Cyber security breaches, cases where personal information was compromised, how the government can respond, and the technology available for making breaches less likely. This is an hour and a half.

Thank you for your presence. [indiscernible] I indicated this is the first subcommittee I have chaired in eight years in Congress, and I was nervous enough not to turn on the microphone. We look forward to being educated and getting a good understanding. First, I want to thank my colleagues and their level of interest in this important topic. I also would like to thank our witnesses for joining us today. Expertise is important to us as members of Congress. Fortunately, this is a very timely topic. The purpose of this hearing is in many ways somewhat narrow. We all know we live in a digital world. They know they can make purchases, determine their credit score, determine banking and health care plans from a mobile unit or tablet. That is true for consumers across the country and increasingly around the globe.
But there are risks in a world where one bad actor can battle against a team of experts. Here we face challenges to make certain consumers are protected. For more than a decade, Congress, the Commerce Committee in particular, has been contemplating issues surrounding security breaches. In 2004, the committee held its first congressional hearing to examine the high-profile breach of ChoicePoint, a data aggregation firm. This breach forced many conversations here in Congress, and today we continue that dialogue. A recent high-profile data breach as well as the headline-grabbing Sony cyber attack late last year are the latest examples that highlight the important serious cyber threats that face American businesses. And just this morning, we woke up to the news of what experts are calling the largest healthcare breach to date. This time, the cyber criminals were able to infiltrate the nation's second-largest health insurer to steal names, birth dates, medical ID, Social Security numbers, email addresses, and employment information, including income data. These high-profile breaches are the most severe of what have become common occurrences in our digital society. As of 2015, the Privacy Rights Clearinghouse has estimated more than 4,400 breaches involving more than 932 million records that have been made public since 2005. The Verizon 2014 Data Breach Investigations Report reviewed more than 63,000 security incidents and found 1,367 confirmed data breaches in 2013. So on average, that's just shy of four breaches every day. While Congress has developed sector-specific data security requirements for both companies, Congress has been unable to reach consensus on the development of national data security and data breach notification standards.
As a result, states have taken on this task by developing their own standards, and as of today, businesses are subjected to a patchwork of over 50 different state, district, territory laws that determine how businesses must notify consumers in the event of a breach. In addition, 12 states enacted laws regarding data security practices. The need for federal action becomes clearer each day. Last month President Obama voiced his support for data breach notification legislation with strong language, in part because he recognizes the benefits to American consumers and businesses of a predictable uniform data breach notice. The president's support along with bipartisan congressional interest has renewed optimism among stakeholders that Congress can develop a balanced and thoughtful approach with legislation in the near term. Today we'll focus our attention on some of the key questions and topics of this debate, including: What are the benefits of a national breach notification standard? Should Congress implement a basic data security standard? To whom should that standard apply? Should the federal standard preempt state standards? What should be the trigger for notification? The specific conditions that represent a potential harm to consumers. Should there be exemptions and safe harbors? If so, for who? And what circumstances? Within what time frame should a company be required to notify consumers? Should Congress enact new or stronger penalties for enforcement authorities and remedies? What lessons can we learn from states that have implemented their own standards? I'm confident that our panel, with its expertise, can share valuable insight into those questions and others that the committee members may have. As we work and help us find a right balance to these issues. I'd like to recognize the subcommittee's ranking member for him to deliver his opening statement.
And I would indicate to him here in public, as we have in private, that I look forward to working very closely with you in a very thoughtful and bipartisan way to see that our subcommittee accomplishes good things for the country.

Thank you. First of all, my thanks to Senator Moran for his leadership in a very bipartisan way, reaching out to me and also convening this subcommittee on a critically important topic. And I really look forward to his continued insight and very thoughtful leadership on consumer protection issues. I'm proud to serve as the ranking member of this very important subcommittee. I have served on this subcommittee for two years now. And it is critical to consumer issues that affect everyday Americans. We have delved into the General Motors recall, the deadly airbags and more. And today, the issue of data breach is no less central to American lives, even if it seems somewhat less spectacular. 2014 was known as the year of the data breach. And the importance of this issue was brought home, as Senator Moran said, just this morning when we read about the Anthem breach, which is absolutely breathtaking in its scope and scale. It is not only breathtaking but mind-bending in its extent and potential impact, and potentially heartbreaking for consumers who may be affected. Not only birthdays, addresses, email and employment information, but also Social Security numbers and income data were taken from Anthem. And potentially, although the company has said it was not, there's no evidence of it so far, critical health information. This breach comes after J.P. Morgan indicated a loss of personal information to hackers of about 83 million households. Of course, in November, hackers that the United States government has said had ties to the North Korean government orchestrated a destructive attack on Sony. The Sony attack would be comedy, but it is literally no laughing matter.
To other businesses, including financial institutions on Wall Street, health insurers and others whose vital data may be taken. And to quote the FBI agent in New York who supervises the cyber and special operations division, quote, we are losing ground. That's a quote. We are losing ground in the battle with hackers. In December of 2013, we first learned about Target's data breach, which affected credit card information and personal contact information for as many as 110 million consumers. The point here is that these losses of data are not only losses to these companies, they are potentially life-changing losses to consumers. Target and J.P. Morgan and Anthem failed not only the companies, but they failed their customers and consumers when these data breaches occurred. This fact of life is more than the cost of doing business for these companies. It is an invasion of their privacy. It's an invasion of consumer privacy. Potentially theft of identity and personal assets. So the billions of dollars that could have been saved by consumers, creditors, banks and others of companies and universities were collecting sensitive data, spent money and resources on better protecting that information is one of the facts that brings us here today. As attorney general, I brought a number of enforcement cases against companies that violated Connecticut's data breach law, and I worked with my colleagues, including Lisa Madigan, who is here today. But I worked with Kelly Ayotte, who is now a colleague. So this issue is hardly a partisan one. In fact, it is distinctly bipartisan, involving stronger protections for sensitive consumer data, and we recognize the states as laboratories of democracy and the great work that they've done in this area. So let me just conclude by saying I think that we have a lot of work that needs to be done, a lot of good work that should be done. But one guiding principle is first do no harm.
That is, do no harm to the state protections and state enforcers who every day are seeking to protect their citizens from this scourge and spreading the problem of data threat. In order for consumers to trust retailers, banks and online sales, they need to know their data is secure, without abuse, whether they're shopping online or at bricks and mortar stores. Retailers collecting their sensitive information will do everything in their power to protect that data, and that's a reasonable expectation. They have a right to expect better than they're now receiving from retailers, companies, insurers, banks, all of the institutions, including universities and nonprofits, that increasingly have the coin of the realm, which is data about consumers. Thank you, Mr. Chairman.

