Welcome to the Subcommittee on Consumer Protection, Product Safety and Data Security. We'll come to order. I apologize for being a bit late. Senator Blackburn was here quickly; she is en route. We're at a pivotal moment in the age of technologies that rely on increasingly massive consumer data. Obviously, artificial intelligence has gotten the lion's share of publicity, but that's nowhere near the limit. Businesses collect or process data ranging from personally identifiable information (name, address, likeness, as they say in college these days) to obviously sensitive data like physical locations and browsing history. The threats to consumers' data that companies face are complex and, in almost every way, daunting. As companies collect more data, they become more attractive targets for data breaches, and by that I mean criminal activity. Each breach costs companies nearly $4.2 million per incident, and consumers shoulder the financial burden and reputational harm of each incident. How many more consumers need to be victims of identity theft for us to take action? How much longer should we allow personal data to be sold on the dark web for profit? When will cyber criminals be stopped, or at least deterred, from preying on our data? These data breaches hurt small businesses, large corporations, and everything in between. In 2023 alone, there were 3,205 data breaches in the U.S., and that's what we know of or were reported. 353,000 individuals were severely impacted. 10% of publicly traded companies reported a data breach impacting, in total, 143 million individuals. These data breaches can have devastating effects. A nationwide wireless carrier's data breach exposed the data of 70 million customers. A large health insurer, as was recently widely reported, saw its system grind to a halt, which delayed important healthcare payments and exposed critical health data.
This is why we need strong requirements for how companies collect and protect our data, conduct routine risk assessments, and establish strong internal and external safeguards for data. We need a strong national privacy standard that includes data minimization and data security. Obviously, data minimization establishes specific categories to turn off the spigot, as it were, of data that companies collect from consumers, so that companies aren't just collecting everything they can. Data security establishes clear requirements for how companies should safeguard the data that they do collect, so breaches are less common. We need to give consumers meaningful control over how their data is used. This will restore consumers' confidence in the technology that powers our economy. And I think states clearly are not waiting for the federal government to act. Already 16 states, including Colorado, have passed, or are in the process of passing, their own state privacy laws. Other states are talking about it. There are lessons we can learn from these state laws. For example, Colorado's law has a temporary right to cure for businesses to comply with or adapt to privacy requirements. There are also areas where the federal government has to step in to issue rules and apply enforcement, consistent definitions for key terms like sensitive data, or to issue nationwide rules. The draft American Privacy Rights Act is an important, bipartisan, compromise framework for Congress to build upon. I commend Chair Cantwell and Chair McMorris Rodgers in the House for their efforts to bring this proposal forward. We're committed here to listening to all perspectives on data minimization and data security. Minimization and security are obviously interconnected, interrelated. Together, they represent the foundation of a strong data privacy framework on which we can build.
We have an opportunity right now, and an obligation right now, to build meaningful, bipartisan consensus around these complex issues. That's what I look forward to hearing today from each of our witnesses. I would like to welcome each of the witnesses who are joining us today: James Lee, chief operating officer of the Identity Theft Resource Center; Sam Kaplan, assistant general counsel of Palo Alto Networks; Prem Trivedi, policy director for New America's Open Technology Institute; and Jake Parker, senior director of the Security Industry Association. I now recognize our ranking member, our vice chair, Senator Blackburn, for her opening remarks. Thank you so much, Mr. Chair. Apologies for people kind of coming and going. We had a 2:30 vote that ended up getting called. But I am so pleased. I know Chair Cantwell and Ranking Member Cruz are on the floor right now, but I am appreciative that Chair Cantwell has brought privacy back into focus. I've worked for over a decade for Congress to take action in this area. And when Senator Welch and I were each on the House Energy and Commerce Committee in 2012, we brought forward a data security and breach notification bill. It was the first of the privacy and data security bills, and it was bipartisan. It would take steps to protect the security of data from business. It would've required security data breach notifications and allowed the FTC and state attorneys general to hold companies accountable for violations of the law. So that is where we were in 2012. And as we now know, this issue, since it hasn't been addressed and it hasn't been resolved, is growing more and more urgent every single day. The need for the swift adoption of smart and effective data privacy and security legislation is pressing for several reasons. First, China and other bad actors are not slowing down.
Now, FBI Director Christopher Wray was before the Judiciary Committee, and he said something pretty significant. He said, if you are an American adult, it is more likely than not that China has stolen your personal data. And he also said China's vast hacking program is the world's largest, and it has stolen more Americans' personal and business data than every other country combined. We need to be paying attention to this. This threat is especially magnified as China seeks to become the world leader in artificial intelligence by the time we get to 2030. China plans for AI to power its vast surveillance state, and data collection and retention is at the heart of their strategy. At the same time, as AI technology becomes increasingly intertwined in our daily lives here in the U.S., consumers have valid questions about how their data is going to be used to train these large language models and applications. I hope today that we will discuss why we need federal privacy and security legislation to combat these threats. Second, Congress is past the point where we risk ceding our authority to both states and other countries. As we all know, state governments are quickly enacting privacy laws, creating a patchwork of regulatory headaches for our businesses. 15 such laws exist, including Tennessee's and Colorado's. And the Europeans have also beaten us to the punch. Several years ago they did GDPR. They are now using GDPR as the foundation for regulating AI. Yet we can use the EU as something of a cautionary tale about the need to make regulation smart and effective. I visited the EU to work on this issue last year, and I heard stories from one of their data protection authorities about how they've been asked to resolve disputes over bank accounts after a couple divorced, or resolve a dispute between neighbors about the location of an antenna. So let's be smart, let's not make the same mistakes, and let's not overreach.
