reasonableness and consent are similar to what a lot of states have done already. They are a little bit different than what the proposal we are talking about now at the federal level is. But just based on some feedback from members, there has definitely been an issue with conflicting interpretations over time from the national Data Protection authorities within the eu that is causing problems for businesses or doing work across the eu in different jurisdictions. But also there is the potential is of any relevance for us that there is overlap between the a. I. Act in the gdpr. And sometimes they may get resolved in one way or another and cause confusion. And Digital Marketing and Digital Services and some of the other overlap there. I want to go to the data minimization issue. And, again, just down the line, mr. Lee, starting with you, what is your opinion of data minimization as a security principal in this debate . I think it has to be enter cool. If we are going to reduce identity crimes and have your crimes, we have to reduce the supply of data that can be abused by individuals if it is stolen or even if its just accidentally exposed. If you dont have it, you cannot expose it. Okay. As you said, data breaches are the fuel. Mr. Kaplan . Senator, from a macro perspective, i think data minimization is an increasingly useful principle, especially in lessening the attack surface for those companies that are doing business with consumer focused data. To that end, we think there is legitimate and broad not broad but targeted purposes like protecting the information can be critical. But minimization can be an important role. So you would segment it . Rx. Mr. Trivedi . I would say data minimization is a central part for the reason other witnesses have highlighted. Like when youre intentional about collecting only what you need. You cannot trade or hack there in the first place. All right. Mr. Parker . I would say there is a difference between operational principle and policy principle. Certainly from an operational standpoint, it definitely plays a big role in Data Security. And policy, there is a big difference in having a set number of purposes for collecting and processing data. It certainly could work. I know there are questions up there about future proofing this. Will it be too narrow . Will it cover what it does now . Those are all good questions but certainly an interesting approach. Okay. I have got another question i want to ask. Ask your question. I do. I wanted to talk about china. Because we just enacted legislation for bytedance to divest from tiktok. And the Data Security threat from china is broader than just tiktok. And a more holistic approach rather than playing whack a mole is that the problem goes beyond apps. And we know that china issues drones and potentially routers to spy on americans. So how should congress approach the broader Data Security threat from china . And what do you see as a good policy solution . To this . Mr. Lee . I am just a humble victim and advocate. But we do have to recognize that nationstates, maybe not for the same reason as professional criminals, they want the information and it is important that it is protected from whomever wants to misuse it for whatever reason they want to misuse it. China is certainly a nationstate that has great capabilities. We know that they have a lot of data about individuals for intel purposes. We have to assume there are other countries, friends and foes, that do the same. And approach for Data Protection needs to be universal in its approach to whomever is acquiring the information. Mr. Kaplan . Yeah. The threat from china is something we are tracking every day on a regular basis. Both the threat with explicating information to china but other belying nationstates looking to leverage data within the United States. As a cybersecurity company, we are focused on the networks and Information Systems upon which that data relies. So broader policy sort of questions about how to deal more holistically with the problem may be outside of our purview. To that end, we would encourage strong cyber protections and encourage information sharing with the federal government like we enjoy and wrigley partner with. I thank you for the question. Youre partly highlighting the ways in which Data Security and Data Protection have a National Security dimension. We have been talking to Consumer Protection which is vital. We have been talking about Consumer Privacy. But this is not all happening within our own borders. There are a number of nations in competition with one anothers data. The right policy approach at the top of the list should be establishing a federal Data Security and Privacy Protection standard. Right . I think that is essential because it does all the things we have talked about. Yes. And certainly what is mentioned is establishing that standard in the federal privacy framework that we are talking about. You can go a long way to doing that. Certainly internetconnected devices are a target for exploitation by nationstate actors. Implementing, you know, certain encryption protocols. It is pretty important. Protecting those specific kind of devices. And on a side note, there has been a large shift away from manufacturers in china and sourcing equipment there that could possibly have vulnerabilities. I would say in the commercial sector has been a nearcomplete move away from those sources. Right. Thank you. Senator walsh . Thank you very much. Senator blackburn, it is always fun to see you continuing this work that you began when youre in the house. And it has only gotten more complicated. Let me ask you a few questions. About privacy for individuals. And then cybersecurity, which is essential for everyone. As you know, about 72 of americans believe there should be more regulation over what companies do with peoples data. 67 report little to no understanding of how Companies Use their data. And 73 report they believe they have little to no control over what