Thank you, Senator. We now will turn to our witnesses. With us today is Ms. Cheri F. McGuire. She is Vice President, Global Government Affairs and Cyber Security Policy for Symantec. Mr. Mallory Duncan, general counsel, National Retail Federation. The chief information officer at Brown University, but easier for me to say Wichita State University, his previous employer. The Vice President for Information Technology technology counsel. The attorney of the state of Illinois. And finally, Mr. Doug Johnson, senior vice president and senior advisor, chief economist of the American Bankers Association. Let's begin with you.

Thank you very much. Thanks for the opportunity to testify today on this very important issue. As the largest security software company in the world, we are made up of millions of sensors that give us a unique view of the entire internet threat landscape. We all have seen, even as of this morning, the recent headlines about cyber attacks have focused mostly on data breaches across the spectrum of industries. These network intrusions that result in stolen data have deep and profound impacts.
For the individuals who must worry about and clean up their identities, for the organizations whose systems have been penetrated, and for the government trying to establish the right notification policies as well as deter and apprehend the perpetrators. The magnitude of thefts of personally identifiable information is unprecedented. Over just the past two years alone, the number of identities exposed through network breaches is approaching one billion. And those are just the ones that we know about. While many assume that breaches are the result of sophisticated malware, the reality is more troubling. According to a recent report, 90% of last year's breaches could have been prevented if organizations implemented basic cyber security best practices. While the focus on data breaches and the identities put at risk is certainly warranted, we must not lose sight of the other attacks that are equally concerning and can have dangerous consequences. There are a wide set of tools. Last year, nearly 60% of data breaches occurred through network intrusion by unauthorized users. Another major cause is a lack of basic computer hygiene practice. While good security will stop most of these attacks, which often seek to exploit older known vulnerabilities, many organizations do not have up-to-date security or patch systems, do not make full use of the security tools available to them, or have security unevenly applied throughout their enterprise. So what can we do? Cyber security is about managing risk. Assessing one's risk and developing a plan is essential. For organizations, there are many guidelines, including, as you discussed yesterday, the Cyber Security framework, the FCC
guidelines for small businesses, the Online Trust Alliance Data Protection and Breach Readiness guide and many others. For the individual, we provide resources to our Norton customers, and the FTC and others have many tips available on their websites. And, in fact, just this week the SEC published best practices for individual investors to secure their online accounts. In short, there's no shortage of available resources. Strong security should include intrusion protection, reputation-based security, behavioral-based blocking, data encryption, backups. And while the criminal tactics are evolving, basic cyber hygiene is still the most cost-effective first step. Turning to the policy landscape, Symantec supports, as you said, Chairman Moran, a balanced and thoughtful national standard for data breach notification built on three principles. First, the scope of any legislation should apply equally to all entities that collect, maintain or sell significant numbers of records containing sensitive personal information. This covers both the government and private sector. Second, implementing pre-breach security measures should be central to any legislation. New legislation should not simply require notification of consumers but should seek to minimize the likelihood of a breach in the first place. Third, encryption or other measures that render data unreadable or unusable should be a key element to establish the risk-based threshold for notification. This limits the burden for both consumers and for the breached organization. We are committed to improving online security across the globe, and we will continue to work collaboratively with our partners on ways to do so. Thank you again for the opportunity to testify again today.

Exactly five minutes. Thank you very much. Mr. Duncan?

Chairman Moran and members of the subcommittee, thank you for this opportunity. Data breaches need to be correctly and forcibly addressed.
It fundamentally affects our economy's push toward greater efficiency and cost-effectiveness. By way of context, there is a long history of interception by individuals and governments, from opening letters to tapping and telephone conversations. Today, we have supercomputers and the internet. They're creating a public network with no boundaries, far more versatile and efficient than all the technology that has gone before it. Governments entrust them with critical infrastructure, businesses with their most valuable intellectual property, and millions of people type their deepest secrets into Google, all while knowing the system is vulnerable. This technology is still in its infancy, having commercially begun just a quarter century ago. We are still discovering its capabilities and implementations and risks. We are here to address one of the most significant risks to emerge, data breach. It is Congress's challenge to incentivize companies to manage this risk. How can Congress do that? There are three essential elements. Uniform notice, express preemption and strong consensus law. Let's recognize that data breaches affect everyone. In the 2014 Verizon report, retailers suffered their share of breaches, 11%. Government agencies and for a higher percentage. Hotels and restaurants constitute 10% while financial institutes represent 34%. It is not because those with the most breaches have the weakest security. Bad actors are always looking for the biggest bang for the buck. Each type of business is vulnerable in a different way. Congress needs to provide incentives for companies to increase their security, and nothing motivates like sunlight. Requiring every company have the same public notice obligations will provide the needed light. It has two benefits. It can help individuals take steps to protect themselves. The consequences of requiring all companies to publicly expose their data breaches is a powerful incentive for them to improve security.
Members are some of the best retail companies in America. Public breaches have engaged our members and senior executives. Our members are investing in unique and tailored solutions. Our nation's economy is bigger than retail. Congress needs to encourage disclosure and the incentive for security brings across the board. Preemption: there are more than 50 jurisdictions with breach notice laws. Some come with different data sets and so forth. Midsized companies struggling with the consequences of a breach face conflicting laws. In the midst of a breach, when a company should be focusing on securing its network and identifying affected customers, they direct their resources to paying law firms. The law would simplify the process. It must be real preemption. Finally, it would not be appropriate to preempt the states to only adopt the weakest law. For a federal standard, you should be looking well above, not the most excessive, but language that reflects the strong consensus of the state laws. We urge you to go further. Establish the same notice obligations for all entities handling sensitive data. Congress should not permit notice holes where they are exempt from reporting their known breaches. We want meaningful incentives. Everyone needs a skin in the game. NRF believes those three elements enforced by federal authorities are essential steps to properly and forcefully addressing the data breach conundrum. Thank you.

Thank you, Mr. Duncan.