We know our friends, the Europeans, always have a heavy-handed approach, which makes it even more imperative that we act in a thoughtful manner. Moreover, without congressional action, the FTC will proceed ahead with its commercial surveillance and data security rulemaking, which it launched in 2022 without congressional authority and direction. Congress should be studying these rules, not unelected. Finally, while this hearing will likely feature much discussion on concepts like data minimization and other data security practices, we must not forget about the cybersecurity threats posed by new and emerging technology. One area of great interest to Tennessee is quantum technologies. Through methods like harvest now, decrypt later, once bad actors steal encrypted data today, nothing can stop them from decrypting your data tomorrow with quantum technology. That's why this committee must move quickly to examine this technology and reauthorize the National Quantum Initiative Act. I would love to work on this with our chairwoman and the team here on the committee. Tennessee is a leader in financial innovation and in technologies like quantum computing. And Oak Ridge National Lab is at the forefront of basic and applied science research. When I speak with people in the state, they ask me how we can best tackle privacy and data security issues while also continuing to allow innovation. This committee must be thoughtful in our approach but mindful of the realities the congressional calendar imposes. And now remarks from each of our witnesses. The term witness gives a false sense, I don't know, of insecurity perhaps these days. Anyway, we'll start with James Lee, chief operating officer, Identity Theft Resource Center. Thank you, Mr. Chairman, Chairman Blackburn. I am Mr. Lee, and the core of our business is to provide for victims of identity crimes, and we do research on identity crime trends.
And a lot has happened since we were in this room in 2021 to talk about this subject. We've seen bad actors shift their focus and expand their reach, and we've seen them accelerate their innovation attempts. We may, in fact, be at the beginning of what is the golden age of identity crime. It's fueled by stolen personal data, made highly effective and efficient by AI, and many are all but helpless to defend themselves. Why do I say that? I'll give you some scope of the problem. Data breaches are the fuel for identity crimes, all identity crimes, and stolen logins and passwords. 3,205 breaches, an estimated over three million people, some people hit more than once, a 78% increase from the year before. That's a 72% increase from the previous one, which happened the last time we had this hearing. From a financial standpoint, more than two-thirds of the people who contact the ITRC are losing more than $500. Within that subset, 30% of them are losing more than $10,000. And we are now routinely hearing from people who are losing six and seven figures in financial losses due to identity scams. The most troubling trend is the number of people who have decided that their only way out is self-harm. 16% of the people who contacted us in 2023 said they contemplated taking their own life. For the decades before that, that number had never been higher than 2% to 4%, and now, 16%, doubled in one year, and we do not see it slowing down. And also, unlike past years, we now hear routinely from grieving families who are still being attacked by the identity criminals who are trying to keep the scam going. We don't advocate one way or the other for legislation or regulation for the most part, but we did provide a tip for information. With that in mind, we're still in the same place we were last time: the best way to prevent identity crimes is to prevent the identity victims in the first place, uniform minimum standards for data protection and use.
Minimum standards, technical and nontechnical, because our world is driven by software and fueled by data. Compliance with comprehensive, but not necessarily prescriptive, minimum standards can reduce the risk of exploitation. But standards are more than metrics; they are practices like data minimization, which is a concept that's predicated on a very simple truth: if you do not have the data, you cannot lose it. And if it's secure, it cannot be misused, until we get to quantum computing, and that's a different discussion. Routine risk assessments also help ensure information systems are secured in a manner equal to the risk. That's very important: equal to the risk that an organization faces. You add two other complementary concepts, privacy by design and security by default, and you have all the tools needed to keep privacy and security at the forefront of a company's culture and in every stage of a product's life, to be effective in reducing identity crimes. Uniform standards also need strong enforcement. Defenders must continually measure their progress and constantly adjust to the new tasks, and you do that through audits. And there's a need for strong enforcement actions when it comes to data breach notices, increasingly effective even if a notice is issued. Let me give you two examples. In the first three months of this year, 32%, 32% of data breach notices had information about what caused the data breach if it was linked to a cyber attack. Reverse that number, and that tells you how many didn't include information about what happened. That number was 100% of data breach notices until the fourth quarter of 2021. The average number of new data breach notices in the U.S. is nine per day. In the European Union, one of the things we do get right, it's 335 every day. We are missing data breach notices, and there are plenty of examples to prove that.
One final thought: if we adopt data minimization, and we should, and give consumers more access over their personal information, that's a vital part of it, and it can significantly reduce the amount of information in a data breach available to criminals. And there's going to be one. But personal information used responsibly and transparently to verify that a person is who they claim to be, from opening a bank account to applying for a government benefit, et cetera, can effectively prevent someone from becoming a victim of identity fraud. Restricting use of personal information for fraud prevention as part of control or data minimization could have the unintended effect of aiding criminals and negatively impacting those who are victims of identity crime. Thank you, and I look forward to your questions. Thank you very much. Now, Mr. Sam Kaplan, the assistant general counsel of Palo Alto, who spent time in Colorado. Thank you, Chairman Hickenlooper, Ranking Member Blackburn and distinguished members of the committee, for the opportunity to discuss how cyber security is part of consumer protection. I'm Sam Kaplan, and I handle public policy affairs at Palo Alto Networks. I've spent the bulk of my career working in data privacy across the federal government, including as the DHS privacy officer, and I served on the Privacy and Civil Liberties Oversight Board at the U.S. Department of Justice. For those not familiar, we are an American-headquartered company founded in 2005 that has since become the leading cyber security company. We proudly provide cyber defense capabilities to enterprises around the world, supporting 95% of the Fortune 100, critical infrastructure of all shapes and sizes, the U.S. federal government, universities, educational institutions and a wide range of state and local partners. This means that we have deep and broad visibility into the cyber threat landscape. We are committed to being a good cyber citizen and a trusted security partner with the federal government.
