Transcripts For CSPAN2 Data 20240703 : vimarsana.com

CSPAN2 Data July 3, 2024

[inaudible conversations] Welcome to the Subcommittee on Consumer Protection, Product Safety and Data Security. Will come to order. I apologize for the bit of late. Senator Blackburn was here quickly. She is en route. We're at a pivotal moment in the age of technology that rely on increasing massive consumer data. Obviously, artificial intelligence has gotten the lion's share of publicity but that's nowhere near the limit. Businesses collect or process data ranging from personally identifiable information, name, address, likeness, as they say in college these days. Obviously, sensitive data like physical locations and browsing history. The threats to consumers' data that companies face is complex and, in almost every way, daunting. As companies collect more data, they become more attractive targets for data breaches. And, by that I mean criminal activity. Each breach costs companies nearly 4.2 million per incident. And consumers shoulder the financial burden and reputational harm of each incident. How many more consumers need to be victims of identity theft for us to take action? How much longer should we allow personal data to be sold on the dark web for profit? When will cyber criminals be stopped, or at least deterred, from preying on our data? These data breaches hurt small businesses, large corporations, and everything in between. In 2023 alone, there were 3,205 data breaches in the U.S., and that's what we know of or were reported. 353,000 individuals were severely impacted. 10 of publicly traded companies reported a data breach impacting, in total, 143 million individuals. These data breaches can have devastating effects. A nationwide wireless carrier's data breach exposed the data of 70 million customers. A large health insurer, this was recently widely reported, saw their system grind to a halt, which delayed important healthcare payments and exposed critical health data.
This is why we need strong requirements for how companies collect and protect our data, are conducting routine risk assessments, and establishing strong internal and external safeguards for data. We need a strong national privacy standard that includes data minimization and data security. Obviously, data minimization establishes specific categories to turn off the spigot as it were. Turn off the spigot of data that companies collect from consumers so that companies aren't just collecting everything they can. Data security establishes clear requirements for how companies should safeguard the data that they do collect, so breaches are less common. We need to give consumers meaningful control over how their data is used. This will restore consumers' confidence in the technology that powers our economy. And I think states clearly are not waiting for the federal government to act. Already 16 states, including Colorado, have passed, or are in the process of passing, their own state privacy laws. Other states are talking about it. There are lessons we can learn from these state laws. For example, Colorado's law has a temporary right to cure for businesses to comply or adapt to privacy requirements. There are also areas where the federal government has to step in to issue rules and apply enforcement, consistent definitions for key terms like sensitive data, or to issue nationwide rules. The draft American Privacy Rights Act is an important, bipartisan, compromise framework for Congress to build upon. I commend Chair Cantwell and Chair McMorris Rodgers in the House for their efforts to bring this proposal forward. We're committed here to listening to all perspectives on data minimization and data security. Minimization and security are obviously interconnected, interrelated. Together, they represent the foundation of a strong data privacy framework on which we can build.
We have an opportunity right now, and an obligation right now, to build meaningful, bipartisan consensus around these complex issues. That's I look forward to hearing today, each of our witnesses. I would like to welcome each of the witnesses who are joining us today. James Lee, chief operating officer for Identity Theft Resource Center. Sam Kaplan, who's assistant general counsel of Palo Alto Networks. Policy director for New America's Open Technology Institute, and Jake Parker, senior director, Security Industry Association. I now recognize our Ranking Member, our vice chair Senator Blackburn, for her opening remarks.
Thank you so much, Mr. Chair. Apologies for people kind of coming and going. We had a 2:30 vote that ended up getting called. But I am so pleased. I know Chair Cantwell and Ranking Member Cruz are on the floor right now, but I am appreciative that Chair Cantwell has brought privacy back into focus. I've worked for over a decade for Congress to take an action in this area. And when Senator Welch and I were each on the House Energy and Commerce Committee in 2012, we brought forward data security and breach notification bill. It was the first of the privacy and data security bill and it was bipartisan. It would take steps to protect the security of data from business of your it would've required security data breach notifications and allowed the FTC and state attorneys general to hold companies accountable for violations of the law. So that is where we were in 2012. And as we now know, this issue, since it hasn't been addressed and it hasn't been resolved, it is growing more and more urgent every single day. The need for the swift adoption of smart and effective data privacy and security legislation is pressing for several reasons. First, China and other bad actors are not slowing down.