Good morning. Thank you so much for the opportunity to testify today about the data breach and notification legislation. It is truly an honor. I want to commend you for investing your valuable time to discuss this important area of cyber infrastructure and protection. As younger citizens get online to learn and create knowledge, your work on this legislation will be critical to protect our youth.
As the amount of data continues to increase exponentially, primarily driven by our highly connected lifestyle, your work on this legislation will be critical to protect our citizens. Increasing the number from 10 million to a predicted 50 billion by 2020, impacting our economy by as much as $19 trillion according to many experts, your work on this legislation will be a critical catalyst. As connected robots and 3D printing fundamentally change how we manufacture goods and manage our supply chains, your work on this legislation will be critical to supporting next generation innovation and our leadership in the world. We are looking at exciting times. I have the privilege and honor to serve as vice president and chief information officer at Brown University. I'm also a faculty member in both computer science and engineering. My area of expertise and research is in the internet of things, cyber security and innovation network security. I take great pride in admitting that I am a nerd. There have been over 932 million records compromised in over 4000 since 2005. And the reported a very large breach that may be impacting many people in this room. Many federal employees are covered by the programs Anthem offers. We must maintain a focus in this area for the protection of our consumers and national security. Currently, 47 states including Rhode Island, the District of Columbia and the Virgin Islands have enacted data breach legislation. No two are exactly alike. As a university with students from all 50 states, we are impacted by all of them. Maintaining the necessary standards for each state is challenging and difficult. This can create a barrier for small innovative organizations lacking expertise to address the specific state laws. This type of burden stifles innovation, in my view. Legislation to clearly define the roles in case of a breach.
We should identify the method, speed, delivery and content of notifications. A hard time limit for breach notification may be unattainable for small organizations. A tiered approach based upon the size and designation of an organization would make compliance possible for all. We should encourage organizations that collect data to be transparent about the use of such data. Consumers appear to be happy to give over their data and their privacy to services for the sake of convenience. We should clearly define expectations for security and storing personally identifiable data. Given the highly publicized breaches, it is apparent that more work is needed. No matter the size of the company, certain expectations of security should be defined when data is collected and stored. It should provide incentives to establish education to better combat breaches. Preventive action is necessary. It is important for us to develop cyber security expertise in the U.S. It cannot be offshored. I applaud your efforts and appreciate the opportunity for this dialogue. I stand by to assist you in any way I can. Thank you.

Mr. Johnson.

Good morning. My name is Doug Johnson, senior vice president of American Bankers Association. I currently lead the cyber security policy efforts at the association. ABA shares the concerns of Congress of not protecting consumers in this world of electronic commerce and recordkeeping. It is clear that consumers enjoy the convenience of conducting transactions electronically. Notwithstanding these recent breaches, our payment system remains strong and functional. It is mandatory that we maintain that trust in the system so it remains a system that our customers can continue to trust. While the majority of the transactions are conducted safely, occasional breaches will continue to occur. Consumers have a right to swift, accurate, effective notification of these breaches.
They have a right to trust that, whenever they conduct business electronically, the business is doing everything they can to prevent the breaches from occurring in the first place. Mr. Duncan mentioned an international sample of private companies and police stations around the world. Other organizations such as the Identity Theft Resource Center note that in the United States, businesses reported over 30% of breaches for 2014 while financial institutions represented 6%. While our numbers may differ, and we do believe the United States numbers are more appropriate to cite, I believe our intent is the same. Our intent is to make sure that we are protecting customer data. That is both of our goals. The banking industry supports cyber security policy. We will continue to work with Congress to achieve that goal. From the financial services perspective, it is critical that legislation takes a balanced approach that builds upon but does not duplicate or undermine what is already in place and effective for the financial sector. There are three key points that must be considered with regard to data protection standards. As others have noted, we need a national data breach standard. Payments are not confined by borders. Breach notification is of paramount importance. Currently, there are 46 states and three U.S. territories and the District of Columbia that have enacted laws in some fashion. Although some of these laws are similar, many have inconsistent and conflicting standards. They should be preempted in favor of strong federal data protection and notification requirements. Any federal data protection and notification requirement must recognize the existing data protection and notification requirements. Some industries, including financial services, are already required to develop and maintain robust internal protections.
They are required to protect consumer financial information and notify customers when a breach occurs. We believe the extensive breach reporting requirements currently in place provide an effective basis for any national data breach reporting requirement. Finally, there must be a strong national data protection requirement associated with any data breach law. All parties must share the responsibility and costs for protecting consumers. The costs of the data breach to limit such breaches, and any comprehensive data breach requirement must have strong data protection requirements applicable to any party with access to important consumer financial information. Thank you, and I will be happy to answer any questions you may have.

Thank you, Chairman Moran. I appreciate having an opportunity to testify today. Data security is one of the biggest challenges we face as a nation. It is an ongoing struggle for all Americans and the companies, nonprofits and government agencies that hold our personal information. By last year's massive data breaches reawakened many, they are not I joined 43 other attorney generals including in a bipartisan call for a strong, meaningful national breach notification law. For over a decade, my office helped individuals clean up from identity theft damage and investigated major breaches. In 2005, I directed the launch which were customers are told when their personal financial information is compromised. In 2006, I created a hotline to help consumers restore their credit when their information was obtained and used without their authorization. We have helped over 37,000 people remove over $27 million worth of fraudulent charges from their credit. At this point, Americans realize that it's not a matter of if but when they will be a victim of some form of identity theft. The question now is what do we do to best assist them to prevent data breaches and reduce identity theft?
I want you to recognize that for the most part, we already have data breach notification in this country. 47 states have laws requiring companies to notify people when their personal financial information is compromised. In this environment, Americans need and expect more transparency with data breaches, not less. Last year, I held over 25 roundtables on data breaches throughout Illinois with 1000 residents, including local officials, law enforcement, religious leaders, senior citizens, heads of social agencies, as well as regular consumers. Here is what they told me. They are concerned by the increasing number of breaches, and when their information is stolen, they want to know. Second, they want to know what they can do to protect themselves from identity theft. And third, they want to know whether entities are doing enough to prevent breaches and protect their information. A weak national law will not meet Americans' increasing expectations that they be called when their information has been stolen. Any definition of protective personal information should be broad and include the growing types of sensitive information that entities are collecting. The FTC should be able to update the definition in response to new threats. In terms of whether entities are doing enough to protect the people's data, unfortunately, it has been revealed that entities too often fail to take basic data security precautions. We have found numerous instances where entities allowed sensitive personal data to be maintained unencrypted, failed to install security patches, collected sensitive data that was not needed, retained the data longer than necessary and failed to protect against compromised login credentials. Congress should provide a provision requiring them to take reasonable steps to protect that information. An entity who suffers a breach should not be conducting the self-serving harm analysis to determine whether consumers get notified.
Imagine if a landlord learned a renter's home was robbed and they had the opportunity to decide whether the stolen items were significant enough to let the renter know about the robbery. This is what you will allow when they do their own harm analysis. Designate a federal entity to investigate when massive data breaches affect millions of Americans, similar to how the NTSB can investigate accidents. I know Congress will consider preempting states' notification laws. I oppose federal legislation that inhibits our ability at the state to respond to issues. The preemption provision must be narrow. The law should preserve the states' ability to use their own consumer protection laws, and Congress should give the states the right to enforce the federal law. I will be happy to answer any questions you have. Thank you.