It's no secret that cyber attacks cause real impact on our daily lives, from disruptions of public services, like health care or emergency services, to compromises of Americans' sensitive data. With that backdrop, Palo Alto Networks strongly believes that deploying cutting-edge cyber security defenses is a necessary and effective enabler of data security and privacy. Bottom line: effective data security and data privacy require cutting-edge cyber security protection. Organizations should be encouraged to protect data by implementing robust data and network security practices that can both help prevent incidents and data breaches before they occur in the first place and mitigate the impact should an incident occur. To stay ahead of this evolving threat landscape, cyber security professionals regularly leverage security data, which is the network telemetry, the ones and the zeros, the malware addresses, the vulnerability enumeration, that we must adjust in real time to optimize cyber defenses. To that end, we are heartened to see cyber security generally included in frameworks, so companies like yours can use them to collect, process, retain and transfer security data to in turn better protect those systems and data from compromise. Today's cyber threat landscape requires that approach, and everyone's personal privacy will benefit from that framing. To that end, Palo Alto recommends organizations focus on the following actions to bolster their cyber resilience and increase their data security posture. First, leverage the power of AI and automation. For too long, cyber defenders have been inundated with alerts to triage manually, which can lead to data breaches. AI can help flip this paradigm. Second, manage attack surfaces to help identify and mitigate vulnerabilities before they can be exploited. Third, implement a zero trust network architecture to prevent and limit an attacker moving laterally across the network.
Fourth, promote secure AI by design to assist with inventorying AI usage, applying policy controls and securing applications built with artificial intelligence. Fifth, protect cloud infrastructure and applications; as cloud adoption accelerates, cloud security cannot be an afterthought. Sixth, maintain and test an incident response plan to prepare for and respond to cyber incidents. Our team at Palo Alto Networks is dedicated to securing our digital way of life. We enthusiastically participate in CISA's JCDC and share situational awareness of the landscape with key partners. This reinforces that cyber security is truly a team sport. Thank you again for the opportunity to testify on how cyber security is a foundation of data privacy, and I look forward to your questions. Thank you, Mr. Kaplan. Now I'll introduce Prem Trivedi from New America's Open Technology Institute. Thank you for the opportunity to speak with you today. I'm Prem Trivedi, policy director at the Open Technology Institute at New America, a nonprofit and nonpartisan organization dedicated to realizing the promise of America in the era of rapid social and technological change. OTI has worked to make sure that everyone has access to the benefits. And OTI looks at strong needs that protect consumers while allowing flexibility for innovation, which takes me to my first point. Data security and consumer privacy are two sides of the same coin. Strong safeguards, including minimization, are vital for consumers. It's a powerful principle that requires collecting, using, sharing and retaining only the data necessary to provide a service or a product, and strong data security safeguards are needed in this era of AI. Training many AI models requires ingesting huge data sets, and as companies race to acquire more data, the pressures to adequately protect it keep increasing. So a baseline federal standard on privacy and data security is essential to ethically and effectively regulating AI development.
And I'll add, cyber security practitioners recognize it goes beyond consumer privacy because it can limit breaches and incidents. They can't misuse data that they don't have, and they can't steal data that companies don't have. The next point: polls show that Americans want strong data security, and there's no national standard to protect all types of data, and Americans know that tracking of activities is pervasive. That's probably why 75% of Americans lack confidence that companies will be held accountable if they compromise their data. All of this is negatively impacting AI and leading AI companies, many of which are U.S. companies, small and large. And the good news is that more than two-thirds of Republicans and Democrats support more regulation of companies' data use. And we've been heartened to see the recent reemergence of a credible, bipartisan proposal on data security via the American Privacy Rights Act. And the strong data minimization provision will address the broken approach; it would take people hundreds of thousands to read the privacy policies, and most click on agree without reading those policies. This isn't meaningful notice, it's not meaningful consent, and it's not clearly achievable in our activities. Data minimization shifts the responsibility from the consumer to the companies to use only what the company needs to provide products and services. This is far from a new concept in corporate management playbooks, and we can get it without stifling innovation or burdening companies. And the best practices of privacy and security should become baseline across all sectors of our economy. Here is a short list of those. First, collect, use, share, and retain only data that's relevant. Second, whenever possible, use encryption to securely store and process data. Third, apply strong controls that ensure only the people who should be able to access data can, in fact, access that data. Fourth, use strong methods for authentication.
