American consumers rightfully expect their personal information should be protected by their financial institution by their retailers, payment processors that neither federal government. Consumer should be left to hope and pray that all information will be safe every time despite their debit or credit card or rent your information online. They deserve protection. Today the committee will hear from representatives of organization to constitute major participation for the payment system. We welcome their expertise and insight. My hope is they carried out for its members on both sides an opportunity to better understand what security measures are currently in place to prevent data breaches, how consumers are notified and what types of emergency technologies will help reduce the frequency and severity of breaches and what steps are being taken by the merchant in financial services communities to address the problem and where additional federal legislation may be warranted. I further hope t
Which is Massachusetts, and I've been talking to some of my colleagues from Massachusetts. Would you agree with that? I think also Oregon has a pretty good standard. There are elements of other state laws you may not consider specific data laws. A pretty high standard? It is a pretty high standard, yes. That's the starting point for us. There's been some discussion about the Standard Energy in commerce. Would you say it's a higher standard than what our bill would propose? Our standard is a reasonableness standard. So I think the difference here is not only might there be a difference in what the language says in that bill, I think, also, we would be looking to the common law of the FTC and others to flesh out what the specific requirements are, but it's really important as we're thinking about how strong the security standard is, to think about who has the enforcement power and who's going to be guiding the parties there. If the federal agencies are solely responsible for it even a strong st
It. I said in the opening comments that the preemption should not have the unintended consequence raised outside the bill. We would certainly be willing to make that plain. Miss Moy, you said, I thought I heard you say, that we shouldn't have 50 different standards is not the answer. Is that what you said, or did I mishear your comments? So what I have said is I think the best for consumers would be to create a floor, not a ceiling, so that states can continue, so set a national standard and then allow states to protect additional categories of information. So my understanding is 13 states have data breach standards like this. And ours would be better than all of them except maybe one, which is Massachusetts, and I've been talking to my colleagues from Massachusetts. Would you agree with that? I, well, so I think that Oregon has a pretty good standard and I also think there are elements of other state laws that you might not consider specific data security laws. A pretty high standard? It
Congresswoman Maloney, no. The standards have been flexible. I think Congressman Neugebauer and Congressman Carney have done a good job in doing the same thing in their bill, which is to say, we're going to have standards and we're going to allow them to be scaled. I think that's a good model. In other words, they've worked well and they won't be too burdensome for smaller institutions and retailers. I'd also like to know your feelings about having a minimum or a floor standard. I know that California, Oregon have a standard that's higher. I think it's important you have to have a floor. Do you think it should be a floor or should it be a ceiling and why? Another great question. Right now we have nothing. Right. Something is better than nothing. Absolutely. And so floor would be progress, but ceiling, if it's set high. We passed what we thought were nation-leading standards and notification standards. You wouldn't want a bill that undercuts the 13 or so states that have done this. If you're goi
Were about to compromise the payment system, the electrical grid, you wouldn't say let's kick it to the states. Let's let them handle it. I don't think you would do that. Whatever you do will be helpful, even if directionally. It will be better than what we have now for the sectors that don't have any standard in those states. Miss Moy? Right, so I would say a couple of things. One is that consumers are protected right now by the Federal Trade Commission Section five authority, and the FTC is enforcing that. As we've heard, they've enforced over 50 cases since 2001. And consumers in the other 47 are, you know, 47 states and three jurisdictions are protected by breach notification laws. So there are protections existing for consumers. I think setting a floor and not a ceiling, as I've mentioned before, there is a clear pattern in terms of what's covered, even by the disparate state laws. So as a practical matter, most companies that have to comply with the laws of multiple states are just comply