Thank you very much.

Thank you for the opportunity to testify today. I'm the vice president for global privacy policy and the federal council at the Information Technology Industry Council, known as ITI. Prior to joining ITI in 2013, I spent years at the Federal Trade Commission as an attorney advisor. I began my career at the FTC in the Enforcement Division, ensuring companies subject to FTC orders were in fact complying. The 59 technology companies that ITI represents are leaders in the information and communication technology sector. When consumer information is breached, individuals may be at risk of identity theft or other financial harm. Year after year, identity theft tops the list as the number one complaint reported to the FTC. Consumers can take steps to protect themselves from identity theft or other financial harm following a data breach. Federal breach notification legislation would put consumers in the best possible position to protect themselves. I take this opportunity to outline three important principles in connection with federal data breach notification legislation. First is preemption.
A federal breach notification framework that preempts the existing state and territory breach notification laws provides an opportunity to streamline the notification process. Complying with 51 laws (47 states, three territories and one district), each one with its own unique provisions, is complex, and it slows down the notification process to consumers while an organization addresses the nuances in each of these 51 laws. Complying with 51 different laws also results in notices across the country that are inconsistent and thus confusing to consumers. A federal breach notification law without state preemption would add to the mosaic, resulting in a total of 52 different frameworks. The second principle is the timing of consumer notification. An inflexible mandate that would require organizations to notify consumers of a data breach within a prescribed timeframe is counterproductive. Following a breach, there is much to be done. Vulnerabilities must be identified and remedied. The scope of the breach must be determined. Cooperation with law enforcement is imperative. And impacted consumers must be notified. Premature notification could subject organizations to further attacks if they have not been able to secure their systems, further jeopardizing personal sensitive information. Premature notification might interfere with law enforcement's efforts to identify the intruders. The hackers might cover their tracks more aggressively upon learning that the breach has been discovered. Notification to consumers before an organization has identified the full scope of the breach could yield to providing inaccurate and incomplete information. Organizations have every incentive to notify impacted consumers in a timely manner, but a strict deadline does not afford the necessary flexibility. The third principle is determining which consumers should be notified.
Notifying individuals that their information has been compromised enables them to take protective measures, but consumers would be unable to determine which warrant action. Notification should be made to consumers if they are at a significant risk of identity theft or financial harm. A number of factors would be considered in making that determination, including the nature of the breach information and whether that information was unreadable. Unreadable information would not warrant a notification. Upon receiving a notice, individuals can take steps to help avoid being financially damaged. The three principles I have outlined today are included in the full set of principles ITI has developed in connection with federal data breach legislation and I respectfully request that these be submitted for the record. 2014 has been referred to as the year of the data breach. I think many of us would like to see 2015 as the year of federal data breach notification legislation. Thank you. Thank you very much and thank you all of our witnesses. How do you respond to the concerns raised about 52 different sets of standards across the country? Is there a way to preempt state law but then continue to have states involved in the enforcement of that new standard? To answer your second question first, of course there is. It happens frequently at the federal level where you will set a national standard but still allow state attorney generals to enforce the law. That is one of our most important concerns. There will be instances where there are significant data breaches. They may be smaller or may be confined to one or only a few states and will not be a circumstance where the FTC will look into it. The same situation we have in terms of different jurisdictions. Even for criminal matters. It has to be a big enough matter. We still need and want the ability to respond to and safeguard our own residents.
In terms of the concern of having 52 different laws, I would say two things. One, to some extent, the concern is overblown. In a very real sense, if a lawyer sits down and determines what the notice has to be and produces a notice that can be used across the country that happened with the Target breach. It's not impossible to do. It doesn't take such an enormous amount of time that the other issues are ignored. It is not an overall necessity but I do think it is imperative everybody agrees if you set a national standard, it cannot be a weak one. It has to be a higher one than some of the first-generation state notification laws. We are seeing an increasing number of breaches. You are going to have to start looking into the biometric data and things that few states considered. Thank you very much. Is there any indication that from state to state, depending on the law, that law or the effectiveness of that law has a consequence such there are fewer hackers? Is there any suggestion that a state law discourages hacking from taking place in that state? Is it effective as a prevention measure? Is there any suggestion that state law has increased the standards of businesses who operate in those states? Is there a different level of compliance or different level of desire to attack at a certain state because of state laws? Mr. Duncan? As I mentioned in my testimony, the very nature of this problem is that it is interstate. If you imagine a situation with a small startup, they instantly have connectivity throughout the entire United States selling merchandise. It is a fact of notice regardless of which state it occurs in that drives the interest in having greater standards. This is a national problem. I assume you look at states to see what standards are there. I want to make certain there is no suggestion that a particular state has found a way to prevent or discourage this kind of behavior. At least your answer, Mr. Duncan, is no.
I would echo that the answer is no. If you do not have both pieces you really do not have the ability to raise the bar from a security standpoint because I do not believe a breach notification in and of itself motivates businesses to raise the cyber security bar. Let me ask you, is there any developing insurance coverage market for data breach? Your banks have a standard in place today. Is there insurance that covers the consequences of a data breach? There is. We actually have a captive insurance company that offers some of these policies. It is a market that needs further refinement. As an industry, we are looking at that very carefully and are working with Treasury and administration generally to try and figure out ways to improve the market and build insurance as a private incentive as opposed to building public incentives. Thank you. I want to follow up on a couple of questions that the chairman asked. You make the point that preemption has sometimes been narrow. In fact, that concept of narrow protection is that there should be preemption only if there are state laws inconsistent with federal laws and then only to the extent of the inconsistency. That is a quote from one of those statutes. In the health information technology act that principle of narrow preemption has been adopted. Has the experience been with that narrow approach to preemption that there are these horrible inconsistencies or confusion that our witnesses seem to raise of avoiding preemption? No, senator. The concern from the state level, as you are aware, and we are assuming you guys will pass something this year, it took 10 years for Congress to pass a breach notification law. There are new threats out there or again, threats that specifically target a group of people, consumers in our state. We need to be able to respond. Or there is a rapidly changing area, we want to be able to respond. I think that is the real concern.
We have not seen significant problems where states retain enforcement authority of federal law and or the preemption is narrow. I think it works best that way. Federal resources tend to go to larger issues whereas state issues go to some of the smaller issues. Mr. Duncan, I am troubled by the failure of retailers to take responsible steps to protect their consumers. In fact, some of them, I am told, have actually blocked some of the new technology that could have been available. I do not want to call any out but I am happy to name them if you wish. I am disturbed that these major retailers have in fact moved to block innovations by disabling their contactless transaction terminals that they offer as a feature to consumers for many years. Mobile payment technologies like Apple Pay and Google Wallet, efforts are underway. But, they still have not been deployed as they should be. Aren't you disappointed that retailers have not done more to protect their consumers? It is not a matter of disappointment in terms of what retailers have done in the past. I can tell you that I have sat in the board meetings of the National Retail Federation and I have heard the CEOs of some of the best-known companies in this country talk long and seriously about the steps they have to take to address this very serious problem. I am sure they have talked. Why haven't they done anything? We are adopting new technologies. This is a very complicated issue to address because there are so many ways that the bad actors can get in. You have to develop very particular systems that will effectively block that. Why did the retailers disable their terminals? There are some technologies that either are unproven, are extraordinarily expensive, or that take control of the company's operations away from the company into someone else. Each company has to make its own decision on that element. But that is completely separate from a decision about how you secure the data in your files.
I am struck that you have recommended to the panel that there be preemption not only of state statutory law but also common law. That is a pretty broad preemption, isn't it? If you do not have preemption that is strong and across the board, ultimately, experience has shown us, the court will strike down the preemption and the proliferation of conflicting laws will reemerge. We have to have a very strong law and it has to be a uniform law to be effective. Isn't that principle virtually unprecedented? I don't think so. Where else has it been adopted? Let's look at the Telemarketing Sales Rule. The same kind of approach was taken. All power was placed on the FTC. You do not see individual actions under that rule. My time has expired but I would suggest that approach to preemption is broader than this committee should consider and that a more narrow view of preemption such as the attorney general has suggested, if there should be any preemption at all. Thank you, Mr. Chairman. Senator Fisher. Thank you, Mr. Chairman. Miss McGuire, as you know, numerous reports have linked nation state actors to cyberattacks. Additionally, some of the same countries implicated in these reports may require U.S. IT companies to turn over intellectual property. That includes interop operating software, operation source codes in exchange for market access. Are you concerned that this information in the hands of an irresponsible actor could pose additional cyber security risks? We are concerned about having to turn over any of our intellectual property to any country. We believe that that is an infringement on our ownership of our intellectual property that we had clearly spent extensive resources to develop. We should be allowed to protect it accordingly. Certainly, if it is passed to a second party, it does expose us to potential vulnerability. In short, we believe we should not have to share intellectual property.