Fifth, further study and standardize over time the use of privacy-enhancing technologies, and sixth, routinely access and assess data security, as you've heard from other witnesses as well. These best practices should be in federal law with flexibility to account for a company's size and capacity. Data protection is consumer protection, and we need sensible data stewardship. And U.S. leadership on AI requires that Congress address the consumer trust gap, and we appreciate the committee's bipartisan leadership on data security and privacy. Thank you again for the opportunity to testify before the subcommittee. I look forward to your questions. Thank you very much. Now we go to Mr. Parker, senior director of the Security Industry Association. Thank you for being here. Thank you for the opportunity to participate in today's hearing. I'm with a nonprofit trade organization representing more than 1,500 companies that provide products protecting lives, property, businesses, schools and infrastructure throughout the nation. Data security is essential to the operation of security systems and services, and our members are committed to protecting personal data, whether it's consumer or operational data. Practices like data minimization and privacy by design are part of the successful implementation of many types of these products. For example, when it comes to access control and video systems, features like data encryption, which we talked about a little here, permissions-based access, decentralized data storage, data processing, and data deletion schedules all serve to eliminate the data available for misuse and limit the usefulness of data if it's compromised. Another example: identity proofing services are essential to preventing identity theft and fraud as attackers become more sophisticated. And these are provided by our industry, especially biometrics, reducing the exposure and vulnerability to hackers. And there are increasing and rapid data security issues that must be addressed.
Beyond technical standards, product features, best practices and security tools, having the right public policies in place will also address data privacy and security. There's a key role for those. So, states like Colorado, Texas, Tennessee, and, by my count, by the end of this month there will be a total of 19 states with active data processing and security laws, covering almost half of the American population. Having a national uniform standard could provide more to businesses while further enhancing security. And we've been following the renewed discussions here in Congress regarding development of such a standard, and we're encouraged by the progress. And it's essential that data continue to be able to be utilized as needed for safety and security purposes. For example, our members and their customers are often the first to raise the alarm in emergencies, and we're having to share data to help law enforcement and other responders get where they need to be as quickly as possible. As I mentioned earlier, many products that are used for authentication accomplish the goals of the draft proposal that we are looking at, in section nine, which I think was mentioned earlier. Having a uniform and workable national standard requires strong state and local preemption, to avoid layering additional requirements. This is really important to our industry. It needs to limit risk to businesses from opportunistic, abusive lawsuits, which we've certainly seen in some jurisdictions over privacy matters. And we need to make sure that we accomplish those objectives in what we put forward. I appreciate you holding this hearing and your leadership in putting a spotlight on data security, and we're doing what we can through our Data Advisory Board and Cyber Advisory Board in particular to provide key research and adoption of best practices for data security, as I outlined in my written statement. And our members look forward to working with you on these issues. Great.
Thank you all for being here. I realize how busy you all are, and it's some sacrifice to come and share your information and your data with us. Let me start off with you, Mr. Trivedi. Lincoln famously said, with public sentiment nothing can fail, and without it nothing can succeed. Many states have established their own laws, soon to be 19 states that will have passed their laws. And this is all about what types of data businesses can collect and how consumers should be notified. Consumers can be better protected, I think, and businesses can more fairly compete when there are clear, consistent rules of the road, especially for small businesses. I think this is so important. Mr. Trivedi, how do you believe a national standard for data minimization and securing data benefits customers and privacy, and how do we get the word out to them, get that public sentiment behind us? Thanks so much for that question, Chairman Hickenlooper. I might start by saying Americans know that their data represents the most sensitive aspects of their lives, and that's why they're clamoring for stronger protections for it, and a national standard would set equal protections for all Americans and uniform expectations for all companies, which is something they've been clamoring for as well. That kind of clarity in the regulatory environment is sorely needed, because the U.S. legislative regime for data privacy and security is fragmented in ways that make consumers more vulnerable and require companies, and this is particularly burdensome, I think, for companies, to comply in response to state patchworks rather than clear national rules of the road. I think I would also add, to your question about small business in particular, that many of these small businesses do not want to be hoovering up as much data as possible to run their businesses, but there aren't credible, strong national standards, and they feel as though there's a competitive disadvantage if they're not collecting as much data as possible.
That, as we've heard, puts consumers at risk and also puts the companies at risk, so I think that a data minimization approach, common at the federal level, helps these companies do what they want to do, which is being responsible data stewards. Let's agree, and I certainly hope you're right. Certainly AI has created a fascination with the value of all data, and there seems to be a little bit of a race on; minimization is not quite appearing as frequently as it had been since AI has gotten more currency. Mr. Kaplan, on a bipartisan basis, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act a couple of years ago to require critical infrastructure operators to quickly report cyber incidents, so we can understand the threat landscape as it changes. The FTC has issued penalties against companies they found were unfair or deceptive in their data security practices after consumer data was exposed. Gathering and sharing information about specific ongoing attacks, as well as the broader industry trends, helps us establish the defenses to prevent future incidents, especially, obviously, data breaches, across sectors. So in your experience, Mr. Kaplan, which vulnerabilities are most important to address in order to prevent criminals from accessing consumer data? Thank you, Senator. That's a very great question. So in our experience, and conveniently, every year Palo Alto Networks publishes an incident response report which provides an aggregated summary of the key trends that we've seen in how attackers are getting in and what they're looking for. And phishing attempts, and essentially open doors available on public websites that haven't been patched through updates or upgrades to software and systems. As a result, they're having relative ease to gain entry into those systems. One that we've noticed is remote desktop, or RDP.