companies do. So there is a question about my data, citizens data, and what companies do, and there is the question about hacking into systems. And Companies Tech companies have a high self interest in doing Everything Possible to protect against hacking because it hurts them and their customers. I mean, where is the difference in responsibility for protecting the system from being hacked . And i hear you saying there should be a National Standard, and that National Standard, what does that mean for Small Businesses that do not have the financial where to bear that burden . And how would those recommended protections how could they be integrated affordably, organically into systems that a small mom and pop business might deploy . And i guess i would start with you, mr. Lee. Thank you, senator. I guess let me work backwards. Particularly for Small Businesses, this concept of the Risk Assessment is very important. They have to do it themselves . Yes. Because that is where they understand where the risk is. You have to do x but you have no risk of that happening, theres no incentive. That is a time of their energy and money. But if you understand exactly what risks you are doing in your unique business based on the information you have from your customers, then you are meeting that risk as it is today and monitoring it to see what you have to do moving forward. Lets say a small record producer in nashville is a new startup. I mean, for that person and business to be talking to customers about what they need and then being able to make the decisions to deploy that requires a level of sophistication that may not be the level of sophistication required to be a good record producer. I mean, a Small Law Firm, lets say. I was in a Small Law Firm for lawyers. We started small. We do not have the demands and capacity to do what the major law street firms do. So what you are describing seems out of reach to me for the millions of Small Businesses we have. It seems that they should be just available. Baked into what you by. That is actually the foundational step. It is the one size fits all approach which we have taken here before that has burdened Small Businesses but when you take a tailored approach that is specific to their business and specific to their data, then you dont have to do things that you which but the expense associated with that . It depends on which tool youre using. And me a ballpark. I mean, i am right about the Small Businesses having to deal with these massive impacts on their smallbusiness. We have got representatives of the Worlds Largest cybersecurity organization. But there are small momandpop Management Services providers. That is what they do. There are hundreds of them even in the national area. Mr. Parker, thanks. You mentioned future proofing, which makes a lot of sense to me. But one of the things i have found frustrating as a member of the house and now in the senate is we cannot keep up with all the changes and all the methodologies by which there is hacking. Tonight, even those who are far more expert in congress on technology issues, senator bennet and i think that the time has come where we actually need an agency, a digital commission, much like say the ftc or fcc, that is properly staffed and properly resourced and has the capacity to keep up because if it is a oneoff bill dealing with problem a or problem b, it is a very cumbersome and difficult process to get it all done in a timely way through congress. Do you have any wisdom on having such an entity that would have this ongoing challenge protecting privacy . And considering other issues related . That is a great question. I apologize. I dont have a great answer. But i know that obviously the state of california has done Something Like that. Having a privacy agency. So i know the issues discussed here, there is probably the opinion that we have existing agencies that are playing that role. But i know what youre saying. Well, mr. Trivedi, you mentioned this should be a National Standard. Right . Yes. Yes. It makes sense to me. Who determines what that National Standard is . I think that legislation would emerge from a number of stakeholders working together but i would emphasize it should be both strong and flexible to your point about how smaller businesses are able to comply. Cannot have a small record store collecting potentially far left digital data. What what a National Standard look like . Strong and flexible makes a lot of sense to me. What youre saying i agree with. I agree with the practical way, a, to implement it, b, to change it. Sure. Thank you, senator. It is a very good question. I think there are some best practices i have listed out as near universal. Some can set about an implement practices so that employees who dont need certain data cant access it. They can engage in data minimization relative to their capacity. Think hard about what they really need and dont need percolation to keep it because it is also a risk to them. The legislation has to determine that. Unit asking individuals to determine that. Right . There should be a strong set of practices but also flexibility and how businesses of varying sizes comply with it but there should be some requirements that are common. You have a template of what you think congress should pass . We have seen some credible bipartisan proposals. There is a good discussion on the american privacy rights act. I think that is a very promising proposal on the table today. But in terms of templates for how specifically Small Businesses can operate, that is something we should get back you on. I yelled back. Thank you. Now we have senator klobuchar. Thank you very much, mr. Chair. Thank you to the witnesses. I will just start out by generally saying that we need a National Privacy law that creates rules and roads. I support the review of the discussion draft of the american privacy rights act. Is privately the consumer should have access and control over how their personal data is being