There are instances, I believe, where companies are being pressured by foreign governments to share that property. Do you know how prevalent that is? There are some new requirements. Actually, some not so new requirements in some countries. I cannot tell you how prevalent it is but we are certainly seeing a growth in those kinds of requests from many different countries around the world. How dangerous is that if we continue to see growth, if the companies do that and increase in market access, how dangerous is that to other companies here in our country when that property is shared? Would that put your security at risk? It potentially could put other organizations at risk. I am not sure that I can quantify how much, but anytime you have to provide the source code to another party, it can provide additional openings for risk. Our federal data protection framework is largely based on who is collecting that information rather than tailoring and enforcement based on what is being collected. Would it be better for consumers and businesses alike if we would apply a more uniform regime for all entities so that enforcement is based on the sensitivity of the information that is being collected? That is our view, that it should be a space application and threshold for what type of data potentially is breached. For all of the witnesses, if I could just ask a couple of yes or no questions. Do you support a federal data breach notification standard that is consistent for all consumers? Miss McGuire, if you want to start. Yes. Absolutely. Yes. Yes, if it is strong and meaningful. I will be the outlier and ask for further clarification of the question. When you say consumers, are you referring to which particular type of data? Whether you do not want to distinguish between types of data? To a certain extent, the sectoral approach that we have in the United States has worked with regard to financial and health data.
Since the desire is to get federal breach notification legislation across the finish line in 2015, anything that potentially could slow that down is something we should carefully consider. Do you think it would be easier to get something across the finish line if exceptions are made or targeting made on what type of data is collected? I think it would make it easier to get it across the finish line if entities that are already subject to data breach notification requirements in specialized areas remain intact. Senator Fisher, with all the respect, a sectoral specific approach or exceptions to the kind of incentives we need to have effective protection for consumers. We have disagreement. I am over my time, so thank you very much. Senator. Miss Weinman, you and others have talked about the balance strike in terms of over notification. We recognize we do not want to inundate consumers and others with notification of breaches that are not significant enough. It would become meaningless. My question is who determines whether this is a significant risk of identity theft. Is that the attorney general to determine? Is it the court, individual companies? I think that is one of the key issues. We can all agree on principle that we do not want to be over notifying, but where that responsibility resides is key. Thank you. I am glad that we can agree that over notification is not something desirable. I think an organization that holds the data and has a sense of what information has been compromised, the extent to which it has been compromised, would be in the best position to make the determination. What standard would they be held to? Under the law or their own judgment about whether this would be harmful to their consumers or does this get refereed in court? I think the level of risk would be something that would be codified in a statute. Like significant risk of identity theft or financial harm. I do think that would be in the letter of the law.
You are talking about a risk-based analysis. Please elaborate. Along the same lines of what kind of data has been breached and what the risk is to the consumer or the organization's data that also might have been part of that, but as I stated in my statement, we believe that a component of that statute needs to be that the data has been either rendered unreadable or unusable by encryption or other technology so that if the data has been accessed, it is meaningless to the perpetrator. That is a key component of the statute. Attorney general, maybe take a half a minute to elaborate. I do not think there is any such thing as over notification going on at this point. Notification keeps consumers alert to the possibility of identity theft. It certainly depends on what other information these criminals may have access to in terms of what they could be using some information we would use if it is combined with other information. There is no over notification going on at this point. I agree with you but we do not want to create a scenario where I'm getting emails two or three times a week and I do not know what to panic about and what to ignore. I agree we are not there in reality. If you could articulate what would constitute a strong standard. I respect that the California law and some other statutes are pretty good marks to make. I see a few heads nodding and a few shaking. That is fun but I would like to hear what you think would suffice in terms of being worth the tradeoff. A strategy I have heard about is we should look at the state laws that are out there. California at this point being one of the high marks. I should say it is not just California. This is a bipartisan issue. Texas, Florida, Indiana, if they do not already have some of the most progressive notification laws in the country. You need to see what the changes have been from the first generation.
We were saying, it would be our first name and first initial with our last name as well as unencrypted Social Security number, credit or debit card number. Now we are moving to biometric data, email addresses with login passwords. As it changes, you need to look and see what is the high water mark and make sure that that really is your floor. Mr. Johnson, you can have the last word. What would suffice as a strong enough standard that we would also be comfortable preempting the state laws we would be looking at? I think what we're doing at the federal level as a standard associated with when a company makes evaluations. I think also, the financial services companies, even if the breach is not occurring at the company, they have a lot of experience with dealing with these breaches. I think that is what I would look to. Thank you. Senator. Thank you, chairman. We had a similar hearing in this committee last March. I think at that time, all of the panelists were for preemption. Attorney general, I often tend to be in favor of the underdog but I seldom imagine you would be the underdog on this issue. You might be in terms of where other people are tending to end up. I would ask on the topic of preemption, and we will see where that goes. I think the president and attorney general had taken a position on this since last March that they agree with the idea of preemption. We introduced a bill last year and are working on a bill this year. One of the things we have not done in that legislation so far is establish an arbitrary time frame. There is an argument about whether or not there should be a specific timeframe established as opposed to established by circumstances. So far, I have stayed on that we need to have some flexibility in the timeframe. I am not absolutely sure that I understand all of the impact that you can have here.
I noticed in the Anthem data breach this week, they were becoming the victim of breach fatigue by constantly being notified he could be in a group where information has been breached. Many people in that group the impact of that we are not lookup legislation with the idea that we need an arbitrary deadline. I have a couple of questions. The question would be, what would you perceive in terms of how a deadline should be established or the criteria for what would be a reasonable response and your view on whether an arbitrary deadline is something that should be included in a data breach notification. Thank you. I think an arbitrary deadline with a specific timeframe is not useful in that it sets an objective standard. Each incident is different. Each incident requires special consideration to address vulnerabilities, cooperate with law enforcement. Some breaches will require cooperating with many different types of law enforcement. I do not think a specific deadline is useful. That being said, a number of the states have deadlines that do not involve specific dates. I think that is the right approach, to give flexibility. Is there any sort of guideline you look at as to whether or not a response is appropriate if the guideline becomes the response is to be an appropriate time for them could be a triggering factor whether the response was appropriate there or not? The words we hear a lot is without reasonable delay. In examining whether the notification was done without unreasonable delay, you would look at what the company had done until that point when it decided to make that notification. Had they dotted all of the i's and dotted the t's, listened and cooperated with law enforcement. I am down to a minute. Anybody that feels like a guideline should be specific? Anyone want to respond? I agree there should be a standard for a reasonable notification.
I think it is important to recognize that there are different types of breaches. There's a difference between losing a laptop with a lot of data and a network that has been penetrated. That may require very different responses and investigation timelines. That is an important criteria to consider. I would agree with my colleagues. There should be some flexibility there because smaller organizations simply are not going to have the types of resources that bigger organizations can allocate. Some flexibility would be essential. My one concern about reasonable response is it sounds like time in court for me to determine whether the response was reasonable or not and contend that it was not. I'm out of time. Thank you. We are honored to be joined by the chairman. Thank you for holding this hearing and for focusing on this issue. It is important to our country and something that Congress has been trying to fix for over a decade. Hopefully, this will be the year we finally find the path forward that enables us to put forward a workable solution that protects consumers and addresses this issue which we are reading about today. Millions of Americans impacted by yet another data breach. I want to ask, I think the question has been asked many times but perhaps not everyone has answered it. Miss Weinman, you have extensive experience in this area, having worked at the FTC prior to your current position. Could you give us your explanation of why you think a single federal law is so preferable for businesses and consumers? Thank you. I have a chart with me that is 19 pages long that goes through the variances of the different state laws. That reason alone, I think, lends itself to having one notification standard to enable companies to act quickly and provide the required notice. I think it is both business friendly and consumer friendly. Mr.