If exploited, it can provide threat actors and attackers easy access to a deep level of administrative privilege in a victim's system, to better and more quickly exfiltrate data. These RDP vulnerabilities will unlock the keys to the kingdom, if you will, so they're a concern for our company. It's critical that we make it as difficult as possible through layered defenses and some of the best practices that I identified in my opening statement, with regard to zero trust architecture, to prevent attackers from moving laterally across the system, to close the open doors, and to have better understanding and visibility into your relative attack surface. We'll get back to some of that. The danger of any hearing like this is we call attention to some of the open doors, but it increases your commercial activity, and all of yours. I'm going to turn it over to my vice chair, Senator Blackburn, for some questions. Thank you all so much for your testimony, and I appreciate getting your perspectives on this. I want to start with GDPR. I mentioned that in my opening remarks, and let me ask you, are each of you involved in some way in the EU, or are your companies involved in some way in the EU? A show of hands is fine. Okay, so two of you are. Mr. Trivedi, you're trying to decide if you are or not. [laughter] Only to say that we're not a company, but a nonprofit tracking it. Mr. Lee, likewise. As we look at this, and as I mentioned, our friends in the EU know they went a little bit too far, but companies already have these protocols in place to meet the GDPR standard. So, as you look at what they have done in the EU, and Canada has a new law, New Zealand has a law, Australia has had a law, all protecting their citizens in the virtual space. Mr. Lee, start with you and just go down the line. What should be the lessons that we learned, and what should we take away from the GDPR experience? Go ahead, and just very quickly so I can work through my questions.
The thing I think they got right is dealing with some of the more technical aspects, making sure that you are having the programs that you need in place and that they meet the risk that you are facing. So it's not necessarily a prescriptive standard, but you have to assess and report. And when there's a data breach, you have to report that to the data authority for that country. It has an assessment and reporting mechanism. You would say that they got it right. Mr. Kaplan. Thank you, Senator, that's a great question. I would say from a macro level, the things they got right are sort of a uniform standard; regulatory complexity across multiple markets just increases costs, and from the cyber security perspective, the resources that are dedicated to responding to incidents should be operationally responding to incidents rather than looking at regulatory matters. I would say we need one set of rules for the entire internet ecosystem with one regulator. Yeah. Predictability and lessening regulatory burden, it's the whole thing, isn't it? Mr. Trivedi? Thank you, Senator, for the question. The first lesson you highlighted is moving swiftly to establish that uniform standard; that's something we should emulate. I think it's worth saying GDPR has not been strong enough on data minimization. I think working here in the United States, we could do it better. And I think they give too much deference in what minimization means. While we have reasonableness and flexibility, a strong and flexible approach, I think there's an opportunity for an American approach that works differently for us. Thanks. Mr. Parker? The emphasis is on what they've done already, and I'd point out it's a little different than what the proposal we're talking about now at the federal level is.
Just based on what I've also, feedback from members we've had, is there's definitely been an issue with conflicting interpretations over time from the national data protection authorities within the EU, which is causing problems for businesses doing, you know, work across the different jurisdictions, but of potential relevance here, overlap between the AI Act and the GDPR, and in some cases they're going to get resolved with one another and it's causing confusion. And digital marketing and digital services and some of the overlap there. Let me, I want to go to the data minimization issue. And again, just down the line, Mr. Lee, starting with you. What is your opinion of data minimization as a security principle in this debate? I think it's integral. If we're going to reduce identity crimes and victims, we have to reduce the supply of data. Right. That can be abused by individuals, if it's stolen or even if it's just accidentally exposed. If you don't have it, you can't expose it. So you tie the two. Yeah. As you said, data breaches are the fuel, so that ties in. Mr. Kaplan. Senator, from a macro perspective, I think that data minimization is an increasingly useful principle, especially in lessening the attack surface, especially those companies doing business with consumer-focused data, to that end, and also where we think that legitimate and broad, not broad, but targeted permissible purposes like protecting the information can be critical. But minimization can be an important tool. So you would segment it. Correct. Okay, Mr. Trivedi. Thank you, Senator. I would say data minimization is central, for the reasons that witnesses have highlighted as well; the attack surface is lessened when you're intentionally collecting only what you need. You can't, again, you can't exfiltrate or hack what isn't there in the first place. All right. Mr. Parker.
I mean, there is a bit of a difference between data minimization as an operational principle and a policy principle, so from an operational standpoint it plays a big role in data security. From a policy perspective, I know there's the overall approach of having a set number of permissible purposes for collecting and processing data. Certainly, it could work. I know there are some questions out there about what about the future, other than the future, is that going to be too narrow and do they cover what they need to now. Those are legitimate questions, but an interesting approach. Can I ask, oh, Peter is here. Go to him. I've got another question I want to ask. And I do, I wanted to talk about China, because we just enacted legislation to force ByteDance to divest from TikTok. And the threat from China is more than TikTok. A more holistic approach, rather than playing whack-a-mole, is beyond the apps. China is using drones, cranes, and potentially routers to spy on Americans. How should Congress approach the broader data security threat from China, and what do you see as a good policy solution to this? Mr. Lee? I'm just a humble victims' advocate. But we do have to recognize the nation states, maybe not for the same reason as professional criminals. They want the information, and it's important that it is protected from whomever wants to misuse it for whatever reason they want to use it. China is certainly a nation state that has great capabilities, and we know that they have a lot of data about individuals for intel purposes. We have to assume there are other countries, friends and foes, who do the same. And an approach for data protection needs to be universal in its approach to whomever is acquiring the information. Mr. Kaplan.