hughes. Mr. Trivedi, do you believe consumer should have the ability to access their data and control how it is being used by companies . I do, senator. I think access and control rights are very important to consumers. Okay. Thank you. Mr. Lee, and im having trouble hearing. I will just try my best here. Mr. Lee, we also need to educate americans on how to identify and react to cyber threats. We know there are phishing schemes going on. Senator kuhn and i have been introducing the american cybersecurity literacy act to educate the public on Cyber Security risks by requiring a cybersecurity campaign. Can you talk about the importance of educating americans on how to identify and avoid Cyber Security threats . Well, education is the key to so many Different Things and in this case it is a part and parcel of keeping people safe. One of the things we learned from talking to victims every day is, they are very curious about how to make sure it does not happen to them again. So having a comprehensive approach that is led by the federal government would be very helpful because we overall identity crimes do not support anyway because people think of them as victimless crimes. And trying to avoid that crime is even more difficult so education is going to be a key part of making sure that we are keeping people safe in this increasingly dangerous cyber world. Agreed. Mr. Kaplan, in just the past five months, we have seen significant Data Security breaches. Obviously, United Health group, at t, microsoft, because these Companies Maintain large amount of data on huge swaths of the population, it can often affect tens of millions of people. And your testimony, you noted that Large Companies have twice the number of systems exposed on the internet than what they were monitoring. What complications for tech and consumer data arise from simply holding such vast amounts . Thank you for that question, senator. Yeah. Holding that vast amount of data just increases sort of your attack surface and your vulnerability and that you a more likely target of sort of the malign threat actors and nationstates looking to divide and exploit and pull out that data to make strategic use of it. With regards of the attack surface, this was one of the basic cyber principles that we also talked about. It is understanding what your internetexposed attack surface looks like. Understanding how many of the portals into your system are opened to the public internet and having visibility into existing vulnerabilities, mis configurations, you know, not updated pieces of equipment or software exposed to the open internet that just give those maligned actors entrie into the system. So having visibility into the ecosystem and what the attack surface looks like to the attacker we think is a critical, critical piece on securing your infrastructure. That interest in knowing where your data is is only critical element of maintaining. You also noted in your testimony that United Healthcare change data breach is likely to be the largest supply chain breach, mr. Lee. The largest supplychain attack in history because of how Many Organizations depend on change to process insurance payments. When an entire industry relies on only one or two digital supplychain providers, which hold and process huge amounts of data, how does that affect the impact of such a cyber attack . For a cyber criminal, it is a nirvana if you can find a supplychain. Rather than have to attack a series of Companies One at a time. If you can find that one organization that has weak cybersecurity from all of the companies that they support, you are going to get massive amounts of data. We have seen a 2600 increase in the number of organization hits by supplychain attacks. You may have 100 companies attacked last year, but you had 2600 companies that were impacted by it. Their data was exposed. So for a criminal, these things are incredibly profitable. And at the whole topic of this conversation is how can we bring these other organizations up to speed so you do not have that risk of vendors to the larger organization. Yeah. I mean, we have been helping dozens and dozens of hospitals and pharmacies and other Healthcare Providers in our state to remain whole and be able to function since this data breach, and clearly work has to be done here. You cannot have all this data in one place. And then they do not have backup systems. Would that be one of your suggestions . What would be your suggestion to protect this data . And this will be my last question. From a Data Collection standpoint, there is a lot to that. Only one part of which will be backups. You know . There are just so many parts of the healthcare supplychain. It has been the industry that is the most attack for the last six years running because there are so many different parts of it and so many different members from momandpop organizations all the way up to United Healthcare. So while there are key things that need to be done, a big part of it is just making sure that everybody in that supply chain is aware that they are a target. They are at risk. And they must act accordingly. Exactly. Thank you very much. Thanks, everyone. I appreciate it. I have still got some questions. There may be one or two people on their way here so i will indulge myself. Mr. Parker, i dont want to get you in trouble with any of our members in any way, but, you know, the requirements for reporting a breach, whether it is ransomware or phishing , or whatever it is, really the penalties, unless they pay the ransom, the penalties dont seem to be significant. Does there seem to be some sort of incentive or some way to reward some of the smaller breaches that are happening more frequently that dont get the attention and get our, as i am sure you are aware, costing us tens of hundreds of millions of dollars in the country. I mean, within the framework of your membership, how do we get everyone eager to make sure that they report each incident . Yeah. That is a great question. I