Duncan, your testimony highlights the need for Congress to enact a preempted federal data breach notification law. I agree that would provide a great deal of clarity for companies, including retailers and merchants you count as your members. It also provides needed consistency for consumers, which is an issue Congress has dealt with in the past. There have been proposals that call for uniform notification procedures and uniform federal data security standards. I appreciate your observations about some of the risks of FTC enforcement. Since that enforcement can already occur, wouldn't retailers benefit from a federal law saying that reasonable data security measures must take into account the size and scope of the information? The FTC effectively has a reasonable standard either under this section or deception or unfairness. Once you put a lot of different factors in, you have a situation where if a medium-sized company cannot check the box of every single one of those factors, then they are likely to be in a bad shape. That kind of standard works better when you are developing guidance. That is a big distinction between the GLB standards and a uniform national standard. If you have an examiner sitting next to you and you can work the region of those various elements, that may work. But, if you're trying to set one standard for every type of business, then having multiple components to that is going to make it impossible for the average American company to respond. Could NRF support this type of security requirements? Sure. A reasonable security standard coupled with a very robust notice requirement, that would work. I have a question for the attorney general. Ms. McGuire suggested any notification standard should notify customers of their data before it was stolen. Ms. Weinman suggests it will not result in risk and a notice not be appropriate. I wonder what your thoughts are. Also, how the Illinois state law approaches that issue. It is the right thing to do.
I agree with both of them. Illinois law, you do not get notification of the breach if the information is encrypted. What we need to see is encryption information has been compromised. If it is encrypted, unusable, unreadable, notification does not need to take place. Thank you. Thank you very much, Mr. Chairman. Thank you for holding this important hearing. One of our major retailers experienced a breach and I think there is not a day that goes by that we do not hear about another cyber attack. In fact, last night, the media reported that Anthem was breached and as many as 80 million customers could have had their account information stolen. These cyber attacks are increasing in scope. I hope, given that we have already had a hearing, and I appreciate the senator's leadership. I hope we can move ahead in this area of cyber security. My first question was about what I just raised. With this disclosure, it is important to discuss what is and what is not covered under the Health Insurance Portability and Accountability Act or HIPAA. Would the breach be covered by HIPAA? What I have heard so far is they claim medical information was not breached so it would probably fall under the various state laws to determine if the definition is met. But I think it remains to be seen what the total extent of that breach is. I think we don't know yet. In your experience if something like this happens, not this exact case, how are the agencies coordinated with the attorneys general, whether the departments of Health and Human Services, FTC, to enforce these consumer protections, and do you think there is more that can be done when it comes to coordination? We've certainly long had a very good working relationship with the FTC because we obviously had similar jurisdiction over consumer matters. We probably do not have as much interaction with the other entities that are dealing with some of the health information.
In Illinois the way our breach notification law works, if that type of information is taken we want the ability to make sure people are notified. Obviously coordination helps everybody, particularly when we all have limited resources. At the end of the day our concern is all the same. We're trying to protect individuals from any sort of identity theft, financial damage that could occur because of it. So we are always looking to cooperate whether it's at the state level or the state and federal level. OK. Mr. Duncan, I'll focus some on the retail issue since we're proud to have Target and Best Buy in the state of Minnesota, two great companies. Last year many of my colleagues and the media talked about the need to move to chip-and-PIN technology similar to what we're seeing in Europe, Canada, and elsewhere, and following the push for the change the industry made a voluntary commitment, as you know, to switch over to the cards and readers by the end of October, 2015, which is this year. That's an important timeline, I think, for consumers. We learned from the Home Depot data breach that impacted both Canadians and Americans that cards from Canada were actually less valuable on the black market than American cards because they had chip-and-PIN technology. We tended to be a target because we've not improved that technology despite the work of companies like Target, who had early on tried to, but as we know it's not universal across the country. Mr. Duncan, what percentage of your members have already adopted chip-and-PIN payment technology and have the necessary technology to read cards at points of sale? This is a quickly changing number. I have data from several months ago, in which case it was in excess of a quarter of the nation's retail terminals were already outfitted for chip and PIN. The concern that many of our members have is that the investment in PIN-and-chip technology is extraordinarily expensive.
It will cost between $25 billion and $30 billion to reterminalize the entire country. It's worth it if you get improvement in fraud reduction. Unfortunately, many of the banks, not all, but many of the banks are not issuing PIN-and-chip cards. They're only issuing chip and signature cards. As you know, a signature is a virtually worthless security device. Retailers are being asked to spend tens of billions of dollars for security that is going to be illusionary. Just talking to Target and Best Buy I know they're pretty committed to this October deadline, which is great, but is the when you're talking about the 25 are there just ones that haven't done it yet but you expect a higher percentage to be there by October? Lots of companies. I mean, it takes a great, it's a huge effort to reterminalize a large operation, interconnected operation, but we expect a significant portion of the industry to be there. Not a hundred percent. It's impossible to do that in 10 months. So your point is that it's very important to have the full technology with the PIN and chip. If we're going to spend the money to reduce fraud, let's do PIN and chip. OK. Good. Any comments from anyone else about this? Yes. Mr. Johnson. Thank you, Mr. Duncan. Thanks for the opportunity, senator. I think one of the things when we have this conversation that we forget sometimes is the fact that the card market is really two different markets to some degree. It's the debit card market as well as the credit card market and debit cards have PINs. And so you've essentially got more than 50 of the card environment already that is PIN enabled. But what we've learned from the credit side is the fact that both of the retail side as well as our customer behavior that in the credit environment our customers prefer to use the signature. If they want to be protected by a PIN they can use their debit card. They have effective choice to be able to accomplish that. But I think what Mr.
Duncan said is that you get more protection and certainly the situation that we saw with the Home Depot where the Canadian cards were less valuable because they had that full technology, I can imagine everyone would like ease. It's just that if we know one technology protects better it seems we wouldn't want it just for debit card. Sometimes I just know from having a bunch of cards in my purse I don't really think through what kind of card it is or if it's signature or not. I think that the most important thing here is to really work toward getting rid of static numbers. What we have in the environment right now are credit card numbers and PINs that are static numbers that make us vulnerable. And I think that to the extent that we develop technology such as tokenization where numbers are meaningless, if someone was to breach Target and capture all the numbers that were associated with those transactions or any retailer the numbers would be meaningless because they'd only work for that one transaction. So I think that's really what we need to be working toward is making those numbers absolutely worthless to the criminal. That's what's going to really protect the customer at the end of the day. Very good. My last thing is just for the good of my hometown companies that Target did fix the breach and everyone can go shopping there. Thank you. Thank you. Senator Daines, let me first say that a vote is scheduled at 11:30. I want to make sure Senator Daines gets an opportunity to question. We had intended to take a second round but that may not be possible based on the voting schedule. Senator Daines? All right. Thank you, Mr. Chairman. This morning 80 million Anthem health insurance customers woke up to learn that their personal identifiable information could have been stolen.
In fact, we just received this over the fax machine, a notice from Anthem that says to our members, just quoting from the letter just sent out to their members, it could be 80 million members, these attackers gained unauthorized access to Anthem's IT system and have obtained personal information from our current and former members such as their names, their birthdays, their medical IDs, Social Security numbers, street addresses, email addresses, and employment information including income data. Last year in the House I offered an amendment that would strengthen victim notification requirements. I'm eager to work with the chairman on strengthening these requirements again in future legislation. I've got a question for anyone on the panel here this morning in light of, there's been a lot of discussion about past breaches and now it looks like this most recent significant and serious breach. What is an appropriate notification time period like for the 80 million Anthem customers? We still don't know for sure when this occurred but we're hearing it might have been last week. For these 80 million customers that are waking up this morning to hear and learn that their PII could have been stolen? Senator, I would respond this way. It sounds unusual and helpful that Anthem has actually notified people even if we don't know the full extent of the breach as quickly as they have because we are aware of situations where there are retailers who have waited months and months, some maybe as long as six months to notify people, which is clearly too long to notify. We've had some extensive discussion about should there be a 30-day, you know, hard deadline? Should it be more flexible? I can tell you at the state level there are some that have time frames. We've been very reasonable, basically saying to do this as expeditiously as possible.
When we look into if that has taken place, we determine when did the breach take place, when did the company know about it, did they have time to put in place a response to secure their system, and obviously any exceptions they need to continue to work with law enforcement. So a flexible deadline would be a good one, but it cannot be that there is seemingly such a flexible deadline that you never have to notify or you can wait for months, because our goal is to let people know their information is out there and that they may be a victim of some form of financial fraud or identity theft.