Now, FBI Director Christopher Wray was the force at a Judiciary Committee meeting, and he said something pretty significant. He said, if you are an American adult, it is more likely than not that China has stolen your personal data. And he also said China's vast hacking program is the world's largest, and it's stolen more Americans' personal and business data than every other country combined. We need to be paying attention to this. This threat is especially magnified as China seeks to become the world leader in artificial intelligence by the time we get to 2030. China plans for AI to power its vast surveillance state, and data collection and retention is at the heart of their strategy. At the same time as AI technology becomes increasingly intertwined in our daily lives here in the U.S., consumers have valid questions about how their data is going to be used to train these large language models. In an applications. I hope today that we will discuss why we need federal privacy and security legislation to combat these threats. Second, Congress is past the point where we risk ceding our authority to both states and other countries. As we all know state governments are quickly enacting privacy laws, creating a patchwork of regulatory headache for our businesses. 15 such laws exist, including Tennessee and Colorado. And the Europeans have also beaten us to the punch. Several years ago they did GDPR. They are now using GDPR as the foundation for regulating AI. Yet, we can use the EU as something of a cautionary tale about the need to make a regulation smart and effective. I visited the EU to work on this issue last year, and I heard stories from one of their data protection authorities about how they've been asked to resolve disputes over bank accounts after a couple divorced, or resolve a dispute between neighbors about the location of an antenna. So let's be smart and let's not make the same mistakes, and let's not overreach.
We know our friends, the Europeans, always have a heavy-handed approach, which makes it even more imperative that we act in a thoughtful manner. More without congressional action, the FTC will proceed ahead with its commercial surveillance and data security rulemaking, which it launched in 2022 without congressional authority and director. Congress should be studying these rules, not unelected. Finally, while this hearing will likely feature much discussion on concepts like data minimization and other data security practices, we must not forget about the cybersecurity threats posed by new and emerging technology. One area of great interest to Tennessee are quantum technologies. Through methods like harvest now and decrypt later, once bad actors steal encrypted data today, nothing can stop them from decrypting your data tomorrow with quantum technology. That's why this committee must move quickly to examine this technology and reauthorize the National Quantum Initiative Act. I would love to work on this with our chairwoman and the team here of the committee. Tennessee is a leader in financial innovation in technologies like quantum computing. And Oak Ridge National Lab is at the forefront of basic and applied science research. When I speak with people in the state to ask me how we can best tackle privacy and data security issues while also continuing to allow innovation. This committee must be thoughtful in our approach but mindful of the realities the congressional calendar imposes.
And now remarks from each of our witnesses. The term witness gives a false sense, I don't know, insecurity perhaps these days. Anyway, we'll start with James Lee, chief operating officer, Identity Theft Resource Center.
Thank you, Mr. Chairman, Chairman Blackburn. I am Mr. Lee, and the core of our business is provide for victims of identity crimes and we do research on identity crime trends.