think every state has a law. Breach notification is different in some ways. Some have a private right of action applied to them. They have some of those requirements as well but there is not just a heavyhanded. It is fairly light. I know for the other witnesses, they may have a better idea here, but it is certainly something that should be a priority for the enforcers of these roles. There needs to be some incentives of moving peoples anybody want to comment on that . I dont feel the obligation because i have got more questions. Oh, i have got comments. To your point, it took from 2003 to 2018s to get all states and the district of columbia to have it. They all have different triggers of what constitutes a breach. They are different requirements of what is in a breach notice. And in every notice, it is the ordination that has lost control of the data that gets to decide if there is a notice. Oregon will allow a consultation with Law Enforcement but other than that the Organization Makes the determination. Where you live determines how much information you have, if you have any information, and what resources are made available to you. So when we talk about National Standards, that is when we mentioned that data breach organizations have to be part of that because they are data breaches for the individuals and to make sure that they do not have repeat occurrences. Absolutely. Anyone house . You all referred to in at one point or another. I dont know whether or not there is a certain amount of irony, but the swiftness or response would you all agree that the swiftness needs to be a goal . Something that we should find ways both within government but within the Business Community of accelerating responses and making sure that swiftness becomes an important factor. We will start with mr. Parker. Just for a change in direction. I absolutely agree with that. I think both on cybersecurity and the Incident Response side, swiftness is essential. Could you say that louder when you say that . I am just kidding. We want it to fill the room. Senator . Swiftness when responding to a cyber incident is critically important. One of the things we have seen from Palo Alto Networks the average Response Time for companies as recently as 2021 was 44 days that it would take to address a cyber incident when it occurred. And it was 44 days until they started seeing Data Exfiltration from those attackers. We have seen that exfiltration timeline decreased to just days and hours. If you take that in context with the average time that it takes for a company to respond and mitigate it, that is six days. If they are starting to exfiltration in just one day, a handful of hours, swiftness is critical. I agree. Right. Thank you. Can i have one more question. Thank you, mr. Chairman, and thank you all for being here today. So with the commerce business, a lot of work takes place online and there is a large volume of Sensitive Data that goes into those interactions. In many ways, data has become the lifeblood of the digital economy. So i know this firsthand in the Small Business end. They have run Digital Advertising campaigns myself. I also know that the majority of businesses taking a security extremely seriously. Burdening customers with what they feel are overly sensitive identification are ways to create trust. Mr. Parker, you mentioned how important the uniform standards and laws are to the Security Association members. Is there an example you can share with conflicting laws where states have reduced Business Opportunities for any Member Companies . Sure. Absolutely. So a prime example of this is the l i biometric data privacy lot known as bipa, which was formulated more than 15 years ago when that technology was in its infancy. The way it was structured and the task in the environment where there is tremendous litigation risk in fielding technology, even if they are deemed to be compliant and as a result there is a number of our Member Companies who did not actually offer their products to companies in illinois anymore because of what has happened to that. Any particular incidents that you recall . Within biometrics, there have been different types of objects but just to give you an idea, 88 of the lawsuit law have been on regarding biometric time clocks. A way to authenticate your identity for punching in and out of work. No allegations and harm actually occurred to anyone. There was a misstep in collecting consent that was found and that was based on classaction lawsuits. Things like that. And some product certainly in the security area, there are rules but in other cases, you know, some people are like forget it. We will not even bother. Yeah. The savings from those systems, i would know firsthand. They make them more competitive. To make the employees more. They hire more employees. Mr. Parker, can you speak to how uniform National Requirements and legal liabilities would protect personal data . Yes. So i think having a National Standard, you know, that fully preempts state and local law would definitely save a compliance cost but it would also be better, you know, for the Global Competitiveness of our company if they could align with what they are doing, you know, with other parts of the world as well versus having people track what is going on in the individual states. So there is definitely a tremendous advantage to having a National Framework and standard. Thank you. You mentioned implementing resources like how to counter a. I. Threats to physical Security Products just as an example. Are your member seen criminals use a. I. In anyways . I was just talking to some of our cybersecurity experts in the industry about this. One thing that is emerging is the ability to detect when video has been altered. So a security video is obviously very important to what we do. But you want to make sure that cannot be manipulative by bad actors for fraudulent purposes or maybe to further some other criminal activity. There is some material to make sure that