Yeah. I, prior to coming up on the Hill, I spent 28 years in business. In fact, half of that time with Procter & Gamble. We prided ourselves on good customer service. The other half of that time was part of a technology startup, a cloud computing company we took public. Oracle acquired us a couple years ago. Built a world-class cloud computing company. I was vice president of customer service working with literally millions of end users and thousands of customers who we were, we sold a B-to-C customer service cloud-based solution. When I was running customer service and looking out for customers and we had a problem, our policy was we'd notify our customers as soon as we were aware of the problem. Maybe not always understanding the magnitude of it. We believed we owed it to our customers to get back to them. I'm frankly surprised to think we might be thinking in terms of 30 days or, I think, frankly that's unacceptable, that the customers, consumers in this country should be served better than that. And we should ensure that when particularly dealing with PII, recognizing we may not know the scope of the problem at the time, but at least the customers ought to know there's a problem and we're working quickly to try to resolve that. I'd be happy if there's any other comments from the panel, please.

Senator, we would support the kind of notice regime that's contained within the Illinois law.
It's less important as to what number of days are attached to it as long as you provide the time for law enforcement, for example, they may not want to notify because they want to set a trap for the people who have invaded it and have a way of catching them, taking them off the street. You've got to allow for that. You clearly want to clean up the hole so that the people can't come back inside. Once you've taken care of that, you can 30 days, 10 days, whatever, 40 days, it doesn't matter, just a reasonable time period. I will say, to the specific point that was made a moment ago, one of our members had a breach which they initially interpreted to be a million card data had been released. Once they examined it, it turned out there were only 35,000. So the idea that you would have given notices to 965,000 more people unnecessarily is a pretty serious problem. So you've got to get it right. There is no easy answer here.