Senator, yeah, the threat from China is something that we are tracking every day on a regular basis, both the threat with exfiltrating information to China, but also other malign nation states that are looking to leverage data within the United States. As a cybersecurity company we're principally focused on the security of the networks and information systems upon which that data relies, so broader policy sort of questions, how to deal more holistically with the problem, are outside of our purview; to that end, strong cyber protections and encouraging information sharing with the federal government, as we regularly partner with regard to that threat. Thank you for the question. I think you're importantly highlighting the ways in which data security and data protection have a national security protection. We've been talking about consumer protection, which is vital, and this is not all just occurring within the context of our own borders, and as Mr. Kaplan mentioned there are nations in competition for one another's data. There are costs for that. To answer your question about the right policy approach, at the top of the list should be establishing a federal data security and privacy protection standard, right? I think that's essential because it does all the things we've talked about, but also confers national security benefits on America as well. And certainly, what was just mentioned, establishing that standard in the federal privacy framework we're talking about would go a long way to doing that. Certainly anything that's internet connected, devices, the target for exploitation by actors, implementing certain encryption protocols and protecting those specific devices; as an additional side note, a large shift with our industry away from manufacturers in China and sourcing equipment there that could possibly have vulnerability, especially in the commercial sectors, it's complete, move away from those sources. Thank you. Senator Welch?
Thank you, good to be here. Senator Blackburn, it's wonderful to see this pioneering work that you began when you were in the House, and it's only gotten more complicated, actually. Let me ask a few questions about the privacy issues for individuals and then the cybersecurity that's essential for everyone. I mean, as you know, about 72% of Americans believe there should be more regulation over what companies do with people's data. 67%, and I'm among the 67, report little to no understanding of how companies use their data. And 73% report that they believe they have little or no control over what companies do. So there's a question about my data, a citizen's data, and what companies do, and then there's the question about hacking into systems and companies. Tech companies have a high self-interest in doing everything possible to protect against hacking because it hurts them and their customers. I mean, where is the difference in the responsibility for protecting the system from being hacked? And I hear you saying there should be a national standard, and that national standard, what does that mean for small businesses that just don't have the financial wherewithal to be able to bear that burden, and how, what those recommended protections, how they could be integrated affordably, organically, into systems that a small mom-and-pop business might deploy. And I guess I'd start with you, Mr. Lee. Thank you, Senator. I'll work backwards. Particularly for small businesses, this concept of the risk assessment is very important. That they have to do themselves? They would do themselves. That's where they understand where the risk is. If you're prescriptive and you must do X, that's a waste of their time, energy and money. If you do a risk assessment so you understand exactly what you're facing in your unique business based on the information you have from your customers, then you are meeting that risk as it is today and you're monitoring it to see what you have to do going forward.
Let me push back a little bit. I'm thinking, let's say, of a small record producer in Nashville. In new startups, I mean, for that person in business to talk about what the customers need and then to be able to make the decisions to deploy, that requires a level of sophistication that may not be the level of sophistication required to be a good record producer. I mean, I have a, say you're a small law firm, let's say, a law firm with four lawyers, which is pretty small. We didn't have the demands or the capacity to do what the major Wall Street firms do. So what you're describing as a step that we should take seems out of reach for me for the millions of small businesses we have. It seems to me that this should be just available, baked into what it is you buy. I guess I would view that that's actually the foundational step. It's the one-size-fits-all we've taken heretofore that is what burdens small businesses. When you take a tailored approach, it's specific to their business and specific to their data, then you don't have to do things which you know you're never going to. No, that makes sense. But what's the expense associated with that? Depends which tool you're using. Give me a ballpark, I mean, I'm worried about the small businesses having to deal with these massive impacts on their small business. As you know, we've got representatives of the world's largest cybersecurity organization, but there are small mom-and-pop managed service providers; that's what they do. There's, I'm sure, hundreds of them even in the Nashville area and every city, and people who do that. Okay, Mr. Parker, thanks. You mentioned future-proofing, which makes a lot of sense to me, but one of the things that I've found frustrating as a member of the House and now in the Senate is we can't keep up with all the changes and all the methodologies by which there is hacking; even those far more expert than Congress can't keep up with it.
And the time has come where we need an agency, a digital commission, much like, say, the FTC or FCC, that's properly staffed, properly resourced and has the capacity to keep up. It's a one-off bill, problem A or problem B; it's a cumbersome and difficult process to get it done in a timely way through Congress. Do you have any thoughts on the wisdom of having such an entity that would have as its ongoing challenge protecting privacy and considering other issues related to tech? I mean, that's a great question and I apologize, I don't have a great answer, but I know that, obviously, the state of California having something like that, having a privacy agency, and so I know the issue has been discussed here as far as that. There's probably the opinion that most of the, that we have existing agencies playing that role, and I understand what you're saying. I know that's definitely bifurcated. Well, you mentioned there should be a national standard, right? Yes. That makes sense to me. Who determines what that national standard is? Well, I think that legislation would emerge from a number of stakeholders working together, but I would emphasize that it should be both strong and flexible, to your point about how smaller businesses are able to comply. We cannot expect a small record store collecting far less digital data than a large tech company... What would a national standard look like? Strong and flexible makes a lot of sense to me. So what you're saying I agree with, but I'm trying to think of the practical way to benefit it, X, to change it. And sitting up here, I know that's a tough ask for folks in this job who are determined to do the best they possibly can. So do your best to answer that question. Sure, thank you, Senator. It's a very good question. I think there are some best practices I listed out that are near universal that would apply. For example, even small businesses can think about and implement access controls to make sure employees who don't need certain data can't access it.