data has to be stored has not been altered so that is one area. Thank you. Thanks the panel. I will be quick. A couple of you already commented on this. I just put in a fair amount of work our office put a fair amount of work on the american privacy rights act. It affects what we are talking about today. It is about security in addition to privacy. There is a connection there that is what is your feelings then we will go down the list on apra. Do you think we need to have a sense of urgency . A couple people referred to quantum computing as it comes down the pipe. Does not give a sense of urgency around these issues. I do think there should be a sense of urgency just because we dont even have to get to quantum. We can look at Artificial Intelligence. Just the efficiency and the depth and breath that is bringing to everything from creating malware to a phishing attacked. We are seeing more and more phishing attacks that are more basic better letter perfect that fully even professionals. They are so good. A couple years ago, bank of america was not spelled with b ank. You have got a deep fake video. You have voice cloning. You have risks that are primarily to businesses but individuals will be the vehicle to get to the business attacks are there is a sense of urgency. So on the privacy rights act, beware of the laws unintended consequences. As i talked about with data minimization, we need data and we need it for some very specific purposes because it is used for Identity Verification to prevent identity crime so in our zeal to protect consumers and give them access, we also have to be realistic that we need some data. Thank you. Mr. Kaplan . Senator, we are still evaluating apra. We do think there are some beneficial aspects. So there is a sense of urgency . I can hit that. What we have seen with regard to Artificial Intelligence for example is to echo what mr. Lee said. We have seen this leveraged to create really sophisticated spear phishing attacks. Senator blackburn brought up quantum threats right now. There is a campaign into harvest now into encrypt later were nation states are collecting encrypted data knowing this day is coming where they will be able to decrypt it so really hard in your system secure your systems now and secure your data now. One of the beneficial aspects of apra that we see are the strong permissible purposes. Mr. Lee also talked about the uses of data for our cyber defenses but also in the Artificial Intelligence. Just a quick stat. We leveraged a. I. Across our systems and capabilities and we are able to detect 3. 2 million unique attacks that were not there the day before. This is a process of continuous discovery, and we are able to leverage our security data on those a. I. Tolls to block 11. 3 billion attacks per day. And that is just one player or one company in the cyber ecosystem. So the utility of this system is proven and that reflects like the permissible purposes of apra are critical to securing everybodys data. Thank you for the questions, senator. And we said publicly that the apra include some of the necessary pillars of sound legislation. I will list all of them. Strong data minimization principles. Online civil rights protections. Privacy rights for users to be able to view, crack, and opt out and delete their data. These are essential elements. So we are heartened to see this incredible proposal reemerge. In terms of areas to focus on, i think one of the focuses has been the scope of fcc focus. We have seen a recent announcement from the fcc defining wireless carriers. The depths of their expertise and ability to act to be a cop on the beat with respect to isp privacy Internet Service provider privacy and i think that is essential. So we would focus on this issue. Their long standing expertise in the domain of privacy. Interesting. Mr. Parker . You know, three years ago, there was one state that had their data privacy law, and now there is 19, so i think there is a window of opportunity to have a federal standard. And those states that have enacted it with very similar frameworks, there is potential different enough to harm the economy. So, you know, it is important to consider acting soon. We are still looking at the proposal and gather info for members. So we definitely think l and rogers for working together. One example we are happy with the private security and physical security which are welldefined and well crafted. But there are some other issues in question that need to be addressed moving forward. Mentioned how important it is to have strong prevention. I got questions from members about other what is in the proposal now is adequate to be truly the National Standard that it is intended to be so that needs a clear you know a clear answer. And there are a few other detailed answers in the bill but we are still looking at dividing it. We will keep those coming. It is like they used to say on tv. We appreciate all those comments. I have a great sense of urgency. And i think this is a wonderful time to work on Something Like data privacy on a bipartisan basis. Right before a a collection. But this should not be a partisan issue. We see a lot of bipartisan participation so far. But i am hopeful the people you will represent will continue to push with a sense of urgency this year. Represent will continue to push with a sense of urgency this year to get this done i think it is doable. I think we are done for today but thank you for your effort. Members, can submit additional questions for the record until may 22nd. We thank you in advance for taking the time to, and the chance, to answer those provide responses by june 5th. With that, i will adjourn. Announcer cspans washington journal, our live forum involving you to discuss the latest issues in government, politics, and Public Policy from washington and across the country. Friday morning we will talk about the recent protests on College Campuses as a potential impact on campaign 2024 with the National Review editor in chi,