And a lot happened since we were in this room in 2021 to talk about this subject. We've seen bad actors shift their focus and expand their reach and we've seen them accelerate their innovation attempts. We may, in fact, be in the beginning of what is the golden age of an identity crime. It's fueled by stolen personal data made highly effective and efficient by AI and many all, but helpless to defend themselves. Why do I say that? I'll give you some scope of the problem. Data breaches are the fuel for identity crimes, all identity crimes and stolen logins and passwords. 3205, estimated over three million people some people hit more than once, a 78 increase from the year before. That's a 72 increase from the previous one which happened the last time we had this hearing. From a financial standpoint, more than two-thirds of the people who contact the ITRC are losing more than 500. Within that subset, 30 of them are losing more than 10,000. And we are now routinely hearing from people who are losing six and seven figures in financial losses due to identity scams. Most troubling trend is the number of people who have decided that their only way out is self-harm. 16 of the people who contacted us in 2023 said they contemplated taking their own life. For the decades before that, that number had never been higher than 2 to 4 and now, 16, doubled in one year and we do not see it slowing down. And also, unlike past years, we now hear routinely from grieving families who are still being attacked by the identity criminals who are trying to keep the scam going. We don't advocate one way or the other for legislation or regulation for the most part, but we did provide a tip for information. With that in mind we're still the same place we were last time, the best way to prevent identity crimes is to prevent the identity victims in the first place, uniform minimum standards for data protection and use.
Minimal technical and nontechnical, and our world is driven by software and fueled by data. Compliance with comprehensive, but not necessarily prescriptive minimum standards can reduce the risk of exploitation, but standards are more than metrics, they are practices like data minimization which is a concept that's predicated on a very simple truth. If you do not have the data, you cannot lose it. And if it's secure, it cannot be misused until we get to quantum computing and that's a different discussion. Routine risk assessments also help ensure information systems are secured in a manner equal to the risk. That's very important. Equal to the risk that an organization faces. You add two other complementary concepts, privacy by design, and security by default, and you have all the tools needed to keep privacy and security at the forefront of a company's culture and in every stage of our product's life, to be effective in reducing identity crimes. Uniform standards also need strong enforcement, defenders must continually measure the progress and constantly adjust to the new task and you do that through audits. And there's a need for strong enforcement actions when it comes to data breach notices, increasingly effective even if a notice is issued. Let me give you two examples. In the first three months of this year, 32, 32 of data breach notices had information what caused the data breach if it was linked to a cyber attack. Reverse that number and that tells you how many didn't include information about what happened. That number was 100 of data breach notices until the fourth quarter of 2021. The average number of new data breach notices in the U.S. is nine per day. In the European Union, one of the things we do get right, 335 every day. We are missing data breach notices and there are plenty of examples to prove that.
One final thought, if we adopt data minimization and we should and give consumers more access over their personal information, that's a vital part of data, and they can significantly reduce the amount of information in a data breach and to criminals. And there's going to be one. But personal information used responsibly and transparently for a people who is who they claim to be from opening to a bank account, applying for a government benefit, et cetera. And effectively prevent someone from becoming a victim of identity fraud. Restricting use the personal information for fraud prevention is part of control or data minimization could have the unintended effect of aiding criminals and negatively impacted those who are victims of identity crime. Thank you, and I look forward to your questions.
Thank you very much. Now, Mr. Sam Kaplan, the assistant general counsel of Palo Alto and spent time in Colorado.
Thank you, Chairman Hickenlooper, Ranking Member Blackburn and distinguished members of the committee, how cyber security is part of consumer protection. I'm Sam Kaplan and sar for public policy affairs at Palo Alto Networks, I've spent the bulk of my career working in data, across the federal government to include as the DHS privacy officer and served on the Privacy and Civil Liberties Oversight Board at the U.S. Department of Justice. For those not familiar, we are an American headquartered company founded in 2005 that has since become the leading cyber security company. We proudly provide cyber defense capabilities to enterprises around the world, supporting 95 of the Fortune 100. Critical infrastructure of all shapes and sizes. The U.S. federal government, universities, educational institutions and a wide range of state and local partners. This means that we have a deep and broad visibility into the cyber threat landscape. We are committed to being a good cyber citizen and a trusted security partner with the federal government.
It's no secret that cyber attacks cause real impact to our daily lives from disruptions of public services, like health care, or emergency services, to compromises of American sensitive data. With that backdrop, Palo Alto Network strongly believes that deploying cutting edge cyber security defenses is a necessary and effective enabler of data security and privacy. Bottom line, effective data security and data privacy requires cutting edge Cyber Se