They can engage in data minimization relative to their capacity, which is to say think hard about what they need, and what they don't need they shouldn't keep; it's a risk to them. We have to make, the legislation has to determine that; it's not like you're asking the individual to determine that, right? Right. I think that legislation should establish a strong set of practices, but there should be flexibility in how businesses of varying sizes comply with it, but there should be basic requirements that are common. Do you have a template of what it is you think that Congress should pass? Well, I think we've seen some credible bipartisan proposals. I think there's good progress being made in the discussion of the American Privacy Rights Act. I think that's a very promising proposal on the table today. In terms of a template specifically for how small businesses can operate, I think that's something that we could get back to you on and think more about. All right. Thank you. I yield back. Thank you. Now, we have by remote Senator Klobuchar. Thank you very much, Mr. Chair. Thank you to the witnesses. I'll start out by generally saying that we need a national privacy law that creates rules of the road. I support sector reviewing and Senator Cantwell's discussion draft of the American Privacy Rights Act. I strongly believe that consumers should have access and control over how their personal data is being used. Mr. Trivedi, do you agree that consumers should have access to their data and control how it's used by companies? I do, Senator, thank you. I think access and control rights are very important for consumers. Okay. Thank you. Mr. Lee, and I'm having trouble hearing, but I'll try my best here. Mr. Lee, we also need to educate Americans on how to identify and react to cyber threats.
We know there's phishing schemes going on, and Senator Thune and I have introduced the American Cybersecurity Literacy Act to educate the public on cybersecurity risks by requiring to conduct a cybersecurity literacy campaign. Can you talk about the importance of educating Americans on how to avoid cybersecurity threats? Education is the key to so many different things. In this case, it's part and parcel of keeping people safe. One of the things we learned from talking to victims every day, they're curious how to make sure it doesn't happen to them again. So having a comprehensive approach that's led by the federal government would be very helpful, because overall, identity crime victims don't get a lot of support anyway, because a lot of times people think of them as victimless crimes. Trying to avoid that crime is even more difficult. Education is going to be a key part of making sure that we are keeping people safe in this increasingly dangerous cyber world. Agree. Mr. Kaplan, in just the past five months we've seen significant data security breaches, obviously UnitedHealth Group, AT&T, Microsoft; because these companies maintain large amounts of data on huge swaths of the population, hacks often can affect tens of millions of people. In your testimony, you noted that large companies have twice the number of systems exposed on the internet than what they were monitoring. What complications for protecting consumer data arise from simply holding such vast amounts of it? Thank you for that question, Senator. Yeah, holding that vast amount of data just increases, sort of, your attack surface and your vulnerability and makes you a more likely target of sort of the malign threat actors and nation states that are looking to sort of divine and exploit and pull out that data to make strategic use of it. With regard to the attack surface, this was one of the basic cyber principles that we also talked about.
It's understanding what your internet-exposed attack surface looks like. Understanding how many of the portals into your system are open to the public internet and having visibility into existing vulnerabilities, misconfigurations, not-updated pieces of equipment or software that are exposed to the open internet that just gives those malign actors entree into the system. So having the ability to the system and what your attack surface looks like to the attacker we think is a critical, critical piece of securing your infrastructure. That combined with knowing what your data is, is a critical element of maintaining customer... You noted in your testimony that the UnitedHealthcare Change Healthcare data breach is likely to be the largest supply chain, this is Mr. Lee, supply chain attack in history because of how many organizations depend on Change to process insurance payments. When an entire industry relies on only one or two digital supply chain providers that hold huge amounts of data, how does that affect the impact of a cyber attack? It's, for a cyber criminal, it's nirvana, if you can find a supply chain. Rather than one company at a time, if you can find the organization that has weak cybersecurity, not just from one company, but all the people that they support, they're going to get massive amounts of data, and we've seen a 2600% increase in the number of organizations hit by supply chain attacks. Not just that they were attacked. You may only have 100 companies attacked last year, but you had 2600 companies that were impacted by it. Their data was exposed. So, for a criminal, these things are incredibly profitable, and it's something that we, the whole topic of this information is how can we bring these other organizations up to speed so you do not have that risk from vendors to the larger organizations.
Yeah, I mean, we have been helping dozens and dozens of hospitals and pharmacies and other health care providers in our state to become whole and to be able to function ever since that data breach, and clearly work has to be done here, so you have, you can't have all this data in one place. And then they don't have backup systems. Is that, would that be one of your suggestions? What would be your suggestions to protect this data, and that will be my last question. From a data protection standpoint, there's a lot to that. Only one of which would be backups. There are just so many parts of the health care supply chain; it has been the industry that's most attacked for the last six years running because there are just so many different parts of it, so many members. You know, from mom-and-pop organizations all the way up to a UnitedHealthcare. So, while there are key things that need to be done, a big part of it is just making sure that everybody in that supply chain is aware they are a target. They are at risk and to act accordingly. Exactly. Thank you very much. Thanks, everyone. Appreciate it. Thank you, Senator. I've still got some questions, and I think one or two people might be on their way here, so I'll indulge myself. Mr. Parker, and I don't want to get you in trouble with any of your members in any way. But you know, the requirements for reporting a breach, whether it's ransomware or phishing or whatever it is, there really, the penalties, unless someone paid the ransom, the penalties so far don't appear to be significant. In almost all cases. Does there need to be an incentive or some way to reward some of the smaller breaches that are happening more frequently, that don't get the attention and yet are, as I'm sure you're aware, costing us tens of hundreds of millions of dollars in the country? Is that, I mean, how within the framework of your membership, how do we get everyone eager to make sure that they report each incident? It's a great question.