If I may comment, in terms of customer service I agree with you that quick notification is very important, but on the other hand, situations such as my other panelists have pointed out, some flexibility is necessary in this situation. One of the biggest deterrents to any organization is loss of trust. As we noticed, Anthem has been very quick at reaching out to people and hopefully will learn from their past challenges and also from other breaches that have occurred. Loss of trust is a very big deterrent in the current environment, internet enabled gathering session, people have to quickly respond.

Yeah. Well, I would hope to continue to work on this issue of trying to establish what we think would be without unreasonable delay and trying to perhaps put better guard rails on that, because I think it's probably in the eye of the beholder sometimes. I can just say my experience in years of working with a cloud-based computing company, I just believe it's better to err on the side of the consumer and for their protection.
I fully understand you can create maybe a bigger problem by notifying everybody without understanding what really has happened. But I think as we lean one way or the other on this I would just urge us to lean toward a quicker response, defining that. I think better safe than sorry, particularly looking at this notification that went out. This is Social Security numbers. This is personal income data. This is perhaps private medical records. This is very, very serious. I think the consumer has the right to know about that sooner than perhaps waiting a week as we try to walk the fine line here of law enforcement and not creating a mountain out of a mole hill. I tell you what, I think we should be trying to make this tighter. I had two days. I hope we can work to something here that we can actually define.

Mr. Daines, thank you very much. The bell has rung indicating votes and we will conclude this meeting momentarily. I'm not going to ask any additional questions but, Dr. Pendse, I would be glad to have you visit with my staff. You know Kansas well. What small businesses should we be worried about? What innovators may be deterred from greater innovation as a result of this kind of legislation? I'd welcome your input.

Absolutely.

Then I'd be interested in hearing from any of the witnesses about Gramm-Leach-Bliley and its potential being used as a standard. I'd like to know whether the bankers, if there is information that banks have that could be breached that is not covered. And, also, the same kind of question related to HIPAA. Where in those two arenas, health care and financial services, is there something that we ought to be considering a standard or a starting point as we look at broader breach opportunities, or is that just a bad idea?

Yeah. I agree with you that it offers a potential model here. Mr.
Johnson, I gather you feel that preemption language, you said in your testimony, I'm quoting, the extensive breach reporting requirement currently in place for banks provides an effective basis for any national data breach reporting requirement for businesses generally. I gather that you support the preemption model contained in Gramm-Leach-Bliley.

That's correct.

Because I think that may provide some common ground here. And I invite the witnesses, I know Mr. Duncan, I apologize, my time expired before you may have been able to provide a full answer to my question, so I'd invite you to supplement your answer in writing if you wish because I value your further comment. Thank you, Mr. Chairman.

If I may, Senator Blumenthal, I would emphasize the fact that this is essentially guidance. It says you should, you ought to, something like that. That differs quite a bit from the state laws that have a mandate and a requirement. We would favor a mandate and a requirement rather than something that's merely suggesting.

I was referring really to the preemption model there.

Senator Klobuchar has exceeded her time at the earlier opportunity. [laughter] But any concluding comments?

In the great tradition of senators, that's what we're expected to do. I think actually, Senator Daines followed up on the question that I had but I want to ask one more time. Mr. Duncan, a couple different times, has established a matrix of what might go into a reasonable standard. Is there anyone on the panel who's concerned about the Congress pursuing, as we look at this issue, a reasonable standard sort of along the lines that have been outlined or as opposed to a specific notification period?

Are we talking about time frame?

We are. Nobody has a problem? Nobody is proposing that we should include a specific time frame in any law that we require notification in?

Senator, what I can tell you is the reasonable time frame such as what Illinois has, we have seen it abused.
And so the idea that you would put in a specific deadline, maybe within the most expedient time but in, you know, no circumstances less than, I mean, put some sort of a line there or, as I said, it could be six months, at which point your information is long gone. It has long been purchased on the black market. And who knows what has been done with it or damage that's been done to you. You need to have further discussion about how do you better define what the time line is going to be for notification.

Anyone else? Thank you.

Thank you, Senator. To be bipartisan in my admonition, Senator Daines also exceeded his time allotment. I also notice Senator Klobuchar was very effective in putting me in my place by something like the new kid on the block. We're delighted you were all here and appreciate the information conveyed to us. The hearing record will remain open for two weeks. During that time senators are asked to submit any questions for the record. Upon receipt of those questions the witnesses are requested to respond to those, to the committee as soon as possible. I thank the witnesses again for their testimony and I conclude this hearing. We are adjourned. Thank you.

Leaders from Germany, France, Russia and Ukraine meet in Minsk this week. The Associated Press writes the announcement intense diplomacy. The French and German president traveled to Moscow in a bid to advance the peace talks. Officials in Washington have indicated the U.S. may be willing to provide arms to Ukraine. Chancellor Merkel will be talking with President Obama. The two are expected to discuss the Ukraine-Russia conflict and other issues. We expect a joint conference tomorrow. We will bring you live on C-SPAN. February is Black History Month, and the C-SPAN bus is on the road visiting the top historically black colleges and university to speak with their faculty. This Tuesday during Washington Journal, will be at Fisk University in Nashville. A look at U.S.
Cuba relations and the Obama administration's attempt to normalize relationships with the country by lifting economic and travel sanctions that have been in place for decades. This is two hours 40 minutes. This hearing will come to order.