I know, so, it's been a while since, I think every state has a law on breach notification, and different, and some have a private right of action. There's not a heavy hand; fairly light. I mean, I know some, I know from the other witnesses may have a better idea here. But certainly, something should be a priority for the AGs that are enforcing these rules. Right, but again, they need to have penalties or some way of moving through. Anybody just want to comment on that? Don't feel any obligation, because I have more questions. Oh, I've got comments. To your point, it took from 2003 until 2018 to get all 50 states and territories and the District of Columbia to have a data breach law, and they're all different. They all have different triggers, what is a breach. And data breach notice, and in every instance, it's the organization that lost control of the data that gets to decide if there's a notice. Oregon will allow with law enforcement. Other than that, the organization gets that. And what the information is, if you have information, what resources are available to you. When we talk about national standards, that's why we mention data breach notifications are part of that. Those are both education opportunities for the individual, and they're opportunities to make sure that we don't have repeat occurrences. Absolutely. Anyone else? You've all referred to at one point or another, I don't know whether there's a certain amount of irony in some of the comments, but the swiftness of response. Would you all agree that swiftness needs to be a goal, something that we should find ways, both within government but also within the business community, of accelerating responses and making sure that swiftness becomes an important factor? We'll go this way just for a change of direction. Absolutely agree with that. Yeah, I think both on the cybersecurity incident response side and the pace at which we should move on data security, swiftness is essential. Say that louder when you say that.
I'm not just kidding. We want it to fill the room. Senator, swiftness when responding to a cyber incident is critically important. One of the things we've seen from Palo Alto Networks is the average response time for companies as recently as 2021 was 44 days it would take companies to address a cyber incident when it occurred, and it was 44 days until they started seeing data exfiltrated from those attackers. We've seen that exfiltration timeline decrease to just days and hours; if you take that in context with the average time that it takes for a company to respond to a cyber incident and mitigate it, it's six days; if the attackers are exfiltrating in one day, you're losing hours, and it's a critical aspect. Mr. Lee. I agree. Great. Thank you. I might have one more question. First I'm going to turn to Senator Budd. Thank you, Mr. Chairman, and again, thank you all for being here today. So much commerce, business, work and social interaction now takes place online, as you all know, and there's a large volume of sensitive data, and in many ways that data is the lifeblood of the economy, businesses, customers and online services. And I know this firsthand as a small business owner who has run digital advertising campaigns myself, and also know that the majority of businesses take data security extremely seriously. Burdening customers with what may feel like arbitrary or overly sensitive personal information disclosures is a poor way to instill customer trust and protect against devastating breaches. Mr. Parker, you mentioned how important uniform standards and laws are to the Security Industry Association members. Is there an example that you could share where conflicting laws between states have reduced business opportunities for any member companies?
Sir, so the kind of prime example of this is the Illinois biometric data law, and it was formulated, I think, more than 15 years ago, when the technology was in its infancy, and certainly the way it was established created an environment where there's tremendous litigation risk in fielding the technologies, even if they're deemed to be compliant, so as a result there's a number of our member companies who do not actually offer their products to customers in Illinois anymore because of what's happened with that. Any particular products that you can recall? Well, you know, within biometrics there's different types of products, but just to give you an idea, 88% of the lawsuits under that law have been regarding biometric time clocks, so basically a way to authenticate your identity for punching out of work, no allegations that harm actually occurred to anyone. There was some misstep in collecting consent and things like that that were found, and that was the basis for class action lawsuits and things like that, even if not, even though in some products, certainly in the security area, cannot even be fielded there under the rules, but in other cases, you know, products like that, some people were just, they forget that we're not going to even bother. You know, the savings from those systems, I would note firsthand, they save businesses money and they make them more competitive and allow them to hire more employees, so I see the challenge there. Employees more. They hire more employees. Mr. Parker, can you speak to how uniform national requirements and legal liabilities would protect personal data? Yes.
So I think having a national standard, you know, that fully preempts state and local law would definitely save on compliance cost, but it would also be better, you know, for the global competitiveness of our companies if they could align what they are doing, you know, with other parts of the world as well, versus having people track what is going on in the individual states. So there is definitely... You mentioned the Security Industry Association encourages its members to [inaudible] resources like how to counter and identify cybersecurity threats to physical security products, as an example. Do your members see criminals using AI in new ways? One thing we are, I started some of our [inaudible] experts in the industry about this, but one thing that's emerging is the ability to detect when video has been altered. So security video is important to what we do. We want to make sure that can't be manipulated by bad actors for fraudulent purposes or maybe to further some other criminal activity. There's technology available that is verifying the authenticity of data that is stored to make sure it hasn't been altered. That's one area. Thank you. Thank the panel. Mr. Chairman. Thank you, Senator. I'll be quick because I know he's [inaudible] for a while. A couple of the [inaudible] commented on this. Put in a fair amount, our office put a fair amount of work into the American Privacy Rights Act. You guys come at a fix or talk about today. It is about security in addition to privacy, as I think all of you have pointed out that there's a connection there. What your feelings, come, we'll write down the list in terms of if you've got something constructive, something bothers you, if you think we need a sense of urgency, [inaudible], we will leave this here to take you live now to a Senate Foreign Relations Committee hearing on several State Department nominees. You're watching live coverage on C-SPAN2. [inaudible conversations]